Connection Failure with Bitwarden Android app

I cannot access my Vaultwarden instance via the Bitwarden app. I am running Vaultwarden as a docker instance (image: vaultwarden/server:latest). I can easily access the web interface from anywhere (within my home network as well as from outside).
This also works without any problems with the Bitwarden Windows client and also with the browser extension.

What I fail with, however, is the Bitwarden Android app.
If I enter the user name in the first step and have entered the URL to the server, I get the error message: “Exception message: Connection failure”. I also get this message in the next step - entering the password.
No access attempts appear in the access logs of the reverse proxy (nginx).

However, I can connect to the Bitwarden server on bitwarden.com using the app.

The problem also occurs on 2 other Android phones - so it is obviously independent of the device.
However, I can access the server on all these phones via the browser without any problems.

Version information:
Bitwarden Android app version: 2024.3.0
Vaultwarden server: 1.30.5
Web interface: 2024.1.2b

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5
  • Web-vault version: v2024.1.2b
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

nginx reverse proxy config

nginx config
server {
    server_name vaultwarden.*;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_certificate /config/keys/xxxxx/yyyyyy.net_ssl_certificate.cer;
    ssl_certificate_key /config/keys/xxxxx/_.yyyyyy.net_private_key.key;

    ssl_dhparam /config/nginx/dhparams.pem;

    # Enable TLS 1.3 early data
    ssl_early_data on;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://vaultwarden.lan:877/;

        allow all;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        send_timeout 5m;
        proxy_read_timeout 240;
        proxy_send_timeout 240;
        proxy_connect_timeout 240;

        proxy_set_header Early-Data $ssl_early_data;

        # $connection_upgrade requires a "map $http_upgrade $connection_upgrade" block in the http context
        proxy_http_version 1.1;
        proxy_set_header Upgrade            $http_upgrade;
        proxy_set_header Connection         $connection_upgrade;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Port   $server_port;
        proxy_set_header Host               $host;

        proxy_buffers 32 4k;
        proxy_headers_hash_bucket_size 128;
        proxy_headers_hash_max_size 1024;
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;

        client_max_body_size 250m;
    }
}

docker compose config

docker-compose.yml
version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - TZ=Europe/Berlin
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true
      - INVITATIONS_ALLOWED=false
      - ADMIN_TOKEN=xxxxxxxxxxxxxxxxxxxxxx
      - DOMAIN=https://vaultwarden.xxxxxx.net
    volumes:
      - ./data:/data
    ports: # host:container
      - "877:80"
      - "3012:3012"
    restart: unless-stopped

I’m experiencing this same exact issue.

nginx shows no connection attempts from Android. I exposed vaultwarden directly and Android works without SSL. I’m guessing it is failing very early in the SSL handshake process or it is not connecting at all.

I did a bunch of trial and errors to isolate the issue. I disabled SSL on nginx and observed nginx wasn’t the direct issue, the BW android client would connect to VW through nginx proxy without SSL.

I wish I could report exactly what I did to make it work, but among the things I tried is disabling privacy DNS on my android device, fiddling with the SSL keys, and adding large_client_header_buffers 4 4k; to the nginx config. I also wiped the application and reconnected it multiple times. Unfortunately, I don’t know if it was the client or the server or a combination of both that got it working, but I can say I did get it working. Hopefully, this issue can be isolated and identified a bit better by others.

Hello,
I experience the same behavior, just with a different error message: Exception message: net_http_request_timedout, 100

By “fiddling” with the certs and proxy settings I got it to work. But only for one night. The next morning I couldn’t connect again.

And it gets even more confusing. From time to time I am able to sync. But I can’t see any pattern.

@jonmchan is your android app still working?

Hey together,
I also have the same problem with the android app not connecting via reverse proxy with ssl.
I strongly guess it’s an Android problem. I also noticed that problem for the Plex app. For the browser both services are working as expected.
I am not an Android expert and don’t know if or how to fix these issues. Using the reverse proxy without SSL isn’t a problem for the apps.

Same, I got Android to connect once and now I noticed it isn’t actually syncing. I haven’t the time lately to investigate.


Had the same problem and found this thread; in my case nginx was missing the intermediate certificate/full certificate chain.

If you enable the debug logs of nginx you should see an error like this:
2024/04/17 17:05:13 [info] 20#20: *18 SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: ***.***.***.***, server: ***.***.***.***:443

See also: nginx - SSL handshaking fails - Stack Overflow

After using the intermediate certificate it works consistently with the Android Bitwarden app.

Thank you for your reply.
Due to my lack of knowledge, I am not (yet) able to do what you have done.

BUT I have accidentally found that my Android phone can sync when using my WireGuard VPN. This is not a complete solution, but it is an easy workaround.

Same problem, cannot connect to self-hosted VW instance on Start9 server via Android app.
Have tried with and without VPN; over wi-fi and cell network; have cleared cache, restarted app, reinstalled app, checked the CA, everything I can think of, and still get the same error: “Exception message: Connection failure”
I see people mentioning Nginx, but IDK what that is.
Someone else mentioned something about “full-chain certificate” somethingorother, but all I know how to do is download my server’s cert and trust it on my phone, which I’ve done.
Others mentioned something about IPV6 being an issue…?
This is seemingly a rather common problem; strange it hasn’t been reliably solved.

Thanks for sharing about the intermediate certs - I’m crossing my fingers that this fix will stick!

I use acme.sh to manage key generation, switched from using the --cert-file to the --fullchain-file that contains the intermediate certificate and now bitwarden app works on android! Pointed my nginx proxy to utilize the fullchain file instead of the cert only one and it seems to work.

I’ll update everyone if it stops working again…
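The two replies above about the missing intermediate certificate (the nginx debug log showing SSL alert 46, and the acme.sh switch from --cert-file to --fullchain-file) describe the same root cause: the server only sends its leaf certificate, browsers quietly fetch the missing intermediate themselves, and the mobile app does not. The following POSIX shell script is an added example, not code from any post in this thread. It asks the server for the chain it actually presents with openssl s_client -showcerts and classifies the result; the classification function is exercised on two constructed transcripts (the certificate bodies are placeholders, not real certificates) so it runs offline, and vaultwarden.example.net is a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the thread): does a TLS endpoint send its full
# certificate chain? A server that presents only the leaf certificate still
# works in browsers that fetch the intermediate on their own, but fails in
# clients that do not, which matches the "certificate unknown" alert quoted
# in the nginx debug log above. Host names used here are placeholders.

# Number of certificates present in an `openssl s_client -showcerts`
# transcript read from stdin. grep -c prints 0 and exits 1 on no match,
# so the `|| true` keeps that case from aborting under `set -e`.
served_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Number of certificates in a local PEM file, e.g. the file named by the
# nginx ssl_certificate directive. A count of 1 means only the leaf is there.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The numeric "Verify return code" from a transcript on stdin (0 means OK).
verify_return_code() {
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Classify a transcript on stdin and print one of:
#   ok                    chain verified
#   missing-intermediate  only the leaf was sent and OpenSSL could not
#                         find its issuer (codes 20/21 are OpenSSL's
#                         "unable to get local issuer certificate" and
#                         "unable to verify the first certificate")
#   other-failure         anything else (expired, wrong name, ...)
diagnose_chain() {
    transcript=$(cat)
    count=$(printf '%s\n' "$transcript" | served_cert_count)
    code=$(printf '%s\n' "$transcript" | verify_return_code)
    if [ "$code" = "0" ]; then
        echo ok
    elif [ "$count" -le 1 ] && { [ "$code" = "20" ] || [ "$code" = "21" ]; }; then
        echo missing-intermediate
    else
        echo other-failure
    fi
}

# Live check against a real host (not run by this script on its own):
#   check_host vaultwarden.example.net
check_host() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | diagnose_chain
}

# Constructed transcript of the failure case: one certificate, code 21.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = vaultwarden.example.net
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = vaultwarden.example.net
   i:C = XX, O = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed transcript of the healthy case: leaf plus intermediate, code 0.
SAMPLE_FULL_CHAIN='CONNECTED(00000003)
depth=2 C = XX, O = Example Root CA
verify return:1
depth=1 C = XX, O = Example Intermediate CA
verify return:1
depth=0 CN = vaultwarden.example.net
verify return:1
---
Certificate chain
 0 s:CN = vaultwarden.example.net
   i:C = XX, O = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:C = XX, O = Example Intermediate CA
   i:C = XX, O = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
---'

# Demonstration on the constructed transcripts.
printf 'leaf only : %s\n' "$(printf '%s\n' "$SAMPLE_LEAF_ONLY" | diagnose_chain)"
printf 'full chain: %s\n' "$(printf '%s\n' "$SAMPLE_FULL_CHAIN" | diagnose_chain)"
```

If check_host reports missing-intermediate, point the nginx ssl_certificate directive at a file that contains the leaf certificate followed by the intermediate(s) (the --fullchain-file output in the acme.sh reply above), confirm with pem_cert_count that the file now holds more than one certificate, run nginx -t and reload. A browser is not a sufficient test for this, which is why the web vault kept working while the app failed.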

Do you perhaps have any steps I can follow to get the Android app to work with my VW server?
As others mentioned, it works fine through the browser, local network and remote.

Thanks