Enabling SSL results in "Problem loading page"

Hey everyone,

My docker command looks like this:

docker run -d --name bitwarden -v HOST_DATA_DIR:/data/ -v HOST_SSL_DIR:/ssl/ -p HOST_PORT:80 -e ROCKET_TLS='{certs="/ssl/cert.pem",key="/ssl/key.pem"}' bitwardenrs/server:raspberry

Without SSL I had a working setup, but I recently had to enable SSL for my local server (only being served on LAN) because of the Firefox 75.0 crypto API update.

Now I simply get (on Firefox) “The connection was reset”

Using docker ps I can see the container is up, running, and healthy:

CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS                PORTS                             NAMES
dd4961121035        bitwardenrs/server:raspberry   "/usr/bin/entry.sh /…"   2 days ago          Up 2 days (healthy)   3012/tcp, 0.0.0.0:57034->80/tcp   bitwarden

Checking the docker logs (docker logs bitwarden) reveals nothing:

/--------------------------------------------------------------------\
|                       Starting Bitwarden_RS                        |
|                      Version 1.13.1-70f3ab8e                       |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new |
\--------------------------------------------------------------------/

[2020-05-10 11:05:34][start][INFO] Rocket has launched from https://0.0.0.0:80

My system is a Raspberry Pi 4B 4GB edition running Raspbian Buster. The server is accessible for all other services it is running without issue, hence the problem is probably not with the network config.

What could be causing this?

Thank you, any and all help is appreciated

What does curl -kv https://<host-ip>:<host-port> show? How did you generate the certificate?

So it says

*   Trying HOST_IP:HOST_PORT...
* TCP_NODELAY set
* Connected to HOST_IP (HOST_IP) port HOST_PORT (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  start date: May 8 04:53:23 2020 GMT
*  expire date: May 8 04:53:23 2021 GMT
*  issuer: C=US; ST=STATE; L=LOCATION; O=Internet Widgits Pty Ltd; CN=Ares; emailAddress=EMAIL
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: HOST_IP:HOST_PORT
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Cache-Control: public, max-age=600
< Server: Rocket
< Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'
< Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ;
< Access-Control-Allow-Origin:
< Content-Length: 1373
< Date: Wed, 13 May 2020 04:54:24 GMT
<
Bitwarden Web Vault
Bitwarden

* Connection #0 to host HOST_IP left intact

I generated it with

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

which was recommended by dani_garcia on the corresponding GitHub issue:
https://github.com/dani-garcia/bitwarden_rs/issues/958#issuecomment-626441209

So it seems to work in curl. What version of Firefox are you running? Have you tried other browsers?

Version 75.0. Happens with every other browser I’ve tried (including mobile browsers)

You probably need to specify https://<host-ip>:<host-port> in your browser, not just <host-ip>:<host-port>.

I am not sure. The reply should be HTML content, right?

# curl -v https://bitwarden.example.com

(...)
< referrer-policy: same-origin
< server: Caddy
< server: Rocket
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< content-length: 1373
<
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=1010">
    <meta name="theme-color" content="#3c8dbc">

    <title page-title>Bitwarden Web Vault</title>
(...)

Oops, yes, all I needed to do was add https:// in front of it. Lol, thank you though.
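The resolution above is worth seeing from the wire: the browser was sent to HOST_IP:HOST_PORT without a scheme, so it spoke plaintext HTTP to a port that Rocket, with ROCKET_TLS set, serves TLS only. The server expects a ClientHello, gets "GET / HTTP/1.1" instead, aborts the handshake and closes the socket, and Firefox shows that as "The connection was reset". The Python below is an added example, not code from this thread or from bitwarden_rs/Rocket. It shows what a listener can do instead: peek at the first bytes of an accepted connection, tell a TLS ClientHello apart from an HTTP request line, and answer the plaintext case with a redirect to the https:// URL rather than dropping it. The request bytes, the ClientHello prefix and the address 192.168.1.20:57034 are constructed for the demo and are not from the thread; the demo runs offline over a socketpair.

```python
"""Distinguish a TLS ClientHello from a plaintext HTTP request on a TLS-only
port, and give the plaintext client a usable answer instead of a reset.
Added example, stdlib only, runs offline over a socketpair."""
import socket

# Constructed sample inputs (hypothetical LAN address, not from the thread).
DEMO_HOST = "192.168.1.20:57034"
FIREFOX_PLAINTEXT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.168.1.20:57034\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
# TLS record header (type 0x16 handshake, record version 3.1, length 0xa5),
# then a ClientHello handshake header (type 0x01, length 0xa1, version 3.3)
# and 32 zero bytes standing in for the client random. Constructed; only
# the first six bytes matter to classify_first_bytes().
CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 a5 01 00 00 a1 03 03") + b"\x00" * 32

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """'tls' for a handshake record carrying a ClientHello, 'http' for a
    plaintext HTTP/1.x request line, otherwise 'unknown'."""
    if (len(data) >= 6
            and data[0] == 0x16       # record content type: handshake
            and data[1] == 0x03       # record-layer major version 3 (SSLv3/TLS)
            and data[2] <= 0x04       # minor version 0..4
            and data[5] == 0x01):     # handshake message type: ClientHello
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def host_from_request(data: bytes) -> bytes:
    """Value of the Host header of a plaintext request, or b'' if absent."""
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip()
    return b""


def https_redirect(request: bytes, fallback_host: str) -> bytes:
    """HTTP/1.1 response sending the client to the same path over https://."""
    host = host_from_request(request) or fallback_host.encode()
    target = request.split(b"\r\n", 1)[0].split(b" ")
    path = target[1] if len(target) >= 2 and target[1].startswith(b"/") else b"/"
    location = b"https://" + host + path
    body = b"This port serves TLS only; retry at " + location + b"\r\n"
    return (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: " + location + b"\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n"
            b"\r\n" + body)


def serve_one(conn: socket.socket, fallback_host: str) -> str:
    """Peek at an accepted connection without consuming it. Plaintext HTTP
    gets the redirect and is closed; a ClientHello is left in the buffer for
    the TLS stack (ssl.SSLContext.wrap_socket(conn, server_side=True) would
    run the handshake; omitted here because it needs a certificate)."""
    kind = classify_first_bytes(conn.recv(4096, socket.MSG_PEEK))
    if kind == "tls":
        return kind
    if kind == "http":
        request = conn.recv(4096)
        conn.sendall(https_redirect(request, fallback_host))
    conn.close()  # anything else is dropped, which is all Rocket does for plaintext
    return kind


def demo_plaintext_to_tls_port() -> bytes:
    """Replay the thread's mistake: plaintext HTTP to the TLS port. Returns
    everything the 'browser' side reads back."""
    browser, listener = socket.socketpair()
    try:
        browser.sendall(FIREFOX_PLAINTEXT)
        serve_one(listener, DEMO_HOST)
        chunks = []
        while True:
            chunk = browser.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        browser.close()
        listener.close()


if __name__ == "__main__":
    print(classify_first_bytes(CLIENT_HELLO_PREFIX), classify_first_bytes(FIREFOX_PLAINTEXT))
    print(demo_plaintext_to_tls_port().decode())
```

The check on the first six bytes is the same one reverse proxies use to decide between a TLS handshake and a plain request on a shared port; with curl -kv the difference is visible directly, since a missing https:// makes curl send the request line in the clear and the TLS-only listener closes the connection before any "< HTTP/1.1" line appears.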