Issues authenticating to vaultwarden using mobile app on Android

Hello all,

I am new to posting on forums so if I lack etiquette or am demonstrating ignorance of anything, please feel free to correct me so I can learn.

I’m trying to set up my vaultwarden instance using FIDO2 WebAuthn on a new Pixel 7a. The vaultwarden instance is self-hosted on a Synology NAS and I’m using tailscale to communicate with it; the vault server domain is a tailnet hostname with the port the vault is accessed through. This configuration works just fine on an iPhone’s mobile app and on all browser extensions and desktop applications. Tailscale is turned on. When I attempt to authenticate, it does seem to connect to the server, since it provides me with the authentication options I have specified for the vault, but none seem to work.

In the case of WebAuthn, which is the preferred option, I get the screen with the picture of a hand holding a YubiKey to the back of a phone with the “authenticate webauthn” button, but when I click the button it sends me back to the app and generates the error “Please make sure your default browser supports WebAuthn and try again. SecurityError: The relying party ID is not a registrable domain suffix of, nor equal to the current domain”.

In the case of both the soft token authenticator and YubiKey OTP options, it says that the token is invalid, despite resetting both and generating fresh tokens for each. Not really sure what to do besides this.

Also, I have the same configuration for an official bitwarden-hosted vault and was able to complete the webauthn authentication flow using the mobile app without running into any errors. I have tried using Chrome and Brave so far.

Update: I needed an intermediate certificate to address the issue, and I had also been entering the web vault into the wrong field. I was entering the base URL into the Web Vault Server URL field under Custom Environment rather than the Server URL field under Self-hosted Environment. The root issue was the need for an intermediate certificate. I took my key and crt files from the certificate generated by Let's Encrypt, then included the Intermediate Certificate provided by Let's Encrypt and replaced the certificate in the DSM with all three to ensure the intermediate certificate was included. This solved the issue. Leaving this here for anyone else who runs into this issue.
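The chain problem described in the update can be reproduced and checked offline. The script below is an added example, not code from the original post or from the vaultwarden or Synology projects: it builds a throwaway root CA, intermediate CA and server certificate with openssl (all names constructed; the hostname is an assumed placeholder, not the poster's tailnet name), shows that the server certificate fails to verify when presented alone, and shows that it verifies once the intermediate is bundled after it in one PEM file, the same shape as the "all three" upload the poster ended up doing.

```shell
#!/bin/sh
# Added example (not the poster's or vaultwarden's code): rebuild the "missing
# intermediate" failure with a constructed three-tier PKI, then verify the bundle.
set -eu

HOST="vault.example.ts.net"          # assumption: stands in for the tailnet hostname
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:$HOST
EOF

# Root CA: plays the role of the CA the phone already trusts.
openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Constructed Root CA" -days 365 -extensions v3_root 2>/dev/null
# Intermediate CA, signed by the root: the certificate the server must also send.
openssl req -config pki.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 365 -extfile pki.cnf -extensions v3_int 2>/dev/null
# Server (leaf) certificate for the vault hostname, signed by the intermediate.
openssl req -config pki.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=$HOST" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 365 -extfile pki.cnf -extensions v3_leaf 2>/dev/null

# The bundle to install: server certificate first, then the intermediate.
cat leaf.crt int.crt > fullchain.crt

# Does the leaf verify against the trusted root when only the leaf is presented?
leaf_alone_verifies() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Does it verify when the intermediate is also supplied (as an untrusted chain)?
leaf_with_chain_verifies() {
  openssl verify -CAfile root.crt -untrusted fullchain.crt leaf.crt >/dev/null 2>&1
}

# Subject of the first certificate in a PEM bundle; the server cert must come
# first, or the server presents the wrong certificate as its own.
first_subject_in() {
  openssl x509 -in "$1" -noout -subject
}

# Number of certificates in a PEM bundle (leaf alone: 1; leaf + intermediate: 2).
cert_count_in() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

if leaf_alone_verifies; then
  echo "leaf alone: verifies (unexpected)"
else
  echo "leaf alone: fails, intermediate missing"
fi
if leaf_with_chain_verifies; then
  echo "leaf + intermediate: verifies"
fi
echo "certs in bundle: $(cert_count_in fullchain.crt)"
echo "first cert in bundle: $(first_subject_in fullchain.crt)"
```

Against a live server the same check is `openssl s_client -connect HOST:PORT -showcerts </dev/null`: the output should list the server certificate followed by the intermediate, and a verify return code of 0 when the issuing root is in the local trust store. A chain that ends at the leaf is the symptom the update describes.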