Trust Anchor Issue w/ Android App

I can’t seem to log in with the Android app with my Bitwarden setup.

Here are some details:

I have a wildcard SSL certificate from ComodoSSL configured to terminate at my Nginx proxy behind my home gateway router.

I serve multiple domains and have a positive check from Comodo SSL Checker - SSL/TLS Certificates Checker Tool.

I set up using Docker and have tried both with and without SSL in both Docker/Nginx.

I can login fine via Web.

Feeling frustrated, any assistance is welcome! So far I really like the look of this application!

Docker-Setup:

WD=/opt/bitwarden
mkdir -p $WD/{setup,data,ssl}
cd $WD/setup
cat << 'EOF' >docker-compose.yaml
version: '3.7'

services:
  bitwarden:
    container_name: bitwarden
    image: bitwardenrs/server:latest
    hostname: bitwarden
    ports:
      - '8217:80'
    volumes:
      - type: bind
        source: /opt/bitwarden/data/
        target: /data
      # - type: bind
      #   source: /opt/bitwarden/ssl/
      #   target: /ssl

    environment:
      - 'TZ=America/Whitehorse'
      - 'SIGNUPS_ALLOWED=true'
      # boolean settings are parsed case-sensitively; 'True' is silently ignored and the default (false) applies
      - 'WEBSOCKET_ENABLED=true'
      - 'DOMAIN=https://sub.domain.com'
      - 'LOG_FILE=/data/bitwarden.log'
      #- 'ROCKET_TLS={certs = "/ssl/domain.pem", key = "/ssl/domain.key"}'
      #- 'DATABASE_URL=postgresql://[[user]:[password]@]host[:port][/database]'
EOF
chmod +x docker-compose.yaml

Nginx:

##BITWARDEN
server {
    listen      80;
    server_name sub.domain.com;

    # keep the requested path when redirecting to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;
    server_name sub.domain.com;

    # this file must hold the server certificate followed by the
    # intermediate certificate(s) up to the root, not only the leaf
    ssl_certificate     /etc/ssl/sub/domain.crt;
    ssl_certificate_key /etc/ssl/sub/domain.key;
    client_max_body_size 128M;

    location / {
        proxy_pass http://localhost:8217/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # include /etc/nginx/conf.d/proxy.conf;
    }
}

Do you have all the root chains included also?
Most of these certs have a chain of signed certs and all need to be served instead of only the cert of your domain.

That will probably solve your issue.


Honestly, I switched from paying for a wildcard to setting up Let's Encrypt and that worked asap; the only issue is I now need a DNS record for every internal domain because I don't want to bother with ACME, but it's free and was on my todo list.

It is annoying that nothing else was complaining about my old certs except Android apps, but even Passbolt was complaining, so I don't see this as a Bitwarden issue. In fact, Bitwarden gave a more descriptive error at least!

Just as a reference:

What are chains:

How to apply/use chains:


If you run Windows, check out Certify The Web; it’s pretty great.