VaultWarden with Rocket gets SSL errors

Hello, I’ve been trying for a while now to get VaultWarden in a docker running on my local server, but with no success.

I’ve tried the duckdns challenge, but ran into building issues with caddy. Decided to go the self-signed route, got to a point where I get Rocket has launched from http://0.0.0.0:80 but when I connect to the IP via HTTPS at the specified port on the docker compose file, I get ERR_SSL_PROTOCOL_ERROR.

So I curled that to get more info, and got this piece of info:

curl: (35) OpenSSL/1.1.1s: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Tried recreating the certificates, made sure they all lined up name-wise, nothing. What am I missing here? I would really appreciate your view on the matter.

Thanks and have a great day!

Anyone? I really want to get started with VW.

Can you post your configuration and how you start the container? I think you are missing the ROCKET_TLS={certs="data/cert.pem",key="data/key.pem"} because your logs don’t say that Rocket has launched from https://0.0.0.0:80.

I do have that, and I did mention I get Rocket has launched from https://0.0.0.0:80
I got that after adding it in portainer as an env variable.

What else can cause this?

You said:

If you have configured that make sure you recreate the container. Otherwise please post your configuration.

name: vaultwarden
services:
  server:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    networks:
      default: null
    ports:
    - mode: ingress
      target: 80
      published: "88888"
      protocol: tcp
    - mode: ingress
      target: 3012
      published: "3012"
      protocol: tcp
    restart: unless-stopped
    volumes:
    - type: bind
      source: /Path/to/VaultWarden
      target: /data
      bind:
        create_host_path: true
    - type: bind
      source: /Path/to/VaultWarden/SSL
      target: /ssl
      bind:
        create_host_path: true

networks:
  default:
    name: vaultwarden_default

And the env var that is set through portainer:

name
ROCKET_TLS:
value
'{certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}'

When I tried putting the env inside the docker compose normally I got:

Error: Rocket.
[CAUSE] Io(

    Custom {
        kind: NotFound,
        error: "error reading TLS file `ssl/vaultwarden.crt`: No such file or directory (os error 2)",
    },
)

Hope this helps.

So is this issue not solvable? Should I report this as a bug?

You are getting the error message for a reason and you should try to figure out why (i.e. does the file /Path/to/VaultWarden/SSL/vaultwarden.crt exist?).

If you just set the environment variable on a different layer, vaultwarden will simply ignore it (as it does not get random environment variables from your host) and you have not actually configured it.

I am trying to figure out why, but I’ve followed all the logical paths I can think of. The file exists in the directory, made sure of that. If the portainer env didn’t work, won’t it show up with the same error as when I try to do it in the compose file?
Could this be a permission thing on the crt? Should I chown or chmod or both that directory to a specific user?

First make sure you don’t have a typo in the path. And since the path should exist you should also not need create_host_path: true (I am not sure why you have set this option).

I think a permission issue should either prevent the volume from being mounted in the first place or result in a different error message: Permission denied (os error 13)

If you have a running container (i.e. when you don’t set ROCKET_TLS) you can also run an interactive bash shell (e.g. with docker exec) and inspect the /ssl directory and maybe check if you can cat ssl/vaultwarden.crt

OK, using ls, I found the source of my problem, thanks for your patience and support!
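
An added example, not part of the thread and not Vaultwarden's own code: curl's "wrong version number" error is what a TLS client reports when the first bytes it gets back are not a TLS record, which is the case when the listener is still serving plain HTTP because ROCKET_TLS was never applied. The probe below tells the two cases apart for any host and port; the function name and the result labels are hypothetical.

```python
import socket
import ssl

# Result labels are made up for this example.
MEANING = {
    "tls": "listener speaks TLS; connect with https://",
    "plaintext-http": "listener answers plain HTTP, so TLS is not enabled on "
                      "this port and an HTTPS client fails its handshake",
    "unknown": "no TLS handshake and no HTTP reply (closed port or other service)",
}


def probe_listener(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP listener as 'tls', 'plaintext-http' or 'unknown'."""
    # Step 1: try a TLS handshake. Verification is switched off only so that
    # a self-signed certificate still counts as "speaks TLS"; this context is
    # for protocol classification and must not carry real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:
        pass  # ssl.SSLError subclasses OSError; fall through to step 2

    # Step 2: the handshake failed, so send a plaintext request and check
    # whether the reply starts with an HTTP status line.
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: probe\r\n\r\n")
            while len(reply) < 5:
                chunk = raw.recv(16)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    import sys
    result = probe_listener(sys.argv[1], int(sys.argv[2]))
    print(f"{result}: {MEANING[result]}")
```

Run it against the published port of the container; a "plaintext-http" result means the TLS setting never reached the process, whatever the orchestration UI shows.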