I have a private (LAN only) Vaultwarden instance running on a Raspberry Pi4 via docker. It is set up per the Wiki with Duck DNS and Caddy reverse proxy. Bitwarden Windows Desktop, Firefox Extension and Web Vault all work perfectly. The Android app also works but no web icons are displayed.
Web icons are working correctly in all Windows clients and the Firefox Android Extension on my phone. It’s only the Bitwarden Android app (latest release and beta) that does not display web icons. Is that normal, or is there something I can do to get web icons working in the Bitwarden Android app?
Actually, I’ve also created a cloud-hosted Bitwarden account and the Android app displays the web icons correctly using that account. The missing web icons only occur when using my self-hosted Vaultwarden and the Bitwarden Android app.
I’ve looked into this issue further and can report the following.
Setting Icons Server URL = https://icons.bitwarden.net under Custom Environment in the Android app displays the web icons correctly. Without this setting, I believe the app tries to load web icons from https://my-vwserver/icons/<site>/icon.png and they are all missing.
Entering https://my-vwserver/icons/google.com/icon.png (for example) in Firefox Android displays the correct icon.
I downloaded the app source code and built it in Debug mode in Visual Studio. Running via an emulator gives SSL CERTIFICATE_VERIFY_FAILED errors in the terminal output when loading icons. For example:
Image loading failed: https://my-vwserver/icons/google.com/icon.png
FFImageLoading.Exceptions.DownloadAggregateException: One or more errors occurred. (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.) ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223
--- End of inner exception stack trace ---
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x0025c] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:310
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x0007b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:165
--- End of inner exception stack trace ---
I have no experience in C# programming but followed the suggestion in https://github.com/luberda-molinet/FFImageLoading/issues/1448 and created an instance of HttpClient with SSL bypass in its handler for the FFImageLoading ImageService in MainApplication.cs. Rebuilt the app in Release mode and installed on my phone. The web icons now display correctly.
It therefore seems that the root cause of the missing web icons in the Bitwarden Android app is an invalid SSL certificate when loading icons from https://my-vwserver/icons/<site>/icon.png. This occurs when running a private (LAN only) Vaultwarden instance with Caddy and Duck DNS via docker-compose per the Wiki.
I"m experiencing this also. @NotLikely38 great investigative work. @BlackDex I think you may be on to it. I believe the icons went missing right about the time LE expired their root LE cert.
I’m using SWAG from Linuxserverio which uses nginx reverse proxy. SWAG container handles the LE cert stuff. It looks like they addressed the issue in release 1.20.0-ls88, from the release notes "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. " I’m currently running a later version than this so should have this fix baked in. However, my icons still don’t show.
Is there a way to resolve this cert error due to LE root cert expiration?
I can confirm that per @NotLikely38, Setting Icons Server URL = https://icons.bitwarden.net under Custom Environment in the Android app displays the web icons correctly.
I also ran into another issue, which seems like a bug. The android app does not persist the Icon Server URL. If I close and reopen the app, icons are gone. I logout and check custom settings and Icon Server URL is empty. So this is not a working workaround.
Any of options 2 through 5 should work. Option 2 is a device-specific fix, and is probably easiest if there are only a few Android devices you care about and you control all of them. If you need to support unknown Android devices, then you need one of the other options.
Thank you @jjlin and @BlackDex. Option 2 fixed the SSL certificate error for me and web icons are now working again in the official Bitwarden Android app.
Since the DST ROOT CA X3 is a system cert, to be on the safe side, I chose option 5 and switched from LetsEncrypt to ZeroSSL for my certs. I then re-enabled DST Root CA X3 on my android devices. Tested and I see all icons fine.
Use another CA such as ZeroSSL, which uses a root which is trusted back to Android 2.2, and which won’t expire until 2038.
For me, setting Icons Server URL = https://icons.bitwarden.net under Custom Environment in the Android app did not make the icons appear, no luck on my OnePlus 8 running Android 11.
So I had to switch to zerossl and yes it worked for me, it was a real pain having to add CAA tom my DNS, then adding a second certresolver to traefik, finding out they all need to use the same email, and finally adding the proper labels to my routers so only vaultwarden gets it from zerossl given the pretty limiting constraints of a free zerossl account…
There is no chance I get the time to give examples and anyway my setup with traefik is probably too specific to me. All steps I did are already summarized : CAA in your DNS, then add a certResolver, there are great guides for zerossl and traefik, plus the doc is quite helpful to add certResolver and set it on router.
So knowing zerossl provides free certs that work with icons is the key information here