Web icons on Bitwarden Android

Hi All,

I have a private (LAN only) Vaultwarden instance running on a Raspberry Pi4 via docker. It is set up per the Wiki with Duck DNS and Caddy reverse proxy. Bitwarden Windows Desktop, Firefox Extension and Web Vault all work perfectly. The Android app also works but no web icons are displayed.

Web icons are working correctly in all Windows clients and the Firefox Android Extension on my phone. It’s only the Bitwarden Android app (latest release and beta) that does not display web icons. Is that normal, or is there something I can do to get web icons working in the Bitwarden Android app?

Thanks for your help.

See Android app no icons for logins - #13 by tgreer - User-to-User Support - Bitwarden Community Forums

Thanks BlackDex, I saw that thread previously.

Actually, I’ve also created a cloud-hosted Bitwarden account and the Android app displays the web icons correctly using that account. The missing web icons only occur when using my self-hosted Vaultwarden and the Bitwarden Android app.

All debugging which has already been done turned out that the application isn’t doing those calls to fetch the icons at all.

You should see the same on your server logs. I’m also not able to reproduce this, so it’s hard for me to test it my self.

But all points to the android app it self it looks like.

I’ve looked into this issue further and can report the following.

  1. Setting Icons Server URL = https://icons.bitwarden.net under Custom Environment in the Android app displays the web icons correctly. Without this setting, I believe the app tries to load web icons from https://my-vwserver/icons/<site>/icon.png and they are all missing.

  2. Entering https://my-vwserver/icons/google.com/icon.png (for example) in Firefox Android displays the correct icon.

  3. I downloaded the app source code and built it in Debug mode in Visual Studio. Running via an emulator gives SSL CERTIFICATE_VERIFY_FAILED errors in the terminal output when loading icons. For example:

Image loading failed: https://my-vwserver/icons/google.com/icon.png
FFImageLoading.Exceptions.DownloadAggregateException: One or more errors occurred. (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.) ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x0025c] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:310 
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x0007b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:165 
   --- End of inner exception stack trace ---
  1. I have no experience in C# programming but followed the suggestion in https://github.com/luberda-molinet/FFImageLoading/issues/1448 and created an instance of HttpClient with SSL bypass in its handler for the FFImageLoading ImageService in MainApplication.cs. Rebuilt the app in Release mode and installed on my phone. The web icons now display correctly.

  2. It therefore seems that the root cause of the missing web icons in the Bitwarden Android app is an invalid SSL certificate when loading icons from https://my-vwserver/icons/<site>/icon.png. This occurs when running a private (LAN only) Vaultwarden instance with Caddy and Duck DNS via docker-compose per the Wiki.

If could also be an issue with LetsEncrypt and the expired DST Cert.

I"m experiencing this also. @NotLikely38 great investigative work. @BlackDex I think you may be on to it. I believe the icons went missing right about the time LE expired their root LE cert.

I’m using SWAG from Linuxserverio which uses nginx reverse proxy. SWAG container handles the LE cert stuff. It looks like they addressed the issue in release 1.20.0-ls88, from the release notes "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. " I’m currently running a later version than this so should have this fix baked in. However, my icons still don’t show.

Is there a way to resolve this cert error due to LE root cert expiration?

I can confirm that per @NotLikely38, Setting Icons Server URL = https://icons.bitwarden.net under Custom Environment in the Android app displays the web icons correctly.

I test this and it does work for my android app.

@BlackDex is it safe to set the Icons Server URI to https://icons.bitwarden.net? Are there any gotchas I would need to be aware of?

And it seems that @NotLikely38 has correctly identified the issue per #5 above. I see setting the Icon URl as a workaround and should be unnecessary.

What would be the fix for this so that it would work with https://my-vwserver/icons/<site>/icon.png as it always has in the past?

I also ran into another issue, which seems like a bug. The android app does not persist the Icon Server URL. If I close and reopen the app, icons are gone. I logout and check custom settings and Icon Server URL is empty. So this is not a working workaround.

It is safe to use bitwarden’s service. Only thing is that they would know the sites you have in your vault linked to your ip.

Best way to solve it is by fixing the certificate.

Thank you. I agree, but how do I fix the certificate?


Any of options 2 through 5 should work. Option 2 is a device-specific fix, and is probably easiest if there are only a few Android devices you care about and you control all of them. If you need to support unknown Android devices, then you need one of the other options.

Thank you @jjlin and @BlackDex. Option 2 fixed the SSL certificate error for me and web icons are now working again in the official Bitwarden Android app.

Ditto! Worked for me. Thank you @jjlin and @BlackDex!

Since the DST ROOT CA X3 is a system cert, to be on the safe side, I chose option 5 and switched from LetsEncrypt to ZeroSSL for my certs. I then re-enabled DST Root CA X3 on my android devices. Tested and I see all icons fine.

  1. Use another CA such as ZeroSSL, which uses a root which is trusted back to Android 2.2, and which won’t expire until 2038.

For me, setting Icons Server URL = https://icons.bitwarden.net under Custom Environment in the Android app did not make the icons appear, no luck on my OnePlus 8 running Android 11.

So I had to switch to zerossl and yes it worked for me, it was a real pain having to add CAA tom my DNS, then adding a second certresolver to traefik, finding out they all need to use the same email, and finally adding the proper labels to my routers so only vaultwarden gets it from zerossl given the pretty limiting constraints of a free zerossl account…

But switching to zerossl worked, thanks !

Maybe you can help others by explaining what’s steps you needed to take, and maybe some examples? That would be great.

There is no chance I get the time to give examples and anyway my setup with traefik is probably too specific to me. All steps I did are already summarized : CAA in your DNS, then add a certResolver, there are great guides for zerossl and traefik, plus the doc is quite helpful to add certResolver and set it on router.

So knowing zerossl provides free certs that work with icons is the key information here