Bitwarden CLI unable to verify first certificate

Hi together,

We want to self-host Bitwarden in our work environment and use the integration in ASG Remote-Desktop. This integration uses the CLI. But when I try to connect to our Bitwarden server with the CLI via PowerShell (or cmd) I get the following error:

I searched for it and found threads like this: ([Solved] [CLI] Failed to login on our server: "reason: unable to verify the first certificate"), but the steps mentioned didn't work for me. When I merge the certificates into a single one and don't use the ca.crt, Bitwarden isn't accessible at all.

We have our own CA that is trusted by all our client PCs via GPO. The certificate used for Bitwarden is generated from our CA and has no intermediates. Every method we want to use (browser extension, web access, desktop app) works except the CLI.

I followed the best practice instructions for the installation and we are using the latest version.

If you need additional info, feel free to ask.
Has anyone had a similar problem or does anyone know where I could have made a mistake?

When following the cat cert chain >> certificate.crt command, you might have reversed the order, and that would prevent BW from starting the nginx container.
Double-check that when you append the cert, it goes cat server-cert intermediate-ca >> certificate.crt

Alternatively, if there are no intermediates, it may work to append your local CA to the ca.crt chain instead.

I had a similar issue recently. The fix above should work, but only partially.
The bw CLI is a Node.js application, which has a CA store separate from the one of the PC the app is run on. Even if the cert is trusted by your local machine, it might not be trusted by the command line.

You will need to define the following environment variable before being able to fully use the CLI:
$env:NODE_EXTRA_CA_CERTS="C:\path\ca.pem"

C:\path\ca.pem represents the path to your root CA, which must be stored locally on the PC that is trying to connect to the CLI. I'd suggest setting this up on your AD in the future, once everything works.

To apply this change to your machine as a whole, so that you don't have to re-run the command every time you open a new PowerShell, the following command should work:

[Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS', 'C:\path\ca.pem', 'Machine')
The params define the name, value and then the scope of the variable.


Thanks to @Southwick I got it working under macOS/Linux.

To do the tests:
NODE_EXTRA_CA_CERTS=/Path/To/My/Cert.pem bw config server https://bitwarden.mydomain/

When I got it working, I added it to my .bashrc/.zshrc/.zshenv:

echo "export NODE_EXTRA_CA_CERTS=/Path/To/My/Cert.pem" >> ~/.bashrc
echo "export NODE_EXTRA_CA_CERTS=/Path/To/My/Cert.pem" >> ~/.zshrc

source ~/.bashrc
bw status --pretty
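The script below is an added example; it is not code from this thread or from Bitwarden. It builds a throwaway private CA and a server certificate signed directly by it (no intermediates, as in the question) and then runs the checks behind the three replies: a trust store without the CA cannot verify the server certificate (what the Node.js runtime inside bw sees before NODE_EXTRA_CA_CERTS is set, because it uses its own built-in bundle rather than the Windows store your GPO fills), a store that includes the CA PEM does verify it, the file you point NODE_EXTRA_CA_CERTS at really is a PEM CA certificate, and a concatenated certificate.crt for nginx has the server certificate first. It assumes openssl 1.1.1 or newer on PATH; the CA name, the hostname bitwarden.example.internal and the file paths are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Bitwarden): throwaway PKI plus the
# trust-store, file-format and chain-order checks implied by the replies above.
# Assumptions: openssl 1.1.1+; CA name, hostname and paths are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/ca.pem"                        # stands in for C:\path\ca.pem
SERVER_CRT="$WORK/server.crt"
SERVER_NAME="bitwarden.example.internal"     # hypothetical server hostname

make_test_pki() {
  # Minimal req config: a self-signed root marked CA:TRUE, like an internal AD CA.
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$CA_PEM" 2>/dev/null
  # Server key and CSR (-subj overrides the CN from the config), signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$SERVER_NAME" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SERVER_NAME" > "$WORK/leaf.ext"
  openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" -CA "$CA_PEM" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$SERVER_CRT" 2>/dev/null
}

# Does the file hold a PEM certificate flagged as a CA? NODE_EXTRA_CA_CERTS needs
# exactly that: PEM (not a DER .cer export) and the CA, not the server certificate.
is_pem_ca() {
  local text
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  text="$(openssl x509 -in "$1" -noout -text 2>/dev/null)" || return 1
  case "$text" in *'CA:TRUE'*) return 0 ;; *) return 1 ;; esac
}

# Verify LEAF for HOSTNAME against BUNDLE only (the default CA file/dir disabled).
# An empty BUNDLE models a trust store that lacks the private CA: openssl reports
# "unable to get local issuer certificate", Node.js reports the thread's
# "unable to verify the first certificate" (UNABLE_TO_VERIFY_LEAF_SIGNATURE).
verify_against() {
  local bundle="$1" leaf="$2" hostname="$3"
  if [ -n "$bundle" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$bundle" -verify_hostname "$hostname" "$leaf" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$hostname" "$leaf" >/dev/null 2>&1
  fi
}

# For a concatenated certificate.crt (first reply): the first PEM block must be the
# server certificate, because nginx (and openssl x509) read the first block as the leaf.
leaf_is_first() {
  local text
  text="$(openssl x509 -in "$1" -noout -text 2>/dev/null)" || return 1
  case "$text" in *'CA:TRUE'*) return 1 ;; *) return 0 ;; esac
}

# What bw's runtime will do with the variable: Node.js only prints a warning and
# carries on if the file is missing or unreadable, so check it explicitly.
check_node_extra_ca() {
  local f="${NODE_EXTRA_CA_CERTS:-}"
  [ -n "$f" ] && [ -r "$f" ] && is_pem_ca "$f"
}

main() {
  make_test_pki
  if verify_against "" "$SERVER_CRT" "$SERVER_NAME"; then
    echo "unexpected: verified without the CA"
  else
    echo "without the CA: verification fails (this is the bw CLI error)"
  fi
  verify_against "$CA_PEM" "$SERVER_CRT" "$SERVER_NAME" && echo "with ca.pem: verification OK"
  cat "$SERVER_CRT" "$CA_PEM" > "$WORK/certificate.crt"
  leaf_is_first "$WORK/certificate.crt" && echo "certificate.crt: leaf first, order OK"
  export NODE_EXTRA_CA_CERTS="$CA_PEM"
  check_node_extra_ca && echo "NODE_EXTRA_CA_CERTS points at a readable PEM CA certificate"
}
main
```

Against a real server, replace the generated files with the chain presented by the host (openssl s_client -connect host:443 -showcerts) and your exported CA; on Windows, export the root from certmgr as Base-64 encoded X.509, since the default DER .cer is not what Node reads. Two caveats worth keeping in mind: every Node.js process that inherits NODE_EXTRA_CA_CERTS trusts whatever that file contains, so when you set it at Machine scope make sure only administrators can write to the file, and do not work around the error with NODE_TLS_REJECT_UNAUTHORIZED=0, which switches certificate verification off entirely.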