CLI Login failing due to expired cert, but all certs appear to be current

Hi all! Big fan of Bitwarden. I’ve been running my own self-hosted instance on an AWS server without much trouble.

Lately, my automated backups started failing, and I’ve traced the problem to a failure of the “bw login” command to successfully log me in to Bitwarden, once I’m SSH’d in to the server. For background: my installation works perfectly: the web and app are both flawless, and I can login with my master account and view all my data without any problem via either of those.

Here’s the error I’m getting:

$ bw login
? Email address: [email protected]
? Master password: **********************************
request to https://MY.DNS.NAME/identity/connect/token failed, reason: certificate has expired

So, I tried running “ update” and “ renewcert”, and both succeed with no errors. It even updated the “Lets Encrypt” cert! In fact, the “Lets Encrypt” cert I have in place seems to pass all tests at:

Except for the “you’re not using one of our certs” test.

Any clues? What certificate does the “bw login” command need to be updated, and how do I update it? Thanks all! :slight_smile:

Hi @stonesand - welcome!

You might try inspecting your cloud service to see if there are any expired certificates that weren’t deleted. Let’s Encrypt updated their root certificate last fall, and it has caused some grief for some users. Specifically, look for this expired certificate and remove it: Digital Signature Trust (or DST) Root CA X3.

It is also worth checking your client machine, as well.

Thanks for the help! I’ve tried to do this, but I admit I’m a bit lost on what to do next.

I’ve followed the instructions here:

And used the linked tool to remove the CA X3 cert.

I’ve also followed the instructions here, under “Manually Update a Let’s Encrypt Cert”:

These haven’t helped, unfortunately: I still get the same error when trying to login from the command line (and yet the web portal and app still work great).

Are there logs or something generated by BW that tells me what certificate is failing?

I should also say that I’ve restarted the server after doing these cert changes, too. :slight_smile:
Thanks for any help anyone has! :slight_smile:

I saw another user having issues with the CLI on a self-hosted instance of vaultwarden (bitwarden_rs). Are you running the official Bitwarden server @Stonesand ?

Yes I am! Just the plain vanilla version. :slight_smile: I tried hunting around in bwdata/logs, but couldn’t find anything about certificate hits.

If you are running the Bitwarden official server, then I would reach out to the Bitwarden CS team for additional help. That’s very strange that the server works, other clients work, but not the CLI. I have not heard of that one before.

Some more info, as evidence of my work in case dh024 needs it or anyone else:

$ echo | openssl s_client -servername MYSERVER.NET -connect MYSERVER.NET:
443 2>/dev/null | openssl x509 -noout -enddate
notAfter=May  1 22:23:25 2022 GMT
$ openssl x509 -noout -in /etc/ssl/certs/ca-bundle.crt -enddate
notAfter=Dec 31 09:37:37 2030 GMT
$ trust list | grep "X3"

OK, thanks for the help @dh024 I’ll reach out to them! :slight_smile:

1 Like