Desktop App Error - Failed to Fetch, unable to login

Hey all,

I’m having issues trying to get the Windows Desktop app working.
I’ve self-hosted my own BitWarden server locally on the LAN, and it is not reachable over the internet (which is intended).

I’ve created a certificate for this server (Ubuntu Server), which is signed by our local CA on the LAN. All devices on the LAN have the root CA’s certificate in their ‘Trusted Root CA’ repo.

I can navigate to the web instance of BitWarden absolutely fine on 443/SSL, the page shows as correctly secured and trusted. I can use the Web Browser plugins/extensions again, absolutely fine, no issue.

But when we try and log into the desktop app, we get the following error:
Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID

Has anyone else had this issue? The CN is correct, and the https URL entered into the app settings is also correct.
The cert has the CN of ‘Mia’, and browsing to https://mia shows it’s correctly working and trusted, but the app just doesn’t seem to like it.

I ran into this issue as well when using certificates signed by my own CA. For me the fix was to include a Subject Alternate Name (SAN) in the certificate. I set the SAN to be the same as the CN and included the IP. This post has discussion about the issue in Chrome.

Thanks Monty, this was exactly the issue!
I finally got around to fixing this, which also fixed it so that I can now use the apps on Mobile Devices too!

Admittedly my use case is probably quite small, as our local CA is Microsoft (Running on a Windows DC).

For anyone else having this issue, what I did was:

  • Before generating the CSR on the BitWarden server, an amendment to the OpenSSL Config file is required to allow providing of a Subject Alt Name for the cert.

  • Add the following field under the heading ‘[ req_distinguished_name ]’ in the file /etc/ssl/openssl.cnf
    subjectAltName = SubjectAltName (e.g. DNS:mia.theden.home,IP:10.0.0.13)

  • Generate a new CSR from the BitWarden server, using the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout mia.theden.home.key -out mia.theden.home.csr

  • You will need to make the following change on your MS CA to allow the CA to provide the cert with a SAN (Subject Alternative Name)

  • Logon to the CA, and run the following cmd as admin:
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

  • Restart the CertSvc service on the CA for the changes to take effect

  • Logon to the CA webportal: https://CA/certsrv

  • Paste the CSR from the BitWarden server into the request field, and select the ‘Web Server’ template from the drop down

  • Add the following into the ‘Additional Attributes’ section:
    san:dns=mia.theden.home&ipaddress=10.0.0.13

  • Submit the request, and obtain the certificate in Base 64 encoded format
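
The check behind this fix, as an added example that is not part of the thread: Chromium-based clients, which report errors in the net::ERR_ form seen above, match the requested name against the certificate's SAN entries and ignore the CN. The functions below read the SAN from a certificate file with openssl and test whether a name or IP is covered; the function names and the file name in the usage comment are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Only the SAN is examined, never the CN.
# Matching here is a plain case-insensitive comparison plus single-label
# wildcards; a real client's matcher may normalise names differently.

# cert_san CERT_FILE: print the SAN entries on one line, e.g.
# "DNS:mia.theden.home, IP Address:10.0.0.13"; prints nothing if there is no SAN.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# san_covers SAN_LINE HOST: succeed if HOST matches one SAN entry.
san_covers() {
    local rest="$1," host entry name
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while [ -n "$rest" ]; do
        entry="${rest%%,*}"; rest="${rest#*,}"   # take the next comma-separated entry
        entry="${entry# }"                       # drop the space after the comma
        case "$entry" in
            "IP Address:"*)
                [ "${entry#IP Address:}" = "$host" ] && return 0 ;;
            DNS:*)
                name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')
                [ "$name" = "$host" ] && return 0
                # "*.domain" covers exactly one extra left-most label
                case "$name" in '*.'*)
                    case "$host" in *.*)
                        [ "${host#*.}" = "${name#??}" ] && return 0 ;;
                    esac ;;
                esac ;;
        esac
    done
    return 1
}

# check_cert CERT_FILE HOST: the two steps combined.
check_cert() { san_covers "$(cert_san "$1")" "$2"; }

# Usage (hypothetical file name):
#   check_cert mia.theden.home.crt mia.theden.home && echo "name is in the SAN"
```

Run it with the exact host name or IP that is entered in the client's server URL, since that is the value the client compares against the SAN.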

Dear all,

I am currently setting up a self-hosted Bitwarden instance on a Debian 11.2 in a private network without access from the internet. Unfortunately I am facing the same issue right now and receive the “Failed to fetch” error message, when trying to connect from the Windows Bitwarden desktop application to my vault.

As I can only use a self-signed certificate (for now), which needs to comply with Apple’s security requirements for certificates, I have created a config file for the certificate like this:

[ req ]
default_bits           = 4096
default_md             = sha512
prompt                 = no
encrypt_key            = no
distinguished_name     = req_distinguished_name
x509_extensions        = usr_cert

[ req_distinguished_name ]
countryName            = "US"                        # Two Digit Country Code
stateOrProvinceName    = "California"                # State or Province Name
organizationName       = "Perpetual Technologies"    # Organization Name
commonName             = "Bitwarden"                 # Project or Domain Name (FQDN)
emailAddress           = "[email protected]"       # Any Email Address

[ usr_cert ]
basicConstraints       = critical, CA:true, pathlen:0
nsCertType             = sslCA
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
nsComment              = "OpenSSL CA Certificate"
subjectAltName         = @alt_names

[alt_names]
DNS.1                  = vm-bitwarden-debian.fritz.box.    # Local Hostname or Public Domain Name
IP.1                   = 192.168.1.100    # Local or Public IP Address

Afterwards I have created the certificate with this statement:

sudo openssl req -x509 -keyout /etc/ssl/private/bitwarden.key -out /etc/ssl/certs/bitwarden.crt -config ~/bitwarden.cnf -days 365

It is possible to import the self-signed certificate locally on any iOS device as well as the local windows browsers and trust it, so Bitwarden works on the self-hosted instance perfectly. However, unfortunately the Bitwarden Windows App comes back with the “Failed to fetch” error message even though I have added the local DNS name as subjectAltName.

Is anybody able to provide some help, how I can get all this aligned, so all clients such as iOS devices, Windows Browsers and also Windows Desktop App can connect properly to the vaults and manage them, please?

Thanks for your kind support and keep the great community up!

John

Any help here would be highly appreciated, please…