No identity certificate to use error trying to run the Identity Container

Hello,

I’m self-hosting Bitwarden on an internal server and I’m getting the following error trying to restart the Identity container.

Error:
Unhandled exception. System.Exception: No identity certificate to use.
at Bit.SharedWeb.Utilities.ServiceCollectionExtensions.AddIdentityServerCertificate(IIdentityServerBuilder identityServerBuilder, IWebHostEnvironment env, GlobalSettings globalSettings) in /home/runner/work/server/server/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs:line 445
at Bit.Identity.Utilities.ServiceCollectionExtensions.AddCustomIdentityServerServices(IServiceCollection services, IWebHostEnvironment env, GlobalSettings globalSettings) in /home/runner/work/server/server/src/Identity/Utilities/ServiceCollectionExtensions.cs:line 21
at Bit.Identity.Startup.ConfigureServices(IServiceCollection services) in /home/runner/work/server/server/src/Identity/Startup.cs:line 131
at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.g__Startup|0(IServiceCollection serviceCollection)
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.b__0(IServiceCollection services)
at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance)
at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.b__0(HostBuilderContext context, IServiceCollection services)
at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider()
at Microsoft.Extensions.Hosting.HostBuilder.Build()
at Bit.Identity.Program.Main(String[] args) in /home/runner/work/server/server/src/Identity/Program.cs:line 10

I’m trying to run this behind an Apache reverse proxy, so I’m planning on using a self-signed certificate in the Bitwarden Nginx container. I used the following commands to create my self-signed .key and .crt files and the .pfx identity file. The .key and .crt files were placed in the /ssl/bitwarden.internal.domingopropertymanagement.ca folder. The .pfx identity file was placed in both the /ssl/ and the /identity/ folders.

sudo openssl req -x509 -newkey rsa:4096 -sha512 -days 365 -nodes -keyout ~/bitwarden-internal-private.key -out ~/bitwarden-internal-certificate.crt

sudo openssl pkcs12 -export -out ~/identity.pfx -inkey ~/bitwarden-internal-private.key -in ~/bitwarden-internal-certificate.crt

Here is the command for creating the Identity container that I’m using:

podman run --name=bitwarden-identity -d \
  --label io.podman.compose.config-hash=123 \
  --label io.podman.compose.project=docker \
  --label io.podman.compose.version=0.0.1 \
  --label com.docker.compose.project=docker \
  --label com.docker.compose.project.working_dir=~/bwdata/docker \
  --label com.docker.compose.project.config_files=./docker/docker-compose.yml \
  --label com.docker.compose.container-number=1 \
  --label com.docker.compose.service=identity \
  --env-file ~/bwdata/docker/global.env \
  --env-file ~/.local/share/containers/storage/volumes/bitwarden/_data/env/uid.env \
  --env-file ~/.local/share/containers/storage/volumes/bitwarden/_data/env/global.override.env \
  -v ~/.local/share/containers/storage/volumes/bitwarden/_data/identity:/etc/bitwarden/identity \
  -v ~/.local/share/containers/storage/volumes/bitwarden/_data/core:/etc/bitwarden/core \
  -v ~/.local/share/containers/storage/volumes/bitwarden/_data/ca-certificates:/etc/bitwarden/ca-certificates \
  -v ~/.local/share/containers/storage/volumes/bitwarden/_data/logs/identity:/etc/bitwarden/logs \
  --net bitwarden --network-alias identity --restart always \
  docker.io/bitwarden/identity:latest

Is anybody able to tell me what I’m doing wrong?

Thank you

Here are more configuration details.

This is my global.env file:

ASPNETCORE_ENVIRONMENT=Production
globalSettings__selfHosted=true
globalSettings__baseServiceUri__vault=
globalSettings__pushRelayBaseUri=https://push.bitwarden.com

Here is my redacted global.override.env file:

globalSettings__baseServiceUri__vault=
globalSettings__sqlServer__connectionString="Data Source=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;Password=;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=True"
globalSettings__identityServer__certificatePassword=
globalSettings__internalIdentityKey=
globalSettings__oidcIdentityClientKey=
globalSettings__duo__aKey=
globalSettings__installation__id=
globalSettings__installation__key=
#globalSettings__yubico__clientId=REPLACE
#globalSettings__yubico__key=REPLACE
globalSettings__mail__replyToEmail=support@domingopropertymanagement.ca
[email protected]
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=
globalSettings__mail__smtp__password=
globalSettings__disableUserRegistration=false
#globalSettings__hibpApiKey=REPLACE
[email protected]

Anybody else run into this issue?
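A pre-flight check for the identity certificate, added here as an example; it is not part of the post above and not a Bitwarden script. It assumes, from the mount and the setting shown in the post, that the Identity container reads identity.pfx from the directory mounted at /etc/bitwarden/identity and opens it with the value of globalSettings__identityServer__certificatePassword, and that a missing file, an empty password or a non-matching password each end in the "No identity certificate to use" exception. The `-subj` and `-passout` flags added to the two openssl commands only make them non-interactive; the host name and password used are constructed for the demonstration. The quoted-password case is included because `docker run --env-file` passes quotation marks through as part of the value, while docker compose strips them, so a password that is correct on disk can still be wrong inside the container.

```shell
#!/bin/sh
# Pre-flight check for the Bitwarden Identity container's signing certificate.
# Added example; not from the original post and not a Bitwarden script.
# Assumptions (mine, not stated on the page): the container reads
# /etc/bitwarden/identity/identity.pfx and opens it with the password in
# globalSettings__identityServer__certificatePassword from global.override.env.

# Print the raw value of KEY from a KEY=VALUE env file (first match, no quote handling).
env_value() {  # env_value FILE KEY
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Strip one matching pair of surrounding double or single quotes, if present.
unquote() {  # unquote VALUE
  printf '%s\n' "$1" | sed 's/^"\(.*\)"$/\1/; s/^'"'"'\(.*\)'"'"'$/\1/'
}

# Non-interactive version of the two openssl commands from the post:
# a self-signed key and certificate, then a PKCS#12 bundle protected by PASSWORD.
make_identity_pfx() {  # make_identity_pfx DIR PASSWORD [CN]
  openssl req -x509 -newkey rsa:4096 -sha512 -days 365 -nodes \
    -subj "/CN=${3:-bitwarden.internal.example}" \
    -keyout "$1/bitwarden-internal-private.key" \
    -out "$1/bitwarden-internal-certificate.crt" >/dev/null 2>&1 &&
  openssl pkcs12 -export -out "$1/identity.pfx" \
    -inkey "$1/bitwarden-internal-private.key" \
    -in "$1/bitwarden-internal-certificate.crt" \
    -passout "pass:$2"
}

# 0 if PFX opens (its MAC verifies) with PASSWORD, non-zero otherwise.
pfx_opens_with() {  # pfx_opens_with PFX PASSWORD
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Diagnose the usual causes of "No identity certificate to use".
# Returns 0 when identity.pfx is present and opens with the configured password;
# 1 missing file, 2 empty password, 3 password only works unquoted, 4 wrong password.
check_identity_cert() {  # check_identity_cert IDENTITY_DIR OVERRIDE_ENV
  pfx="$1/identity.pfx"
  if [ ! -f "$pfx" ]; then
    echo "FAIL: $pfx missing; the volume mounted at /etc/bitwarden/identity must contain identity.pfx"
    return 1
  fi
  raw=$(env_value "$2" globalSettings__identityServer__certificatePassword)
  if [ -z "$raw" ]; then
    echo "FAIL: globalSettings__identityServer__certificatePassword is empty in $2"
    return 2
  fi
  if pfx_opens_with "$pfx" "$raw"; then
    echo "OK: $pfx opens with the configured password"
    return 0
  fi
  # docker run --env-file passes quotes through literally; docker compose strips them.
  stripped=$(unquote "$raw")
  if [ "$stripped" != "$raw" ] && pfx_opens_with "$pfx" "$stripped"; then
    echo "FAIL: the password only works without its surrounding quotes; remove them in $2"
    return 3
  fi
  echo "FAIL: $pfx does not open with the configured password (wrong password, or a legacy PFX this OpenSSL cannot read)"
  return 4
}

# Self-contained demonstration with constructed files in a temporary directory.
demo() {
  dir=$(mktemp -d)
  make_identity_pfx "$dir" 'S3cret-pw' >/dev/null 2>&1
  printf 'globalSettings__identityServer__certificatePassword="S3cret-pw"\n' > "$dir/global.override.env"
  check_identity_cert "$dir" "$dir/global.override.env"   # reports the quoted-password case
  rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Against a real deployment, call `check_identity_cert` with the host side of the identity volume and the path of global.override.env as they appear in the `podman run` command. A passing check proves only that the file exists and that the password matches; it does not prove the container process can read it, so also confirm the file is readable by the user in uid.env.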

Hello,
Did you ever get this solved? I am currently running into the same issue with self-signed certificates

I also received this error. I do not fully know what was broken.
At the same time, the disk that Bitwarden ran on was full. We expanded the disk and still had the error.

Then we tried:
./bitwarden.sh restart
./bitwarden.sh updateself
./bitwarden.sh update
./bitwarden.sh restart

all of which “succeeded”

we ran
docker compose down
docker compose up

and then everything started to work again.