Only one user getting the "An unexpected error has occurred" error message when trying to log in to a self-hosted instance

Hello fellow Bitwarden users,

We are using Bitwarden as a self-hosted solution, running the bitwarden docker images and script. We recently had to update the SSL certificates and I took the liberty of updating Bitwarden to the latest version, using

./bitwarden.sh updateself
./bitwarden.sh update

Everything went smoothly, Bitwarden came back online without a hitch. Now, one of our users - and so far, only one - cannot log into her vault, whatever the connection method or app used. The website interface, the desktop app and the browser extension all return the same error message: “An unexpected error has occurred”.

I looked in the nginx error.log, but could not find anything directly related to the problem at hand. Note that the access.log does contain a 500 error line with a timestamp from when the user attempts to login. But that error is not detailed in the error.log itself:

192.168.0.1 - - [27/Sep/2023:19:03:30 +0000] "POST /identity/connect/token HTTP/1.1" 500 0 "https://our-password-server.here/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "The user's IP here"

The only errors contained in the error.log are the following:

2023/09/27 17:17:13 [error] 50#50: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.sectigo.com, peer: 104.18.15.101:80, certificate: "/etc/ssl/our_website_directory/certfile.crt"
2023/09/27 17:52:12 [error] 52#52: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.sectigo.com, peer: 104.18.14.101:80, certificate: "/etc/ssl/our_website_directory/certfile.crt"
2023/09/27 18:22:12 [error] 52#52: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.sectigo.com, peer: 104.18.15.101:80, certificate: "/etc/ssl/our_website_directory/certfile.crt"
2023/09/27 18:52:13 [error] 45#45: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.sectigo.com, peer: 104.18.15.101:80, certificate: "/etc/ssl/our_website_directory/certfile.crt"

Since these errors are linked to the ssl_stapling and ssl_stapling_verify directives of the nginx default.conf file, I tried to force both of these to off in the file, then restarted the nginx container. I have confirmed that stapling is now off, by running nginx -T. And no more errors show up in the error.log file. However the user is still experiencing the same issue.

I was (kind of) able to reproduce the issue by logging in from a private browser window. The first time I log in, I get the “An unexpected error has occurred” message. Then if I press Enter or click the Login button again, I get to access my vault. Unfortunately, nothing shows up in the error.log.

Is there any way I can force nginx to write more detailed errors to its error.log file? Or should I look elsewhere for the source of this error? Could the problem stem from one of the other containers? If so, how should I go about pinpointing the source of the problem?

Hi @Inlibrolivier - welcome to our community! Just read over your issue: I think this would best be answered by reaching out to our Support Team. Feel free to post the resolution here for others 🙂

Hi there @JaiBitwarden, thanks for reading my thread. Following your suggestion, I have forwarded the contents of my post to the support team. I will post back again here with the solution, should one ultimately be found.

I am having the same exact problem, triggered after updating, and also impacting one single user only on our on-prem environment. No other users having the problem. In-Private, other browser, kill cache, nothing fixed anything. Opened ticket.

This is a huge problem as this is our accountant and payroll is due and she is the only one who can do it.

Hi @ExR90 - please DM your ticket number to me. Thanks!

End result, after days of messing with this, was that the Mail Relay was not reachable. Incredibly poor handling that a broken mail relay would lead to such a generic and problematic issue.

Had it simply popped up an error saying “Unable to relay the security email” or something, it would have immediately clued me in what to hunt for.

Lack of OAUTH for mail is a problem too, more and more providers are clamping down on legacy smtp auth. I had to spin up some old janky cpanel system just to relay this mail since our m365 tenant has legacy smtp auth blocked and the mail connector we created for this purpose would not handshake with Bitwarden during TLS so that failed too.

Hey there @ExR90 - I’m so glad you got the issue resolved but that does indeed sound like a lot of work to get there.

Thank you @ExR90 for your input and your work on the issue. In the end, the problem we were facing was exactly the same. Emails were not being sent. Only one of our users had 2FA activated, which explains why she was the only one getting the error.

Once the mail-related configuration variables were fixed in the global.override.env file and Bitwarden restarted, everything started working again.
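The failure both posters describe (a 500 on `/identity/connect/token` only for the user whose 2FA code has to be emailed) can be checked directly by opening an SMTP session with the settings in `global.override.env`. The following is an added example, not code from this thread or from Bitwarden; it assumes the `globalSettings__mail__smtp__*` key names of a standard self-hosted install, the function names are hypothetical, and the sample values are constructed.

```python
import smtplib
import ssl
import sys

PREFIX = "globalSettings__mail__smtp__"

# Constructed sample of the mail block in global.override.env (values are made up).
SAMPLE_ENV = """\
globalSettings__mail__replyToEmail=no-reply@vault.example
globalSettings__mail__smtp__host=relay.example
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__username=
globalSettings__mail__smtp__password=
"""

def parse_smtp_settings(env_text):
    """Return the globalSettings__mail__smtp__* entries keyed by their suffix."""
    settings = {}
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value.strip()
    return settings

def check_relay(settings, timeout=5.0):
    """Open an SMTP session to the configured relay; return (ok, reason)."""
    host = settings.get("host", "")
    if not host:
        return False, "smtp host is empty"
    try:
        port = int(settings.get("port") or 25)
        tls = ssl.create_default_context()
        if settings.get("ssl", "").lower() == "true":  # implicit TLS on connect
            client = smtplib.SMTP_SSL(host, port, local_hostname="localhost",
                                      timeout=timeout, context=tls)
        else:
            client = smtplib.SMTP(host, port, local_hostname="localhost", timeout=timeout)
        with client:
            client.ehlo_or_helo_if_needed()   # raises if the greeting is refused
            if client.has_extn("starttls"):   # surfaces TLS handshake failures
                client.starttls(context=tls)
            if settings.get("username"):      # surfaces blocked or failed SMTP AUTH
                client.login(settings["username"], settings.get("password", ""))
    except (OSError, ValueError, smtplib.SMTPException) as exc:
        return False, f"{type(exc).__name__}: {exc}"
    return True, "relay accepted the session"

if __name__ == "__main__":
    # Usage: python check_relay.py <path to global.override.env>
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(check_relay(parse_smtp_settings(fh.read())))
```

Run it from the Docker host against the real env file; a `False` result names the exception (connection refused, TLS error, authentication failure) that the login page collapses into "An unexpected error has occurred".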

Thank you so much for sharing the solution. Never would have thought about mail-relay.
My problem:

  1. The organization was disabled. Never figured out why, but reuploading the license solved this.
  2. Without an organization license, the Duo Mobile 2FA does not work as it is a premium feature.
  3. The fallback is sending the code via mail. This failed due to the mail relay not working. The mail relay might not have worked for a long time because it is rarely used. We use Bitwarden only for the family.

@grafnull Welcome to the forum!

I’m a bit confused - do you still have those problems? Or was the solution in this thread also the solution to your problems?

Sorry for the confusion. My problem was solved. I just wanted to describe the symptoms for others.
