Full Local SelfHosted BW - Android App issue

Hello everyone,
I’m struggling with that issue for 4 days now, i’m asking for someone cleverness to help me …

I’ve basically setup a bitwarden docker on a NAS which is not reachable from the Internet (local access only, that’s what I want). I can log on my Bitwarden instance Web UI on all browsers on my computer, it works like a charm. But I can’t figure out how to make the Android app working. Each time I try to connect, i have the "Trust anchor for certification path not found" error.

I’ve seeked for a long time about the certificate chain issue, self signed certificate etc… and here is how I generate my stuff (Self signed certificate with own CA) :

echo ">>>>> CA Key"
openssl genrsa -des3 -out towerrootCA.key 4096
echo ">>>>> CA Cert"
openssl req -x509 -new -nodes -key towerrootCA.key -sha256 -extensions v3_ca -config conf.file -days 365 -out towerrootCA.crt

echo ">>>>> Server Key"
openssl genrsa -out tower.key 2048
echo ">>>>> Server csr"
openssl req -new -sha256 -key tower.key -subj “/C=FR/ST=FR/O=MyNas/CN=tower” -extensions v3_req -out tower.csr

echo ">>>>> Server cert"
openssl x509 -req -in tower.csr -CA towerrootCA.crt -CAkey towerrootCA.key -CAcreateserial -out tower.crt -extensions v3_req -days 365 -sha256 -extfile conf.file

cat tower.crt towerrootCA.crt > finalcertif.crt

With conf.file :

distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
C = FR
L = Local
O = MyNas
OU = MyNas
CN = tower
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = u/alt_names
DNS.1 = tower
DNS.2 = tower.local
DNS.3 = tower:18443

I access my bitwarden server with https://tower:18443/bitwarden

I’ve imported my towerrootCA.crt on my computer and on my android phone. My Web Browsers trust the finalcertif.crt (both on computers and Android) but the bitwarden application keeps showing me the error. Do you have any idea ?

Thank you in advance for your help guys,

Just a suggestion – life is much easier having real certificates, and I’d suggest you focus your energy on setting that up instead of managing your own CA.

An example:

1 Like

Many thanks for you reply !

Considering your method would require me to setup a private DNS or modifying hosts file on all my endpoints to make sure that the duckdns subdomain return the bitwardenrs IP, is that right ?

Could it be possible that the Android fails because of the URL I provided in the settings ? I mean “https://tower:18443/bitwarden” is not just a subdomain, it contains ports and a path, could it be something not handled by the android app ?


No, DuckDNS provides the DNS server. You don’t need to run any additional server. All you need to do is create an account there and add a DNS entry. Modifying your /etc/hosts files won’t work for this purpose.

Very unlikely. If it works in your other clients, you probably have an issue with loading your certs, such as not providing the full cert chain. But as I said, getting real certs is much better since you don’t need to worry about whether your certs were generated correctly, or bother with loading them on your various devices.

Ok i got it, so as I understood, caddy would be used as a reverse proxy internally ?

Ok, I finally got that working with your DNS validation method. Thanks a lot for having put me on the right way man.

All is working with :

  • DuckDNS subdomain
  • SWAG reverse proxy with DNS validation (SWAG setup - LinuxServer.io)
  • My Nextcloud and Bitwarden containers work fine with the generated certificate. All is ok on android app :slight_smile: