Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. App Wishlist
  3. Bitwarden - Self-hosted password manager

Bitwarden - Self-hosted password manager

Scheduled Pinned Locked Moved Solved App Wishlist
218 Posts 20 Posters 131.9k Views 29 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    wrote on last edited by
    #137

    Still gettin errors:

    osboxes@osboxes:~/bitwardenrs-app$ cloudron update --app bit
    Will update app at location bit
     => Waiting for app to be updated 
     => Starting ... ...
     => Backup - Snapshotting app bit.mydomain.de ..
     => Backup - undefined 
     => Downloading image ...........................................
    App update error: Installation failed: undefined
    
    osboxes@osboxes:~/bitwardenrs-app$ sudo cloudron update --app bit
    Will update app at location bit
    Failed to update app: 409 message: Not allowed in error state
    
    fbartelsF 1 Reply Last reply
    0
    • necrevistonnezrN necrevistonnezr

      Still gettin errors:

      osboxes@osboxes:~/bitwardenrs-app$ cloudron update --app bit
      Will update app at location bit
       => Waiting for app to be updated 
       => Starting ... ...
       => Backup - Snapshotting app bit.mydomain.de ..
       => Backup - undefined 
       => Downloading image ...........................................
      App update error: Installation failed: undefined
      
      osboxes@osboxes:~/bitwardenrs-app$ sudo cloudron update --app bit
      Will update app at location bit
      Failed to update app: 409 message: Not allowed in error state
      
      fbartelsF Offline
      fbartelsF Offline
      fbartels
      App Dev
      wrote on last edited by
      #138

      @necrevistonnezr it seems to fail at downloading the image, so it has nothing to do with the app per se.

      Can you also post the output of cloudron build?

      Maybe it could also help to remove the existing app before (but since it fails at downloading I would doubt that).

      1 Reply Last reply
      0
      • necrevistonnezrN Offline
        necrevistonnezrN Offline
        necrevistonnezr
        wrote on last edited by
        #139

        Output of cloudron build:

        Building locally as necrevistonnezr/bitwardenrs:20191210-094936-34576695f
        
        Sending build context to Docker daemon  114.2kB
        
        Step 1/28 : FROM "bitwardenrs/server:1.13.0-alpine" as bitwarden
         ---> c0f785714c65
        Step 2/28 : FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617
         ---> 534bd0efda10
        Step 3/28 : ENV ROCKET_ENV "staging"
         ---> Using cache
         ---> 08e348a2d671
        Step 4/28 : ENV ROCKET_PORT=3000
         ---> Using cache
         ---> 4f829684eb90
        Step 5/28 : ENV ROCKET_WORKERS=10
         ---> Using cache
         ---> 4c341fbb8b34
        Step 6/28 : ENV DATA_FOLDER=/app/data
         ---> Using cache
         ---> 624de75507eb
        Step 7/28 : ENV CONFIG_FILE=/app/data/config.json
         ---> Using cache
         ---> df63ce28a824
        Step 8/28 : ENV SIGNUPS_ALLOWED=false
         ---> Using cache
         ---> 98489eda2ecf
        Step 9/28 : ENV INVITATIONS_ALLOWED=true
         ---> Using cache
         ---> 363bd3b89949
        Step 10/28 : ENV WEBSOCKET_ENABLED=true
         ---> Using cache
         ---> c3ab1f3b150c
        Step 11/28 : ENV DISABLE_ADMIN_TOKEN=true
         ---> Using cache
         ---> 57d590406e2c
        Step 12/28 : RUN mkdir -p /app/data
         ---> Using cache
         ---> bf796d6b68b4
        Step 13/28 : VOLUME /app/data
         ---> Using cache
         ---> af0388a6c7c5
        Step 14/28 : EXPOSE 80
         ---> Using cache
         ---> c4e5fc4eef9c
        Step 15/28 : EXPOSE 3012
         ---> Using cache
         ---> 0d3be2006979
        Step 16/28 : RUN rm /etc/apache2/sites-enabled/*
         ---> Using cache
         ---> 128658526e5f
        Step 17/28 : RUN sed -e 's,^ErrorLog.*,ErrorLog "|/bin/cat",' -i /etc/apache2/apache2.conf
         ---> Using cache
         ---> 460b63a85e66
        Step 18/28 : RUN a2disconf other-vhosts-access-log
         ---> Using cache
         ---> b660416c4b47
        Step 19/28 : COPY apache.conf /etc/apache2/sites-enabled/bitwarden.conf
         ---> Using cache
         ---> 380066c29b0c
        Step 20/28 : RUN a2enmod ldap authnz_ldap proxy proxy_http proxy_wstunnel rewrite
         ---> Using cache
         ---> 5d85bcdb4449
        Step 21/28 : COPY --from=bitwarden /web-vault /app/code/web-vault
         ---> Using cache
         ---> 8c8e6cd0a79a
        Step 22/28 : COPY --from=bitwarden /bitwarden_rs /app/code/
         ---> Using cache
         ---> 23aa34133bc8
        Step 23/28 : COPY --from=bitwarden /Rocket.toml /app/code/
         ---> Using cache
         ---> 16d854c4cdb4
        Step 24/28 : ADD supervisor/ /etc/supervisor/conf.d/
         ---> Using cache
         ---> 94e6be8b3e39
        Step 25/28 : RUN sed -e 's,^logfile=.*$,logfile=/run/supervisord.log,' -i /etc/supervisor/supervisord.conf
         ---> Using cache
         ---> a4b630549d9e
        Step 26/28 : WORKDIR /app/code
         ---> Using cache
         ---> ac66a3410991
        Step 27/28 : COPY start.sh /app/code/start.sh
         ---> Using cache
         ---> 8fee6c91fd4a
        Step 28/28 : CMD [ "/app/code/start.sh" ]
         ---> Using cache
         ---> ebd0cc6480c9
        Successfully built ebd0cc6480c9
        Successfully tagged necrevistonnezr/bitwardenrs:20191210-094936-34576695f
        
        Pushing necrevistonnezr/bitwardenrs:20191210-094936-34576695f
        The push refers to repository [docker.io/necrevistonnezr/bitwardenrs]
        59ca39a8baf6: Preparing
        d20566396bfd: Preparing
        426f40b89686: Preparing
        351495e80404: Preparing
        205c5dee79e1: Preparing
        4f9345d26f82: Preparing
        ffd05eeb91b1: Preparing
        5418b55c5d1d: Preparing
        92cad9313b91: Preparing
        0ea137c0c63c: Preparing
        16ef7d4b2f8e: Preparing
        f8a2b79c8722: Preparing
        5648d21d9467: Preparing
        bfe34f2cfbd0: Preparing
        83a42f6af455: Preparing
        f81e4eb4d80a: Preparing
        cd78fba29389: Preparing
        5662a07238a1: Preparing
        8d7ea83e3c62: Preparing
        6a061ee02432: Preparing
        f73b2816c52a: Preparing
        6267b420796f: Preparing
        a30b835850bf: Preparing
        5648d21d9467: Waiting
        bfe34f2cfbd0: Waiting
        83a42f6af455: Waiting
        f81e4eb4d80a: Waiting
        cd78fba29389: Waiting
        4f9345d26f82: Waiting
        5662a07238a1: Waiting
        8d7ea83e3c62: Waiting
        6a061ee02432: Waiting
        ffd05eeb91b1: Waiting
        5418b55c5d1d: Waiting
        f73b2816c52a: Waiting
        6267b420796f: Waiting
        92cad9313b91: Waiting
        0ea137c0c63c: Waiting
        16ef7d4b2f8e: Waiting
        f8a2b79c8722: Waiting
        a30b835850bf: Waiting
        351495e80404: Layer already exists
        205c5dee79e1: Layer already exists
        d20566396bfd: Layer already exists
        426f40b89686: Layer already exists
        59ca39a8baf6: Layer already exists
        4f9345d26f82: Layer already exists
        ffd05eeb91b1: Layer already exists
        0ea137c0c63c: Layer already exists
        16ef7d4b2f8e: Layer already exists
        f8a2b79c8722: Layer already exists
        92cad9313b91: Layer already exists
        5418b55c5d1d: Layer already exists
        5648d21d9467: Layer already exists
        bfe34f2cfbd0: Layer already exists
        f81e4eb4d80a: Layer already exists
        5662a07238a1: Layer already exists
        cd78fba29389: Layer already exists
        8d7ea83e3c62: Layer already exists
        83a42f6af455: Layer already exists
        6a061ee02432: Layer already exists
        f73b2816c52a: Layer already exists
        6267b420796f: Layer already exists
        a30b835850bf: Layer already exists
        20191210-094936-34576695f: digest: sha256:ab443082901c6beac8d3e222448e20436b5e4d51c380bc2146f1f8d868ce06d4 size: 5114
        

        And how do I get past the 409 message: Not allowed in error state?

        1 Reply Last reply
        0
        • fbartelsF Offline
          fbartelsF Offline
          fbartels
          App Dev
          wrote on last edited by
          #140

          I don't know enough about the internal workings of cloudron to give a definite answer, but from what I see I would guess your first install failed (because it could seemingly not fetch the right image) and now the app is in a failed state.

          One way to get out of this is to try restore an earlier backup (but it also said => Backup - undefined ) so its unclear if one exists, or remove the app and start anew.

          1 Reply Last reply
          0
          • necrevistonnezrN Offline
            necrevistonnezrN Offline
            necrevistonnezr
            wrote on last edited by
            #141

            Thanks for the hint. In the control panel, I have the following error:

            An error occurred during the operation: Docker Error: Unable to pull image. Please check the network or if the image needs authentication. statusCode: 404
            
            1 Reply Last reply
            0
            • necrevistonnezrN Offline
              necrevistonnezrN Offline
              necrevistonnezr
              wrote on last edited by
              #142

              Stupid me! My docker repository was set to private!
              Once made public - at least for the time of updating - a simple click on "repair" in the Cloudron control panel was enough!

              fbartelsF 1 Reply Last reply
              0
              • necrevistonnezrN necrevistonnezr

                Stupid me! My docker repository was set to private!
                Once made public - at least for the time of updating - a simple click on "repair" in the Cloudron control panel was enough!

                fbartelsF Offline
                fbartelsF Offline
                fbartels
                App Dev
                wrote on last edited by
                #143

                @necrevistonnezr then this here in the settings would probably be helpful for you: 5acc412e-8e7d-4e98-9c2b-b3ca716e1ccc-image.png

                1 Reply Last reply
                1
                • M Offline
                  M Offline
                  moonmeister
                  wrote on last edited by
                  #144

                  For those using this. Does/will it support 2FA, and what kind? I'm mostly interested in Yubikey support. Thanks.

                  1 Reply Last reply
                  1
                  • iamthefijI Offline
                    iamthefijI Offline
                    iamthefij
                    App Dev
                    wrote on last edited by
                    #145

                    Yes. It supports a variety of 2FA including YubiKey.

                    1 Reply Last reply
                    2
                    • d19dotcaD Offline
                      d19dotcaD Offline
                      d19dotca
                      wrote on last edited by
                      #146

                      Happy New Year everybody! 🙂

                      Just learned how to deploy a custom app using Bitwarden as the test, but seeing as it should be delivered soon, figured I'd wait for the more official release. So on that note... is there any ETA yet for this app @girish or @nebulon by any chance? If it's going to be a month or two I may start with the custom app, but figured if it'd be just another week or two (or just less than a month), then I'll just wait it out.

                      Thanks again for all the work you guys do - including everyone else in this thread, as I was able to learn a lot from reviewing everything you all wrote! 🙂

                      --
                      Dustin Dauncey
                      www.d19.ca

                      1 Reply Last reply
                      4
                      • girishG Offline
                        girishG Offline
                        girish
                        Staff
                        wrote on last edited by girish
                        #147

                        Sorry for the delay, back to working on getting this published.

                        As a prelude, I have written to the upstream project to see if there is a chance of getting bitwarden (the .net project) working with a database other than MSSQL. As it stands, Cloudron cannot run the main project in a supported fashion.

                        Now for Bitwarden Rust, I built @iamthefij's project and it works great.

                        The current LDAP integration will essentially sync periodically and auto-invite users. I think this is awesome. However, Cloudron has a few limitations:

                        1. Apps are installed with 'all users' by default. This would mean all users on Cloudron will get invited/get email on installation. @iamthefij Maybe we can add a flag to not send email even if smtp is configured? My understanding is that this way LDAP users first have to 'create account' to get themselves an invite. Non-LDAP users won't get an invite. (https://github.com/dani-garcia/bitwarden_rs/wiki/Syncing-users-from-LDAP)

                        2. I guess we should disable users somewhere in https://github.com/ViViDboarder/bitwarden_rs_ldap/blob/master/src/main.rs#L107 when users go away from LDAP?

                        If 1 is not possible, I am also open to publishing the app without LDAP integrated directly. i.e we just include the binary and add docs to tell the user to run the command from the web terminal. That way they are aware email is going to be sent.

                        For 2, if you think that is outside the scope of an "invitation" system, then I think we should disable the ldap addon but include the bitwarden_ldap binary (this is just to be consistent with all our other apps wrt access control). We can add something in Cloudron to get credentials to the ldap server. That way, user can run the binary with the credentials directly.

                        d19dotcaD 1 Reply Last reply
                        1
                        • girishG girish

                          Sorry for the delay, back to working on getting this published.

                          As a prelude, I have written to the upstream project to see if there is a chance of getting bitwarden (the .net project) working with a database other than MSSQL. As it stands, Cloudron cannot run the main project in a supported fashion.

                          Now for Bitwarden Rust, I built @iamthefij's project and it works great.

                          The current LDAP integration will essentially sync periodically and auto-invite users. I think this is awesome. However, Cloudron has a few limitations:

                          1. Apps are installed with 'all users' by default. This would mean all users on Cloudron will get invited/get email on installation. @iamthefij Maybe we can add a flag to not send email even if smtp is configured? My understanding is that this way LDAP users first have to 'create account' to get themselves an invite. Non-LDAP users won't get an invite. (https://github.com/dani-garcia/bitwarden_rs/wiki/Syncing-users-from-LDAP)

                          2. I guess we should disable users somewhere in https://github.com/ViViDboarder/bitwarden_rs_ldap/blob/master/src/main.rs#L107 when users go away from LDAP?

                          If 1 is not possible, I am also open to publishing the app without LDAP integrated directly. i.e we just include the binary and add docs to tell the user to run the command from the web terminal. That way they are aware email is going to be sent.

                          For 2, if you think that is outside the scope of an "invitation" system, then I think we should disable the ldap addon but include the bitwarden_ldap binary (this is just to be consistent with all our other apps wrt access control). We can add something in Cloudron to get credentials to the ldap server. That way, user can run the binary with the credentials directly.

                          d19dotcaD Offline
                          d19dotcaD Offline
                          d19dotca
                          wrote on last edited by
                          #148

                          @girish Do all users on the system automatically get invited? I didn't see that in my experience when I deployed the same app the other day, I had to manually invite myself through the /admin panel. I'm going to be a bit embarrassed if all my clients on the server got an email invite without me knowing 😬

                          --
                          Dustin Dauncey
                          www.d19.ca

                          rmdesR 1 Reply Last reply
                          0
                          • d19dotcaD d19dotca

                            @girish Do all users on the system automatically get invited? I didn't see that in my experience when I deployed the same app the other day, I had to manually invite myself through the /admin panel. I'm going to be a bit embarrassed if all my clients on the server got an email invite without me knowing 😬

                            rmdesR Offline
                            rmdesR Offline
                            rmdes
                            wrote on last edited by
                            #149

                            @d19dotca other LDAP enabled apps never invite anyone and don't even create the profile/user before that particular user actually login..not sure if that answer your use case..

                            1 Reply Last reply
                            0
                            • girishG Offline
                              girishG Offline
                              girish
                              Staff
                              wrote on last edited by girish
                              #150

                              My understanding of the way it works is: Each Bitwarden user has a "master" password (also the login password). This password is set by a user when they setup their account (via an invitation email - this is the only way to finish account setup). There is no mechanism to create a user with a pre-setup password (like changeme) on the server. This is because all the encryption/key generation happens on the clients. The clients get the master password, generate keys etc and just send it to the server.

                              What this means is that Cloudron/LDAP password cannot be used as a login mechanism for Bitwarden. What the LDAP integration in the current Cloudron package does is to basically get the list of all users in Cloudron via LDAP and just sends them invitation emails (it does this periodically). This way each user can click on the invitation email, setup a master password and start using Bitwarden. Because Cloudron apps are installed with "all users" access restriction as the default, this would mean that the LDAP integration sends invitation email to all Cloudron users. In addition, if you change Cloudron/LDAP password or even delete the user in Cloudron, there is no effect in Bitwarden. This is quite different from how all other apps behave.

                              @d19dotca does that clarify?

                              d19dotcaD 1 Reply Last reply
                              0
                              • iamthefijI Offline
                                iamthefijI Offline
                                iamthefij
                                App Dev
                                wrote on last edited by iamthefij
                                #151

                                Should be possible, like some other apps, to have the option of enabling automatic invites or forego it.

                                Technically, user management is local to the application. Invites is all that is really happening.

                                It should also be possible to silently invite users. This means that any user can sign up in the application directly as long as their email has been added to the invite list. May have to patch the core application for that, but certainly doable. If this sounds preferable, I can look into that.

                                As for disabling customers, it should also be possible. It was also planned, but just not implemented yet. Disabling does sound risky though as cutting off access to a password manager could be extremely disruptive.

                                fbartelsF 1 Reply Last reply
                                0
                                • girishG girish

                                  My understanding of the way it works is: Each Bitwarden user has a "master" password (also the login password). This password is set by a user when they setup their account (via an invitation email - this is the only way to finish account setup). There is no mechanism to create a user with a pre-setup password (like changeme) on the server. This is because all the encryption/key generation happens on the clients. The clients get the master password, generate keys etc and just send it to the server.

                                  What this means is that Cloudron/LDAP password cannot be used as a login mechanism for Bitwarden. What the LDAP integration in the current Cloudron package does is to basically get the list of all users in Cloudron via LDAP and just sends them invitation emails (it does this periodically). This way each user can click on the invitation email, setup a master password and start using Bitwarden. Because Cloudron apps are installed with "all users" access restriction as the default, this would mean that the LDAP integration sends invitation email to all Cloudron users. In addition, if you change Cloudron/LDAP password or even delete the user in Cloudron, there is no effect in Bitwarden. This is quite different from how all other apps behave.

                                  @d19dotca does that clarify?

                                  d19dotcaD Offline
                                  d19dotcaD Offline
                                  d19dotca
                                  wrote on last edited by
                                  #152

                                  @girish Yes I think that clarifies then. Thank you for explaining it. I thought from your earlier post you meant that all LDAP users registered on the Cloudron server would automatically be invited to use Bitwarden and I was worried there for a second. haha. My experience is what you explained most recently in that the invite needs to be manually done through the Bitwarden admin area.

                                  --
                                  Dustin Dauncey
                                  www.d19.ca

                                  1 Reply Last reply
                                  0
                                  • iamthefijI iamthefij

                                    Should be possible, like some other apps, to have the option of enabling automatic invites or forego it.

                                    Technically, user management is local to the application. Invites is all that is really happening.

                                    It should also be possible to silently invite users. This means that any user can sign up in the application directly as long as their email has been added to the invite list. May have to patch the core application for that, but certainly doable. If this sounds preferable, I can look into that.

                                    As for disabling customers, it should also be possible. It was also planned, but just not implemented yet. Disabling does sound risky though as cutting off access to a password manager could be extremely disruptive.

                                    fbartelsF Offline
                                    fbartelsF Offline
                                    fbartels
                                    App Dev
                                    wrote on last edited by
                                    #153

                                    @iamthefij said in Bitwarden - Self-hosted password manager:

                                    This means that any user can sign up in the application directly as long as their email has been added to the invite list.

                                    I think there was already an option to only allow signups from specific mail domains.

                                    iamthefijI 1 Reply Last reply
                                    0
                                    • fbartelsF fbartels

                                      @iamthefij said in Bitwarden - Self-hosted password manager:

                                      This means that any user can sign up in the application directly as long as their email has been added to the invite list.

                                      I think there was already an option to only allow signups from specific mail domains.

                                      iamthefijI Offline
                                      iamthefijI Offline
                                      iamthefij
                                      App Dev
                                      wrote on last edited by
                                      #154

                                      @fbartels yes. You can whitelist an entire domain. That will not allow whitelisting particular people on that domain though. So group or other constraints that we get with LDAP integration would not be supported.

                                      The issue is that by default if sending mail is enabled Bitwarden will send an invite email with a particular invite code for any newly invited user: https://github.com/dani-garcia/bitwarden_rs/blob/88c56de97b48bb5b9b8af350d0d0e0d5f080ff0e/src/api/admin.rs#L163

                                      An option to suppress this without disabling email entirely would allow whitelisting (and possibly revoking) users based on an LDAP query.

                                      1 Reply Last reply
                                      0
                                      • iamthefijI Offline
                                        iamthefijI Offline
                                        iamthefij
                                        App Dev
                                        wrote on last edited by
                                        #155

                                        As a short term, I can enable the optionalSso manifest option and disable LDAP integration when the user specifies.

                                        1 Reply Last reply
                                        0
                                        • iamthefijI Offline
                                          iamthefijI Offline
                                          iamthefij
                                          App Dev
                                          wrote on last edited by iamthefij
                                          #156

                                          And done. Just pushed an update that allows disabling of SSO entirely and should fall back to the administrator manually inviting folks via the /admin page. I have not had a chance to test this though.

                                          https://git.cloudron.io/iamthefij/bitwardenrs-app

                                          1 Reply Last reply
                                          0
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Categories
                                          • Recent
                                          • Tags
                                          • Popular
                                          • Bookmarks
                                          • Search