Vaultwarden warnings

girish

Recently, I noticed this in our vaultwarden installation:

May 02 10:09:16 [WARNING] The following environment variables are being overriden by the config.json file.
May 02 10:09:16 [WARNING] Please use the admin panel to make changes to them:
May 02 10:09:16 [WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED

Vaultwarden has two ways to configure settings: one via Admin UI and another by environment variables - https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview . The wiki saying env vars is preferred, but the situation is a bit complicated. config.json gets generated by the admin UI . When settings are present both as env vars and in config.json, the above warning is shown.

The solution is to delete the exports in the env.sh . The warning then go away. Also, double check that config.json has:

  "signups_allowed": false,
  "invitations_allowed": false,

girish

There's also this warning in the logs (and also in the admin UI):

2023-05-02T07:56:43.000Z Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
2023-05-02T07:56:43.000Z See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
2023-05-02T07:56:43.000Z [2023-05-02 07:56:43.903][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
2023-05-02T07:56:43.000Z [2023-05-02 07:56:43.905][start][INFO] Rocket has launched from http://127.0.0.1:3000
2023-05-02T07:56:43.000Z [INFO] Using saved config from `/app/data/config.json` for configuration.
2023-05-02T07:56:43.000Z [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.

Important note:

• The admin UI in /admin provides a way to change the password. But this simply stores the password in plain text in config.json . So, the warning does not go away by changing the password in the Admin UI.

To fix this:

• Open a Web terminal and run /app/code/vaultwarden hash

# /app/code/vaultwarden hash
Generate an Argon2id PHC string using the 'bitwarden' preset:

Password: 
Confirm Password: 

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$RCpl3a+FItyn4KBJVAtZ+EyP9+fK0hoRqqo9jEdyRJE$d7UfKfZYsZJad6OIKpzPtO2o2ccLkrHjEi5jXdWWkO0'

Generation of the Argon2id PHC string took: 471.497904ms

• Take that above token and put it in config.json in the field admin_token. Important: remove the single quote around the argon2id string above. JSON does not require it.

• Restart the app and verify if token actually changed.

necrevistonnezr

Added some of this info to the Cloudron docs (i.e. merge request).
Note (as I struggled to login): The token to enter in the admin login page is NOT the generated argon token but the password you used to generate the token.

nebulon

@necrevistonnezr thanks, its merged and public https://docs.cloudron.io/apps/vaultwarden/#admin

murgero

It should be noted that inputting the data incorrectly (I did this on accident) will cause vaultwarden to completely delete the config.json contents in an error.

girish

@murgero whoa really, how can I reproduce this?

murgero

@girish Maybe it was an issue I caused, but what I did was:

• Login to my cloudron
• Go to Vaultwarden app
• Launch file explorer
• edit config.json to put in hash, but left out all quotes (double and single) for the admin_token variable

Like This:

{
  ......
  "admin_token": PretendIAmAHash,
  "disable_admin_token": false,
  ......
}

• Restart the app
• config.json was then COMPLETELY blank (as if Vaultwarden removed all the config due to a bad admin-hash??)

I was able to recover from a previous backup, but others may not be so lucky.

jdaviescoates

@nebulon said in Vaultwarden warnings:

@necrevistonnezr thanks, its merged and public https://docs.cloudron.io/apps/vaultwarden/#admin

Thanks, but these instructions don't work for me

They say:

Therefore, open a web terminal and run

# app/code/vaultwarden hash
Generate an Argon2id PHC string using the 'bitwarden' preset:

Password:
Confirm Password:

But in my web terminal for my Vaultwarden I can't get to app/code/vaultwarden and running hash in app/code/ just results in hash: hash table empty

I also tried typing app/code/vaultwarden hash but that didn't work either, just resulted in bash: app/code/vaultwarden: No such file or directory

And after looking at https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token I also tried just typing vaultwarden hash but that just results in bash: vaultwarden: command not found

Help!

murgero

@jdaviescoates Just to confirm, cause it's not in your post, you need to run /app/code/vaultwarden not app/code/vaultwarden; Linux is VERY particular about file paths lol make sure you have the prefixed / as it is needed to produce a "full path" to the vaultwarden binary.

jdaviescoates

@murgero said in Vaultwarden warnings:

@jdaviescoates Just to confirm, cause it's not in your post, you need to run /app/code/vaultwarden not app/code/vaultwarden; Linux is VERY particular about file paths lol make sure you have the prefixed / as it is needed to produce a "full path" to the vaultwarden binary.

That was it, thank you!

@staff that all important / at the beginning is missing from the docs!

necrevistonnezr

Corrected: https://git.cloudron.io/necrevistonnezr/docs/-/compare/master...105912c6569b655649989167ad84594a412c8292?from_project_id=311

jdaviescoates

@necrevistonnezr thanks! I would've submitted a PR myself but I had to dash out to collect my children from school