Vaultwarden warnings

girish

Recently, I noticed this in our vaultwarden installation:

May 02 10:09:16 [WARNING] The following environment variables are being overriden by the config.json file.
May 02 10:09:16 [WARNING] Please use the admin panel to make changes to them:
May 02 10:09:16 [WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED

Vaultwarden has two ways to configure settings: one via Admin UI and another by environment variables - https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview . The wiki saying env vars is preferred, but the situation is a bit complicated. config.json gets generated by the admin UI . When settings are present both as env vars and in config.json, the above warning is shown.

The solution is to delete the exports in the env.sh . The warning then go away. Also, double check that config.json has:

  "signups_allowed": false,
  "invitations_allowed": false,

girish

There's also this warning in the logs (and also in the admin UI):

2023-05-02T07:56:43.000Z Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
2023-05-02T07:56:43.000Z See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
2023-05-02T07:56:43.000Z [2023-05-02 07:56:43.903][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
2023-05-02T07:56:43.000Z [2023-05-02 07:56:43.905][start][INFO] Rocket has launched from http://127.0.0.1:3000
2023-05-02T07:56:43.000Z [INFO] Using saved config from `/app/data/config.json` for configuration.
2023-05-02T07:56:43.000Z [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.

Important note:

The admin UI in /admin provides a way to change the password. But this simply stores the password in plain text in config.json . So, the warning does not go away by changing the password in the Admin UI.

To fix this:

Open a Web terminal and run /app/code/vaultwarden hash

# /app/code/vaultwarden hash
Generate an Argon2id PHC string using the 'bitwarden' preset:

Password: 
Confirm Password: 

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$RCpl3a+FItyn4KBJVAtZ+EyP9+fK0hoRqqo9jEdyRJE$d7UfKfZYsZJad6OIKpzPtO2o2ccLkrHjEi5jXdWWkO0'

Generation of the Argon2id PHC string took: 471.497904ms

Take that above token and put it in config.json in the field admin_token. Important: remove the single quote around the argon2id string above. JSON does not require it.
Restart the app and verify if token actually changed.

necrevistonnezr

Added some of this info to the Cloudron docs (i.e. merge request).
Note (as I struggled to login): The token to enter in the admin login page is NOT the generated argon token but the password you used to generate the token.

nebulon

@necrevistonnezr thanks, its merged and public https://docs.cloudron.io/apps/vaultwarden/#admin

murgero

It should be noted that inputting the data incorrectly (I did this on accident) will cause vaultwarden to completely delete the config.json contents in an error.

girish

@murgero whoa really, how can I reproduce this?

murgero

@girish Maybe it was an issue I caused, but what I did was:

Login to my cloudron
Go to Vaultwarden app
Launch file explorer
edit config.json to put in hash, but left out all quotes (double and single) for the admin_token variable

Like This:

{
  ......
  "admin_token": PretendIAmAHash,
  "disable_admin_token": false,
  ......
}

Restart the app
config.json was then COMPLETELY blank (as if Vaultwarden removed all the config due to a bad admin-hash??)

I was able to recover from a previous backup, but others may not be so lucky.

jdaviescoates

@nebulon said in Vaultwarden warnings:

@necrevistonnezr thanks, its merged and public https://docs.cloudron.io/apps/vaultwarden/#admin

Thanks, but these instructions don't work for me

They say:

Therefore, open a web terminal and run

# app/code/vaultwarden hash
Generate an Argon2id PHC string using the 'bitwarden' preset:

Password:
Confirm Password:

But in my web terminal for my Vaultwarden I can't get to app/code/vaultwarden and running hash in app/code/ just results in hash: hash table empty

I also tried typing app/code/vaultwarden hash but that didn't work either, just resulted in bash: app/code/vaultwarden: No such file or directory

And after looking at https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token I also tried just typing vaultwarden hash but that just results in bash: vaultwarden: command not found

Help!

murgero

@jdaviescoates Just to confirm, cause it's not in your post, you need to run /app/code/vaultwarden not app/code/vaultwarden; Linux is VERY particular about file paths lol make sure you have the prefixed / as it is needed to produce a "full path" to the vaultwarden binary.

jdaviescoates

@murgero said in Vaultwarden warnings:

@jdaviescoates Just to confirm, cause it's not in your post, you need to run /app/code/vaultwarden not app/code/vaultwarden; Linux is VERY particular about file paths lol make sure you have the prefixed / as it is needed to produce a "full path" to the vaultwarden binary.

That was it, thank you!

@staff that all important / at the beginning is missing from the docs!

necrevistonnezr

Corrected: https://git.cloudron.io/necrevistonnezr/docs/-/compare/master...105912c6569b655649989167ad84594a412c8292?from_project_id=311

jdaviescoates

@necrevistonnezr thanks! I would've submitted a PR myself but I had to dash out to collect my children from school

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Cloudron Forum

Vaultwarden warnings