Solved Bitwarden - Self-hosted password manager

iamthefij

@girish roger. That worked! Now I'm getting some new error from within Bitwarden_rs, which is good and means that it's actually hitting the server!

@fbartels got it. That could also be facilitated using an ARG.

It doesn't matter too much. The difference is really just in caching, but it doesn't look like the Cloudron build servers do caching.

iamthefij

@fbartels I'm not sure if something is different in my configuration... but if I visit my site at bitwarden.example.com/admin from a private window with no cookies, I'm not getting a basic auth prompt.

Is that working for you?

iamthefij

@girish is there anything that might prevent this container from querying LDAP?

I'm getting the following error:

Jun 27 18:30:57 thread 'main' panicked at 'rc=1 (operationsError), dn: "ou=users, dc=cloudron", text: "No such app"', src/main.rs:21:9

To verify that it's something to do with the cron container, I generate the config file and cat it to the log in the main application as well as the schedule container. I diffed the two configs and they are identical.

However, when I run the sync script from the terminal attached to the main container, it works correctly. From the scheduled container, I get this error.

Any ideas? I'm actually unable to find out where the "No such app" comes from. It is a pretty generic term, so searching online isn't much help. I did check the bitwarden_ldap_sync codebase, the Rust ldap3 codebase, and the box codebase, but no luck.

girish

@iamthefij I think that's the LDAP server not allowing scheduler containers from accessing it. Can you try this - https://git.cloudron.io/cloudron/box/commit/22d731f06da98af196c43e6713bf0ce551107fa6 ?

iamthefij

@girish woo!!! That did it! I'll just clean up all the stuff I did for debugging and I can publish it after the next Cloudron update.

iamthefij

@fbartels in addition to the admin page issue described above, I'm running into email sending issues again.

This time I'm not having success with any setting.

Explicit TLS only: Bitwarden hangs and times out when trying to invite/send with a panic:

Jun 28 03:35:56 thread 'main' panicked at 'Could not call with http://90859b46-d863-4609-a83a-79c5f010254c:3000/admin/invite. Error { kind: Io(Custom { kind: TimedOut, error: StringError("timed out") }), url: Some("http://90859b46-d863-4609-a83a-79c5f010254c:3000/admin/invite") }', src/bw_admin.rs:134:21
Jun 28 03:35:56 stack backtrace:
Jun 28 03:35:56 0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
Jun 28 03:35:56 at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
Jun 28 03:35:56 1: std::sys_common::backtrace::_print
Jun 28 03:35:56 at src/libstd/sys_common/backtrace.rs:70
Jun 28 03:35:56 2: std::panicking::default_hook::{{closure}}
Jun 28 03:35:56 at src/libstd/sys_common/backtrace.rs:58
Jun 28 03:35:56 at src/libstd/panicking.rs:200
Jun 28 03:35:56 3: std::panicking::default_hook
Jun 28 03:35:56 at src/libstd/panicking.rs:215
Jun 28 03:35:56 4: std::panicking::rust_panic_with_hook
Jun 28 03:35:56 at src/libstd/panicking.rs:478
Jun 28 03:35:56 5: std::panicking::continue_panic_fmt
Jun 28 03:35:56 at src/libstd/panicking.rs:385
Jun 28 03:35:56 6: std::panicking::begin_panic_fmt
Jun 28 03:35:56 at src/libstd/panicking.rs:340
Jun 28 03:35:56 7: bitwarden_rs_ldap::bw_admin::Client::invite
Jun 28 03:35:56 8: bitwarden_rs_ldap::invite_from_ldap
Jun 28 03:35:56 9: bitwarden_rs_ldap::main
Jun 28 03:35:56 10: std::rt::lang_start::{{closure}}
Jun 28 03:35:56 11: std::panicking::try::do_call
Jun 28 03:35:56 at src/libstd/rt.rs:49
Jun 28 03:35:56 at src/libstd/panicking.rs:297
Jun 28 03:35:56 12: __rust_maybe_catch_panic
Jun 28 03:35:56 at src/libpanic_unwind/lib.rs:87
Jun 28 03:35:56 13: std::rt::lang_start_internal
Jun 28 03:35:56 at src/libstd/panicking.rs:276
Jun 28 03:35:56 at src/libstd/panic.rs:388
Jun 28 03:35:56 at src/libstd/rt.rs:48
Jun 28 03:35:56 14: main

Enable SSL only: Bitwarden hangs and times out when trying to invite/send

Jun 28 03:37:54 [Fri Jun 28 03:37:54.553168 2019] [proxy_http:error] [pid 34] (70007)The timeout specified has expired: [client 172.18.0.1:36626] AH01102: error reading status line from remote server 127.0.0.1:3000, referer: https://bitwarden.iamthefij.com/admin

With both enabled: I get the handshake error.

Jun 28 03:40:52 [2019-06-28 03:40:52][bitwarden_rs::error][ERROR] Error sending email. handshake error

fbartels

@iamthefij yes, http auth is working in my branch.

I think I should add that I am not using the app for my production bitwarden install. This is still running on a different system.

I have also seen quite some weird behaviour in regards to the mail integration, but did not yet have the time or interest in really digging into it.

girish

Given that the email error is Timeout, could it be that the mail server hostname or port configuration is not set correctly?

d19dotca

Sorry if this is a newbie question (somewhat new to Cloudron) but how does one install this as a community app? I have the option for unstable apps showing enabled, but I do not see Bitwarden in the list of apps I can install. Am I missing something?

girish

@d19dotca Apps that are not published yet have to be built by hand. It's easy to build though:

git clone <app repo>
npm install -g cloudron-cli
cloudron build # this will ask your cloudron.io login
cloudron install # this will ask you for your cloudron's login

murgero

@girish Is the cloudron build command usable to all users or just developers right now?

necrevistonnezr

@murgero It's available to anyone, using the cli tool (https://cloudron.io/blog/2017-03-08-cli-part2.html)

murgero

@necrevistonnezr in theory sure, but last I tried (about a month ago) it said my user account was denied access (error 503)

iamthefij

Started digging back into email sending and got closer.

I just noticed that the Cloudron docs say that the STARTLS uses a self signed cert, which makes sense given that the host I'm using is mail and not my.example.com.

So I switched back to unencrypted and enabled more verbose logging. Ended up with:

Jul 25 16:34:22 [2019-07-25 16:34:22][rocket::rocket][INFO] POST /admin//invite/ application/json:
Jul 25 16:34:22 [2019-07-25 16:34:22][_][INFO] Matched: POST /admin/invite (invite_user)
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] connecting to 172.18.0.6:2525
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Read: 220 my.example.com ESMTP Haraka/2.8.23 ready<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp][INFO] connection established to 172.18.0.6:2525
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Wrote: EHLO 90859b46-d863-4609-a83a-79c5f010254c<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Read: 250-my.example.com Hello 90859b46-d863-4609-a83a-79c5f010254c.cloudron [172.18.0.12]Haraka is at your service.<CRLF>250-PIPELINING<CRLF>250-8BITMIME<CRLF>250-SMTPUTF8<CRLF>250-SIZE 26214400<CRLF>250 AUTH LOGIN PLAIN<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp][DEBUG] server my.example.com with {Authentication(Login), Authentication(Plain), SmtpUtfEight, EightBitMime}
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp][INFO] No supported authentication mechanisms available
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Wrote: MAIL FROM:<bitwarden.app@example.com> BODY=8BITMIME SMTPUTF8<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Read: 550 Mail from domain 'example.com' is not allowed from your host<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Wrote: QUIT<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][lettre::smtp::client][DEBUG] Read: 221 my.example.com closing connection. Have a jolly good day.<CRLF>
Jul 25 16:34:22 [2019-07-25 16:34:22][bitwarden_rs::error][ERROR] Error sending email. Mail from domain 'example.com' is not allowed from your host
Jul 25 16:34:22 [2019-07-25 16:34:22][_][INFO] Outcome: Success
Jul 25 16:34:22 172.18.0.1 - User [25/Jul/2019:16:34:22 +0000] "POST /admin/invite/ HTTP/1.1" 400 990 "https://bitwarden.example.com/admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0"
Jul 25 16:34:22 [2019-07-25 16:34:22][_][INFO] Response succeeded.
Jul 25 16:34:24 [Thu Jul 25 16:34:24.254775 2019] [access_compat:error] [pid 32] [client 172.18.0.1:37122] AH01797: client denied by server configuration: proxy:http://127.0.0.1:3000/admin/

So this is definitely more descriptive. Seems like the server is rejecting the request.

girish

: 550 Mail from domain 'example.com' is not allowed from your host<CRLF>

Can you check if the email for example.com is not set to Disabled under the outbound relay email settings?

necrevistonnezr

Tried updating the bitwardenrs-app today to its current domain; usually it would just install (and upgrade) the app. Today I got the following error:

➜ cloudron install
ERROR (node:9463) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification. [ internal/process/warning.js:27:3 ]
Location: bit
ERROR Failed to install app. Domain 'bitwarden.domain.com' is in use [ /Users/user/.nvm/versions/node/v12.7.0/lib/node_modules/cloudron/src/helper.js:68:29 ]

necrevistonnezr

Tried with the LTS node version today - still the same error "Domain is in use". Anyone have an idea why?

girish

@necrevistonnezr You have to delete the DNS entry manually in the DNS provider. What's hapenned is that the dns already has an entry for the subdomain. Cloudron will never overwrite existing DNS records.

This is getting fixed with https://git.cloudron.io/cloudron/box/issues/644. Cloudron will then overwrite DNS entries with that flag set.

If the above is not the issue, maybe there is another app on that subdomain? (Also, check any redirects you have to set for other apps).

necrevistonnezr

@girish said in Bitwarden - Self-hosted password manager:

@necrevistonnezr You have to delete the DNS entry manually in the DNS provider. What's hapenned is that the dns already has an entry for the subdomain. Cloudron will never overwrite existing DNS records.

Where am I supposed to delete the DNS entry? Is the "DNS provider" something in the cloudron control panel?

I have no other apps / redirects regarding that subdomain.

d19dotca

@necrevistonnezr - He means delete the DNS entry from your DNS service provider itself for the domain. So if you already have bitwarden.domain.com in your DNS listing for your domain, then remove the bitwarden entry and then re-create with Cloudron.

necrevistonnezr

@d19dotca said in Bitwarden - Self-hosted password manager:

@necrevistonnezr - He means delete the DNS entry from your DNS service provider itself for the domain. So if you already have bitwarden.domain.com in your DNS listing for your domain, then remove the bitwarden entry and then re-create with Cloudron.

That was not the issue since I did not have a subdomain entry in my DNS settings (I have a wildcard DNS entry). The issue was that cloudron-cli was not able to connect to my cloudron properly (TLS, https issues) for reasons I don't know (I told support about it).

After using cloudron login --allow-selfsigned I was able to build and update the bitwarden...

d19dotca

@necrevistonnezr Ah interesting, good to know you figured that out then. Normally when that error is seen (I came across it quite a lot when setting up new environments on Cloudron as I learned the platform), it was always because I had already defined a "www" subdomain in my DNS provider, for example, so it then needed me to remove it before it could create it automatically by itself.

iamthefij

Ok. So I think I've just figured out the email issue, but don't have a fix yet.

When using the non-smtps connection, the logs show that lettre, the Rust email library that Bitwarden_rs uses, recognizes that the server supports several authentication methods, including Authentication(Plain), which is what swacks uses when successfully sending on the same port. However, lettre refuses to use it because we aren't using an encrypted connection and it doesn't want to send credentials in the clear. (Checked here, defined as empty here).

Unfortunately, using smtps is not a solution either because it appears that lettre is trying to validate the certificate, but that certificate is invalid.

A patch to Bitwarden_rs may be required to tell lettre to allow sending credentials over an insecure connection using this method or by telling it to accept insecure certs.

I'm working on a patch for Bitwarden_rs to allow insecure SSL connections so that it will accept a self signed cert.

iamthefij

Also, it looks like MySQL support is available now. Once I get all the email support sorted out, I'll try to roll that in as well.

iamthefij

@iamthefij Ok. My bitwarden_rs patch works. I'm going to submit that upstream.

girish

@iamthefij Talking to yourself again ?

iamthefij

On another note... There is no Docker image built for MySQL support yet, so I'm writing a new Dockerfile that uses a multi stage built to compile Bitwarden_rs with MySQL support.

fbartels

@iamthefij there is one already at https://github.com/dani-garcia/bitwarden_rs/tree/master/docker/amd64/mysql

iamthefij

@fbartels yes. But not an image on Docker Hub that I can pull from. Instead I'm building a multistage build that looks a lot like that Dockerfile but with the an LDAP layer and the Cloudron layer.

fbartels

@iamthefij it's here https://hub.docker.com/r/bitwardenrs/server-mysql

iamthefij

@fbartels well, I guess I didn't look hard enough! (Edit: Looks like the 1.10.0 release was only 2 hours ago. No wonder I missed it. ) It would be good to roll those all into one image with multiple tags, but I can chat with them about that on Matrix.

Anyway, adding the multi-stage build wasn't terribly hard and cuts out an extra dependency on that build pipeline, which is probably a good thing for a security sensitive project.

Latest on my master is now fully operational. Working email, working ldap sync, working MySQL.

BIG WARNING! There is no migration path from SQLite to MySQL. You should export your vault to CSV or something and then re-import it after migration.

https://git.cloudron.io/iamthefij/bitwardenrs-app

necrevistonnezr

@iamthefij Maybe the migration scripts by the author work that are mentioned here?

* Start bitwarden_rs with and empty mysql database, so diesel can run migrations and set up the schema properly. Do not do anything else.
* Stop bitwarden_rs.
* Dump your existing sqlite database: sqlite3 db.sqlite3 .dump > sqlitedump.sql
* Drop schema creation and diesel metadata from your dump, leaving only your actual data: grep "INSERT INTO" sqlitedump.sql | grep -v "__diesel_schema_migrations" > mysqldump.sql

* Load your MySQL dump: mysql -u bitwarden -p bitwarden < mysqldump.sql

* Start bitwarden_rs
ˋˋˋ

iamthefij

@necrevistonnezr I saw that. Yea, it's possible to do, but it's not something that I think is worth automating given that it could be a bit finicky.

If someone wants to do this, they are welcome to try using the console.

I'm planning to just export and re-import myself.

necrevistonnezr

@iamthefij but import / export does not work for attachments, right? Or are these somehow migrateable?

iamthefij

@necrevistonnezr hmm. I've got no clue. I don't have any attachments and only use Bitwarden to manage passwords.

lukaszj

@iamthefij I've used your build with fixed emails and ldap and it installed well however I'm not sure how to get in.

Bitwarden asks for email so I supply email corresponding to my Cloudron login and Cloudron's password but it says username or password is invalid. Can you suggest something?

iamthefij

@lukaszj you should receive an invite email within a few min of the sync task running. I think it runs every 5 min. You'll need to click the link in that email to create your account.

jimcavoli

With all the activity on this thread, is it likely that Bitwarden will see release in the App Store any time soon? Even as an "unstable" package for easier trial by others?

girish

@jimcavoli We will take this up next week since we are working on getting 4.2 out this week. Will follow up with @iamthefij on what the status is.

iamthefij

@girish it should be good to go. My branch is working with MySQL and LDAP.

I've got two working Dockerfiles. One that compiles the entire project and another that just pulls the binary from the published images on Docker Hub. End result is the same.

lukaszj

Hello @girish is there any progress with releasing Bitwarden to App Store? Thanks!

girish

Unfortunately, not this week. The 4.2 release hit some hiccups. Good news is that we are rolling out 4.2 as we speak. So, we should get to this next week.

lukaszj

@girish Great, can't wait. Fingers crossed!

iamthefij

@girish great to hear! Let me know if there is anything I can do to help.

necrevistonnezr

Again, there's trouble with cloudron cli. I tried to login but it gives me the following errors:

cloudron login --allow-selfsigned
Cloudron Admin Domain: my.domain.com
ERROR (node:51749) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification. [ internal/process/warning.js:27:3 ]
ERROR Cloudron my.domain.com not found.
Try providing the admin location, probably my.my.domain.com [ /Users/user/.nvm/versions/node/v12.7.0/lib/node_modules/cloudron/src/helper.js:71:29 ]

What am I doing wrong?

girish

@necrevistonnezr You almost never have to use --allow-selfsigned Does my.domain.com have the correct cert?

necrevistonnezr

@girish Yes, the situation is the same with or without "--allow-selfsigned"
BTW I'm on macOS 10.15

girish

@necrevistonnezr Can you try using the CLI on the demo cloudron? Like:

cloudron login my.demo.cloudron.io

username and password is cloudron. you can then build and install there. does that entire flow work?

necrevistonnezr

@girish that gives me the same error but pinging works

bitwardenrs-app on master [!?] via ⬢ v12.7.0
➜ cloudron login my.cloudron.io
ERROR (node:55034) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification. [ internal/process/warning.js:27:3 ]
ERROR Cloudron my.cloudron.io not found.
Try providing the admin location, probably my.my.cloudron.io [ /Users/kdj/.nvm/versions/node/v12.7.0/lib/node_modules/cloudron/src/helper.js:71:29 ]
bitwardenrs-app on master [!?] via ⬢ v12.7.0 took 18s
➜ ping my.cloudron.io
PING my.cloudron.io (45.55.2.141): 56 data bytes
64 bytes from 45.55.2.141: icmp_seq=0 ttl=50 time=188.063 ms
64 bytes from 45.55.2.141: icmp_seq=1 ttl=50 time=181.041 ms
64 bytes from 45.55.2.141: icmp_seq=2 ttl=50 time=237.531 ms

lukaszj

Hi @girish is there any update re pushing official Bitwarden to Marketplace? Thanks.

girish

@lukaszj No ETA but it's on our immediate list. Currently, we are pushing out the release that makes it possible to build custom apps without our build service.

lukaszj

@girish Thanks.

murgero

@girish But building apps without the build service is already possible - do you mean that the manifest will allow us to specify a repo and docker image to install? Cause that would be nice!

girish

Just started looking into getting this package published. I also found a related https://github.com/dani-garcia/bitwarden_rs/pull/677 .

iamthefij

@girish I'd be neat if that gets merged, but the maintainers rejected a previous patch for direct LDAP support and that's why it was moved to a different binary. See comments here: https://github.com/dani-garcia/bitwarden_rs/pull/396#issuecomment-464059020

iamthefij

Hey @girish any updates on this? I've been holding off on migrating from my external instance to my Cloudron one because I'm not sure about the process of migrating from the dev one to an official one. Any guidance on when to expect this or if it's possible to preserve the Docker volume would be helpful.

will

@iamthefij said in Bitwarden - Self-hosted password manager:

Hey @girish any updates on this? I've been holding off on migrating from my external instance to my Cloudron one because I'm not sure about the process of migrating from the dev one to an official one. Any guidance on when to expect this or if it's possible to preserve the Docker volume would be helpful.

I'm in the same boat. I am maintaining a VPS solely for Bitwarden access. Would save $10 a month and time if I could roll this out! Thanks for all the hard work!

I tried deploying the Cloudron Bitwarden like below:

Commands run on Cloudron server.

git clone https://git.cloudron.io/fbartels/bitwardenrs-app #Successfully clones to home directory
npm install -g cloudron-cli **#Command fails, no cloudron-cli **
cloudron build # this will ask your cloudron.io login #Never got to this stage
cloudron install # this will ask you for your cloudron's login #Never got to this stage

murgero

@will Those commands do NOT get ran on the cloudron server.

The cloudron CLI is ONLY for use outside of the server (it's the management tool for cli users)

At home, install virtualbox on your computer and create an ubuntu VM. (If you already have a computer with linux, ignore this step, these steps can be installed in windows if you install nodejs and git first)

Then run:

git clone https://git.cloudron.io/fbartels/bitwardenrs-app
cd bitwardenrs-app
## Install NodeJS from https://nodejs.org/en/download/package-manager/
npm install -g cloudron
cloudron build
cloudron install

will

@murgero Thanks! I'm running windows subsystem for linux so I'll give it a shot. Thanks again!

murgero

@will If you plan on building apps using a local docker install, that can only be done on linux (not the subsystem), otherwise using a build service (either the app one or cloudron's cloud build service) is good on any system with nodejs support