Vaultwarden warnings
Recently, I noticed this in our vaultwarden installation:
    May 02 10:09:16 [WARNING] The following environment variables are being overriden by the config.json file.
    May 02 10:09:16 [WARNING] Please use the admin panel to make changes to them:
    May 02 10:09:16 [WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED
Vaultwarden has two ways to configure settings: one via the Admin UI and another via environment variables (https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview). The wiki says env vars are preferred, but the situation is a bit complicated. config.json gets generated by the admin UI. When settings are present both as env vars and in config.json, the above warning is shown.
The solution is to delete the exports in the env.sh. The warning then goes away. Also, double check that config.json has:
    "signups_allowed": false,
    "invitations_allowed": false,
There's also this warning in the logs (and also in the admin UI):
    2023-05-02T07:56:43.000Z Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
    2023-05-02T07:56:43.000Z See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
    2023-05-02T07:56:43.000Z [2023-05-02 07:56:43.903][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
    2023-05-02T07:56:43.000Z [2023-05-02 07:56:43.905][start][INFO] Rocket has launched from http://127.0.0.1:3000
    2023-05-02T07:56:43.000Z [INFO] Using saved config from `/app/data/config.json` for configuration.
    2023-05-02T07:56:43.000Z [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.
Important note:
- The admin UI in /admin provides a way to change the password. But this simply stores the password in plain text in config.json. So, the warning does not go away by changing the password in the Admin UI.
To fix this:
- Open a Web terminal and run /app/code/vaultwarden hash
    # /app/code/vaultwarden hash
    Generate an Argon2id PHC string using the 'bitwarden' preset:
    Password:
    Confirm Password:
    ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$RCpl3a+FItyn4KBJVAtZ+EyP9+fK0hoRqqo9jEdyRJE$d7UfKfZYsZJad6OIKpzPtO2o2ccLkrHjEi5jXdWWkO0'
    Generation of the Argon2id PHC string took: 471.497904ms
- Take that above token and put it in config.json in the field admin_token. Important: remove the single quotes around the argon2id string above. JSON does not require it.
- Restart the app and verify that the token actually changed.
Added some of this info to the Cloudron docs (i.e. merge request).
Note (as I struggled to log in): The token to enter in the admin login page is NOT the generated argon token but the password you used to generate the token.
@necrevistonnezr thanks, it's merged and public https://docs.cloudron.io/apps/vaultwarden/#admin
@girish Maybe it was an issue I caused, but what I did was:
- Log in to my Cloudron
- Go to Vaultwarden app
- Launch file explorer
- Edit config.json to put in hash, but left out all quotes (double and single) for the admin_token variable
Like this:
    {
      ......
      "admin_token": PretendIAmAHash,
      "disable_admin_token": false,
      ......
    }
- Restart the app
- config.json was then COMPLETELY blank (as if Vaultwarden removed all the config due to a bad admin-hash??)
I was able to recover from a previous backup, but others may not be so lucky.
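An added example (not from any post in this thread, and not Cloudron or Vaultwarden code): a Python helper that makes the config.json edit from the first post while guarding against the hand-editing mistake described just above. It validates the Argon2id PHC string, refuses to touch a file that is not valid JSON, keeps a copy and replaces the file atomically; the function names, the .bak suffix and the sample values are assumptions made for this example.

```python
import json, os, re, shutil, tempfile

# Shape of the Argon2id PHC string printed by `vaultwarden hash`.
PHC_RE = re.compile(r"^\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")

def check_config(path):
    """Return a list of problems found in config.json (empty list = fine)."""
    try:
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    token = config.get("admin_token")
    if token is not None and not PHC_RE.match(str(token)):
        return ["admin_token is not an Argon2id PHC string (plain text?)"]
    return []

def set_admin_token(path, phc):
    """Validate the PHC string, back up config.json, then replace it atomically."""
    phc = phc.strip()
    if phc.startswith("ADMIN_TOKEN="):       # accept the line exactly as printed
        phc = phc[len("ADMIN_TOKEN="):]
    phc = phc.strip("'")                     # shell quotes do not belong in the value
    if not PHC_RE.match(phc):
        raise ValueError("not an Argon2id PHC string")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)               # refuse to touch an already-broken file
    st = os.stat(path)
    shutil.copy2(path, path + ".bak")        # recovery copy next to the original
    config["admin_token"] = phc
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)      # the serializer writes the JSON double quotes
        fh.write("\n")
    os.chmod(tmp, st.st_mode & 0o777)        # mkstemp creates 0600; restore the old mode
    try:
        os.chown(tmp, st.st_uid, st.st_gid)  # keep the original owner where permitted
    except PermissionError:
        pass
    os.replace(tmp, path)                    # the file is never left half-written
    return config

if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "config.json")  # constructed throwaway file
    with open(demo, "w") as fh:
        fh.write('{"signups_allowed": false, "admin_token": "plaintext"}')
    print("before:", check_config(demo))
    set_admin_token(demo, "ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$c2FtcGxlc2FsdA$Y29uc3RydWN0ZWQ'")  # made-up PHC
    print("after:", check_config(demo) or "OK")
```

Running check_config against the real file before restarting the app shows a syntax error while the backup copy is still at hand.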
@nebulon said in Vaultwarden warnings:
@necrevistonnezr thanks, it's merged and public https://docs.cloudron.io/apps/vaultwarden/#admin
Thanks, but these instructions don't work for me.
They say:
Therefore, open a web terminal and run
    # app/code/vaultwarden hash
    Generate an Argon2id PHC string using the 'bitwarden' preset:
    Password:
    Confirm Password:
But in my web terminal for my Vaultwarden I can't get to app/code/vaultwarden and running hash in app/code/ just results in hash: hash table empty
I also tried typing app/code/vaultwarden hash but that didn't work either, just resulted in bash: app/code/vaultwarden: No such file or directory
And after looking at https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token I also tried just typing vaultwarden hash but that just results in bash: vaultwarden: command not found
Help!
@jdaviescoates Just to confirm, cause it's not in your post, you need to run /app/code/vaultwarden not app/code/vaultwarden; Linux is VERY particular about file paths lol make sure you have the prefixed / as it is needed to produce a "full path" to the vaultwarden binary.
@murgero said in Vaultwarden warnings:
@jdaviescoates Just to confirm, cause it's not in your post, you need to run /app/code/vaultwarden not app/code/vaultwarden; Linux is VERY particular about file paths lol make sure you have the prefixed / as it is needed to produce a "full path" to the vaultwarden binary.
That was it, thank you!
@staff that all important / at the beginning is missing from the docs!
@necrevistonnezr thanks! I would've submitted a PR myself but I had to dash out to collect my children from school