App on Android does not connect to Vaultwarden anymore

[toddehb]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

1

Vaultwarden Build Version

latest docker

Deployment method

Official Container Image

Custom deployment method

docker

Reverse Proxy

Sophos XGS

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24

Clients

Android

Client Version

No response

Steps To Reproduce

HI,

I installed Vaultwarden via Docker compose. Was working till yesterday. Then the bitwarden app on my Android 17 Google Pixel 10 pro XL stopped logging my in with this error. Basically it say "we cannot verify the servers certificate. The certificate chain or the proxy settings on your device or on the bitwarden server are setup correctly"

Connecting to vaultwarden via Browser and Linux Desktop App is no problem. I user a WAF on Sophos XGS to secure vaultwarden, but without any protection profile bound to WAF rule

Expected Result

connection

Actual Result

error

Logs

Screenshots or Videos

Additional Context

No response

[toddehb]

I used the flight recorder to genrate the log:
bitwarden.log

[krotname]

This is very likely happening before the request reaches Vaultwarden. Since TLS is terminated by Sophos WAF, Vaultwarden itself usually cannot fix this; the Android Bitwarden client is rejecting the certificate chain that Sophos presents.

Browsers and desktop clients can appear to work while Android fails because they may use a different trust store, cached intermediates, or intermediate fetching. The mobile app is stricter here.

I would check the certificate served by the WAF from outside the server:

openssl s_client -connect your.domain.example:443 -servername your.domain.example -showcerts </dev/null

Things to verify:

1. The WAF serves the full chain: leaf certificate plus intermediate certificate(s), not only the leaf cert.
2. The hostname used in the Android app exactly matches the certificate SAN.
3. Sophos is not presenting an inspection/proxy certificate to the phone.
4. Android resolves the same hostname to the same endpoint as your browser/desktop test.
5. If you use a local name, IP address, Tailscale name, or split DNS, that name must also be covered by the cert SAN.

On Sophos, re-import/assign the certificate as a full-chain bundle if it currently has only the leaf certificate. For PEM-based setups that usually means the server certificate followed by the intermediate CA bundle. Then apply/restart the WAF rule.

A quick external check with SSL Labs or openssl verify should show the same thing: if the chain is incomplete, Android can fail exactly with this Bitwarden message even though the web vault opens in a browser.

[toddehb]

Hi,

in Sophos XGS I already deleted certificate and re-assigned . This did not change anything. I use letsencrypt and all I can do is to assign the automatically created certificate to a WAF rule. I have no influence how Sophos handles this. This setup has worked for many months. I don´t see what has changed all of a sudden. Mayby the Android App does a more strict checking of certificate chain? SSL Labs gives me a chain incomplete. I found a thread with sophos https://community.sophos.com/sophos-xg-firewall/f/discussions/151226/sophos-xg---let-s-encrypt-chain-is-incomplete

[toddehb]

Got it working. Just imported intermediate CAs as PEM in XGS

[HawkM8]

That fixed it. Thank you!

Got it working. Just imported intermediate CAs as PEM in XGS

[cohowap]

Any chance to share what steps were taken? I am having the same issue, but I have a PositiveSSL cert (via Namecheap), everything seems to work across browsers/extensions. Trying to get this setup in TrueNAS, I tried installing the cert while creating the app, no cert with nginx proxy manager in front, and a few other things and still get this same error.

[HawkM8]

Any chance to share what steps were taken? I am having the same issue, but I have a PositiveSSL cert (via Namecheap), everything seems to work across browsers/extensions. Trying to get this setup in TrueNAS, I tried installing the cert while creating the app, no cert with nginx proxy manager in front, and a few other things and still get this same error.

I don´t know anything about TrueNAS but is there a way to upload the full certificate chain as e.g. PEM or is there maybe a way to add Intermediate Certificates as trusted. I guess TrueNas is not showing the full chain, which is fine for you Browser, but not the the App. SSLLabs or openssl should help to find out, if the chain is complete.