rustls-tls-native-roots does not use user added certificates in /etc/ssl/certs for SSO #7073

inhinias · 2026-04-09T14:15:56Z

inhinias
Apr 9, 2026

Issue:

Running a SSO service (Keycloak, Authentik, Authelia etc.) under a private CA or a selfsigned cert, i get a "Failed to discover OpenID provider: 400 Bad Request"
Opening the Vaultwarden SSO page just shows a JSON response with the same error as above.
This happens even when adding the CA-cert to /etc/ssl/certs. Or adding it via update-ca-certs.

What Resolves the issue:

Setting the auth server to HTTP
Adding .danger_accept_invalid_certs(true) to the reqwest client builder in sso_client.rs, line 61_
Changing Cargo.toml, Line 147 to features = ["native-tls", ... from features = ["rustls-tls", "rustls-tls-native-roots", ...

Cause analysis:

Apparantly rustls-tls-native-roots does not load any new certificate in /etc/ssl/certs
Using curl within the container to query the auth servers ".well-known" endpoint does not result in a TLS error, providing the root CA being in the mentioned /etc folder.

Further Details:

Docker image: latest/1.35.4
SSO-Providers Tested: Authelia & Authentik
Private CA Used
Everything is running behind a Caddy reverse proxy. This proxy also adds all the necessary certificates to the auth server and Vaultwarden.

Similar discussions

#6785
-> Apparently the wrong certificate was volume mounted

#6409
-> Volume mounting the hosts ca-certificates.crt or the CA cert solved it. It did not in my case.

#6553
-> SSL subject hash did not fix my issue

#6241
-> Mentions that all configured URL's should have a trailing slash. Which mine have.

I can post config/compose files, if it is of any relevance.

Answered by inhinias

Apr 10, 2026

After bouncing around with some of reqwest's features in a minimal sample program, I found that for some reason the featureset used in Vaultwarden doesn't like ECDSA with SHA512 Certificates. Using SHA384 or lower fixes the issue.
I think this might get resolved by updating to reqwest v0.13.x. I haven't had the time to extensively test that version, as it changed the entire approach to tls.

Having applied the updated cert, it worked with just volume mounting the root CA to /etc/ssl/certs. No need for SSL_CERT_DIR or SSL_CERT_FILE.

View full answer

BlackDex · 2026-04-09T16:57:54Z

BlackDex
Apr 9, 2026
Collaborator

Have you defined SSL_CERT_DIR? Else it will only use hashed ones if I'm correct from the top of my head.

1 reply

inhinias Apr 10, 2026
Author

After bouncing around with some of reqwest's features in a minimal sample program, I found that for some reason the featureset used in Vaultwarden doesn't like ECDSA with SHA512 Certificates. Using SHA384 or lower fixes the issue.
I think this might get resolved by updating to reqwest v0.13.x. I haven't had the time to extensively test that version, as it changed the entire approach to tls.

Having applied the updated cert, it worked with just volume mounting the root CA to /etc/ssl/certs. No need for SSL_CERT_DIR or SSL_CERT_FILE.

Answer selected by inhinias

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

rustls-tls-native-roots does not use user added certificates in /etc/ssl/certs for SSO #7073

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

rustls-tls-native-roots does not use user added certificates in /etc/ssl/certs for SSO #7073

Uh oh!

inhinias Apr 9, 2026

Issue:

What Resolves the issue:

Cause analysis:

Further Details:

Similar discussions

Replies: 1 comment · 1 reply

Uh oh!

BlackDex Apr 9, 2026 Collaborator

Uh oh!

Uh oh!

inhinias Apr 10, 2026 Author

inhinias
Apr 9, 2026

Replies: 1 comment 1 reply

BlackDex
Apr 9, 2026
Collaborator

inhinias Apr 10, 2026
Author