jakeswenson / BitBetter

Modify bit warden to provide my own licensing for self hosting
500 stars, 112 forks

bitbetter/identity - always restarting error #118

Closed robina80 closed 2 years ago

robina80 commented 3 years ago

Hi all,

So I upgraded my Bitwarden via BitBetter build.sh and it successfully installed new "bitbetter/api" and "bitbetter/identity", and also when running the license gen it built the bitbetter/license gen.

It upgraded from 1.41.3 to 1.43.0, looking in the admin page.

But when running "docker ps" I get this:

fc1693b74b16 bitbetter/identity "/entrypoint.sh" 11 minutes ago Restarting (139) 56 seconds ago bitwarden-identity

I re-ran the script again and it still fails.

Any help would be very much appreciated.

Edit: I'm using this link to get the latest BitBetter:

wget https://github.com/jakeswenson/BitBetter/archive/refs/heads/master.zip

Thanks, Rob

TheSp1der commented 2 years ago

This appears to be an issue with the process inside the container.

Unhandled exception. System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
 ---> System.Security.Cryptography.CryptographicException: A certificate referenced a private key which was already referenced, or could not be loaded.
   at Internal.Cryptography.Pal.UnixPkcs12Reader.BuildCertsWithKeys(CertBagAsn[] certBags, AttributeAsn[][] certBagAttrs, CertAndKey[] certs, Int32 certBagIdx, SafeBagAsn[] keyBags, RentedSubjectPublicKeyInfo[] publicKeyInfos, AsymmetricAlgorithm[] keys, Int32 keyBagIdx)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(ReadOnlySpan`1 password, ReadOnlyMemory`1 authSafeContents)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.VerifyAndDecrypt(ReadOnlySpan`1 password, ReadOnlyMemory`1 authSafeContents)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password)
   --- End of inner exception stack trace ---
   at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
   at Bit.Core.Utilities.CoreHelpers.GetCertificate(String file, String password)
   at Bit.Core.Utilities.CoreHelpers.GetIdentityServerCertificate(GlobalSettings globalSettings)
   at Bit.Core.Utilities.ServiceCollectionExtensions.AddIdentityServerCertificate(IIdentityServerBuilder identityServerBuilder, IWebHostEnvironment env, GlobalSettings globalSettings)
   at Bit.Identity.Utilities.ServiceCollectionExtensions.AddCustomIdentityServerServices(IServiceCollection services, IWebHostEnvironment env, GlobalSettings globalSettings) in /home/runner/work/server/server/src/Identity/Utilities/ServiceCollectionExtensions.cs:line 25
   at Bit.Identity.Startup.ConfigureServices(IServiceCollection services) in /home/runner/work/server/server/src/Identity/Startup.cs:line 119
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.<UseStartup>b__0(HostBuilderContext context, IServiceCollection services)
   at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at Bit.Identity.Program.Main(String[] args) in /home/runner/work/server/server/src/Identity/Program.cs:line 13

TheSp1der commented 2 years ago

I believe this to be the cause: https://github.com/dotnet/runtime/issues/44535 But I'm not a .NET developer, so I'm having trouble identifying a functional workaround.

robina80 commented 2 years ago

I also read it was a problem because of the new .NET version. Is there any way to roll back the version of .NET?

robina80 commented 2 years ago

Here's a link I found to get it working again

https://github.com/bitwarden/server/issues/1528

TheSp1der commented 2 years ago

Can you be more specific? I re-created my pkcs12 store from the comments and ran the build script but am still running into the issue. Did you perhaps do that after the image was created?

robina80 commented 2 years ago

I haven't even done the above yet. I'm about to, though; I just need downtime to do it.

Luckily I have this on a VM, so I can restore the VM from backup.

TheSp1der commented 2 years ago

You can correct this by:

# Get your certificate pfx password by inspecting your global.override.env file
#     It is stored in this line: globalSettings__identityServer__certificatePassword
#     (note: the value will end up in your shell history and in the environment of
#     every child process of this shell; clear it when you are done)
export CERT_PASS=secret_stuff_here

# In your bitwarden data store locate the `identity` directory and switch to it.
cd data/identity

# Backup your existing data
cp identity.pfx identity.pfx.backup

# Correct your pfx:
#   1. extract only the private key; -nodes writes it to identity.key UNENCRYPTED
openssl pkcs12 -in identity.pfx -nocerts -nodes -out identity.key -passin pass:${CERT_PASS}
#   2. extract only the leaf certificate into identity.crt
openssl pkcs12 -in identity.pfx -clcerts -nokeys -out identity.crt -passin pass:${CERT_PASS}
#   3. re-export a fresh pfx containing exactly that one key and one cert, same password
openssl pkcs12 -export -out identity.pfx -inkey identity.key -in identity.crt -passout pass:${CERT_PASS}

# Remove the plaintext key and cert once the new pfx is in place
rm identity.key identity.crt

This should get you running again.

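The three-command rebuild above (and the same sequence robina80 repeats at the end of the thread) as one complete script. This is an added example, not code from this thread or from the BitBetter project. It assumes openssl is on PATH, the standard Bitwarden layout (bwdata/identity/identity.pfx) and that the password is the value of globalSettings__identityServer__certificatePassword from global.override.env. On top of the bare commands it adds what a practitioner would want before overwriting a production key store: a backup, a check that the extracted key actually matches the extracted certificate, a check that the rebuilt PFX opens with the password before the live file is replaced, and removal of the intermediate files, since -nodes writes the private key to disk unencrypted.

```shell
#!/bin/sh
# Rebuild a Bitwarden identity.pfx so that the .NET 5 PKCS#12 reader accepts it.
# Added example (not from this thread or the BitBetter project). Assumptions:
# openssl is on PATH, the PFX lives at bwdata/identity/identity.pfx, and the
# password is globalSettings__identityServer__certificatePassword from
# global.override.env.
set -eu

# SHA-256 fingerprint of the SubjectPublicKeyInfo in a PEM cert ($2 = cert)
# or PEM private key ($2 = key). Used to prove the rebuilt PFX carries the
# same key pair as the parts that were extracted from the old one.
pubkey_fp() {
  case $2 in
    cert) pem=$(openssl x509 -in "$1" -noout -pubkey) ;;
    key)  pem=$(openssl pkey -in "$1" -pubout) ;;
    *)    echo "pubkey_fp: expected cert or key" >&2; return 2 ;;
  esac
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the PFX parses with the given password, non-zero otherwise.
pfx_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# rebuild_identity_pfx <path/to/identity.pfx> <password>
rebuild_identity_pfx() {
  pfx=$1
  pass=$2
  dir=$(dirname "$pfx")
  umask 077                    # intermediate files hold the raw private key
  work=$(mktemp -d "$dir/rebuild.XXXXXX")

  # 1. Keep an untouched copy of the original store.
  cp -p "$pfx" "$pfx.backup"

  # 2. Split the store: key only (-nodes = unencrypted PEM) and leaf cert only.
  openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$work/identity.key" -passin "pass:$pass"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$work/identity.crt" -passin "pass:$pass"

  # 3. Refuse to continue if the key and cert do not belong together.
  if [ "$(pubkey_fp "$work/identity.crt" cert)" != "$(pubkey_fp "$work/identity.key" key)" ]; then
    echo "identity.key does not match identity.crt; leaving $pfx untouched" >&2
    rm -rf "$work"
    return 1
  fi

  # 4. Re-export a fresh PKCS#12 with exactly one key and one certificate.
  openssl pkcs12 -export -out "$work/identity.pfx" \
    -inkey "$work/identity.key" -in "$work/identity.crt" -passout "pass:$pass"

  # 5. Replace the live file only once the new one provably opens, then
  #    delete the plaintext key and cert.
  pfx_opens "$work/identity.pfx" "$pass"
  mv "$work/identity.pfx" "$pfx"
  rm -rf "$work"
}
```

Run it with the identity container stopped, for example `rebuild_identity_pfx /bwdata/identity/identity.pfx "$CERT_PASS"`, then start the container again; identity.pfx.backup is left next to the new file in case the container still fails. The password is visible in the openssl command lines while they run, so do this on a host where other users cannot list processes, and unset CERT_PASS afterwards.
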
robina80 commented 2 years ago

How come you have 3 openssl commands, when the other person has only done 1?

openssl pkcs12 -export -out ./identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASSWORD

TheSp1der commented 2 years ago

I saw 3 openssl commands in the solution you found.

The first one extracts just the key and stores it in identity.key. The second one extracts just the certificate and stores it in identity.crt. The third command builds the identity.pfx file from the extracted identity.key and identity.crt.

captainhook commented 2 years ago

Not useful input, just passing commentary…

I haven't had a single issue with my setup but somehow @robina80 you seem to encounter a new problem almost weekly 🥲

TheSp1der commented 2 years ago

To be fair, this is not a problem with this project. It's a change in .NET's usage of certificate pfx stores. Once you update your pfx file to what .NET 5.x wants, it works flawlessly.

robina80 commented 2 years ago

Cool, thanks @TheSp1der and @captainhook. I wasn't having a go at all.

TheSp1der commented 2 years ago

@robina80 Such is the life of keeping frequently updated. The troubles you experience are just a sign you're keeping things up-to-date, which is never a bad thing! I was lost until you found that issue, so it was not just you that ran into a problem :) I'm just happy to have contributed!

robina80 commented 2 years ago

So @TheSp1der, does that mean we have to run this all the time if we update BitBetter/Bitwarden?

TheSp1der commented 2 years ago

If you did it the way I suggested and ran those commands against the files in your persistent storage you should only have to do it once. (Kinda why I included a back-up step!)

robina80 commented 2 years ago

Great thanks @TheSp1der

captainhook commented 2 years ago

@robina80 okay to close this issue now?

TheSp1der commented 2 years ago

You could add a little note in the documentation. It might help others to know that this is not a BitBetter issue.

robina80 commented 2 years ago

These commands below are only a one-off, as once you're running .NET Core 5 you're good to go:

openssl pkcs12 -in /bwdata/identity/identity.pfx -nocerts -nodes -out identity.key -passin pass:IDENTITY_CERT_PASS_HERE
openssl pkcs12 -in /bwdata/identity/identity.pfx -clcerts -nokeys -out identity.crt -passin pass:IDENTITY_CERT_PASS_HERE
openssl pkcs12 -export -out /bwdata/identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASS_HERE

I didn't need to run these commands again when I upgraded from 1.43 > 1.45, as my .NET Core was already on version 5.

@TheSp1der @captainhook

h44z commented 2 years ago

Closed due to inactivity.