Unable to set YubiKey OTPs #29

Closed
opened 2025-07-08 08:37:49 -04:00 by AtHeartEngineer · 0 comments

Originally created by @JYLN on 6/24/2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.1
  • Web-vault version: v2025.5.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.49.1
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: America/Denver
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "*****://******************************",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "JaySyn Bitwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Plain",
  "smtp_debug": false,
  "smtp_embed_images": false,
  "smtp_explicit_tls": null,
  "smtp_from": "************",
  "smtp_from_name": "JaySyn Bitwarden",
  "smtp_host": "*******************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "112971",
  "yubico_secret_key": "***",
  "yubico_server": "https://api.yubico.com/wsapi/2.0/verify"
}

Vaultwarden Build Version

v1.34.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Cloudflare Tunnel

Host/Server Operating System

NAS/SAN

Operating System Version

Synology DSM 7.2.2-72806 Update 3

Clients

Web Vault

Client Version

v2025.5.0

Steps To Reproduce

  1. Go to 'Settings > Security > Two-Step Login'
  2. Click on 'Manage' next to 'Yubico OTP security key'
  3. Enter master password
  4. Follow the steps on the page to enter a YubiKey OTP

Expected Result

Yubikey OTP to save successfully without error

Actual Result

Receives an 'Invalid Yubikey OTP provided' error

Logs

[2025-06-24 10:06:44.197][request][INFO] PUT /api/two-factor/yubikey
[2025-06-24 10:06:44.338][error][ERROR] Invalid Yubikey OTP provided.
[CAUSE] DecodeError(
    InvalidByte(
        27,
        61,
    ),
)
[2025-06-24 10:06:44.339][response][INFO] (activate_yubikey_put) PUT /api/two-factor/yubikey => 400 Bad Request

Screenshots or Videos

No response

Additional Context

The Cloudflare tunnel setup is new; the vault used to just run on an NGINX Reverse Proxy container within my NAS, but I recently switched to the Cloudflare tunnel because I am managing multiple other resources for my domain within Cloudflare. I used to have 2 Yubikey OTPs saved to my account but had to reset my Yubikeys recently. Upon resetting, I haven't been able to save any OTPs within Vaultwarden. I have regenerated my Client ID and Secret twice. I have attempted using the normal secret and adding a = based on another issue I found within the GitHub repo. I have explicitly set the server URL and unset the server URL for YubiKey. When testing the API within Postman and random nonce data, I am getting an OK response. Also, I have validated multiple OTPs on Yubikey's demo website. I did recently fix the IP header match, but that hasn't helped resolve my issue. I'm not entirely sure what I'm missing here. Thank you for any help in advance.

AtHeartEngineer added the bug label 2025-07-08 08:37:51 -04:00

Reference: github/vaultwarden#29