Resolving SSL Certificate Verification Issues with Vaultwarden CLI

Introduction

While setting up Bitwarden CLI (with self-hosted Vaultwarden), in my case on macOS, I encountered an SSL certificate verification issue that prevented the client from connecting to my self-hosted Vaultwarden instance. The error message was:

Unable to fetch ServerConfig from https://vault.example.com/api FetchError: request to https://vault.example.com/api/config failed, reason: unable to verify the first certificate
  at ClientRequest.<anonymous> (/opt/homebrew/Cellar/bitwarden-cli/2025.2.0/libexec/lib/node_modules/@bitwarden/cli/node_modules/node-fetch/lib/index.js:1505:11)
  [...]
  errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'

In this post, I’ll explain the cause of the issue and how I resolved it.


Understanding the Issue

The error UNABLE_TO_VERIFY_LEAF_SIGNATURE ("unable to verify the first certificate" in the message above) usually means that the client application cannot verify the SSL certificate chain presented by the server. This can happen for several reasons, such as:

  • The SSL certificate is self-signed or issued by a CA not recognized by the system.
  • The intermediate certificate is missing from the server’s certificate chain.
  • The client lacks the necessary root CA certificates.

In my case, I verified the SSL certificate using curl:

curl -v https://vault.example.com

The output confirmed that the SSL certificate was issued by Let's Encrypt and was valid, yet Bitwarden CLI still failed to verify it.


Solution

The issue was caused by a missing root CA in my local Node.js environment, which Bitwarden CLI relies on. The fix was to install the ssl-root-cas package using npm:

npm install ssl-root-cas

This package updates the SSL root certificates used by Node.js, allowing applications that depend on it (like Bitwarden CLI) to verify SSL certificates correctly.

After installing ssl-root-cas, I restarted my terminal and retried the Bitwarden CLI login:

bw login

The connection was successfully established, resolving the issue.


Additional Troubleshooting

If you encounter similar SSL issues, here are some additional troubleshooting steps:

Check OpenSSL’s Output

openssl s_client -connect vault.example.com:443 -showcerts

This helps determine if any certificates are missing from the chain.
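
To read that output systematically, the following added example (not part of the original post) classifies s_client output by how many certificates the server sent and by the verify return code. It covers more verify codes than the one in this post. The function names, verdict labels and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify the output of
#   openssl s_client -connect vault.example.com:443 -showcerts </dev/null
# Verdict names are hypothetical labels chosen for this example.

# Reads s_client output on stdin; prints "<verdict> sent=<n> code=<c>".
diagnose_chain() {
    out=$(cat)
    # Certificates the server sent; independent of any client trust store.
    sent=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    # TLS 1.3 output can repeat the result line, so keep the first one.
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        0)  verdict=ok ;;                      # verified by OpenSSL's store
        18) verdict=self-signed-leaf ;;        # Node: DEPTH_ZERO_SELF_SIGNED_CERT
        19) verdict=untrusted-root-in-chain ;; # Node: SELF_SIGNED_CERT_IN_CHAIN
        20) verdict=issuer-not-in-store ;;     # Node: UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        21) verdict=missing-intermediate ;;    # Node: UNABLE_TO_VERIFY_LEAF_SIGNATURE
        '') verdict=no-verify-result ;;        # e.g. the connection failed
        *)  verdict=other ;;
    esac
    # One certificate that still verifies means this client filled the gap
    # from its own store; a client without that certificate will fail.
    if [ "$sent" -eq 1 ] && [ "$verdict" = ok ]; then
        verdict=ok-but-leaf-only
    fi
    echo "$verdict sent=$sent code=${code:-none}"
}

# Constructed sample: the server sent only its leaf certificate.
sample_leaf_only() {
    cat <<'EOF'
depth=0 CN = vault.example.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:CN = vault.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)
EOF
}

sample_leaf_only | diagnose_chain
```

The sent count does not depend on any trust store, so it is the value to compare when one client (such as curl) accepts the certificate and another (such as Node.js) rejects it.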


Conclusion

If you face SSL verification issues with Bitwarden CLI or other Node.js applications, installing ssl-root-cas is a quick and effective fix. However, always verify your certificate chain to ensure your server is correctly configured. By understanding and addressing the root cause, you can avoid potential security risks while maintaining a properly secured environment.