OpenId integration problem with keycloak. "Failed to discover OpenID provider: Request failed"

[SPGGPS]

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.35.2
• Web-vault version: v2025.12.1+build.3
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: false
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, EMAIL_CHANGE_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_ONLY, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "********",
  "smtp_host": "******************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://********************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://************************************************",
  "sso_client_cache_expiration": 2,
  "sso_client_id": "************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

I have deployed de server with docker. My nginx configuration

vaultwarden
::::::::::::::
server {
listen 80;
server_name vault.xxxx.local;

return 301 https://vault.xxxx.local$request_uri;

}
::::::::::::::
vaultwarden_ssl
::::::::::::::
server {
listen 443 ssl http2;
server_name vault.xxxx.local;

# Rutas a tus certificados
ssl_certificate     /etc/ssl/certs/wildcard_xxxx_local.crt;
ssl_certificate_key /etc/ssl/private/wildcard_xxxx_local.key;

# Seguridad recomendada
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

location / {
include /etc/nginx/proxy_params;
proxy_pass http://0.0.0.0:8085;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# AÑADE ESTO:
proxy_set_header X-Forwarded-Proto https;
}
}

Admin portal is working fine. Vaulwarden is working fine without openid

Dcoker compose

version: '3'

services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped

volumes:
  - /opt/vaultwarden:/data
  # Certificado de la CA local para validación SSL interna
  - ./ca_xxxx_local.crt:/etc/ssl/certs/f70445e3.0:ro

ports:
  - "8085:80"
  - "3012:3012"

extra_hosts:
  - "sso.xxxx.local:host-gateway" --> Keycloak
  - "vault.xxxx.local:host-gateway"

environment:
  # --- Configuración General ---
  - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
  - DOMAIN=https://vault.xxxxxx.local
  - ROCKET_PORT=80
  - LOG_LEVEL=debug

  # --- Registro y Seguridad ---
  - SIGNUPS_ALLOWED=false
  - INVITATIONS_ALLOWED=false
  - EMAIL_CHANGE_ALLOWED=false

  # --- CONFIGURACIÓN SSO (Manual para saltar el Discovery) ---
  # Usamos el prefijo SSO_ para que Vaultwarden las reconozca correctamente
  - SSO_ENABLED=true
  - SSO_ONLY=false
  - SSO_CLIENT_ID=vault-client
  - SSO_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxx
  - SSO_AUTHORITY=https://sso.xxxxxxx.local/realms/xxxxx

  # --- Configuración SSL Interna ---
  - SSL_CERT_DIR=/etc/ssl/certs

  # --- CONFIGURACIÓN SMTP (Correo) ---
  - SMTP_HOST=smtp.xxxxxxxxxxx.xxx
  - SMTP_SECURITY=off
  - SMTP_PORT=25
  - SMTP_FROM=no-reply@xxxxxxxxx.xxx
  - SMTP_FROM_NAME=Vaultwarden

When I tried to access with SSO I have this error

{
"message": "Failed to discover OpenID provider: Request failed",
"validationErrors": {
"": [
"Failed to discover OpenID provider: Request failed"
]
},
"errorModel": {
"message": "Failed to discover OpenID provider: Request failed",
"object": "error"
},
"error": "",
"error_description": "",
"exceptionMessage": null,
"exceptionStackTrace": null,
"innerExceptionMessage": null,
"object": "error"
}

And from the server

[2026-02-03 08:32:49.245][request][INFO] GET /
[2026-02-03 08:32:49.245][response][INFO] (web_index) GET / => 200 OK
[2026-02-03 08:32:49.800][request][INFO] GET /api/config
[2026-02-03 08:32:49.800][response][INFO] (config) GET /api/config => 200 OK
[2026-02-03 08:32:57.368][request][INFO] POST /api/organizations/domain/sso/verified
[2026-02-03 08:32:57.368][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
[2026-02-03 08:32:57.379][request][INFO] GET /identity/sso/prevalidate?domainHint=04c1dd89-b054-4cc0-
[2026-02-03 08:32:57.381][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2026-02-03 08:32:57.405][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2026-02-03 08:32:57.421][reqwest::connect][DEBUG] starting new connection: https://ssoxxxx.local/
[2026-02-03 08:32:57.422][hyper_util::client::legacy::connect::http][DEBUG] connecting to 172.17.0.1:443
[2026-02-03 08:32:57.422][hyper_util::client::legacy::connect::http][DEBUG] connected to 172.17.0.1:443
[2026-02-03 08:32:57.423][vaultwarden::sso_client][ERROR] Failed to discover OpenID provider: Request failed
[2026-02-03 08:32:57.424][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request

I reviwed other treaths with similar problems

#6409
#6728 --> I added the CA to complete the chain.

So, I think that my configurations is ok and I can't see where the problem is.

Thanks so much for your help

[BlackDex]

Vaultwarden seems to be unable to connect to the FQDN/IP.
Maybe you can try to use either curl or openssl to check if you can reach that endpoint from within the container?

# Via OpenSSL
docker exec -it vaultwarden openssl s_client -showcerts -connect ssoxxxx.local:443

# Via cURL
docker exec -it vaultwarden curl -v https://ssoxxxx.local

[SPGGPS]

Thanks for your reply.

I can see this error with openssl "verify error:num=19:self-signed certificate in certificate chain". But I think that it won't be a problem.
With curl I think that is working propertly

root@xxxxxxx:~# docker exec -it vaultwarden openssl s_client -showcerts -connect sso.xxxx.local:443
Connecting to 172.17.0.1
CONNECTED(00000003)
depth=1 DC=local, DC=xxxxx, CN=xxxxx-xxxxx-CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 DC=local, DC=xxxxx, CN=xxxxx-xxxxxx-CA
verify return:1
depth=0 C=ES, ST=xx, L=xx , O=xxxxx, OU=SSII, CN=*.xxxxx.local, emailAddress=xxxxxx
verify return:1

Certificate chain
0 s:C=xx, ST=xxx, L=xxxx, O=xxxxx, OU=SSII, CN=*.xxxxx.local, emailAddress=xxxxx
i:DC=local, DC=xxxx, CN=xxxx-xxxxx-CA
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Mar 21 09:09:59 2025 GMT; NotAfter: Mar 21 09:09:59 2026 GMT
-----BEGIN CERTIFICATE-----
MIIHBjCCBe6gAwIBAgITNwAAAE6oK4gpwHMs3QAAAAAATjANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFzAVBgoJkiaJk/IsZAEZFgdzc3Jl
eWVzMSAwHgYDVQQDExdzc3JleWVzLUFZVE8yNU9DU0kwMS1DQTAeFw0yNTAzMjEw
OTA5NTlaFw0yNjAzMjEwOTA5NTlaMIHGMQswCQYDVQQGEwJFUzEPMA0GA1UECBMG
TUFEUklEMSMwIQYDVQQHExpTQU4gU0VCQVNUSUFOIERFIExPUyBSRVlFUzEzMDEG
A1UEChMqQVlVTlRBTUlFTlRPIERFIFNBTiBTRUJBU1RJQU4gREUgTE9TIFJFWUVT
MQ0wCwYDVQQLEwRTU0lJMRgwFgYDVQQDDA8qLnNzcmV5ZXMubG9jYWwxIzAhBgkq
hkiG9w0BCQEWFHNpc3RlbWFzQHNzcmV5ZXMub3JnMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIB

-----END CERTIFICATE-----
1 s:DC=local, DC=xxxxx, CN=xxxx-xxxxx-CA
i:DC=local, DC=xxxx, CN=xxxx-xxxx-CA
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 8 15:06:58 2020 GMT; NotAfter: Jun 8 15:16:58 2040 GMT
-----BEGIN CERTIFICATE-----
MIIDlDCCAnygAwIBAgIQewDOiEGVJoVBb+v/0/XuwDANBgkqhkiG9w0BAQsFADBS
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFzAVBgoJkiaJk/IsZAEZFgdzc3JleWVz
MSAwHgYDVQQDExdzc3JleWVzLUFZVE8yNU9DU0kwMS1DQTAeFw0yMDA2MDgxNTA2
NThaFw00MDA2MDgxNTE2NThaMFIxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEXMBUG
CgmSJomT8ixkARkWB3NzcmV5ZXMxIDAeBgNVBAMTF3NzcmV5ZXMtQVlUTzI1T0NT
STAxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAykBPc5nxLGmL
CEzOSMfoDRMlHdU0A6jyqrtnBvVmwfYHYPmkBmrMs0nBKUcTpOeB/UkoANF8AwBF
2Fs4eLJUrnJcR1d4tt7+8ihRMLosVsTMIDuiQxZ0y6qDFFFkJ0/OUz2v/osXKHxh
714C7vJR2bBB1TAYiIXI199FcfAat97K5UBYV+OofzBHoamb0qsWFganzzhYLgBH
s0Uf6icOkfhPt............
8FgCyG5BnwU=
-----END CERTIFICATE-----

Server certificate
subject=C=xx, ST=xx, L=xxxxx, O=xxxxx, OU=SSII, CN=*.xxxxx.local, emailAddress=xxxxxx
issuer=DC=local, DC=xxxx, CN=xxx-xxxx-CA

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits

SSL handshake has read 3287 bytes and written 1639 bytes
Verification error: self-signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)

---

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 22B57E2C9312BB4F4D6A74E8BDA743AC06BF1CB5A609AB119D709962419BE341
Session-ID-ctx:
Resumption PSK: DDE0991A7335ABE68426D83C057DAF782A21EED372CBB5FACE1D850BAE04E8C4055993C93775BA367072AC90CA1F4752
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5a 5e e5 9d e7 fb b4 d0-51 21 40 9a dd 2e 1f d4 Z^......Q!@.....
0010 - 55 11 fb b9 c3 dd b7 38-63 83 02 87 fd 87 91 2a U......8c......*
0020 - 16 d7 a4 bd 24 72 fd 5d-ee 6c e7 5c 7a 39 6b da ....$r.].l.\z9k.
0030 - 6b 94 66 e2 73 9d 2b 32-ff c1 0b a3 39 a4 8a 40 k.f.s.+2....9..@
0040 - c9 1d bc cf 3c 83 f9 9b-31 01 99 b6 03 89 db 9c ....<...1.......
0050 - 29 2e 86 a0 d4 e3 86 fb-a6 a2 46 a3 c4 0d 41 aa ).........F...A.
0060 - 38 92 0a 61 67 6f 20 4b-a2 af 97 fe eb 57 c4 ac 8..ago K.....W..
0070 - 6f f4 87 8f 84 5d a1 c9-cd 2d 1e e3 b4 f2 93 03 o....]...-......
0080 - 31 3d 90 98 64 21 31 fa-67 da cd 0b 05 00 6c 81 1=..d!1.g.....l.
0090 - 4d 0f c2 58 c5 b2 a3 c2-69 17 01 d8 11 cc a2 7e M..X....i......~
00a0 - 67 c0 21 3a e7 22 f1 4a-09 ca 94 f2 ce 69 b9 9b g.!:.".J.....i..
00b0 - b1 87 b0 63 10 ef 60 97-b9 07 49 eb 66 b0 7d 19 ...c.....I.f.}. 00c0 - 7b 1b 8c 4c d4 d3 cb 42-1d e1 c3 21 d4 1f 1a b0 {..L...B...!.... 00d0 - 04 12 52 1d a2 12 07 13-68 0a 1d c0 f2 f9 40 8a ..R.....h.....@. 00e0 - c1 33 4d 67 dc 93 c4 20-3e 0b 60 ce dd 74 0f 2d .3Mg... >...t.-

Start Time: 1770192180
Timeout   : 7200 (sec)
Verify return code: 19 (self-signed certificate in certificate chain)
Extended master secret: no
Max Early Data: 0

---

read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1C3541861A220235E6B0E011C244EB3CBF26EBCA6FAB9717AEEA14EC949D5ED0
Session-ID-ctx:
Resumption PSK: AED87A7C52EAB639C2D56F91B5F3541FDD9F0282F94C21064850DB595E799FEBE965D3D88B9C5480A9CA485883D73E3D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5a 5e e5 9d e7 fb b4 d0-51 21 40 9a dd 2e 1f d4 Z^......Q!@.....
0010 - 67 74 fd ec 43 33 4c b4-ef 6a cf 04 63 31 33 98 gt..C3L..j..c13.
0020 - a5 7b c7 61 4c 40 6a 89-bd b6 71 75 4b 03 b2 1c .{.aL@j...quK...
0030 - 01 ec d9 89 a6 3d 2f 7c-a6 c3 b6 13 12 20 53 02 .....=/|..... S.
0040 - d1 28 50 24 e3 d8 ca 2b-d0 4b 75 8a fb 4d 9e c0 .(P$...+.Ku..M..
0050 - 70 90 dd e9 c7 88 45 34-56 db d8 2f 1e 0c df 0f p.....E4V../....
0060 - 38 ad 1a ab 59 d9 46 89-c6 b4 75 67 28 24 3c 4e 8...Y.F...ug($<N
0070 - c8 85 dc ab d2 99 9d 74-81 b5 27 6a 1e b4 15 96 .......t..'j....
0080 - 70 f5 88 7c e0 30 42 2d-99 e5 1f d8 a5 00 2c dd p..|.0B-......,.
0090 - 6e b1 13 69 9f e9 84 1c-6e e2 e6 7e b7 9f 3f ff n..i....n..~..?.
00a0 - 12 e5 a7 33 7c d4 2f 4c-fd 5a 37 a2 23 28 c4 4f ...3|./L.Z7.#(.O
00b0 - 3c ea 9d c6 8c e7 d1 a0-ee a9 a0 e7 07 61 d2 09 <............a..
00c0 - a0 56 1d 7c 82 c7 68 e7-23 2a 10 16 68 25 5f 27 .V.|..h.#*..h%_'
00d0 - 04 33 e3 6c 65 ed b8 59-a0 46 e1 0b 4a 26 d5 5a .3.le..Y.F..J&.Z
00e0 - d9 1c a4 e4 ea 8c 7d f4-5a 29 12 6c 83 8c ac ad ......}.Z).l....

Start Time: 1770192180
Timeout   : 7200 (sec)
Verify return code: 19 (self-signed certificate in certificate chain)
Extended master secret: no
Max Early Data: 0

---

read R BLOCK
closed

root@xxxxx:~# docker exec -it vaultwarden curl -v https://sso.xxxxx.local

• Host sso.xxxx.local:443 was resolved.
• IPv6: (none)
• IPv4: 172.xxxxx.1
• Trying 172.xxxxx.1:443...
• ALPN: curl offers h2,http/1.1
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: /etc/ssl/certs
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
• ALPN: server accepted h2
• Server certificate:
• subject: C=xxx; ST=xxx; L=xxxx; O=xxxxx; OU=SSII; CN=*.xxx.local; emailAddress=xxxx
• start date: Mar 21 09:09:59 2025 GMT
• expire date: Mar 21 09:09:59 2026 GMT
• subjectAltName: host "sso.xxx.local" matched cert's "*.xxxx.local"
• issuer: DC=local; DC=xxxx; CN=xxxx-xxxx-CA
• SSL certificate verify ok.
• Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
• Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
• Connected to sso.xxxx.local (172.17.0.1) port 443
• using HTTP/2
• [HTTP/2] [1] OPENED stream for https://sso.xxxx.local/
• [HTTP/2] [1] [:method: GET]
• [HTTP/2] [1] [:scheme: https]
• [HTTP/2] [1] [:authority: sso.xxxx.local]
• [HTTP/2] [1] [:path: /]
• [HTTP/2] [1] [user-agent: curl/8.14.1]
• [HTTP/2] [1] [accept: /]

GET / HTTP/2
Host: sso.xxxx.local
User-Agent: curl/8.14.1
Accept: /

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• Request completely sent off
  < HTTP/2 302
  < server: nginx/1.18.0 (Ubuntu)
  < date: Wed, 04 Feb 2026 08:10:48 GMT
  < content-length: 0
  < location: https://sso.xxxx.local/admin/
  < referrer-policy: no-referrer
  < strict-transport-security: max-age=31536000; includeSubDomains
  < x-content-type-options: nosniff
  < x-robots-tag: none
  <
• Connection #0 to host sso.xxxx.local left intact

Thanks

[SPGGPS]

Sorry for waste your time.
Solution

Certificado de la CA local para validación SSL interna

• ./ca_xxxx_local.crt:/etc/ssl/certs/f70445e3.0:ro

I was using the sso.xxxx.local certificste instead of root CA.

Via OpenSSL

docker exec -it vaultwarden openssl s_client -showcerts -connect ssoxxxx.local:443 --> give me verify error:num=19:self-signed certificate in certificate chain error.

Via cURL

docker exec -it vaultwarden curl -v https://ssoxxxx.local --> work fine

Thanks and sorry