Unable to sync/log in with Android app

[GeorgeCastanza]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Error Message

Stacktrace:
java.net.UnknownServiceException: CLEARTEXT communication to 192.168.1.134 not permitted by network security policy
Bd.t.b(Unknown Source:64)
Bd.t.a(Unknown Source:683)
Bd.t.f(Unknown Source:154)
Bd.l.d(Unknown Source:9)
Bd.l.a(Unknown Source:61)
Bd.b.intercept(Unknown Source:23)
Cd.g.b(Unknown Source:127)
Cd.b.intercept(Unknown Source:607)
Cd.g.b(Unknown Source:127)
Cd.a.intercept(Unknown Source:540)
Cd.g.b(Unknown Source:127)
Cd.a.intercept(Unknown Source:198)
Cd.g.b(Unknown Source:127)
Nd.b.intercept(Unknown Source:553)
Cd.g.b(Unknown Source:127)
com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(Unknown Source:42)
Cd.g.b(Unknown Source:127)
com.bitwarden.network.interceptor.HeadersInterceptor.intercept(Unknown Source:46)
Cd.g.b(Unknown Source:127)
Bd.q.d(Unknown Source:89)
Bd.n.run(Unknown Source:47)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
java.lang.Thread.run(Thread.java:1012)

Version: 2025.7.2 (20551)
Device: 📱 samsung SM-X800 🤖 15@35 📦 prod
CI: 🧱 commit: bitwarden/android@277fcbf
💻 build source: bitwarden/android/actions/runs/16758228945/attempts/1

Running inside Proxmox.

Environment

• Vaultwarden version: v1.34.3-8e7eeab2
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: false (Base: Not applicable)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Config:

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/opt/vaultwarden/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/opt/vaultwarden/data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "********************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************",
  "domain_origin": "*****://***************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": "removed",
  "duo_ikey": "removed",
  "duo_skey": "***",
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/opt/vaultwarden/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/opt/vaultwarden/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/opt/vaultwarden/data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "TLS",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "/opt/vaultwarden/data/templates",
  "tmp_folder": "/opt/vaultwarden/data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/opt/vaultwarden/web-vault",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-8e7eeab2

Deployment method

Other method

Custom deployment method

Proxmox, fully updated.

Reverse Proxy

Cloudflare tunnel

Host/Server Operating System

Linux

Operating System Version

Proxmox

Clients

Android

Client Version

2025.7.2

Steps To Reproduce

Login via the android app.

Expected Result

Login

Actual Result

An error occurred. etc

Logs

Stacktrace:
java.net.UnknownServiceException: CLEARTEXT communication to 192.168.1.134 not permitted by network security policy
	Bd.t.b(Unknown Source:64)
	Bd.t.a(Unknown Source:683)
	Bd.t.f(Unknown Source:154)
	Bd.l.d(Unknown Source:9)
	Bd.l.a(Unknown Source:61)
	Bd.b.intercept(Unknown Source:23)
	Cd.g.b(Unknown Source:127)
	Cd.b.intercept(Unknown Source:607)
	Cd.g.b(Unknown Source:127)
	Cd.a.intercept(Unknown Source:540)
	Cd.g.b(Unknown Source:127)
	Cd.a.intercept(Unknown Source:198)
	Cd.g.b(Unknown Source:127)
	Nd.b.intercept(Unknown Source:553)
	Cd.g.b(Unknown Source:127)
	com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(Unknown Source:42)
	Cd.g.b(Unknown Source:127)
	com.bitwarden.network.interceptor.HeadersInterceptor.intercept(Unknown Source:46)
	Cd.g.b(Unknown Source:127)
	Bd.q.d(Unknown Source:89)
	Bd.n.run(Unknown Source:47)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
	java.lang.Thread.run(Thread.java:1012)

Version: 2025.7.2 (20551)
Device: 📱 samsung SM-X800 🤖 15@35 📦 prod
CI: 🧱 commit: bitwarden/android/release/2025.07-rc25@277fcbf14c8332179fcb8bdaef8943eae39dcab6
💻 build source: bitwarden/android/actions/runs/16758228945/attempts/1

Screenshots or Videos

No response

Additional Context

I was not able to sync the android app on either phone/tablet. So I logged out from tablet, and now am unable to login. The error is below:

Stacktrace:
java.net.UnknownServiceException: CLEARTEXT communication to 192.168.1.134 not permitted by network security policy
Bd.t.b(Unknown Source:64)
Bd.t.a(Unknown Source:683)
Bd.t.f(Unknown Source:154)
Bd.l.d(Unknown Source:9)
Bd.l.a(Unknown Source:61)
Bd.b.intercept(Unknown Source:23)
Cd.g.b(Unknown Source:127)
Cd.b.intercept(Unknown Source:607)
Cd.g.b(Unknown Source:127)
Cd.a.intercept(Unknown Source:540)
Cd.g.b(Unknown Source:127)
Cd.a.intercept(Unknown Source:198)
Cd.g.b(Unknown Source:127)
Nd.b.intercept(Unknown Source:553)
Cd.g.b(Unknown Source:127)
com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(Unknown Source:42)
Cd.g.b(Unknown Source:127)
com.bitwarden.network.interceptor.HeadersInterceptor.intercept(Unknown Source:46)
Cd.g.b(Unknown Source:127)
Bd.q.d(Unknown Source:89)
Bd.n.run(Unknown Source:47)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
java.lang.Thread.run(Thread.java:1012)

Version: 2025.7.2 (20551)
Device: 📱 samsung SM-X800 🤖 15@35 📦 prod
CI: 🧱 commit: bitwarden/android@277fcbf
💻 build source: bitwarden/android/actions/runs/16758228945/attempts/1

[dfunkt]

Not a bug. Since version 2025.7.2 of the Android app all self-hosted deployments need to be behind HTTPS: https://github.com/bitwarden/android/releases/tag/v2025.7.2-bwpm
bitwarden/android#5533

[GeorgeCastanza]

That's hard for me. Maybe some of us use Cloudflare Tunnels and just want to connect to an IP address locally.

[GeorgeCastanza]

I've been looking for a while now, and clueless as to how to even implement this.

[RSkotte]

I also have an issue now to log in from firefox add-in or ios app, but I can access my vault without any issue in a web browser also from outside my house, I am clueless.
I use QNAP docker with a reverse proxy over https. But I cannot figure out why the add-ins or apps cannot log in or alter items when I am able to access over web browser (firefox on PC local network and safari on mobile phone external network).

[klepptor]

Same here, but it's even more weird.

Android app doesn't work, Brave/Chrome app doesn't work, BUT Firefox addon and normal browser access work!

On Android the error in my case is:

Stacktrace:
kotlinx.serialization.json.internal.JsonDecodingException: Unexpected JSON token at offset 0: Expected start of the object '{', but had '<' instead at path: $
JSON input: <html lang="en-.....
vd.i.d(Unknown Source:31)
vd.i.e(Unknown Source:34)
C.a.l(Unknown Source:60)
C.a.m(Unknown Source:12)
C.a.B(Unknown Source:91)
C.a.g(Unknown Source:44)
vd.s.c(Unknown Source:41)
com.bitwarden.network.model.InternalPreLoginResponseJson$$serializer.deserialize(SourceFile:1)
com.bitwarden.network.model.InternalPreLoginResponseJson$$serializer.deserialize(SourceFile:2)
vd.s.v(Unknown Source:278)
com.bitwarden.network.serializer.BaseSurrogateSerializer.deserialize(Unknown Source:11)
vd.s.v(Unknown Source:278)
ud.c.a(Unknown Source:28)
z3.l.c(Unknown Source:33)
Rd.A.c(Unknown Source:53)
z3.e.w(Unknown Source:4)
Bd.n.run(Unknown Source:54)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
java.lang.Thread.run(Thread.java:1119)

Version: 2025.7.2 (20551)
Device: 📱 google Pixel 7 🤖 16@36 📦 prod
CI: 🧱 commit: bitwarden/android@277fcbf
💻 build source: bitwarden/android/actions/runs/16758228945/attempts/1

Maybe the same issue!?

[BlackDex]

This looks like a HTML is returned instead of the wanted JSON.
So, either the reverse proxy returns something invalid, or the reverse proxy can't reach the Vaultwarden instance.
Or, the URL is not correctly configured, like for example, having /#/login appended to it.

[scubafly]

Same here, but it's even more weird.

Android app doesn't work, Brave/Chrome app doesn't work, BUT Firefox addon and normal browser access work!

On Android the error in my case is:

Stacktrace:
kotlinx.serialization.json.internal.JsonDecodingException: Unexpected JSON token at offset 0: Expected start of the object '{', but had '<' instead at path: $
JSON input: <html lang="en-.....
vd.i.d(Unknown Source:31)
vd.i.e(Unknown Source:34)
C.a.l(Unknown Source:60)
C.a.m(Unknown Source:12)
C.a.B(Unknown Source:91)
C.a.g(Unknown Source:44)
vd.s.c(Unknown Source:41)
com.bitwarden.network.model.InternalPreLoginResponseJson$$serializer.deserialize(SourceFile:1)
com.bitwarden.network.model.InternalPreLoginResponseJson$$serializer.deserialize(SourceFile:2)
vd.s.v(Unknown Source:278)
com.bitwarden.network.serializer.BaseSurrogateSerializer.deserialize(Unknown Source:11)
vd.s.v(Unknown Source:278)
ud.c.a(Unknown Source:28)
z3.l.c(Unknown Source:33)
Rd.A.c(Unknown Source:53)
z3.e.w(Unknown Source:4)
Bd.n.run(Unknown Source:54)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
java.lang.Thread.run(Thread.java:1119)

Version: 2025.7.2 (20551) Device: 📱 google Pixel 7 🤖 16@36 📦 prod CI: 🧱 commit: bitwarden/android@277fcbf 💻 build source: bitwarden/android/actions/runs/16758228945/attempts/1

Maybe the same issue!?

I have the same issue using cloudflare as reverse proxy. When I add a bypass all policy in cloudflare the isssue is solved. ( but I don't want to bypass all )
My sollution for now is to create a vpn to my home network, and add a bypass all policy if the ip is my home network.

[Ko7Ad]

I had the same issue using Tailscale on Unraid. The solution was to serve the port as https, using the following the the Unraid terminal

tailscale serve --bg --https=4280 localhost:4743

Solution from here https://forums.unraid.net/topic/163159-tailscale-vaultwarden/

[bluef1ash]

Android client: self signed certificate in certificate chain, SSL validation failed

Hello, I’m running into an SSL certificate validation issue with my self-hosted Vaultwarden.
I’ve tried many steps but still cannot resolve it. Here are the details:

1. Environment

• Server: Synology NAS, self-hosted Vaultwarden
• Access: https://nas.lan:8508 (local network)
• Certificates: self-signed root CA + server certificate signed by this CA

2. Issue

• Android client fails to log in with the error:

We are unable to validate the server certificate. Your device or server's certificate chain or proxy settings may not be properly configured.

• OpenSSL check shows:

Verify return code: 19 (self signed certificate in certificate chain)

• The Windows browser opens normally

3. Troubleshooting so far

• Generated a root CA and server certificate, imported the root CA into Windows and Android trust store
• Verified that CN and SAN fields are correctly set for nas.lan
• Used openssl s_client -showcerts, certificates are shown but still get:

verify error\:num=19\:self signed certificate in certificate chain

• Imported root CA into Windows “Trusted Root Certification Authorities” but still failing
• Same issue on Android after importing the root CA

4. Possible causes I suspect

• Certificate chain order might be wrong (incomplete chain)
• Root CA Common Name may be empty or invalid when generated
• Vaultwarden (or Nginx) may not be serving a complete chain, so clients cannot verify properly

5. Questions

• What is the recommended way to configure a self-signed certificate with Vaultwarden?
• Should the certificate chain file (fullchain.pem) include server cert + intermediate + root?
• How can I resolve the Android client error self signed certificate in certificate chain?

[TeddyLafrite]

Same problem with Android app v2025.8 :
Stacktrace:
java.net.UnknownServiceException: CLEARTEXT communication to 192.168.10.2 not permitted by network security policy
zd.s.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:65)
zd.s.a(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:679)
zd.s.f(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:155)
zd.k.d(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:10)
zd.k.a(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:62)
zd.b.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:24)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
Ad.b.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:589)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
Ad.a.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:541)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
Ad.a.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:199)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
Ld.b.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:554)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:43)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
com.bitwarden.network.interceptor.HeadersInterceptor.intercept(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:47)
Ad.h.b(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:128)
zd.p.d(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:90)
zd.m.run(r8-map-id-068ba0e44f928840d694163f3e085fb646f62693ecff8492f3d3bafaee71f88e:48)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
java.lang.Thread.run(Thread.java:1119)

Version: 2025.8.0 (20577)
Device: 📱 samsung SM-A528B 🤖 14@34 📦 prod
CI: 🧱 commit: bitwarden/android@1c525b9
💻 build source: bitwarden/android/actions/runs/16834718954/attempts/1

So :

On Bitwarden extension for Brave Windows, HTTP connexion is possible without any problem (on local and remote with VPN WireGuard)
It's not possible with the 2025.8 Android App / why ?
I don't need a HTTPS connexion with certificates because secure VPN tunnel to my LAN... don't want to configure an HTTPS access with 3 month certificates just for that ?!

[GeorgeCastanza]

I don't need a HTTPS connexion with certificates because secure VPN tunnel to my LAN... don't want to configure an HTTPS access with 3 month certificates just for that ?!

I know right! Give us an option with a checkbox: KNOW THE RISKS (like other things in settings).

[TeddyLafrite]

Problem is in Bitwarden official android app...
Nothing to do with Vaultwarden server

[xcube16]

I ran into this same issue and was able to solve it by enabling vaultwarden's builtin ROCKET_TLS with a self-signed certificate for the local IP of my vaultwarden server and add it to my Android device without root. This may not be the best, simplest, or even safest way to set things up, but I feel it could help someone get things working, so here we go...

Generate a self-signed key for your local IP

openssl req -x509 -newkey rsa:4096 -sha256 -days 10000 \
   -keyout ssl/private.key -out ssl/certificate.crt -reqexts SAN -extensions SAN \
   -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=IP:192.168.1.123\nbasicConstraints=CA:true')) \
   -subj "/C=US/ST=New York/L=New York/O=Anything Really/OU=Me/CN=192.168.1.123"

# openssl encrypts the key with a user-provided password by default, so let's decrypt it. The previous command
# could probably have generated an unencrypted private key in the first place, but I am too lazy to figure that out.
openssl rsa -in ssl/private.key -out ssl/unencrypt_private.key

source: https://bitwarden.com/help/certificates/

Install the certificate.crt on your Android device

1. Copy the certificate.crt to your Android filesystem (I just put it in Documents)
2. Go to **Settings -> Security & privacy -> More security settings -> Encryption & credentials **
3. Hit Install a certificate -> CA certificate
4. Accept the large scary warning with the knowledge that anyone who steals your private.key probably has a key to your life, liberty, and happiness. Browse to and hit the certificate.crt that you copied earlier.

source: https://support.google.com/pixelphone/answer/2844832?hl=en

Run vaultwarden with your fancy new keys

docker run -d --name vaultwarden2 \
   -e ROCKET_TLS='{certs="/ssl/certificate.crt",key="/ssl/unencrypt_private.key"}' \
   -v /path/to/your/ssl/:/ssl/ \
   -v /path/to/your/data/:/data/ \
   -p 443:80 \
   vaultwarden/server:latest

source: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS

Bitwarden Android should now be able to use your self-hosted vaultwarden via the local network IP

example: https://192.168.1.123/