Domain Verification gets lost periodically

I’m running Bitwarden unified and have set up SSO via Keycloak. I’ve also set up domain verification for our domain, which works - until it doesn’t. Somehow it just disappears from the list. I see no error in the logs, no reason why it would be removed, just one day it’s there, verified, and the next it isn’t.

Is there any way for me to figure out what is happening?


Hi Mark,

There are several event logs for domain verification events you can look for:

  • Added domain domain-name. (2000)
  • Removed domain domain-name. (2001)
  • Domain-name verified. (2002)
  • Domain-name not verified. (2003)

Additionally - are you keeping the DNS txt record in place or are you removing it following successful verification? There are jobs that run periodically to verify that the DNS record is still in place and will un-verify the domain if it is not found.
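To make the two checks above concrete, here is an added example (not code from Bitwarden or from anyone in this thread) that replays the 2000-2003 event codes for each domain and compares the result with what the organization's domain list shows now, so that "un-verified by the periodic DNS check" (a 2003 event, domain still listed) can be told apart from "removed without any 2001 event". It also shows the shape of the re-verification check itself with a pluggable resolver so it runs offline. The Event fields, the finding codes, the bw=<token> TXT value, the lookup name and all sample data are assumptions made for this example.

```python
"""Added example, not code from Bitwarden or the original post: reconstruct a
domain's verification timeline from the web-vault event log and compare it
with the organization's current domain list.  Event type codes are the ones
listed in the reply above; the Event fields, the finding codes and the
resolver interface are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable

DOMAIN_ADDED = 2000         # "Added domain domain-name."
DOMAIN_REMOVED = 2001       # "Removed domain domain-name."
DOMAIN_VERIFIED = 2002      # "Domain-name verified."
DOMAIN_NOT_VERIFIED = 2003  # "Domain-name not verified."

STATE_AFTER = {
    DOMAIN_ADDED: "unverified",
    DOMAIN_NOT_VERIFIED: "unverified",
    DOMAIN_VERIFIED: "verified",
    DOMAIN_REMOVED: "removed",
}


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    type: int
    domain: str
    actor: str  # assumption: user who triggered it, or "system" for scheduled jobs


def last_state(events: Iterable[Event]) -> dict[str, tuple[str, Event]]:
    """Replay the domain events in time order; return each domain's final
    state and the event that produced it."""
    state: dict[str, tuple[str, Event]] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.type in STATE_AFTER:
            state[ev.domain] = (STATE_AFTER[ev.type], ev)
    return state


def diagnose(events: Iterable[Event], current: dict[str, bool]) -> dict[str, str]:
    """Compare the event log with the domains shown in the org right now
    (`current` maps domain name -> verified flag).  Returns one finding code
    per inconsistent domain; a domain that matches its log gets no entry."""
    findings: dict[str, str] = {}
    log = last_state(events)
    for domain, (state, _ev) in log.items():
        if domain not in current:
            if state != "removed":
                # Gone from the list, yet no 2001 event: the removal was not
                # logged, which is exactly the symptom described in the thread.
                findings[domain] = "missing_without_removal_event"
        elif state == "removed":
            findings[domain] = "present_after_removal_event"
        elif (state == "verified") != current[domain]:
            findings[domain] = "verified_flag_disagrees_with_log"
    for domain in current:
        if domain not in log:
            # Listed but never added through the UI/API, e.g. restored by hand.
            findings[domain] = "listed_without_add_event"
    return findings


def txt_record_present(domain: str, expected: str,
                       resolve_txt: Callable[[str], list[str]]) -> bool:
    """The check a periodic re-verification job has to make: is the expected
    TXT value still among the domain's TXT records?  `resolve_txt` is injected
    so this runs offline; a real job would issue a DNS query here (assumption:
    the record is looked up on the domain name itself)."""
    return any(txt.strip('"') == expected for txt in resolve_txt(domain))


# Constructed sample data mirroring the thread: the first verification failed,
# the TXT record was added five minutes later, and the domain later vanished
# from the org without any removal event.
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 10, 0), DOMAIN_ADDED, "example.com", "mark"),
    Event(datetime(2024, 5, 1, 10, 1), DOMAIN_NOT_VERIFIED, "example.com", "mark"),
    Event(datetime(2024, 5, 1, 10, 6), DOMAIN_VERIFIED, "example.com", "mark"),
    Event(datetime(2024, 5, 1, 11, 0), DOMAIN_ADDED, "example.net", "buddy"),
    Event(datetime(2024, 5, 1, 11, 2), DOMAIN_VERIFIED, "example.net", "buddy"),
    Event(datetime(2024, 5, 2, 9, 0), DOMAIN_REMOVED, "example.net", "buddy"),
]
CURRENT_DOMAINS: dict[str, bool] = {}  # what the org's domain list shows today

# Constructed DNS answers; the bw=<token> value format is an assumption.
FAKE_DNS = {"example.com": ['"v=spf1 -all"', '"bw=0123456789abcdef"']}


def fake_resolver(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for dom, code in diagnose(SAMPLE_EVENTS, CURRENT_DOMAINS).items():
        print(f"{dom}: {code}")
    print("TXT still present:",
          txt_record_present("example.com", "bw=0123456789abcdef", fake_resolver))
```

With the sample data the only finding is `example.com: missing_without_removal_event`, because its last event is a 2002 (verified) and no 2001 follows, yet it is absent from the current list. The TXT check returns True for the constructed answer, which is the case where the periodic job would leave the domain verified; a job that un-verifies the domain would be expected to show up as a 2003 event with the domain still listed, not as a silent disappearance.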

I don’t see any of those in the logs. I only see “[INF] Validating 0 domains.” - even though there is a domain configured!

If I check the event log in the web vault, I can see when I added it and when it got verified (and that the first time, it failed to verify, until I added the TXT record 5mins later). I don’t see a single entry about it being removed.

We’re keeping the DNS entry, and the weird thing is that it doesn’t even go back to “unverified”, the entry is removed entirely. And then we have to go and modify the TXT record again.

Those logs I listed would be shown in the event logs in the web UI, not server logs.

We’re keeping the DNS entry, and the weird thing is that it doesn’t even go back to “unverified”, the entry is removed entirely.

The entry in the DNS record is removed entirely, or the domain is removed from the organization?

The domain is removed from the organization. The DNS isn’t modified, since Bitwarden can’t do that :)

Thanks, ChatGPT.

1 - irrelevant, as Keycloak doesn’t have anything to do with Domain Verification. This is purely Bitwarden checking our TXT record.

2 - we do, there aren’t any.

3 - what should I look out for? There’s nothing there. No warnings, no errors, it doesn’t even log that it removed the domain unless I myself click the button in the GUI.

4 - are there multiple methods? Bitwarden certainly doesn’t give me any options other than TXT record, so this is probably just a hallucination, isn’t it?

5 - BW support tends to go “oh, unified deployment? That’s beta, sucks to be you.” Hence why I’m asking in here.

6 - There are two people who can change the settings in BW, and if someone changed it manually, that actually shows up in the logs. So I know it wasn’t me, and it wasn’t my buddy either. There’s more people who have access to Keycloak, but see 1 - this is completely irrelevant.

7 - How would I back up the BW configuration? As far as I can tell, that’s not an option. Bitwarden doesn’t do declarative configuration, it’s all GUI-based other than a few environment variables (which aren’t involved in this topic).

It has happened again, and again, there’s nothing in the logs. I’ve been reading through the code, and I don’t find anything that would trigger the removal.

The maintenance jobs all check for the VerifiedDate being null - which is not the case. The domain gets verified once and has a value for VerifiedDate in the database.

That tracks with the logs of the maintenance jobs saying things like “Removing 0 unverified domains” - there aren’t any. Yet somehow, the entry in the database was gone, and I have to set it up again.

Sure, I can create my own cronjob and just INSERT the entry periodically to ensure that it is present, but that’s obviously nonsense.

Am I doing it wrong by claiming the domain in my self-host instance? Do I need to claim it in the SaaS instance, like the license?