This guide helps diagnose and resolve common issues with Bitwarden Server deployments. For each problem, we provide symptoms, root causes, and step-by-step solutions.
Service Health Checks # Check container status docker ps -a | grep bitwarden # Test health endpoints curl http://localhost/healthz curl http://localhost/healthz/extended # View service logs docker logs --tail 100 bitwarden-api docker logs --tail 100 bitwarden-identity docker logs --tail 100 bitwarden-mssql
Database Connectivity # Test SQL Server connection docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C \ -Q "SELECT @@VERSION;" # Check database state docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C \ -Q "SELECT name, state_desc FROM sys.databases WHERE name = 'vault';"
Network Diagnostics # Test service connectivity from API container docker exec bitwarden-api curl -I http://identity:5000 # Check DNS resolution docker exec bitwarden-api nslookup identity # Verify port bindings netstat -tulpn | grep -E '(80|443|5000)'
Authentication Issues Login Failures Symptoms:
Users cannot log in
“Invalid username or password” errors
Timeout during authentication
Common Causes:
Identity Service Unavailable
Check: Identity service statusdocker ps | grep identity docker logs bitwarden-identity --tail 50
Solution: docker-compose restart identity
If service won’t start, check configuration: docker exec bitwarden-identity cat /app/appsettings.json
Database Connection Issues
Check: Database connectivity from Identity servicedocker exec bitwarden-identity cat /etc/bitwarden/config.yml
Solution:
Verify connection string in globalSettings.sqlServer.connectionString:database : connectionString : "Server=mssql;Database=vault;User Id=sa;Password=***"
Symptoms: SSL/TLS errors, “Invalid token” messagesCheck: Certificate configurationls -la /etc/bitwarden/identity/ docker logs bitwarden-identity | grep -i certificate
Solution:
Regenerate data protection certificates:
Symptoms: Login works intermittently, 429 errorsCheck: Rate limit configuration in appsettings.json{ "IpRateLimitOptions" : { "GeneralRules" : [ { "Endpoint" : "post:/connect/token" , "Period" : "1m" , "Limit" : 10 } ] } }
Solution:
Adjust rate limits or whitelist specific IPs:{ "IpRateLimitOptions" : { "IpWhitelist" : [ "10.0.0.0/8" ] } }
Two-Factor Authentication Issues Symptoms:
2FA codes not working
Email 2FA not received
Authenticator app code rejected
Diagnostic Steps:
Check Email Delivery
Verify email configuration: docker exec bitwarden-api cat /etc/bitwarden/config.yml | grep -A 10 mail
Test email service: docker logs bitwarden-api | grep -i "mail\|smtp\|sendgrid"
Verify Time Sync
TOTP codes require accurate time: # Check server time docker exec bitwarden-identity date # Sync if needed sudo ntpdate -s time.nist.gov
Check 2FA Rate Limits
2FA endpoints have rate limiting: { "Endpoint" : "post:/two-factor/send-email" , "Period" : "10m" , "Limit" : 5 }
Vault Access Issues Cannot Access Items Symptoms:
Vault appears empty
Specific items not visible
“Access denied” errors
Troubleshooting: # Check user permissions in database docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C -Q " SELECT u.Email, ou.Status, ou.Type FROM [dbo].[User] u JOIN [dbo].[OrganizationUser] ou ON u.Id = ou.UserId WHERE u.Email = '[email protected] '; " # Check collection access docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C -Q " SELECT c.Name, cg.ReadOnly, cg.HidePasswords FROM [dbo].[Collection] c JOIN [dbo].[CollectionGroup] cg ON c.Id = cg.CollectionId WHERE c.OrganizationId = '<org-id>'; "
Sync Failures Symptoms:
Changes not syncing across devices
“Sync failed” errors
Stale data displayed
Solutions:
Check Notifications Service
docker ps | grep notifications curl http://localhost:5000/healthz
Verify WebSocket Connection
Check for WebSocket errors in browser console Test WebSocket endpoint: wscat -c ws://localhost/notifications/hub
Review Notification Hub Configuration
For Azure Notification Hub deployments: { "notificationHub" : { "connectionString" : "Endpoint=sb://..." , "hubName" : "bitwarden" } }
Slow Response Times Symptoms:
API requests take >2 seconds
Timeout errors
High CPU/memory usage
Diagnostic Steps: # Check resource usage docker stats # Identify slow queries docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C -Q " SELECT TOP 10 total_elapsed_time/execution_count AS avg_time_ms, execution_count, SUBSTRING(st.text, (qs.statement_start_offset/2)+1, ((CASE qs.statement_end_offset WHEN -1 THEN DATALENGTH(st.text) ELSE qs.statement_end_offset END - qs.statement_start_offset)/2) + 1) AS statement_text FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st ORDER BY total_elapsed_time/execution_count DESC; " # Check for blocking docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C -Q " SELECT * FROM sys.dm_exec_requests WHERE blocking_session_id <> 0; "
Solutions:
Connection Pool Exhaustion
Increase connection pool size in connection string: Server=mssql;Database=vault;User Id=sa;Password=***;Min Pool Size=10;Max Pool Size=100;
Increase container resources: services : api : deploy : resources : limits : cpus : '2.0' memory : 2G reservations : cpus : '1.0' memory : 1G
High Memory Usage Check Memory Usage: # Container memory docker stats --no-stream # Host memory free -h
Solutions:
Reduce log verbosity (change to Warning level)
Implement log rotation with size limits
Clear old logs: find /etc/bitwarden/logs -mtime +7 -delete
Increase container memory limits
Database Issues Database Connection Errors Error Message: Login failed for user 'sa'Solutions:
Verify Password
Check SA password in environment: docker exec bitwarden-mssql printenv | grep SA_PASSWORD
Reset SA Password
docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ OLD_PASSWORD }" -C \ -Q "ALTER LOGIN sa WITH PASSWORD='${ NEW_PASSWORD }';"
Update configuration with new password.
Check SQL Server State
docker logs bitwarden-mssql --tail 50
Look for:
“SQL Server is now ready for client connections”
Error messages about recovery or startup
Migration Failures Error: Server is in script upgrade modeSolution:
The migrator includes automatic retry logic (up to 10 attempts). If it persists:# Check for blocking processes docker exec -it bitwarden-mssql /opt/mssql-tools18/bin/sqlcmd \ -S localhost -U sa -P "${ SA_PASSWORD }" -C -Q " SELECT session_id, blocking_session_id, wait_type, wait_time FROM sys.dm_exec_requests WHERE blocking_session_id <> 0; " # Kill blocking session if found KILL < session_i d > ;
Error: Migration script timeoutSolution:
For large migrations, increase timeout:
Default: 5 minutes
Large migrations: 60 minutes (automatic for noTransactionMigration)
See util/Migrator/DbMigrator.cs:131 for configuration.
Database Corruption Symptoms:
CHECKDB errors
Consistency errors in logs
Random query failures
Diagnostic: DBCC CHECKDB (vault) WITH NO_INFOMSGS ;
Recovery:
Attempt Automatic Repair
DBCC CHECKDB (vault, REPAIR_REBUILD);
Restore from Backup
If automatic repair fails, restore from backup: ./bitwarden.sh stop # Restore database (see Backup/Restore guide) ./bitwarden.sh start
Service-Specific Issues API Service Issues Symptoms:
500 Internal Server Error
API endpoints not responding
Unhandled exceptions in logs
Implementation Reference: src/SharedWeb/Utilities/ExceptionHandlerFilterAttribute.csError Types: Exception Type HTTP Status Meaning BadRequestException 400 Invalid request data GatewayException 502 Upstream service failure NotFoundException 404 Resource not found SecurityTokenValidationException 401 Invalid/expired token UnauthorizedAccessException 401 Insufficient permissions (Other) 500 Unhandled error
Check Logs: docker logs bitwarden-api | grep -i "error\|exception" | tail -50
Identity Service Issues Symptoms:
Token generation failures
OpenID configuration errors
Certificate errors
Check Configuration: # Verify Identity configuration docker exec bitwarden-identity cat /etc/bitwarden/config.yml # Test OpenID endpoint curl http://localhost/.well-known/openid-configuration
Admin Portal Issues Symptoms:
Cannot access admin portal
“Access denied” on admin pages
System information not loading
Solutions:
Verify admin user has proper role
Check admin service logs
Ensure license is valid and not expired
SSL/TLS Issues Certificate Errors Symptoms:
SSL handshake failures
Certificate validation errors
“NET::ERR_CERT_AUTHORITY_INVALID”
Solutions:
Verify Certificate
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
Check Certificate Chain
Ensure full certificate chain is installed: cat server.crt intermediate.crt root.crt > fullchain.pem
Validate Certificate Dates
openssl x509 -in /etc/bitwarden/ssl/certificate.crt -noout -dates
Update Certificate
# Copy new certificate cp new-cert.crt /etc/bitwarden/ssl/certificate.crt cp new-key.key /etc/bitwarden/ssl/private.key # Restart nginx docker-compose restart nginx
File Storage Issues Attachment Upload Failures Symptoms:
“Failed to upload” errors
Attachments not appearing
Storage errors in logs
Check Configuration: # Verify storage configuration docker exec bitwarden-api cat /etc/bitwarden/config.yml | grep -A 5 attachment
For Local Storage: # Check permissions ls -la /etc/bitwarden/core/attachments/ chown -R bitwarden:bitwarden /etc/bitwarden/core/attachments/ # Check disk space df -h /etc/bitwarden/
For Azure Blob Storage: # Test connection string az storage blob list \ --account-name < accoun t > \ --container-name attachments \ --connection-string "${ CONNECTION_STRING }"
Logging and Debugging Enable Debug Logging Temporarily enable verbose logging:
{ "Logging" : { "LogLevel" : { "Default" : "Debug" , "Bit.Api" : "Trace" , "Bit.Core" : "Debug" } } }
Debug/Trace logging generates significant log volume. Only enable for troubleshooting and revert to Warning or Information afterwards.
#!/bin/bash # Diagnostic collection script DIAG_DIR = "bitwarden-diagnostics-$( date +%Y%m%d_%H%M%S)" mkdir -p " $DIAG_DIR " # Container status docker ps -a > " $DIAG_DIR /containers.txt" # Logs from all services for service in api identity admin notifications events ; do docker logs "bitwarden- $service " > " $DIAG_DIR / $service .log" 2>&1 done # System info uname -a > " $DIAG_DIR /system.txt" df -h >> " $DIAG_DIR /system.txt" free -h >> " $DIAG_DIR /system.txt" # Network info docker network inspect bitwarden_default > " $DIAG_DIR /network.json" # Create archive tar -czf " $DIAG_DIR .tar.gz" " $DIAG_DIR " rm -rf " $DIAG_DIR " echo "Diagnostics collected: $DIAG_DIR .tar.gz"
Getting Help Before Requesting Support
Check Logs
Review service logs for error messages and stack traces.
Search Documentation
Search this documentation and Bitwarden community forums.
Verify Configuration
Double-check configuration files against documentation.
Test in Isolation
Try to reproduce the issue with minimal configuration.
When requesting support, include:
Bitwarden Server version
Deployment type (Docker, Kubernetes, etc.)
Operating system and version
Relevant error messages and logs
Steps to reproduce the issue
Recent changes to configuration
