Bitwarden organization license has expired before expiration date

[GuillaumeHullin]

Steps To Reproduce

I have a valid license for "Families 2019" plan on my self-hosted server
Families 2019

bitwarden.sh version 2023.10.2
Docker version 24.0.7, build afdd53b
Docker Compose version v2.21.0

1. Get an email alert stating that my license is expired:

This email is to notify you that your Bitwarden organization license for xxxx has expired and must be updated for continued use. See the following article for details about replacing your license file:

https://bitwarden.com/help/article/licensing-on-premise/

2. License is effectively not seen (Organization password not working) but still show Subscription expiration ..... 2024
3. Go to vault.bitwarden.com, download the license again and upload on my self-host instance.
4. Problem fixed... until next time.

It happened again today and happened 2 more time in the past 7 days.

This issue is a duplicate of issue #3412 which was prematurely marked as solved.

Support has been contacted.

Expected Result

The license should not expired before its expiration date.

Actual Result

No access to organisation for any users.

Screenshots or Videos

No response

Additional Context

No response

Githash Version

3d14eb3

Environment Details

• OS Debian 12
• Virtual Machine ESXi

Database Image

No response

Issue-Link

#2480

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[GuillaumeHullin]

@florie1706
@kolja1507

If you have more data ;)

[florie1706]

I recently did a restart to my docker container, updated to the latest beta-tag which got an update about 2 days ago. Then reissued the license and uploaded it. Since then it is working as expected.

[GuillaumeHullin]

@florie1706 are you on 2023.10.2? Did the license "stopped" just after your upgrade? I run the upgrade script automatically every night... but I get the email and license expired on the middle of the afternoon.

[florie1706]

No, the license stopped after let's say half a day. But now it is running without a problem (newly downloaded license) since 2-3 days. I would say it is working again on my side

[GuillaumeHullin]

Ok let's wait and see. If in a week we still don't have a problem I'll close this issue.

[Greenderella]

Thank you for the report, and I am glad to read that your server is functional once again.

I can confirm that there was a bug in the 2023.10 release that caused this issue, and that in most instances re-applying the license file resolved this.

We have since released version 2023.10.1, which solved the issue.

The root cause was a change in the license file format for the 2023.10 release. I apologize once again for the inconvenience, and can confirm that the team will take every effort to ensure that a similar error never reoccurs.

EDIT:

If anybody is still experiencing this issue, please follow these steps:

1. If you haven’t already, please update your self-hosted server to the latest version following these steps: https://bitwarden.com/help/updating-on-premise/

2. Have an Owner log into the Cloud Org at https://vault.bitwarden.com or https://vault.bitwarden.eu and download a new license file.

3. Have an Owner log into the self-hosted organization (which may not be the same user as the cloud one) and apply the new license file.

If you have billing sync enabled, it is possible that you may need to disable it first:

1. Remove the following line from ./bwdata/env/global.override.env:
   globalSettings__enableCloudCommunication=true

2. Run the Bitwarden restart command from Bitwarden shell script.

3. Re-download the license from https://vault.bitwarden.com or https://vault.bitwarden.eu

4. Re-apply this to the server manually once again.

5. After confirming that the organization has been enabled, re-enable billing sync.

Full documentation on this feature can be found here: https://bitwarden.com/help/families-for-enterprise-self-hosted/#step-1-enable-cloud-communication

[GuillaumeHullin]

@Greenderella thanks for this complete answer. I can confirm also that I don't have the issue since the latest version.

[enoch85]

@Greenderella Having issues with this.... Made a fresh install with 2023.10.2, and now upgraded to 2023.10.3 - followed all the steps above and still getting this:

An error has occurred. Check your internet connection and ensure the billing token is correct. 

fail: Bit.Core.OrganizationFeatures.OrganizationLicenses.SelfHostedGetOrganizationLicenseQuery[0]
      => SpanId:[redacted]0, TraceId:[redacted], ParentId:0000000000000000 => ConnectionId:[redacted] => RequestPath:/organizations/licenses/self-hosted/[redacted]/sync/ RequestId:[redacted] => Bit.Api.Controllers.SelfHosted.SelfHostedOrganizationLicensesController.SyncLicenseAsync (Api)
      Unable to send GET request to https://api.bitwarden.com/licenses/organization/[redacted] because an access token was unable to be obtained 

I don't think this issue can be closed.

[GuillaumeHullin]

@enoch85 did you try to disable CloudCommunication?
See issue #3412 where @florie1706 received the following procedure from Support

#2 - Disable billing sync
Remove the following line from ./bwdata/env/global.override.env:
globalSettings__enableCloudCommunication=true
Run bitwarden restart command from Bitwarden shell script.
Re-download the licence from https://vault.bitwarden.com or https://vault.bitwarden.eu 
Re-apply this to the server manually once again
Full documentation on this feature can be found here:
https://bitwarden.com/help/families-for-enterprise-self-hosted/#step-1-enable-cloud-communication 

[GuillaumeHullin]

@enoch85 did you try to disable CloudCommunication? See issue #3412 where @florie1706 received the following procedure from Support

#2 - Disable billing sync
Remove the following line from ./bwdata/env/global.override.env:
globalSettings__enableCloudCommunication=true
Run bitwarden restart command from Bitwarden shell script.
Re-download the licence from https://vault.bitwarden.com or https://vault.bitwarden.eu 
Re-apply this to the server manually once again
Full documentation on this feature can be found here:
https://bitwarden.com/help/families-for-enterprise-self-hosted/#step-1-enable-cloud-communication 

Sorry I wrote too fast... if you did all the steps above then you would have done this.

[enoch85]

@enoch85 did you try to disable CloudCommunication? See issue #3412 where @florie1706 received the following procedure from Support

#2 - Disable billing sync
Remove the following line from ./bwdata/env/global.override.env:
globalSettings__enableCloudCommunication=true
Run bitwarden restart command from Bitwarden shell script.
Re-download the licence from https://vault.bitwarden.com or https://vault.bitwarden.eu 
Re-apply this to the server manually once again
Full documentation on this feature can be found here:
https://bitwarden.com/help/families-for-enterprise-self-hosted/#step-1-enable-cloud-communication 

Sorry I wrote too fast... if you did all the steps above then you would have done this.

Yes I did, since I followed all the steps. :)

[enoch85]

@GuillaumeHullin Should I create a new ticket or can we continue in this one?

[GuillaumeHullin]

@enoch85 well let see if we can fix it.
First, where do you get this error?
Second, what about if you explicitly set globalSettings__enableCloudCommunication=false and restart?

[enoch85]

Steps to reproduce:

1. Follow the instructions here
2. When syncing the license on the self-hosted vault, get this message:
   
3. Check the api logs (docker logs -f bitwarden-api) in docker, and notice this:

fail: Bit.Core.OrganizationFeatures.OrganizationLicenses.SelfHostedGetOrganizationLicenseQuery[0]
      => SpanId:[redacted]0, TraceId:[redacted], ParentId:0000000000000000 => ConnectionId:[redacted] => RequestPath:/organizations/licenses/self-hosted/[redacted]/sync/ RequestId:[redacted] => Bit.Api.Controllers.SelfHosted.SelfHostedOrganizationLicensesController.SyncLicenseAsync (Api)
      Unable to send GET request to https://api.bitwarden.com/licenses/organization/[redacted] because an access token was unable to be obtained 

4. Follow the steps above
5. Repeat 2-3.
6. Set globalSettings__enableCloudCommunication=false according to above
7. Follow the steps above
8. Repeat 2-3 with same result.

[GuillaumeHullin]

1. What type of paid license do you have?
2. In your organization's Bitwarden web interface, under the Billing tab, are you using Automatic Sync or Manual Sync?

[GuillaumeHullin]

@Greenderella do you mind reopenning this issue... today I had the same issue. Solved by reuploading the license file.

bitwarden.sh version 2023.12.0
Docker version 24.0.7, build afdd53b
Docker Compose version v2.21.0

[pbinksma]

Same here. Happened a few hours ago. Org had been deactivated, license is still valid until April.

[GuillaumeHullin]

Same here. Happened a few hours ago. Org had been deactivated, license is still valid until April.

Re-uploading the license worked for you?

[enoch85]

• What type of paid license do you have?

Enterprise License (to be able to self-host)

• In your organization's Bitwarden web interface, under the Billing tab, are you using Automatic Sync or Manual Sync?

Tried both, manual works, but not syncing (which is the issue here)

@GuillaumeHullin

[pbinksma]

Same here. Happened a few hours ago. Org had been deactivated, license is still valid until April.

Re-uploading the license worked for you?

Yes. Re-Uploading fixed it for now. Let's see for how long.

[enoch85]

I can confirm that billing sync now works on 2023.12.0. It might have been a DNS issue on our end, not sure.

[GuillaumeHullin]

DNS issue? @enoch85 Can you tell more on how you came to that conclusion?

[enoch85]

DNS issue? @enoch85 Can you tell more on how you came to that conclusion?

We're behind a super restricted firewall and our Bitwarden is only local.

I added inbound rules for API, identity and push, and also changed DNS on the server to our local ones - after that it worked.

[GuillaumeHullin]

Interesting. I do also have my Self hosted behind a restricted firewall (pfSense).
Do you mean that you did a port forward from internet to your instance?
I also use local DNS but that did not change.

[enoch85]

Interesting. I do also have my Self hosted behind a restricted firewall (pfSense). Do you mean that you did a port forward from internet to your instance? I also use local DNS but that did not change.

Yeah, we're behind Fortinet here, and everything is closed. You need to open everything, even locally. But basically I allowed the FQDNs from internet to the bitwarden host. My guess is that it couldn't talk to the services needed to verify that the license was valid, but I might be wrong.

[GuillaumeHullin]

I see. Which FQDNs did you allow thought?
In my case I'm using pfSense and my firewall is pretty restricted. However, the Bitwarden instance can reach outside without a problem.