I recently decided to move my vaultwarden instance to a new domain. Actually migrating the service is easy enough (largely just changing the domain name in the relevant places). However, my account uses U2F keys to log in and, after migrating domains, I can’t use the keys to log in:
I assume this is due to the U2F key(s) being tied to the old domain, so they can’t be used to log in to the new domain. My question is whether it is possible to update this in Vaultwarden? I tried deleting one of my keys in the hopes that that would generate a new entry for the new domain, but that didn’t seem to work. Is there a way to do this in Vaultwarden, perhaps? I’m mainly hoping I can migrate things without having to go through the process of exporting all vaults and starting from scratch with new accounts.
Let me know if there’s any other information I can provide.
You probably forgot to update the settings where you need to configure the FQDN. If that isn’t correct and doesn’t match, then these kinds of errors occur.
Modifying these keys in the database will probably not work out and cause issues. If it all still does not work, remove all 2FA options and add them again. You can do that via the Vaultwarden admin interface.
The FQDN is set via the DOMAIN environment variable, correct, assuming I don’t have a settings.json file? If so, it’s actually set to the new domain still, even though I can only use the keys on the old one.
I’ll try removing 2FA options later today and see if that works to shift things over.
I removed all 2FA options via the admin interface and, after recreating them (accessing vaultwarden from the new domain) they worked! I had tried removing them one at a time before, but that didn’t seem to purge the old domain from being associated with my account. I guess that is tied to the account rather than the individual 2FA items.
I imagine that if you manually delete all 2FA (or at least all U2F 2FA keys) then it might work as well? Since I went through the admin interface I can’t try this route.
Keys are indeed linked to the domain, so that was probably it.
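
The domain binding discussed in this thread, as an added example that is not part of the original posts and is not Vaultwarden's code. It is a simplified model of a security key that ties each key handle to a WebAuthn-style hash of the host name; the class, the function names and the two `.example` domains are constructed for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit


def rp_id(domain_url: str) -> str:
    """Host part of a DOMAIN-style URL such as https://vault.old.example/path."""
    host = urlsplit(domain_url).hostname
    if not host:
        raise ValueError(f"no host in {domain_url!r}")
    return host.lower()


def app_param(domain_url: str) -> bytes:
    """SHA-256 of the host name: what the key sees instead of the URL."""
    return hashlib.sha256(rp_id(domain_url).encode()).digest()


class ToyAuthenticator:
    """Simplified model of a security key; a real device also signs a challenge."""

    def __init__(self):
        self._secret = os.urandom(32)  # device secret, never exported

    def register(self, domain_url: str) -> bytes:
        # The key handle (stored by the server) is bound to the domain hash.
        nonce = os.urandom(16)
        tag = hmac.new(self._secret, nonce + app_param(domain_url), hashlib.sha256).digest()
        return nonce + tag

    def authenticate(self, domain_url: str, key_handle: bytes) -> bool:
        # The key recomputes the binding and refuses handles made for another domain.
        nonce, tag = key_handle[:16], key_handle[16:]
        want = hmac.new(self._secret, nonce + app_param(domain_url), hashlib.sha256).digest()
        return hmac.compare_digest(tag, want)


def migrate_demo():
    old, new = "https://vault.old.example", "https://vault.new.example"  # constructed
    key = ToyAuthenticator()
    handle = key.register(old)                        # 2FA enrolled on the old domain
    on_old = key.authenticate(old, handle)
    on_new = key.authenticate(new, handle)            # same key after the domain move
    re_added = key.authenticate(new, key.register(new))  # removed and enrolled again
    return on_old, on_new, re_added


if __name__ == "__main__":
    print(migrate_demo())
```

The stored handle keeps working only for the domain it was enrolled under, which is why the key has to be enrolled again on the new domain.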