Zerotier doesn't start on Mac OS Sequoia (neither GUI nor in shell): 401 error
Hello. I installed ZeroTier 1.14.0 on a new Mac mini M4 Pro running Sequoia 15.3, completely fresh install, Mac out of the box. When clicking on the GUI in Applications folder, ZeroTier icon appears in menu bar for a few seconds then disappears.
Zerotier seems to launch as we can see:
ps aux | grep zerotier
root 1711 0,0 0,0 410927408 11360 ?? Ss 6:06 0:00.17 zerotier-one
and sudo lsof -i :9993 replies with four zerotier lines listening (two TCP and two UDP)
but clearly it doesn't work: zerotier-cli status replies 401 status {}
If I try to launch with: sudo launchctl load /Library/LaunchDaemons/com.zerotier.one.plist I have the same situation and 401 error on every zerotier-cli command.
In the /var/log/com.apple.xpc.launchd/launchd.log file I see that it begins launching OK but terminates almost immediately:
2025-02-12 18:38:11.003721 (system) <Notice>: entering bootstrap mode
2025-02-12 18:38:11.003945 (com.zerotier.one) <Notice>: This service is defined to be constantly running and is inherently inefficient.
2025-02-12 18:38:11.003958 (system/com.zerotier.one) <Notice>: internal event: WILL_SPAWN, code = 0
2025-02-12 18:38:11.003961 (system/com.zerotier.one) <Notice>: service state: spawn scheduled
2025-02-12 18:38:11.003962 (system/com.zerotier.one) <Notice>: service state: spawning
2025-02-12 18:38:11.003996 (system/com.zerotier.one) <Notice>: launching: speculative
2025-02-12 18:38:11.004347 (system/com.zerotier.one [1848]) <Notice>: xpcproxy spawned with pid 1848
2025-02-12 18:38:11.004364 (system/com.zerotier.one [1848]) <Notice>: internal event: SPAWNED, code = 0
2025-02-12 18:38:11.004365 (system/com.zerotier.one [1848]) <Notice>: service state: xpcproxy
2025-02-12 18:38:11.004434 (system) <Notice>: Bootstrap by launchctl[1847] for
Of course I tried to uninstall/reinstall or delete the authtoken.secret file but as I said, it's a fresh install on a new Mac so as expected that doesn't help.
Can you help?
Thanks!
Thanks for writing this up. Does sudo zerotier-cli status work?
Can you post the output of
cd ~/Library/Application\ Support/ZeroTier && ls -l **
Thanks for the quick reply! Indeed, I had not thought of trying sudo, it seems to work:
sudo zerotier-cli status
200 info 567e878d73 1.14.2 OFFLINE
And I never noticed there were ~/Library/Application\ Support/ZeroTier/authtoken.secret and ~/Library/Application\ Support/ZeroTier/One/authtoken.secret. I knew the /Library/Application\ Support/ZeroTier/One/authtoken.secret
cd ~/Library/Application\ Support/ZeroTier && ls -l **
-rw-r--r-- 1 root wheel 24 27 oct 2023 authtoken.secret
-rw-r--r-- 1 ioannisnicolis staff 779 6 nov 2023 saved_networks.json

One:
total 8
-rw-r--r-- 1 root wheel 24 27 oct 2023 authtoken.secret
I'm not sure why the location changed at some point. zerotier-cli might use one and the tray app might use the other.
Do the contents match the contents of the "system" copy in /Library/Application\ Support/ZeroTier/One/authtoken.secret
It looks like they have a 2023 date on them. Maybe restored by Apple somehow from an old computer.
My authtoken.secrets are owned by my user, not root.
So either the contents don't match the system token, or your account can't read the file because of the permissions on it. Either way, the app and cli (without sudo) will fail.
For a workaround, you can probably copy the system token and change its owner
sudo cp /Library/Application\ Support/ZeroTier/One/authtoken.secret ~/Library/Application\ Support/ZeroTier
sudo cp /Library/Application\ Support/ZeroTier/One/authtoken.secret ~/Library/Application\ Support/ZeroTier/One
sudo chown ioannisnicolis ~/Library/Application\ Support/ZeroTier/authtoken.secret
sudo chown ioannisnicolis ~/Library/Application\ Support/ZeroTier/One/authtoken.secret
and restart the tray app and test zerotier-cli
The apps and installers should handle this automatically somehow but at the moment they don't.
Well, you are right: the ~/Library token was restored from another computer. And of course it was different from the /Library token, on which I had no read access. So, I uninstalled zerotier, deleted both the /Library/Application\ Support/ZeroTier/ and ~/Library/Application\ Support/ZeroTier/ folders and reinstalled, thinking that I would get the token in ~. But the installer asked for the root password and installed a token in /Library/Application\ Support/ZeroTier/One/. After that, I gave read access on the /Library... token to the user account and everything seems to work for the moment without needing to use sudo. Thanks again, probably my solution is not suitable for a multiuser environment but I am the only user on this Mac, so it works for my case.
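A read-only check for the two failure modes discussed above (a per-user token copy that is unreadable, or whose contents differ from the system token), added here as an example; it is not part of the thread or of ZeroTier's tooling. The paths are the ones quoted in the thread, `token_state` and `world_readable` are hypothetical helper names, and the last check flags a system token left readable by every local account, since that token is what authenticates commands to the service.

```shell
#!/bin/sh
# Added example, not ZeroTier code. Paths are those quoted in this thread.
SYS_TOKEN="/Library/Application Support/ZeroTier/One/authtoken.secret"
USER_DIR="$HOME/Library/Application Support/ZeroTier"

# token_state USER_COPY SYSTEM_COPY [PREFIX]
# Prints one of: missing | unreadable | mismatch | unknown | ok
# PREFIX (for example "sudo") is applied only to the byte comparison, because
# the system copy may not be readable by the calling user. The token itself
# is never printed or copied anywhere.
token_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    # Evaluated as the calling user: this is what zerotier-cli without sudo sees.
    [ -r "$1" ] || { echo unreadable; return 0; }
    rc=0
    ${3:-} cmp -s "$1" "$2" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo mismatch ;;   # stale copy, e.g. restored from another machine
        *) echo unknown ;;    # system copy could not be read; pass a PREFIX
    esac
}

# world_readable FILE -> exit status 0 if the "other" read bit is set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Run the checks only on a machine where the system token exists.
if [ -e "$SYS_TOKEN" ]; then
    for copy in "$USER_DIR/authtoken.secret" "$USER_DIR/One/authtoken.secret"; do
        echo "$copy: $(token_state "$copy" "$SYS_TOKEN" sudo)"
    done
    if world_readable "$SYS_TOKEN"; then
        echo "warning: system token is readable by every local account"
    fi
fi
```

On a shared Mac, an owner-only per-user copy (the `cp` plus `chown` workaround) keeps the token limited to one account, whereas widening read access on the system token exposes it to all of them.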
I am having the same issue - fresh install Sequoia 15.5. None of the solutions presented here or #2415 would work to get the GUI up. However as mentioned the zerotier-cli command works fine from the terminal and I was able to join my network using sudo zerotier-cli join XxXxXxXxXxXX
@laduke I'm happy to help test any fixes on the GUI issue.
I am having the same issue: everything works great under root on MacOS 15.6.1 but doesn't work under a regular user. Route to the vpn exit node works under any user.
Root:
sudo ping 192.168.14.189
PING 192.168.14.189 (192.168.14.189): 56 data bytes
64 bytes from 192.168.14.189: icmp_seq=0 ttl=64 time=129.298 ms
Regular user:
ping 192.168.14.189
PING 192.168.14.189 (192.168.14.189): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
zerotier-cli status
200 info da65d62bd8 1.16.0 ONLINE
I tried to reinstall the app with total cleaning and I tried to copy authtoken.secret and chown it but to no avail. What else can be done with this problem?
@laduke @joseph-henry @cspiegel sorry to be a pest. This is a really long time for a show stopper bug and I am begging for help...
Dupes/Similar:
https://github.com/zerotier/ZeroTierOne/issues/2415
https://github.com/zerotier/ZeroTierOne/issues/2380
Sequoia added stricter security for applications accessing interfaces created on the local network. The fix is simple. Go to Privacy and Security -> Local Network. Then find the application that you want to allow (terminal, iTerm, whatever) and turn the switch to "on".
Would be nice if the installer did that or if it was in the release notes, FAQ or somewhere.