Zerotier doesn't start on Mac OS Sequoia (neither GUI neither in shell): 401 error

[INicolis]

Hello.
I installed ZeroTier 1.14.0 on a new Mac mini M4 Pro running Sequoia 15.3, completely fresh install, Mac out of the box.
When clicking on the GUI in Applications folder, ZeroTier icon appears in menu bar for a few seconds then disappears.

Zerotier seems to launch as we can see:
ps aux | grep zerotier
root 1711 0,0 0,0 410927408 11360 ?? Ss 6:06 0:00.17 zerotier-one

and sudo lsof -i :9993
replies with four zerotier lines listening (two TCP and two UDP)

but clearly it doesn't work:
zerotier-cli status
replies
401 status {}

If I try to launch with:
sudo launchctl load /Library/LaunchDaemons/com.zerotier.one.plist
I have the same situation and 401 error on every zerotier-cli command.

In the /var/log/com.apple.xpc.launchd/launchd.log file I see that it begins launching OK but terminates almost immediately:
2025-02-12 18:38:11.003721 (system) : entering bootstrap mode
2025-02-12 18:38:11.003945 (com.zerotier.one) : This service is defined to be constantly running and is inherently inefficient.
2025-02-12 18:38:11.003958 (system/com.zerotier.one) : internal event: WILL_SPAWN, code = 0
2025-02-12 18:38:11.003961 (system/com.zerotier.one) : service state: spawn scheduled
2025-02-12 18:38:11.003962 (system/com.zerotier.one) : service state: spawning
2025-02-12 18:38:11.003996 (system/com.zerotier.one) : launching: speculative
2025-02-12 18:38:11.004347 (system/com.zerotier.one [1848]) : xpcproxy spawned with pid 1848
2025-02-12 18:38:11.004364 (system/com.zerotier.one [1848]) : internal event: SPAWNED, code = 0
2025-02-12 18:38:11.004365 (system/com.zerotier.one [1848]) : service state: xpcproxy
2025-02-12 18:38:11.004434 (system) : Bootstrap by launchctl[1847] for succeeded (0: )
2025-02-12 18:38:11.004451 (system) : exiting bootstrap mode
2025-02-12 18:38:11.004471 (system/com.zerotier.one [1848]) : internal event: SOURCE_ATTACH, code = 0
2025-02-12 18:38:11.013951 (system/com.zerotier.one [1848]) : service state: running
2025-02-12 18:38:11.013977 (system/com.zerotier.one [1848]) : internal event: INIT, code = 0
2025-02-12 18:38:11.013996 (system/com.zerotier.one [1848]) : Successfully spawned launch.sh[1848] because speculative
2025-02-12 18:38:11.018035 (pid/1848 [bash]) : uncorking exec source upfront
2025-02-12 18:38:11.018063 (pid/1848 [bash]) : created
2025-02-12 18:38:11.047047 (pid/1848 [bash]) : domain exec event
2025-02-12 18:38:11.047068 (pid/1848 [bash]) : shutting down
2025-02-12 18:38:11.047085 (pid/1848 [bash]) : cleaning up
2025-02-12 18:38:11.047095 (system) : removing child: pid/1848

Of course I tried to uninstall/reinstall or delete the authtoken.secret file but as I said, it's a fresh install on a new Mac so as expected that doesn't help.

Can you help?

Thanks!

[laduke]

Thanks for writing this up. Does sudo zerotier-cli status work?

Can you post the output of

cd ~/Library/Application\ Support/ZeroTier && ls -l **

[INicolis]

Thanks for the quick reply!
Indeed, I have not thought trying sudo, it seems to work:

sudo zerotier-cli status
200 info 567e878d73 1.14.2 OFFLINE

And I never noticed there were ~/Library/Application\ Support/ZeroTier/authtoken.secret and ~/Library/Application\ Support/ZeroTier/One/authtoken.secret. I knew the /Library/Application\ Support/ZeroTier/One/authtoken.secret

cd ~/Library/Application\ Support/ZeroTier && ls -l **
-rw-r--r-- 1 root wheel 24 27 oct 2023 authtoken.secret
-rw-r--r-- 1 ioannisnicolis staff 779 6 nov 2023 saved_networks.json

One:
total 8
-rw-r--r-- 1 root wheel 24 27 oct 2023 authtoken.secret

[laduke]

I'm not sure why the location changed at some point. zerotier-cli might use one and the tray app might use the other.

Do the contents match the contents of the "system" copy in /Library/Application\ Support/ZeroTier/One/authtoken.secret

It looks like they have a 2023 date on them. Maybe restored by Apple somehow from an old computer.

Mine authtoken.secrets are owned by my user, not root.

So either the contents don't match the system token, or your account can't read the file because of the permissions on it. Either way, the app and cli (without sudo) will fail.

For a work around, you can probably copy the system token and change it's owner

sudo cp /Library/Application\ Support/ZeroTier/One/authtoken.secret ~/Library/Application\ Support/ZeroTier
sudo cp /Library/Application\ Support/ZeroTier/One/authtoken.secret ~/Library/Application\ Support/ZeroTier/One
sudo chown ioannisnicolis ~/Library/Application\ Support/ZeroTier/authtoken.secret
sudo chown ioannisnicolis ~/Library/Application\ Support/ZeroTier/One/authtoken.secret

and restart the tray app and test zerotier-cli

The apps and installers should handle this automatically somehow but at the moment they don't.

[INicolis]

Well, you are right: the ~/Library token was restored from another computer. And of course it was different from the /Library token on which I had no read access.
So, I uninstalled zerotier, deleted both /Library/Application\ Support/ZeroTier/ and ~/Library/Application\ Support/ZeroTier/ folders and reinstalled, thinking that I will get the token in ~. But the installer asked for root password and installed a token on /Library/Application\ Support/ZeroTier/One/
After that, I gave read access on the /Library... token to the user account and everything seems to work for the moment without needing to use sudo.
Thanks again, probably my solution is not suitable for a multiuser environment but I am the only user on this Mac, so it works for my case.