Zerotierone: zerotier-cli return 401

Created on 20 Jun 2017  路  6Comments  路  Source: zerotier/ZeroTierOne

I'm using root user and token is readable

# zerotier-cli info
401 info invalid JSON response (parse error - unexpected end of input)

Use curl:

# curl -H "X-ZT1-Auth: $(sudo cat /var/lib/zerotier-one/authtoken.secret)" http://localhost:9993/join -vv
* Hostname was NOT found in DNS cache
*   Trying ::1...
* Connected to localhost (::1) port 9993 (#0)
> GET /join HTTP/1.1
> User-Agent: curl/7.38.0
> Host: localhost:9993
> Accept: */*
> X-ZT1-Auth: ******
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: application/json
< Content-Length: 67
<
{
    "controller": true,
    "apiVersion": 3,
    "clock": 1497938919193
}
* Connection #0 to host localhost left intact

Use curl ipv4 instead of ipv6

curl -H "X-ZT1-Auth: $(sudo cat /var/lib/zerotier-one/authtoken.secret)" http://127.0.0.1:9993/join -vv
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9993 (#0)
> GET /join HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1:9993
> Accept: */*
> X-ZT1-Auth: ****

< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/plain
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact

cc @glimberg

picture typcn
👍1

Most helpful comment

@typcn I have just encouter the same problem. Turns out the MASQUERADE target rewrites 127.0.0.1 to the ip of the external interfaces. Remove that rule solves the problem.

Consider using rules like

-A POSTROUTING ! -o lo -j MASQUERADE
picture yshui on 12 Nov 2017
👍3

All 6 comments

Not sure I understand. Is this a permission problem? It should keep authtoken.secret mode 0600 on -nix platforms.

adamierymenko picture adamierymenko on 28 Jun 2017

No, Use the same token

127.0.0.1:9993 : 401 Unauthorized

typcn picture typcn on 28 Jun 2017

I'm getting the same errors on all my RasberryPi3's and my Ubuntu 16.04.

paulrd picture paulrd on 22 Jul 2017

I suspect it's because I changed this in my local.conf "allowManagementFrom": ["192.168.111.0/24"]. Probably the error would go away if I added "127.0.0.0/24" to the list or something.

paulrd picture paulrd on 22 Jul 2017

I can confirm that adding "127.0.0.0/8" to the above list works, but then I can no longer manage from the 192.168.111.0/24 address. The documentation should be updated to specify the proper form of the JSON object - a list of strings rather than a string (https://github.com/zerotier/ZeroTierOne/blob/0daff26fba640f2ef167ad66974dc1c4a6c79c01/service/README.md)

But also, if it is a list, does this not suggest allowing more than one?

paulrd picture paulrd on 22 Jul 2017

@typcn I have just encouter the same problem. Turns out the MASQUERADE target rewrites 127.0.0.1 to the ip of the external interfaces. Remove that rule solves the problem.

Consider using rules like

-A POSTROUTING ! -o lo -j MASQUERADE
yshui picture yshui on 12 Nov 2017
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

leviacn picture leviacn  路  3Comments
paweljacewicz picture paweljacewicz  路  4Comments
bstin picture bstin  路  3Comments
coretemp picture coretemp  路  4Comments
kulheim picture kulheim  路  5Comments