Carbonio Email Service provider


Carbonio Mesh’s credentials are kept in the file /etc/zextras/service-discover/cluster-credentials.tar.gpg, which is a tar archive encrypted with GPG. The tar archive contains the following files:

  • The bootstrap token
  • Carbonio Mesh’s internal CA and its associated private key
  • The cryptographic keys

The file containing the Carbonio Mesh credentials must be available and accessible for different administrative actions, including Carbonio CE setup and upgrade, pending-setups, and other minor procedures involving Carbonio CE components.

The file is GPG-encrypted with a secret (nothing more than another password), which is kept in /var/lib/service-discover/password and is accessible only by the root user. The secret is required when running the pending-setups command and during the Service Discover installation procedure.

If you don’t remember the secret, log in as root to your Single-Server Carbonio CE, or connect to any Carbonio Mesh Server, then read the /var/lib/service-discover/password file.

If you wish to change the secret, or if you need to change it (for example, because it has been compromised, shared with or communicated to the wrong people, or because one of your company’s system administrators has left), you must regenerate the Carbonio Mesh secret.
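A check for the two files described above, added here as an example and not taken from the Carbonio documentation: it confirms that the secret file is root-owned with no group or other access, and that the archive decrypts with that secret, listing member names only. The function names are hypothetical, and it assumes the archive is symmetrically encrypted with the first line of the password file as the passphrase.

```shell
#!/bin/sh
# Added example (not Carbonio's own tooling). Paths are the ones named on this
# page; function names are hypothetical.
CRED=/etc/zextras/service-discover/cluster-credentials.tar.gpg
SECRET=/var/lib/service-discover/password

# secret_file_ok PATH [UID]: succeed only if PATH is a regular file owned by
# UID (default 0, root) with no permission bits for group or others.
secret_file_ok() {
    sf_want=${2:-0}
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    # ls -ldn prints the mode string ($1) and the numeric owner id ($3)
    sf_info=$(ls -ldn -- "$1" | awk '{print $1, $3}')
    sf_mode=${sf_info% *}
    sf_uid=${sf_info#* }
    case "$sf_mode" in
        ????------*) ;;   # group and other fields are all "-"
        *) echo "too permissive: $1 ($sf_mode)" >&2; return 1 ;;
    esac
    [ "$sf_uid" = "$sf_want" ] || {
        echo "owner uid $sf_uid, expected $sf_want: $1" >&2; return 1; }
}

# archive_members ARCHIVE SECRETFILE: decrypt using the secret as a symmetric
# passphrase (assumption) and print member names only; the decrypted keys are
# streamed to tar and never written to disk.
archive_members() {
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$2" --decrypt "$1" 2>/dev/null | tar -tf - 2>/dev/null
}

# audit: run both checks against the real paths (needs root).
audit() {
    secret_file_ok "$SECRET" || return 1
    members=$(archive_members "$CRED" "$SECRET")
    [ -n "$members" ] || { echo "$CRED did not decrypt with $SECRET" >&2; return 1; }
    printf '%s\n' "$members"
}

# Only touch the real files when both exist on this host.
if [ -e "$CRED" ] && [ -e "$SECRET" ]; then audit; fi
```

Run it as root after a reset: an empty member list means the archive and the stored secret no longer match.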
Carbonio Mesh Credentials Reset on a Single-Server
Please keep in mind that the Carbonio Mesh service will be unavailable for the length of the operation.

We need some essential information before we begin the procedure. Connect to the Single-Server and run the command
The command returns the reset index value, which is required for the reset operation. The output will always be something like:
The last part of the output is the reset index value (reset index: 908), in our example 908: copy it or write it down.

Remove Old Credentials
The first task, to be performed as the service-discover user, is to save the current reset index to a file in order to produce a new ACL token. As in the example above, the value is 908 (replace it with the value from your own output), so we must execute
Then, stop the service-discovery process.

Remove the two files listed below.

Finally, delete all service-discovery certificates.

Make New Credentials
The first task is to create a new, strong password, which we will save in a temporary variable for further protection. Remember to keep the password somewhere secure in case you need it in the future.
Then run the setup as first instance.

This is exactly the same command as used during Carbonio Mesh configuration, with the exception that we use the explicit IP address and run it as first instance.

If the operation is successful, you may manually remove the password from the temporary variable.
Optionally, use the instructions to validate the ACL token.
Carbonio Mesh Credentials Reset on Multi-Server
Before beginning the procedure on a Multi-Server, identify the Leader Node. On that node, carry out some preliminary tasks, wipe the old secret, and produce the new one; lastly, set up the other nodes by copying the credentials to the remaining nodes and restarting the service.

Determine the IP Address of the Leader Node
You must locate and log into the Carbonio Mesh leader node. While the Directory Server is normally deployed on this Node, the actual leader may be different. Log in to a Directory Server node and run the command as the zextras user to discover the right IP address.
This will provide a list of all Carbonio Mesh servers.
Use the following command to ensure you are on the leader node.

The result will be an IP address and a port, such as 172.16.0.12:8300. If this IP address differs from that of the Directory Server, log in to the node with that address (172.16.0.12 in this example).
Remove Old Credentials
The first task, to be performed as the service-discover user, is to save the current reset index to a file in order to produce a new ACL token. As in the example above, the value is 908 (replace it with the value from your own output), so we must execute
Then, stop the service-discovery process.

Remove the two files listed below.

Finally, delete all service-discovery certificates.
Make New Credentials
The first task is to create a new, strong password, which we will save in a temporary variable for further protection. Remember to keep the password somewhere secure in case you need it in the future.
Then run the setup as first instance.

This is exactly the same command as used during Carbonio Mesh configuration, with the exception that we use the explicit IP address and run it as first instance.

If the operation is successful, you may manually remove the password from the temporary variable.
Optionally, use the instructions to validate the ACL token.

Configure Additional Nodes
To finish the operation, repeat these steps on each of the remaining Nodes.
Stop the service discovery process.

Remove the two files listed below:

Remove any certificates linked to service-discovery as well.

Finally, execute the Carbonio Mesh configuration: Put the MESH_SECRET password from the leader node into a variable.
Start the setup.

If the operation is successful, you may manually remove the password from the temporary variable.