Carbonio Mesh credentials

Have a Question?

Carbonio Mesh’s credentials are kept in /etc/zextras/service-discover/cluster-credentials.tar.gpg, a GPG-encrypted tar archive. The tar archive contains:

  • The Bootstrap token
  • Carbonio Mesh’s internal CA and matching private key
  • The encryption keys

The file containing the Carbonio Mesh credentials must be available and accessible throughout different administrative actions, including Carbonio setup and upgrade, pending-setups, and other small procedures involving Carbonio components.

The file indicated above is GPG-encrypted with a secret (which is simply another password) saved in /var/lib/service-discover/password and accessible only to the root user. The secret is required when using the pending-setups command and the Service Discover installation procedure.

So, if you can’t remember your password, connect in as root to any Carbonio Mesh Server and read the /var/lib/service-discover/password file.

If you wish to modify the secret or need to update it (for example, because it has been hacked, shared with or communicated to the incorrect people, or one of your company’s system administrators has departed), you must reset Carbonio Mesh Credentials.

Reset Carbonio Mesh credentials.

On a Multi-Server, before beginning the operation, it is required to identify the Leader Node, on which to do certain preliminary chores, then erase the old secret, produce a new one, and lastly set up the other nodes by copying the credentials and restarting the service.

Identify and log onto the Carbonio Mesh leader node. While this is often the node on which the Directory Server is deployed, the actual leader may differ. To identify the right IP, log onto a Directory Server node and perform the command as the zextras user.

This will list all Carbonio Mesh servers: To ensure that you are on the leader node, execute the following command.

The output will include an IP address and a port, such as If this IP address differs from the Directory Server’s, connect to the latter at

Remove Old Credentials

The initial action, performed as the service-discover user, is to save the current reset index to a file, allowing a new ACL token to be produced. As mentioned in the instance above, the value is 908 (alter it according to the output you obtain), thus we must execute.

Then terminate the service discovery service.

Remove the following two files.

Finally, delete any certificates connected to service discovery.

Generate New Credentials

The first job is to create a new, strong password, which we save in a temporary variable for further protection. Remember to keep the password somewhere secure in case you need it in the future.

When asked, enter your preferred password and then perform the setup as the first instance.

This is virtually the same command as the one used to configure Carbonio Mesh; the only difference is that we use an explicit IP address and execute it as the first occurrence.

If the operation is successful, you may manually unset the password.

Optionally, check the ACL token using the instructions.

Set up other nodes.

To finish the operation, repeat these steps on each of the remaining Nodes.

Log into one node and then copy the credentials from the leader node.

Stop the service discovery service.

Delete the following two files:

Remove any certificates relevant to service discovery.

Finally, start the Carbonio Mesh setup: Put the MESH_SECRET password specified on the leader node into a variable.

When asked, enter a password of your choosing and execute the setup.

If the operation is successful, you may manually unset the password.