Skip Navigation
Selfhosted @lemmy.world
blue_berry @feddit.de

Federation of my Lemmy instances doesnt work (please help)

I hope this is the right place for this.

So, here is the thing: my lemmy instance is accessible in the browser via its domain, everything is fine, but no other communities are shown. When I test federation with "curl -H "Accept: application/activity+json" https://my-instance.com/u/some-local-user" I get a SSL certificate error.

So I figured that it has something to do with my reverse proxy and modified the nginx.conf like described in the documentation.

But the error persists.

This is my nginx.config in /etc/nginx/sites-enables/

<my-domain>

:

" limit_req_zone $binary_remote_addr zone={{ my_domain }}_ratelimit:10m rate=1r/s;

server { listen 80; listen [::]:80; server_name {{ my_domain }}; # Hide nginx version server_tokens off; location / { return 301 https://$host$request_uri; } }

server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ my_domain }}; 

 undefined
        # Replace these lines with your own certificate and key paths
    ssl_certificate /etc/ssl/certs/{{ my_certs }};
    ssl_certificate_key /etc/ssl/certs/{{ my_keys }};

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers {{ cipher_encrypt }};
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Upload limit, relevant for pictrs
    client_max_body_size 20M;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Various content security headers
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";

    #location / {
    #  proxy_pass http://0.0.0.0:1236;
    #  proxy_http_version 1.1;
    #  proxy_set_header Upgrade $http_upgrade;
    #  proxy_set_header Connection "upgrade";
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #}


    location / {
      set $proxy_pass "http://0.0.0.0:1236";
      if ($http_accept = "application/activity+json") {
          set $proxy_pass "http://0.0.0.0:8536";
      }
      if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
          set $proxy_pass "http://0.0.0.0:8536";
      }
      proxy_pass $proxy_pass;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

access_log /var/log/nginx/access.log combined;

"(end of file)

Maybe, someone has an idea how to solve this. I'm really at the end of my wits here :(

10 comments

  • Does the SSL error also occur when you access https://yourlemmyinstance.com from curl without the extra activity+json header?

    • Yes, also occures without the header. But I think I know the problem now: I tried to use the certificate of my host provider, which seems not to work for federation

  • You can try using openssl s_client -connect domain:443 to help debug what the issue is. Without your domain it's hard to guess what specifically is causing a TLS issue.

    Where did you get your certs? Do they match exactly the domain you're using? Are they expired or self signed? Are your details in the double curly brackets all correct?

    You can try to use ssllabs, check cipher compatibility with browsers and such... though I think that requires things are working to a certain level first.

10 comments