
Federation of my Lemmy instance doesn't work (please help)

I hope this is the right place for this.

So, here is the thing: my Lemmy instance is accessible in the browser via its domain, everything is fine, but no other communities are shown. When I test federation with "curl -H "Accept: application/activity+json" my-instance.com/u/some-local-user" I get an SSL certificate error.

So I figured that it has something to do with my reverse proxy and modified the nginx.conf like described in the documentation.

But the error persists.

This is my nginx config in /etc/nginx/sites-enabled/<my-domain>:

limit_req_zone $binary_remote_addr zone={{ my_domain }}_ratelimit:10m rate=1r/s;

server {
    listen 80;
    listen [::]:80;
    server_name {{ my_domain }};

    # Hide nginx version
    server_tokens off;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ my_domain }};

    # Replace these lines with your own certificate and key paths
    ssl_certificate /etc/ssl/certs/{{ my_certs }};
    ssl_certificate_key /etc/ssl/certs/{{ my_keys }};

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers {{ cipher_encrypt }};
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Upload limit, relevant for pictrs
    client_max_body_size 20M;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Various content security headers
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";

    #location / {
    #  proxy_pass http://0.0.0.0:1236;
    #  proxy_http_version 1.1;
    #  proxy_set_header Upgrade $http_upgrade;
    #  proxy_set_header Connection "upgrade";
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #}

    location / {
        # Default to the lemmy-ui frontend; ActivityPub requests go to the backend
        set $proxy_pass "http://0.0.0.0:1236";
        if ($http_accept = "application/activity+json") {
            set $proxy_pass "http://0.0.0.0:8536";
        }
        # Inner quotes must be escaped, otherwise nginx fails to parse this line
        if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
            set $proxy_pass "http://0.0.0.0:8536";
        }
        proxy_pass $proxy_pass;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

access_log /var/log/nginx/access.log combined;

(end of file)

Maybe, someone has an idea how to solve this. I’m really at the end of my wits here :(

damium ,

Likely you needed to include the intermediate cert chain. Let's Encrypt sets that up automatically so it's quite a bit easier to get right.

Decronym Bot , (edited)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
HTTP            Hypertext Transfer Protocol, the Web
SSL             Secure Sockets Layer, for transparent encryption
TLS             Transport Layer Security, supersedes SSL
nginx           Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

[Thread for this sub, first seen 4th Feb 2024, 21:25] [FAQ] [Full list] [Contact] [Source code]

key ,

You can try using openssl s_client -connect domain:443 to help debug what the issue is. Without your domain it’s hard to guess what specifically is causing a TLS issue.

Where did you get your certs? Do they match exactly the domain you’re using? Are they expired or self signed? Are your details in the double curly brackets all correct?

You can try to use ssllabs, check cipher compatibility with browsers and such… though I think that requires things are working to a certain level first.
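To make the openssl s_client check repeatable, here is an added example (not from anyone in this thread) that opens a verified TLS connection to an instance the way a federating peer would, and maps the verification failure onto the causes discussed in the replies: self-signed certificate, missing intermediate chain, hostname mismatch, or expiry. The host name and the error-string table are assumptions; the strings are the standard OpenSSL verify messages.

```python
"""Check the TLS certificate a Lemmy instance serves, with full verification."""
import socket
import ssl

# Assumption: substrings of standard OpenSSL X509 verify error messages,
# each mapped to the likely cause and the fix a defender would apply.
_CAUSES = [
    ("self signed certificate", "self-signed certificate: no remote instance will trust it"),
    ("self-signed certificate", "self-signed certificate: no remote instance will trust it"),
    ("unable to get local issuer certificate",
     "intermediate chain missing: serve the full chain (e.g. fullchain.pem), not the leaf alone"),
    ("unable to get issuer certificate",
     "intermediate chain missing: serve the full chain (e.g. fullchain.pem), not the leaf alone"),
    ("certificate has expired", "certificate expired: renew it and reload nginx"),
    ("hostname mismatch", "certificate does not cover this domain name"),
    ("doesn't match", "certificate does not cover this domain name"),
]


def diagnose(error_text: str) -> str:
    """Map an ssl.SSLCertVerificationError message onto a likely cause."""
    lowered = error_text.lower()
    for needle, cause in _CAUSES:
        if needle in lowered:
            return cause
    return "other TLS verification failure: " + error_text


def check_instance(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with chain and hostname verification against the system trust
    store, which is what a remote instance's HTTP client does during federation."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"),
                        "issuer": cert.get("issuer"), "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:  # must come before SSLError
        return {"ok": False, "cause": diagnose(e.verify_message or str(e))}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "cause": "connection/TLS error: %s" % e}


if __name__ == "__main__":
    import sys
    # Assumed placeholder host; pass your own domain as the first argument.
    print(check_instance(sys.argv[1] if len(sys.argv) > 1 else "my-instance.com"))
```

A result with "ok": False and an "intermediate chain missing" cause is the case damium describes above; a browser may hide it because browsers fetch missing intermediates themselves, while server-side clients do not.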

hendrik ,

Where did you get your certificates from and what’s the exact error message? Maybe you’re using self-signed certificates. Those don’t get accepted by anyone else. Your path doesn’t look like the default letsencrypt/acme path…

blue_berry OP ,
@blue_berry@feddit.de avatar

Ok, yeah, I'm using a certificate of my domain provider. Maybe that's the problem … thanks! I will try to do it with letsencrypt/acme

hendrik ,

That would explain it. I mean if your provider provides you with a proper certificate, you can also use that. But often times it’s just a temporary self-signed placeholder that’s only good for development and not valid.

SirMaple_ , (edited)
@SirMaple_@lemmy.sirmaple.ca avatar

Nah don't use those. Get your own direct from Let's Encrypt. Less hoops to go through when it's time to renew. Acme with a crontab entry takes care of renewals automatically. Don't forget to add to the crontab line to restart nginx right after the renewal so that the new certs are used.

Edit: spelling

redcalcium ,

Does the SSL error also occur when you access https://yourlemmyinstance.com from curl without the extra activity+json header?

blue_berry OP ,
@blue_berry@feddit.de avatar

Yes, also occurs without the header. But I think I know the problem now: I tried to use the certificate of my host provider, which seems not to work for federation

blue_berry OP ,
@blue_berry@feddit.de avatar

Or do you know a similar post maybe?
