'Instance does not support hidden service connections' when looking up a clearnet instance

irb(main):002:0> ResolveAccountService.new.call('[redacted]@[redacted clearnet domain]')
/home/mastodon/live/app/lib/request.rb:37:in `initialize': Instance does not support hidden service connections (Mastodon::HostValidationError)

The instance I’m looking up is also one that I control. LOCAL_DOMAIN was never changed, as far as I recall, but WEB_DOMAIN, CDN_HOST, and STREAMING_API_BASE_URL were changed to our onion, temporarily.

What could be causing this? I’m running commit c5751f8377ed966381445a4a5871711ef565c3ea of glitch-soc.

First, WEB_DOMAIN is not supposed to change, ever, as it is used for all actors/objects’ identifiers (which are supposed to be immutable).

Basically, when resolving foo@LOCAL_DOMAIN, a webfinger query is issued to LOCAL_DOMAIN, which should redirect to WEB_DOMAIN, and, ultimately, to something like https://WEB_DOMAIN/users/foo which is the immutable identifier for foo@LOCAL_DOMAIN.

What seems to happen is that your [redacted]@[redacted clearnet domain] was initially known to your instance as resolving to the onion. It’s either cached locally or the webfinger reply is cached on the reverse-proxy (Mastodon allows its webfinger replies to be cached for up to 3 days, as they are not supposed to change).

Also, there is an environment variable to allow access to hidden services: ALLOW_ACCESS_TO_HIDDEN_SERVICE=true

1 Like

Is there some way to fix this, either on my end or on other admins’ end? I wonder if sending out an Update activity for each account would do it…?

Sending an Update would not help. Other admins could nuke your account from their database. On your end, I am not sure. Mind sharing one such account?

How could other admins go about doing that?

Depends on the software, on Mastodon this could be done through the Rails console (RAILS_ENV=production bundle exec rails c) with:
DeleteAccountService.new.call(Account.find_by(username: 'your_username', domain: 'your_clearnet_domain'), reserve_username: false, skip_activitypub: true)

1 Like

It seems that, having changed the WEB_DOMAIN back, other instances are starting to cache the new value. To be sure, though, if an account has an old cached value, it would be under uri in the Account model right?

Yes, the broken cached value would be under uri.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.