Other instances can't fetch my toot

yuzulabo · 2018-12-12 02:29:01 UTC

Hello. I’m one of the admin of https://knzk.me.

The other day, my instance stopped by high load. There was a problem when restarting.

My instance is using ae3d2f4 ( GitHub - KnzkDev/mastodon: Your self-hosted, globally interconnected microblogging community )

I didn’t find any problematic errors in nginx and mastodon-web logs.

Sidekiq seems worked, My instance request was sent to other instance, but it returned 401.

Should I check other logs?

Thank you.

wioxjk · 2018-12-12 16:28:18 UTC

What does happend if you add a relay?
Can you try https://relay.linux.pizza/inbox as a relay?

yuzulabo · 2018-12-13 08:26:21 UTC

Thank you for replying.

I added this relay server, but it can’t be approved…

wioxjk · 2018-12-13 10:08:58 UTC

Did you add it around 8:26 AM GMT+1 today?
Or what time did you add it? I am trying to see if your instance even sent a request to me

yuzulabo · 2018-12-13 10:13:52 UTC

Yes. Thank you for helping.

wioxjk · 2018-12-13 18:49:35 UTC

I did get requests actually that time, + I have created a test-account on your instance (testpizza) and successfully send messages to my instances.

Do you still have issues?

yuzulabo · 2018-12-14 08:26:30 UTC

it can send to knzk.me from other instances but it can’t send to other instances from knzk.me…
However, there seems to be a time to succeed.

I tried it now:

yuzulabo · 2018-12-14 08:27:08 UTC

yuzulabo · 2018-12-16 12:36:36 UTC

I checked nextcloud social can be fetched knzk.me’s toot.
(Because I understand PHP, I thought it was a nice way.)

Then, “signature can not be checked” was recorded in the log of nextcloud social.

Do you think this relates to other mastodon instances that return 401?

Gargron · 2018-12-17 17:54:51 UTC

I am trying to figure out where the problem is. I can fetch from knzk and I can deliver to knzk inbox. So the thing not working is knzk delivering outside, right? A bit difficult to test…

Gargron · 2018-12-17 17:58:36 UTC

I am also able to resolve accounts and public keys from knzk.me, which could have been the reason for 401s if that wasn’t working.

Gargron · 2018-12-17 18:04:03 UTC

@yuzulabo This is a wild guess at this point, but try to edit app/controllers/concerns/signature_verification.rb and replace:

    account_stoplight = Stoplight("source:#{request.ip}") { account_from_key_id(signature_params['keyId']) }
      .with_fallback { nil }
      .with_threshold(1)
      .with_cool_off_time(5.minutes.seconds)
    account = account_stoplight.run

with:

account = account_from_key_id(signature_params['keyId'])

I don’t know if this would help, and it undoes a security-related fix, but if something is wrong with your IP configuration, it could maybe be related.