Public key not found for key

I try to follow an actor on a Mastodon instance from my own local machine. I sign my request and have uploaded my public key to a publicly available place where Mastodon should be able to fetch it (a domain with a valid SSL cert).

But all I get is:

Public key not found for key https://www.example.com/id.pub

But I can download the public key with CURL without any problem.

The request looks like this:

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Follow",
    "summary": "john.doe follows foobarbaz",
    "actor": {
        "@context": [
            "https://www.w3.org/ns/activitystreams",
            "https://w3id.org/security/v1"
        ],
        "type": "Person",
        "id": "https://localhost:8989/john.doe",
        "preferredUsername": "john.doe",
        "inbox": "https://localhost:8989/account/john.doe/inbox",
        "outbox": "https://localhost:8989/account/john.doe/outbox",
        "followers": "https://localhost:8989/account/john.doe/followers",
        "following": "https://localhost:8989/account/john.doe/following",
        "liked": "https://localhost:8989/account/john.doe/liked",
        "publicKey": {
            "@context": "https://w3id.org/security/v1",
            "@type": "Key",
            "id": "https://localhost:8989/john.doe#main-key",
            "owner": "https://localhost:8989/john.doe",
            "publicKeyPem": "-----BEGIN PUBLIC KEY-----\\nMIIBIjANBg...MNgwQII57\\niQIDAQAB\\n-----END PUBLIC KEY-----"
        }
    },
    "object": {
        "@context": [
            "https://www.w3.org/ns/activitystreams",
            "https://w3id.org/security/v1"
        ],
        "type": "Person",
        "id": "https://other-example.com/users/foobarbaz",
        "preferredUsername": "foobarbaz",
        "inbox": "https://other-example.com/users/foobarbaz/inbox",
        "outbox": "https://other-example.com/users/foobarbaz/outbox",
        "followers": "https://other-example.com/users/foobarbaz/followers",
        "following": "https://other-example.com/users/foobarbaz/following"
    }
}

And the Signature header:

keyId="https://example.com/id.pub",headers="(request-target) host date",signature="j9KruD7enrWaYaJuZ...4BjSUw=="

The key and the actor must be on the same host, accessible from the outside. Your https://www.example.com/id.pub key points to a localhost owner, so the referential integrity check stops right there.

Alright. Thanks for the clarification. I fixed that. It seems that my key gets found but now I end up in:

{"status":500,"error":"Internal Server Error"}

Don’t think it’s possible, but any chance to get more information on what went wrong than just the 500?

Hmm. That’s weird, we normally have a lot of error reporting for different HTTP sig errors. Is this when submitting that activity to /inbox or when fetching the account?

It’s when I try to POST the above JSON to the endpoint:

https://other-example.com/users/foobarbaz/inbox

Of course now with a publicly available ActivityPub script (not localhost:8989 anymore) and pubkey. I tried everything for 2 days now but nothing helped. I’m pretty lost.

I also reduced the payload:

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "@type": "Follow",
    "summary": "john.doe follows foobarbaz",
    "actor": {
        "@type": "Person",
        "@id": "https://public.com/john.doe"
    },
    "object": {
        "@type": "Person",
        "@id": "https://other-example.com/users/foobarbaz"
    }
}

Sorry to necro the thread, but I’ve been having the same error for the past couple days, but I’m using ngrok to make my localhost publicly accessible, so the actor’s host does match the public-key post. My logs show that my Mastodon instance is indeed hitting the actor URL. Here’s what I’m sending (a lot of it is basically copied from Mastodon):

Headers:

  HTTP::Headers{
   "Accept" => "application/json",
   "Content-Type" => "application/activity+json",
   "Date" => "Wed, 30 Oct 2019 13:53:57 GMT",
   "Digest" => "SHA-256=AYU01zHrdn/4GxCoarvDIn39tR5/9zKZORublYPPX0o=",
   "Signature" => "keyId=\"https://e0f2f0d6.ngrok.io/users/foo#main-key\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date digest content-type\",signature=\"...\"",
   "User-Agent" => "Test client (test.cr/1.0.0; +https://e0f2f0d6.ngrok.io/)"},

Body:

  {"@context" => "https://www.w3.org/ns/activitystreams",
   "type" => "Follow",
   "actor" => "https://e0f2f0d6.ngrok.io/users/foo",
   "object" => "https://zomglol.wtf/users/jamie"}

And the response I’m sending to my Mastodon instance from my actor’s URL:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://w3id.org/security/v1"
  ],
  "id": "https://e0f2f0d6.ngrok.io/users/foo",
  "type": "Person",
  "following": "https://e0f2f0d6.ngrok.io/users/foo/following",
  "followers": "https://e0f2f0d6.ngrok.io/users/foo/followers",
  "inbox": "https://e0f2f0d6.ngrok.io/users/foo/inbox",
  "outbox": "https://e0f2f0d6.ngrok.io/users/foo/outbox",
  "featured": "https://e0f2f0d6.ngrok.io/users/foo/collections/featured",
  "preferredUsername": "foo",
  "name": "FooBar",
  "summary": "This is an account",
  "url": "https://e0f2f0d6.ngrok.io/@foo",
  "manuallyApprovesFollowers": false,
  "discoverable": true,
  "publicKey": {
    "id": "https://e0f2f0d6.ngrok.io/users/foo#main-key",
    "owner": "https://e0f2f0d6.ngrok.io/users/foo",
    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4+NEcXZQHgCqHhIuhw1V\nek/+zKX25aUVijR++v7AoeS/0x0yo5vQesMRqhWRsrs3DwSdUGzWT19Sl7q8bV1t\nr7o/ZTlB0EUZS6fAlAzLmk73eps5kCnHNe+t1oUBxoUIYyZSBQwhQJxNHyJZoedA\n60GbyVxi6OgLl0s0NRGMiCxp/x9fWuE6onQV5VTBKkBpmywvD37vIl8jBxZUPBly\n+mMVC+0hmpJlp9eJ1xJ5CJts8bmDlzJfLmnrv3cf5DKLcq0eEYK57kuE0DYUcpjj\nPO7uPPWvsrjC3rSVF5+/t7URQfh61yBHinrVrXMBCo9lV7h8J/E1wr2FXIp6RQAJ\nOgwI985fpcGJOJrhOwMTsoiBeTt0e6glKDmkCkOrh+E9N/X5HC/ssx4y6gu6aMMu\nQryg16HWCPEYNyvLW8HGmfFsCj2IzRRec5HKl/hoHQFpU3sCKl0XjWC2YG6gzIs9\nGqzPX6yoQ2C85H2DggCC9khZNn3kB1vEPk9b+AFBjnHoNhJu7oZztHjy634c05K0\nY95cC7ng3c1moG3R5jf1rYV/byDGok+HTBwL+mgKh2lFJHdrnE8pScfSGM+kbyFl\ncArOXBgXPYAKl+bxlTdrKgWKniwdmOj6dHIsNW8B9/sDWdzEf1XppKH1C29BuxhR\nXiJzhNFD89lbJxevpGM8Ao8CAwEAAQ==\n-----END PUBLIC KEY-----"
  },
  "tag": [],
  "attachment": [],
  "endpoints": {
    "sharedInbox": "https://e0f2f0d6.ngrok.io/inbox"
  }
}

Do y’all have any ideas? I’m pretty stumped.
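
A preflight check for the consistency points raised in this thread (key and actor on the same externally reachable host, `publicKey.owner` pointing back at the actor, and the `Digest` header matching the body), as an added example that is not part of any post and is not Mastodon's code. It uses only the Python standard library and does not verify the RSA signature itself; the function names and the sample values are constructed for illustration.

```python
import base64, hashlib, re
from urllib.parse import urlsplit

def parse_signature(value):
    """Split a Signature header into its key="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def signing_string(method, path, headers, signed):
    """One 'name: value' line per signed header, in the order listed in headers=."""
    return "\n".join(
        f"(request-target): {method.lower()} {path}" if name == "(request-target)"
        else f"{name}: {headers[name]}"
        for name in signed.split())

def host(url):
    return urlsplit(url).hostname

def preflight(signature, headers, body, activity_actor, actor_doc):
    """List the consistency problems found before any RSA verification is attempted."""
    params, problems = parse_signature(signature), []
    key_id, key = params.get("keyId", ""), actor_doc.get("publicKey", {})
    if host(activity_actor) in (None, "localhost", "127.0.0.1"):
        problems.append("actor is not reachable from outside")
    if host(key_id) != host(activity_actor):
        problems.append("keyId and actor are on different hosts")
    if key.get("id") != key_id:
        problems.append("publicKey.id differs from keyId")
    if not (key.get("owner") == actor_doc.get("id") == activity_actor):
        problems.append("publicKey.owner, actor id and activity actor disagree")
    if "digest" in params.get("headers", "").split():
        # Digest is "SHA-256=" followed by base64 of the raw body's SHA-256 hash.
        want = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
        if headers.get("digest") != want:
            problems.append("Digest header does not match the body")
    return problems

if __name__ == "__main__":
    # Constructed from the first post: key on one host, actor and owner on localhost.
    actor = "https://localhost:8989/john.doe"
    doc = {"id": actor, "publicKey": {"id": actor + "#main-key", "owner": actor}}
    sig = ('keyId="https://www.example.com/id.pub",'
           'headers="(request-target) host date",signature="placeholder"')
    for problem in preflight(sig, {}, b"{}", actor, doc):
        print("FAIL:", problem)
```

Header names passed to `signing_string` and `preflight` are expected in lowercase, matching the names listed in the `headers=` parameter.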
