Public key not found for key


#1

I try to follow an actor on a Mastodon instance from my own local machine. I sign my request and have uploaded my public key to a publicly available place where Mastodon should be able to fetch it (a domain with a valid SSL cert).

But all I get is:

Public key not found for key https://www.example.com/id.pub

But I can download the public key with curl without any problem.

The request looks like this:

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Follow",
    "summary": "john.doe follows foobarbaz",
    "actor": {
        "@context": [
            "https://www.w3.org/ns/activitystreams",
            "https://w3id.org/security/v1"
        ],
        "type": "Person",
        "id": "https://localhost:8989/john.doe",
        "preferredUsername": "john.doe",
        "inbox": "https://localhost:8989/account/john.doe/inbox",
        "outbox": "https://localhost:8989/account/john.doe/outbox",
        "followers": "https://localhost:8989/account/john.doe/followers",
        "following": "https://localhost:8989/account/john.doe/following",
        "liked": "https://localhost:8989/account/john.doe/liked",
        "publicKey": {
            "@context": "https://w3id.org/security/v1",
            "@type": "Key",
            "id": "https://localhost:8989/john.doe#main-key",
            "owner": "https://localhost:8989/john.doe",
            "publicKeyPem": "-----BEGIN PUBLIC KEY-----\\nMIIBIjANBg...MNgwQII57\\niQIDAQAB\\n-----END PUBLIC KEY-----"
        }
    },
    "object": {
        "@context": [
            "https://www.w3.org/ns/activitystreams",
            "https://w3id.org/security/v1"
        ],
        "type": "Person",
        "id": "https://other-example.com/users/foobarbaz",
        "preferredUsername": "foobarbaz",
        "inbox": "https://other-example.com/users/foobarbaz/inbox",
        "outbox": "https://other-example.com/users/foobarbaz/outbox",
        "followers": "https://other-example.com/users/foobarbaz/followers",
        "following": "https://other-example.com/users/foobarbaz/following"
    }
}

And the Signature header:

keyId="https://example.com/id.pub",headers="(request-target) host date",signature="j9KruD7enrWaYaJuZ...4BjSUw=="

#2

The key and the actor must be on the same host, accessible from the outside. Your https://www.example.com/id.pub key points to a localhost owner, so the referential integrity check stops right there.

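The exchange the thread is about, as an added example (this is not Mastodon's own code and not the poster's script): a client signs a POST with the `(request-target) host date` header list, and a server-side verifier parses the `Signature` header, resolves `keyId`, applies the referential-integrity check from the reply above (key reachable over https, owner on the same host, owner's `publicKey.id` equal to the `keyId`), and only then checks the RSA-SHA256 signature. Network fetches are replaced by an in-memory resolver over constructed actor documents; the hosts `public.com`, `other-example.com` and the `localhost:8989` owner are taken from the thread. A real verifier also checks things this demo omits, such as the freshness of the `Date` header.

```ruby
require 'openssl'
require 'uri'

# Client: build the signing string for the listed headers, in order. Header names
# are lowercase; "(request-target)" expands to "<method> <path>".
def signing_string(method, path, headers, header_names)
  header_names.map do |name|
    next "(request-target): #{method.downcase} #{path}" if name == '(request-target)'
    "#{name}: #{headers[name]}"
  end.join("\n")
end

# Client: produce the Signature header value for a request (rsa-sha256, PKCS#1 v1.5).
def sign_request(private_key, key_id, method, path, headers,
                 header_names = ['(request-target)', 'host', 'date'])
  raw = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, header_names))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{header_names.join(' ')}",signature="#{[raw].pack('m0')}")
end

# Server: parse keyId="...",headers="...",signature="..." into a hash.
def parse_signature_header(value)
  value.scan(/(\w+)="([^"]*)"/).to_h
end

# Server: referential integrity. keyId and the key's owner must both be https URLs on
# the same host, and the owner must be the actor whose publicKey id is this keyId.
def key_matches_actor?(key_id, key_doc, actor_doc)
  k = URI(key_id)
  o = URI(key_doc['owner'].to_s)
  k.scheme == 'https' && o.scheme == 'https' && k.host == o.host &&
    actor_doc['id'] == key_doc['owner'] &&
    actor_doc.dig('publicKey', 'id') == key_id
end

# Server: full check. `resolve` maps a URL (fragment stripped) to a parsed JSON document.
# Returns [ok, reason].
def verify_request(method, path, headers, resolve)
  params = parse_signature_header(headers['signature'].to_s)
  key_id = params['keyId'].to_s
  doc = resolve.call(key_id.sub(/#.*\z/, ''))
  key_doc = doc && (doc['publicKey'] || doc)            # actor with embedded key, or a bare key object
  return [false, "Public key not found for key #{key_id}"] unless key_doc && key_doc['publicKeyPem']
  actor_doc = doc['publicKey'] ? doc : resolve.call(key_doc['owner'].to_s)
  unless actor_doc && key_matches_actor?(key_id, key_doc, actor_doc)
    return [false, "key #{key_id} is not owned by an actor on the same host"]
  end
  names = params['headers'].to_s.split(' ')
  missing = names.reject { |n| n == '(request-target)' || headers.key?(n) }
  return [false, "signed headers missing from request: #{missing.join(', ')}"] unless missing.empty?
  begin
    raw = params['signature'].to_s.unpack1('m0')
  rescue ArgumentError
    return [false, 'malformed signature value']
  end
  public_key = OpenSSL::PKey::RSA.new(key_doc['publicKeyPem'])
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), raw, signing_string(method, path, headers, names))
  [ok, ok ? 'ok' : 'signature does not match']
end

# Constructed demo: one key pair, one inbox POST, two key placements, one tampered request.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  pem = key.public_key.to_pem
  path = '/users/foobarbaz/inbox'
  headers = { 'host' => 'other-example.com', 'date' => 'Tue, 05 Jun 2018 12:00:00 GMT' }

  # Case A (what the thread ended with): actor and key on the same public host.
  actor_id = 'https://public.com/john.doe'
  good_key_id = "#{actor_id}#main-key"
  good_actor = { 'id' => actor_id, 'type' => 'Person',
                 'publicKey' => { 'id' => good_key_id, 'owner' => actor_id, 'publicKeyPem' => pem } }
  # Case B (the original post): key served from example.com, owner on localhost.
  bad_key_id = 'https://www.example.com/id.pub'
  bad_owner = 'https://localhost:8989/john.doe'
  bad_key = { 'id' => bad_key_id, 'owner' => bad_owner, 'publicKeyPem' => pem }
  bad_actor = { 'id' => bad_owner, 'type' => 'Person', 'publicKey' => bad_key }
  docs = { actor_id => good_actor, bad_key_id => bad_key, bad_owner => bad_actor }
  resolve = ->(url) { docs[url] }

  results = {}
  { good: good_key_id, bad: bad_key_id }.each do |label, kid|
    signed = headers.merge('signature' => sign_request(key, kid, 'POST', path, headers))
    results[label] = verify_request('POST', path, signed, resolve)
  end
  # Changing a signed header after signing must fail too.
  signed = headers.merge('signature' => sign_request(key, good_key_id, 'POST', path, headers))
  results[:tampered] = verify_request('POST', path, signed.merge('date' => 'Tue, 05 Jun 2018 13:00:00 GMT'), resolve)
  results
end

demo.each { |label, (ok, reason)| puts "#{label}: #{ok} (#{reason})" } if $PROGRAM_NAME == __FILE__
```

The resolver is where a real server does an outbound HTTPS fetch; in case B that fetch would go to `localhost:8989` as seen from the remote instance, so the check fails before the signature is even looked at, which is the behaviour the reply describes.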

#3

Alright. Thanks for the clarification. I fixed that. It seems that my key gets found but now I end up in:

{"status":500,"error":"Internal Server Error"}

I don’t think it’s possible, but is there any chance to get more information about what went wrong than just the 500?


#4

Hmm. That’s weird, we normally have a lot of error reporting for different HTTP sig errors. Is this when submitting that activity to /inbox or when fetching the account?


#5

It’s when I try to POST the above JSON to the endpoint:

https://other-example.com/users/foobarbaz/inbox

Of course now with a publicly available ActivityPub script (not localhost:8989 anymore) and pubkey. I’ve tried everything for 2 days now, but nothing helped. I’m pretty lost.

I also reduced the payload:

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "@type": "Follow",
    "summary": "john.doe follows foobarbaz",
    "actor": {
        "@type": "Person",
        "@id": "https://public.com/john.doe"
    },
    "object": {
        "@type": "Person",
        "@id": "https://other-example.com/users/foobarbaz"
    }
}