Can't follow between two instances I own

Hi,

So I’ve set up 2 peertube v7 instances, with different domain names.
Each one works and is accessible on the web, but I cannot get them to follow one another.

My goal is to add redundancy to video hosting.

  • We have one instance which is normally used, which possesses videos.
  • The other is empty (no video)
  • I want to make the empty one follow the one with videos (kind of a master-slave behavior?)

When making the follower request from the slave, this is what I get on the master :

[peertube.tata.casa:443] 2025-01-03 07:45:06.200 info: Fetching remote actor https://peertube.alt.tata.casa/accounts/peertube.
[peertube.tata.casa:443] 2025-01-03 07:45:09.458 warn: Error in ActivityPub signature checker. {
  "err": {
    "stack": "RequestError: cacheableLookup ENOTFOUND peertube.alt.tata.casa\n    at ClientRequest.<anonymous> (file:///app/node_modules/got/dist/source/core/index.js:792:107)\n    at Object.onceWrapper (node:events:632:26)\n    at ClientRequest.emit (node:events:529:35)\n    at TLSSocket.socketErrorListener (node:_http_client:501:9)\n    at TLSSocket.emit (node:events:517:28)\n    at emitErrorNT (node:internal/streams/destroy:151:8)\n    at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)\n    at CacheableLookup.lookupAsync (file:///app/node_modules/cacheable-lookup/source/index.js:202:18)",
    "message": "cacheableLookup ENOTFOUND peertube.alt.tata.casa",
    "name": "RequestError",
    "requestHeaders": {
      "user-agent": "PeerTube/7.0.0 (+https://peertube.tata.casa)",
      "date": "Fri, 03 Jan 2025 07:45:06 GMT",
      "accept": "application/activity+json, application/ld+json",
      "accept-encoding": "gzip, deflate, br",
      "host": "peertube.alt.tata.casa",
      "signature": "keyId=\"https://peertube.tata.casa/accounts/peertube\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date\",signature=\"fPCoqINsPvdOHSpy7rRWf9SNY53msocqKr51so4TQ+JTS26vQ4HCQC+CpBAG3fQPDjR+uxQA62kc3rGY765ePagQqklNN90l4AtVWtrjpBTQbo0/hD9ZaLrGr8fG/H8cx+qXCyNA/5ooxzoqa1PheXAhCmMGGfbjQr4l+EivYjCj3DXs/mlgwoTzVl1WtMoZpdcPVzj6Zc4acJD0U1RJ6p844VUWiNlgpJ6aI2Gobwrrq7B+iUWqqgKeJyXa/WSdM5YGiNad+Qf6IfXgHmSVuj5VcZ4kA1GCUnBexyA84duQo0HC0+JPHuCGJCTzrv+0Gr62gy3CP2gm40dSEKZwfA==\""
    },
    "requestUrl": "https://peertube.alt.tata.casa/accounts/peertube",
    "requestMethod": "GET"
  }
}
[peertube.tata.casa:443] 2025-01-03 07:45:09.465 info: 37.65.43.141 - - [03/Jan/2025:07:45:09 +0000] "POST /accounts/peertube/inbox HTTP/1.1" 403 109 "-" "PeerTube/7.0.0 (+https://peertube.alt.tata.casa)"

And this is what I get on the slave :

[peertube.alt.tata.casa:443] 2025-01-03 07:44:52.503 info: 2a02:: - - [03/Jan/2025:07:44:52 +0000] "POST /api/v1/server/following HTTP/1.1" 204 - "https://peertube.alt.tata.casa/admin/settings/follows/following-list" "Firefox"
[peertube.alt.tata.casa:443] 2025-01-03 07:44:52.519 info: Processing ActivityPub follow in job 3.
[peertube.alt.tata.casa:443] 2025-01-03 07:44:53.233 info: Creating job to send follow request to https://peertube.tata.casa/accounts/peertube.
[peertube.alt.tata.casa:443] 2025-01-03 07:44:53.323 info: Processing ActivityPub unicast in job 2.
[peertube.alt.tata.casa:443] 2025-01-03 07:45:09.461 info: Updating 0 good actor follows and 1 bad actor follows scores in cache. {
  "badInboxes": [
    "https://peertube.tata.casa/accounts/peertube/inbox"
  ]
}
[peertube.alt.tata.casa:443] 2025-01-03 07:46:13.065 info: 2a02:: - - [03/Jan/2025:07:46:13 +0000] "GET /admin/settings/follows/following-list HTTP/1.1" 200 18859 "-" "Firefox"

Result :
The request appears on the web-view from the slave.
No request appears on the master. Thus I cannot reply to associate the two instances.

All in all, I find no information on this case in the doc, or on what a « badInbox » is.

I should probably say that I previously changed the domain name of the master, from alt to « without alt ». (ie the slave has the previous address the master had, and the master changed to get the « main domain »). The slave was started cleanly, never changed its domain. The master, I used the script given in the doc.

The two instances are using the official docker images.
The migration script was correctly executed on master, which was previously a 6.0.1.

Thank you for your help.

Hi,

Seems peertube.alt.tata.casa does not have a valid DNS A entry

Oooooooh. Thank you, I understand now.

Indeed, I’m French under « red-by-sfr » internet provider, and their last box directly comes under IPV6 routing. There is no more IPV4. No more NAT.

So I only have a valid AAAA entry.

Does peertube not know how to work with ipv6 ?

Yes it should work :thinking: Maybe a DNS cache issue?

EDIT: just tested to follow peertube.alt.tata.casa from peertube2.cpy.re with success, so maybe a network issue or a DNS cache issue

Have you applied IPv6 configuration changes that are required with v6.3.0:

Note: another modification comes with v7:

Hi,

Thank you for the suggestion, indeed I spent time to check the release notes, but in some way I omitted the ipv6 lines.

Still, after modifying my env and yml files, this doesn’t seem to resolve my problem.

Thus I thought about it, and I’m not sure why it should ; this is my setup (I host multiple services behind a common reverse proxy) :
[image: diagram of the setup]

I have no problem accessing peertube.alt.tata.casa, so that must mean the reverse proxy is correctly set up for web access ; maybe I’m missing something for activitypub, which could be particular with IPV6 ?

On the master node, I see multiple exchanges regularly from activitypub in peertube logs; on the slave, I do not. So this is probably the problem.

In short, here is the corresponding haproxy conf used :

bind :::443 v4v6 ssl crt /certs/peertube_alt_tata_casa/ck.pem
...
acl host_tube hdr(host) -i peertube.alt.tata.casa
use_backend peertube if host_tube
...
backend peertube
        server tube 127.0.0.1:9999 check # 9999 redirects to 9000 in docker compose

If you only have IPv4 on master, and only IPv6 on slave, they can’t communicate…
There is no magic on the internet.

To test connectivity, open a bash session in your slave, and try to do a curl 'https://peertube.tata.casa'.
You can do the same test the other way.

From my computer:

curl 'https://peertube.alt.tata.casa'
curl: (7) Failed to connect to peertube.alt.tata.casa port 443 after 3002 ms: Couldn't connect to server

Seems your 443 port is not open on your alt server.

You probably have to open the port on your internet box.

You couldn’t contact my server because it fell a few minutes after having added the ipv6 lines in docker-compose.yml + env.

For some reason it seems to conflict with my haproxy (network mode: host). But well as you can see I’m no ipv6 expert :slight_smile:.

You can try your curl again, the server is up and running, but I had to remove the ipv6 lines you had previously pointed out :frowning:.

Indeed you’re right :
from my slave (peertube.alt.tata.casa) I can contact my master (curl works).
but from my master (peertube.tata.casa), I cannot contact my slave (curl doesn’t work).

Not sure how to work around this.

EDIT : forget about it, it fell again… gonna investigate this.

I assume your master has no IPv6?
Maybe check again the configuration change in v7 (it is highly recommended to have both IPv4 and IPv6 for production servers).

1 Like
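
An added example, not part of any post in this thread and not PeerTube code: the logs above show that a follow needs two working network legs, the follower's POST to the inbox and the followed instance's GET of the follower's actor URL for the signature check, and the sketch below tests each leg per address family. The DNS records and outbound address families are constructed sample values (assumptions chosen to mirror the thread's symptoms), and `published_families`, `follow_legs` and `constructed_resolver` are hypothetical names.

```python
import socket

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def published_families(host, resolver=socket.getaddrinfo):
    """Address families ("IPv4"/"IPv6") for which the name has a DNS record."""
    found = set()
    for label, family in FAMILIES.items():
        try:
            if resolver(host, 443, family, socket.SOCK_STREAM):
                found.add(label)
        except socket.gaierror:
            pass  # no record of this type: the ENOTFOUND case seen in the log
    return found

def follow_legs(follower, followed, outbound, resolver=socket.getaddrinfo):
    """For each leg of a follow, list the families usable end to end.

    outbound maps host -> families it can open connections on (an input you
    establish yourself, e.g. with `curl -4` / `curl -6` from inside the container).
    """
    legs = {}
    for leg, src, dst in (
        ("deliver_follow", follower, followed),   # POST /accounts/peertube/inbox
        ("fetch_actor_key", followed, follower),  # GET actor URL for signature check
    ):
        legs[leg] = sorted(outbound[src] & published_families(dst, resolver))
    return legs

# Constructed sample data (documentation address ranges), not real records.
CONSTRUCTED_DNS = {
    ("peertube.tata.casa", socket.AF_INET): ["192.0.2.10"],
    ("peertube.tata.casa", socket.AF_INET6): ["2001:db8::10"],
    ("peertube.alt.tata.casa", socket.AF_INET6): ["2001:db8::20"],  # AAAA only
}
CONSTRUCTED_OUTBOUND = {
    "peertube.tata.casa": {"IPv4"},      # assumption: no IPv6 egress
    "peertube.alt.tata.casa": {"IPv6"},  # IPv6-only line, as described
}

def constructed_resolver(host, port, family=0, type=0):
    """Offline stand-in for socket.getaddrinfo over CONSTRUCTED_DNS."""
    addrs = CONSTRUCTED_DNS.get((host, family))
    if not addrs:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [(family, type, 6, "", (addr, port)) for addr in addrs]

if __name__ == "__main__":
    print(follow_legs("peertube.alt.tata.casa", "peertube.tata.casa",
                      CONSTRUCTED_OUTBOUND, constructed_resolver))
```

An empty list for `fetch_actor_key` means the followed instance cannot retrieve the follower's public key, so the signature check fails and the inbox POST is rejected. Drop the `resolver` argument to query live DNS.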