Hello!
I deployed 2 PeerTube instances (on-premise, not published to the Internet) in our local network and can’t cross-federate them. I am receiving an error.
After running this command against peertube.log:
cd /var/www/peertube/peertube-latest && sudo -u peertube NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run parse-log -- --level debug --not-tags http sql
I see an error after trying to add "Following" in "Federation":
[mediaserver-02.domain.local:443] 7/31/2025, 11:25:24 AM.906 warn: Do not follow peertube@mediaserver-01.domain.local:443 because we could not find the actor URL (in database or using webfinger) {
"err": {
"stack": "RequestError: The IP of the domain is reserved!\n at Request._beforeError (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:189:21)\n at Request.flush (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:178:18)\n at protect (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got-ssrf/dist/index.js:57:15)\n at async Request._makeRequest (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:823:28)\n at async Request.flush (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:164:13)",
"name": "RequestError",
"requestHeaders": {
"user-agent": "PeerTube/7.2.3 (+https://mediaserver-02.domain.local)",
"date": "Thu, 31 Jul 2025 06:25:24 GMT",
"accept": "application/json",
"accept-encoding": "gzip, deflate, br"
},
"requestUrl": "https://mediaserver-01.domain.local/.well-known/nodeinfo",
"requestMethod": "GET"
}
}
mediaserver-01.domain.local:443 ← NETWORK is OK → mediaserver-02.domain.local:443
These two servers can resolve each other properly via the DNS server.
Could you please help me understand what this error means?
I found that this message ('The IP of the domain is reserved') comes from /var/www/peertube/peertube-latest/node_modules/got-ssrf/dist/index.js:
// Another layer of protection against SSRF - ensure we're not hitting internal services.
// Try to match "reserved" IP ranges: https://en.wikipedia.org/wiki/Reserved_IP_addresses
// https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html#case-2-application-can-send-requests-to-any-external-ip-address-or-domain-name
// The function returns 'unicast' or the name of the reserved IP range, should it match any.
// This in effect blocks all private IP Range: https://git.io/JWy3u, https://git.io/JWy3b
// We use ip.process() here to deal with potentially IPv4-mapped IPv6 addresses (which will show up as "ipv4mapped"
// and not the whatever range the actual IPv4 address actually belongs to).
if (ip.process(IP).range() !== 'unicast')
throw new Error('The IP of the domain is reserved!');
As I understand it, my hosts are not passing the SSRF check…
How can I 'whitelist' them? My hosts have IPs from different subnets.
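Why the guard quoted above fires on a LAN, as an added example that is not part of the original posts and is not got-ssrf or ipaddr.js code: a minimal IPv4 classifier that applies the same "anything other than unicast is refused" rule, including the IPv4-mapped IPv6 case the comment mentions. The range table is a subset, and the range labels, function names and sample addresses are constructed for illustration.

```javascript
// Added example, not got-ssrf or ipaddr.js code. The table is a subset of the
// reserved IPv4 ranges and the range labels are this example's own.
const RESERVED_V4 = [
  ['unspecified', '0.0.0.0/8'],
  ['private', '10.0.0.0/8'],
  ['carrierGradeNat', '100.64.0.0/10'],
  ['loopback', '127.0.0.0/8'],
  ['linkLocal', '169.254.0.0/16'],
  ['private', '172.16.0.0/12'],
  ['private', '192.168.0.0/16'],
  ['multicast', '224.0.0.0/4'],
  ['reserved', '240.0.0.0/4'],
];

// Dotted-quad string -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when n falls inside cidr (compares the network part by division).
function inCidr(n, cidr) {
  const [base, bits] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
}

// Returns 'unicast' for a routable address, else the matching range label.
function classify(addr) {
  // Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.5 is judged as 10.0.0.5.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr);
  const v4 = ipv4ToInt(mapped ? mapped[1] : addr);
  if (v4 === null) return 'invalid'; // plain IPv6 is out of scope here
  const hit = RESERVED_V4.find(([, cidr]) => inCidr(v4, cidr));
  return hit ? hit[0] : 'unicast';
}

// Same decision as the guard quoted above: anything but 'unicast' is refused.
const wouldBeBlocked = (addr) => classify(addr) !== 'unicast';

// Constructed sample addresses (the thread does not give the real ones).
const SAMPLE = ['10.20.1.15', '192.168.40.7', '::ffff:172.16.5.9', '1.1.1.1'];
const report = () => SAMPLE.map((a) => `${a} -> ${classify(a)}`);
console.log(report().join('\n'));
```

Every RFC 1918 address lands in a non-unicast range, so two instances that resolve each other to LAN addresses fail this kind of check no matter which subnets they sit in.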
Hello! Thanks, it helps!
But I am now receiving the following error on one of the instances:
{
"err": {
"stack": "RequestError: self-signed certificate in certificate chain\n at ClientRequest.<anonymous> (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:673:107)\n at Object.onceWrapper (node:events:639:26)\n at ClientRequest.emit (node:events:536:35)\n at emitErrorEvent (node:_http_client:101:11)\n at TLSSocket.socketErrorListener (node:_http_client:504:5)\n at TLSSocket.emit (node:events:524:28)\n at emitErrorNT (node:internal/streams/destroy:169:8)\n at emitErrorCloseNT (node:internal/streams/destroy:128:3)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21)\n at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)\n at TLSSocket.emit (node:events:524:28)\n at TLSSocket._finishInit (node:_tls_wrap:1076:8)\n at ssl.onhandshakedone (node:_tls_wrap:862:12)",
...
Our SSL certificates are signed by our internal corp CA. How can I resolve the error above in this situation?
And on the other instance I am receiving a "Bad response: 503" error:
[mediaserver-01.domain.local:443] 8/1/2025, 10:41:40 AM.138 warn: Do not follow peertube@mediaserver-02.domain.local:443 because we could not find the actor URL (in database or using webfinger) {
"err": {
"stack": "RequestError: Bad response: 503\n at ClientRequest.<anonymous> (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:673:107)\n at Object.onceWrapper (node:events:622:26)\n at ClientRequest.emit (node:events:519:35)\n at emitErrorEvent (node:_http_client:104:11)\n at _destroy (node:_http_client:898:9)\n at onSocketNT (node:_http_client:918:5)\n at process.processTicksAndRejections (node:internal/process/task_queues:91:21)\n at ClientRequest.<anonymous> (file:///var/www/peertube/versions/peertube-v7.2.3/dist/core/helpers/hpagent.js:100:26)\n at Object.onceWrapper (node:events:622:26)\n at ClientRequest.emit (node:events:507:28)\n at Socket.socketOnData (node:_http_client:598:11)\n at Socket.emit (node:events:507:28)\n at addChunk (node:internal/streams/readable:559:12)\n at readableAddChunkPushByteMode (node:internal/streams/readable:510:3)\n at Readable.push (node:internal/streams/readable:390:5)\n at TCP.onStreamRead (node:internal/stream_base_commons:189:23)",
"name": "RequestError",
"requestHeaders": {
"user-agent": "PeerTube/7.2.3 (+https://mediaserver-01.domain.local)",
"date": "Fri, 01 Aug 2025 05:41:40 GMT",
"accept": "application/json",
"accept-encoding": "gzip, deflate, br",
"host": "mediaserver-02.domain.local"
},
"requestUrl": "https://mediaserver-02.domain.local/.well-known/nodeinfo",
"requestMethod": "GET"
}
}
So many errors with local federation…(
These parameters in the peertube.service unit helped:
Environment=NODE_EXTRA_CA_CERTS=/etc/ssl/certs/mediaserver-chain.pem
Environment=NODE_OPTIONS=--use-openssl-ca
Federation is fully working now. Thanks a lot for the help!