Unable To Federate / Subscribe #105

Open
Mad-Scientista opened this issue Feb 21, 2025 · 1 comment

Mad-Scientista commented Feb 21, 2025

Did you check the FAQ & Troubleshooting section for answers to common questions and issues?

Yes

Describe the issue

Been unable to federate to other instances / subscribe. It always shows as subscription pending.

Diagnostic Information

Run ./deploy.sh -d and paste the output below:

==== Docker Information ====
Detected runtime: docker (Docker version 28.0.0, build f9ced58)
Detected compose: docker compose (Docker Compose version v2.33.0)
   Runtime state: OK

==== System Information ====
      OS: Linux
  KERNEL: 6.8.0-1019-oracle (aarch64)
HOSTNAME: OK
   SHELL: bash
  MEMORY:
               total        used        free      shared  buff/cache   available
Mem:            23Gi       2.0Gi        19Gi        68Mi       2.2Gi        21Gi
Swap:             0B          0B          0B

DISTRO:
----------------------------
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_CODENAME=noble
UBUNTU_CODENAME=noble
----------------------------

==== Lemmy-Easy-Deploy Information ====
Version: 1.4.3

IMAGE                                   CREATED          STATUS
caddy:latest                            45 minutes ago   Up 45 minutes
dessalines/lemmy-ui:0.19.9              45 minutes ago   Up 45 minutes (healthy)
dessalines/lemmy:0.19.9                 45 minutes ago   Up 45 minutes
pgautoupgrade/pgautoupgrade:16-alpine   45 minutes ago   Up 45 minutes (healthy)
asonix/pictrs:0.5                       45 minutes ago   Up 45 minutes

Integrity:
    e406b803667c2910e37d150cd65b866e6611f2998766e235ce5a785bfef8ee42  ./deploy.sh
    92c95dfc886792b8df2e9fffb540fc71a35c3bc6fd6c7662134da1545a79457a  ./templates/Caddy-Dockerfile.template
    c1202e70662dd2228da36a35a0f38ec8fc81bec8964d7315d02e8671a58dd7d7  ./templates/Caddyfile.template
    2537678c7971df36c1ed95f4228d3cfcb15bb4a28a60d939eaf8dd75b5d64a36  ./templates/cloudflare.snip
    c494a610bcb4cd1cfc0a4fe4fb0f6d437b2a84a0ad1625daee240e6dd6f1c910  ./templates/compose-email-volumes.snip
    c9cb4c5fee12930e17798a02ae1bd12e2dc69e149a394c24511bc9d4e6b776d4  ./templates/compose-email.snip
    65f639e7b53bf16106fa6c1be3e3b227ad8911ffa7cb9396f9c923119e588206  ./templates/docker-compose.yml.template
    1c202b1b6e87c65b2fcda6035c9fe3f8631d76662907ffd38f24b14686e30647  ./templates/lemmy-email.snip
    6f937ab0cbe01b0cc6f9428b18dde987529e690d4ca24a22027c002617539fda  ./templates/lemmy.hjson.template

Custom Files: 
*** No custom files ***

==== Settings ====
        CLOUDFLARE: Yes
 CADDY_DISABLE_TLS: true
   CADDY_HTTP_PORT: 80
  CADDY_HTTPS_PORT: 443
 LEMMY_TLS_ENABLED: true
      ENABLE_EMAIL: true
         SMTP_PORT: 2525
    ENABLE_POSTFIX: false
POSTGRES_POOL_SIZE: 5
POSTGRES_SHM_SIZE: 1g

==== Generated Files ====
Deploy Version: 0.19.9;0.19.9

total 40K
drwxr-xr-x 2 0 0 4.0K Feb 21 05:12 caddy
-rw-r--r-- 1 0 0   26 Feb 21 05:20 caddy.env
-rw-r--r-- 1 0 0 1.8K Feb 21 05:20 docker-compose.yml
drwxr-xr-x 2 0 0 4.0K Feb 20 14:52 lemmy-ui-themes
-rw-r--r-- 1 0 0   50 Feb 20 14:51 lemmy.env
-rw-r--r-- 1 0 0  645 Feb 21 05:20 lemmy.hjson
-rw-r--r-- 1 0 0   57 Feb 20 14:51 pictrs.env
-rw-r--r-- 1 0 0   30 Feb 21 05:20 postfix.env
-rw-r--r-- 1 0 0   51 Feb 20 14:51 postgres.env
-rw-r--r-- 1 0 0   14 Feb 21 05:20 version

I have modified the template/docker-compose.template:

x-logging:
  &default-logging
  options:
    max-size: '500m'
  driver: json-file

services:

  proxy:
    {{COMPOSE_CADDY_IMAGE}}
    env_file:
      - ./caddy.env
      - {{ CADDY_EXTRA_ENV }}
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    ports:
      - 2000:80 # Since I only want http from caddy, I am using Nginx to serve the https
    depends_on:
      - pictrs
      - lemmy-ui
    restart: always
    logging: *default-logging

  lemmy:
    {{COMPOSE_LEMMY_IMAGE}}
    env_file: {{ LEMMY_EXTRA_ENV }}
    volumes:
      - ./lemmy.hjson:/config/config.hjson
    depends_on:
      - postgres
      - pictrs
    restart: always
    logging: *default-logging

  lemmy-ui:
    {{COMPOSE_LEMMY_UI_IMAGE}}
    env_file: {{ LEMMY_UI_EXTRA_ENV }}
    environment:
      - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
      - LEMMY_UI_LEMMY_EXTERNAL_HOST=localhost:1236
    volumes:
      - ./lemmy-ui-themes:/app/extra_themes
    depends_on:
      - lemmy
    restart: always
    logging: *default-logging

  pictrs:
    image: asonix/pictrs:0.5
    user: 991:991
    environment:
      - PICTRS__MEDIA__ANIMATION__MAX_WIDTH=256
      - PICTRS__MEDIA__ANIMATION__MAX_HEIGHT=256
      - PICTRS__MEDIA__ANIMATION__MAX_AREA=65536
      - PICTRS__MEDIA__ANIMATION__MAX_FRAME_COUNT=400
      - PICTRS__MEDIA__VIDEO__ENABLE=true
      - PICTRS__MEDIA__VIDEO__MAX_FILE_SIZE=20
    env_file:
      - ./pictrs.env
      - {{ PICTRS_EXTRA_ENV }}
    volumes:
      - pictrs_data:/mnt
    restart: always
    logging: *default-logging

  postgres:
    image: pgautoupgrade/pgautoupgrade:16-alpine
    environment:
      - POSTGRES_USER=lemmy
      - POSTGRES_DB=lemmy
    env_file:
      - ./postgres.env
      - {{ POSTGRES_EXTRA_ENV }}
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - {{ POSTGRES_CONF }}
    restart: always
    shm_size: {{POSTGRES_SHM_SIZE}}
    logging: *default-logging

{{EMAIL_SERVICE}}

volumes:
  caddy_data:
  caddy_config:
  pictrs_data:
  postgres_data:
{{EMAIL_VOLUMES}}

My config:

# The hostname for your instance
# Do NOT put http:// or https://
# ONLY put your domain here. Subdomains are ok.
LEMMY_HOSTNAME="domain"

# If you use Cloudflare, your Cloudflare API token. Otherwise leave blank.
# Cloudflare Proxy users - set this if you have HTTPS issues
CF_API_TOKEN="x"

# The name of your Lemmy instance, will be displayed on the site header (only used during first-time setup)
# If you use special characters, please backslash-escape them.
SETUP_SITE_NAME="x"

# The admin username for first time setup
SETUP_ADMIN_USER="x"

###############################################################
###            SETTINGS FOR ADVANCED USERS ONLY             ###
###     Limited support is provided for these settings      ###
###############################################################

# If true/1, prefix the Caddy host block with http:// to disable TLS entirely
CADDY_DISABLE_TLS="true"

# The external port to use for Caddy's port 80
#CADDY_HTTP_PORT=
# The external port to use for Caddy's port 443
#CADDY_HTTPS_PORT=

# The tls_enabled key in lemmy.hjson
LEMMY_TLS_ENABLED="true"

# If true/1, add an email configuration block to lemmy.hjson
ENABLE_EMAIL="true"

# The SMTP server to use for email, if ENABLE_EMAIL==true
SMTP_SERVER="x"

# The login name to use for the SMTP server
SMTP_LOGIN="x"

# The login password to use for the SMTP server
SMTP_PASSWORD="x"

# The TLS type to use for SMTP, can be none, tls, or starttls
SMTP_TLS_TYPE="none"

# The SMTP port to use for email, if ENABLE_EMAIL==true
SMTP_PORT="x"

# The display name to show on emails
SMTP_NOREPLY_DISPLAY="x"

# The full from address for emails
SMTP_NOREPLY_FROM="x"

# If true/1, also deploy the postfix server and configure Lemmy to send emails
# Will override ENABLE_EMAIL to true
ENABLE_POSTFIX="false"

# The database.pool_size key in lemmy.hjson
POSTGRES_POOL_SIZE="5"

# The shm (shared memory) size parameter to pass to Postgres
# Docker unspecified default is 64m, official Lemmy uses 1g
# Low memory systems might not be able to use 1g
# Keeping the default at 64m, but allowing users to change it here if they experience issues
POSTGRES_SHM_SIZE="1g"

My Nginx.conf:

#limit_req_zone $binary_remote_addr zone=domain_ratelimit:10m rate=1r/s;
#proxy_cache_path /var/cache/lemmy/domain/ levels=1:2 keys_zone=domain:10m max_size=100m use_temp_path=off;
#proxy_cache_key $scheme$proxy_host$request_uri$http_accept;

server {
    listen 80;
    server_name domain;
    server_tokens off;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name domain;
    server_tokens off;
    ssl_certificate /x/fullchain.pem;
    ssl_certificate_key /x/privkey.pem;
    ssl_dhparam /x/dhparams.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "";
    ssl_session_timeout 10m;
    ssl_session_cache shared:TLS:2m;
    ssl_session_tickets on;
    ssl_buffer_size 4k;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    client_max_body_size 20M;
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";
    location / {
        #limit_req zone=domain burst=5 nodelay;
        proxy_pass http://127.0.0.1:2000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        #proxy_cache domain;
        #proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        #proxy_no_cache $cookie_jwt $http_authorization;
        #proxy_cache_bypass $cookie_jwt $http_authorization;
    }
    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log;
}

I am sure this has something to do with TLS. I would appreciate any help!

ubergeek77 (Owner) commented Mar 16, 2025

Hi there, apologies for the delay.

I've taken a look at your setup and I'm quite certain your issues are due to you using Nginx. This deployment is designed as an "all in one" hosting solution for people who don't currently have their own webservers, so by overriding the template to include Nginx, weird things might happen.

Unfortunately I don't run Nginx so the help I can provide is limited, but most of the time it's due to host headers or something like that. Federation requires HTTPS, and it's also very picky about hosts, CORS, origins, and the like.

It's often not good to run a proxy server behind a proxy server, so you may be better off disabling Caddy entirely (remove it from the deployment template) and just make sure your Nginx can forward to the Lemmy frontend container in this deployment. Then you could read the official Lemmy Ansible configs to make sure your Nginx config has all the attributes it needs for federation. You can check the official configs here:

https://github.com/LemmyNet/lemmy-ansible/tree/main/templates
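
Added example, not part of the thread and not code from Lemmy-Easy-Deploy: a remote instance fetches actors with `Accept: application/activity+json`, so one way to test a proxy chain like the Nginx-in-front-of-Caddy setup above is to make the same request and check that the reply is ActivityPub JSON whose `id` and `inbox` are `https` URLs on the public hostname. The hostname `lemmy.example`, the path `/u/admin` and the sample responses are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlsplit

AP_TYPES = ("application/activity+json", "application/ld+json")

def check_actor_response(public_host, content_type, body):
    """Return a list of problems found in an ActivityPub actor response."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in AP_TYPES:
        # HTML here usually means the proxy routed the request to the UI, not the backend.
        return [f"Content-Type is {media_type!r}, not ActivityPub JSON"]
    try:
        actor = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(actor, dict):
        return ["body is not a JSON object"]
    problems = []
    for field in ("id", "inbox"):
        url = urlsplit(str(actor.get(field, "")))
        if url.scheme != "https":
            problems.append(f"{field} scheme is {url.scheme!r}, expected 'https'")
        if url.hostname != public_host.lower():
            problems.append(f"{field} host is {url.hostname!r}, expected {public_host!r}")
    return problems

def fetch_and_check(public_host, path="/u/admin"):
    """Request the actor the way a remote instance would (needs network access)."""
    req = urllib.request.Request(f"https://{public_host}{path}",
                                 headers={"Accept": "application/activity+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_actor_response(public_host,
                                    resp.headers.get("Content-Type", ""),
                                    resp.read().decode("utf-8", "replace"))

def _actor(base):
    # Constructed sample body, not captured from the reporter's instance.
    return json.dumps({"id": f"{base}/u/admin", "inbox": f"{base}/u/admin/inbox"})

GOOD = _actor("https://lemmy.example")
HTTP_IDS = _actor("http://lemmy.example")        # ids generated without TLS
INTERNAL = _actor("https://localhost:2000")      # upstream address leaked as host

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("http ids", HTTP_IDS), ("internal", INTERNAL)):
        print(name, check_actor_response("lemmy.example", AP_TYPES[0], body))
    print("html", check_actor_response("lemmy.example", "text/html", "<html>"))
```

Against a live instance, call `fetch_and_check("your.domain", "/u/youradmin")` from a machine outside the server; an empty list means the response passed these checks.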
