paulkinlan
ACTIVITYPUB-TROUBLESHOOTING.md

ActivityPub Troubleshooting Guide

Current Status: ⚠️ Partial Implementation

Your ActivityPub implementation is working correctly but has one critical limitation that prevents posts from appearing in Mastodon timelines.

✅ What's Working

  1. ActivityPub Discovery: Your blog is discoverable via WebFinger (@blog@posthero.us)
  2. Following: Users can follow your blog from Mastodon
  3. Follower Management: The system correctly tracks followers and their inboxes
  4. Activity Creation: Posts are converted to proper ActivityPub Create/Note activities
  5. Delivery Attempts: The system attempts to deliver activities to follower inboxes
  6. Logging: Comprehensive logging shows exactly what's happening

❌ What's Not Working

HTTP Signatures: Most Mastodon servers (including the one following you) require HTTP signatures for authentication. Your current implementation sends unsigned requests, which are rejected with:

HTTP 401: {"error":"Request not signed"}

🔍 Current Test Results

From your latest test delivery:

📊 Followers found: {
  totalFollowers: 1,
  followersWithInbox: 1,
  followersWithSharedInbox: 1
}

📮 Delivery plan: { uniqueInboxes: 1, totalDeliveries: 1 }

❌ Inbox delivery failed: {
  inbox: "https://status.kinlan.me/inbox",
  error: 'HTTP 401: {"error":"Request not signed"}',
  followers: [ "paul" ]
}

🎉 ACTIVITYPUB PUBLISH COMPLETED: {
  processingTimeMs: 395,
  totalInboxes: 1,
  successfulDeliveries: 0,
  failedDeliveries: 1,
  deliveryRate: "0%"
}

🛠️ Solutions

HTTP signatures require:

  1. RSA Key Pair: Generate and store securely
  2. Signature Creation: Sign requests with private key
  3. Public Key Distribution: Serve public key in actor document

This is the proper long-term solution but requires careful cryptographic implementation.

Option 2: Find Mastodon Servers That Accept Unsigned Requests

Some smaller Mastodon instances may accept unsigned requests for testing purposes.

Option 3: Use Alternative ActivityPub Servers

Some ActivityPub implementations are more lenient with unsigned requests.

🧪 Testing Your Implementation

Use the test endpoint to verify delivery:

# Check current followers and posts
curl "https://your-val.web.val.run/test-activitypub-delivery?action=info"

# Test delivery to current followers
curl "https://your-val.web.val.run/test-activitypub-delivery?action=test-delivery"

📝 Next Steps

  1. Immediate: Your ActivityPub setup is correct - the issue is authentication
  2. Short-term: Consider implementing HTTP signatures for full compatibility
  3. Alternative: Test with other ActivityPub servers that may be more lenient

🔧 Implementation Notes

The current code includes:

  • ✅ Proper ActivityPub activity structure
  • ✅ Correct inbox discovery and delivery logic
  • ✅ SHA-256 digest creation for request bodies
  • ✅ Comprehensive error handling and logging
  • ❌ HTTP signature creation (disabled due to complexity)

📚 Resources

Summary: Your ActivityPub implementation is architecturally sound and would work perfectly with HTTP signatures. The 401 errors are expected behavior from security-conscious Mastodon servers.