ShahanaFarooqui / clnrest

clnrest
MIT License

curl: (60) SSL certificate problem: self-signed certificate #2

Closed tonyaldon closed 1 year ago

tonyaldon commented 1 year ago

Hi Shahana,

when I use clnrest with rest_protocol=http, everything works fine.

But when I use the default https protocol, I can't do POST requests with curl (I also tried with Python and the library requests) without ignoring the self-signed certificate.

You can check this by running the following (assuming we have lightning and clnrest repository cloned locally in the current directory):

$ source lightning/contrib/startup_regtest.sh
$ start_ln
$ l1-cli plugin start $(pwd)/clnrest/clnrest.py
$ curl -X  'POST' 'https://127.0.0.1:3010/v1/getinfo' -H 'accept: application/json' -H 'Rune: xxx' -H 'Nodeid: xxx' -H 'Content-Type: application/json' -d '{}'
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ curl --insecure -X  'POST' 'https://127.0.0.1:3010/v1/getinfo' -H 'accept: application/json' -H 'Rune: xxx' -H 'Nodeid: xxx' -H 'Content-Type: application/json' -d '{}'
{"id": "03fb4ef67aa659e39a812ac15cc15d7387ff4625dcaf416fd50216eefb5b7f848e", "alias": "GREENSET", "color": "03fb4e", "num_peers": 0, "num_pending_channels": 0, "num_active_channels": 0, "num_inactive_channels": 0, "address": [], "binding": [{"type": "ipv4", "address": "127.0.0.1", "port": 7171}], "version": "v23.05.1", "blockheight": 2, "network": "regtest", "fees_collected_msat": "0msat", "lightning-dir": "/tmp/l1-regtest/regtest", "our_features": {"init": "08a0000a0269a2", "node": "88a0000a0269a2", "channel": "", "invoice": "02000002024100"}}

I have no idea why this is.

ShahanaFarooqui commented 1 year ago

@tonyaldon Thank you for testing.

It is expected behaviour from curl as, by default, it expects certificates to be signed by a trusted certificate authority.

Currently clnrest follows the steps below to use/generate certificates:

1 - If the rest-certs path is set in config, search for the certificates at that location.
2 - Else, search at the default location (current working directory), where cln-grpc's generated certificates reside.
3 - If certificates are missing at the configured/default location, create self-signed certificates and use them.

Certificates generated by either cln-grpc/clnrest are self-signed and will not be recognised by curl. Some possible options are:

Closing this issue now.

tonyaldon commented 1 year ago

Thanks for the explanation. I'll try to use a trusted certificate with rest-certs option.
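Added example, not part of the thread or of clnrest's code: the failure discussed above and one way to keep verification on, reproduced with Python's standard library. It assumes the `openssl` CLI is installed; the local HTTPS server, `Handler`, the file names and the throwaway certificate are all constructed for the demo. The client first connects with default trust (what plain curl does), then with the server's certificate loaded as the only trust anchor, which is what curl's `--cacert` option does and avoids `--insecure`.

```python
import http.server, ssl, subprocess, tempfile, threading
import urllib.error, urllib.request
from pathlib import Path

# Constructed OpenSSL config for a throwaway self-signed cert valid for 127.0.0.1.
CONF = ("[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=clnrest-demo\n"
        "[ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,digitalSignature,keyCertSign\n"
        "subjectKeyIdentifier=hash\nsubjectAltName=IP:127.0.0.1\n")

def make_self_signed(d):
    # Stand-in for the self-signed certificate a server generates for itself.
    (d / "req.cnf").write_text(CONF)
    cert, key = str(d / "server.pem"), str(d / "server-key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-config", str(d / "req.cnf"), "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

class Handler(http.server.BaseHTTPRequestHandler):  # constructed stand-in endpoint
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"{}")

def post(url, ctx):  # returns the HTTP status, or the TLS error class name
    req = urllib.request.Request(url, data=b"{}", method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status
    except urllib.error.URLError as exc:
        return type(exc.reason).__name__

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(Path(tmp))
        srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
        tls = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        tls.load_cert_chain(cert, key)
        srv.socket = tls.wrap_socket(srv.socket, server_side=True)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        url = f"https://127.0.0.1:{srv.server_address[1]}/v1/getinfo"
        default = post(url, ssl.create_default_context())  # system CAs only
        pinned = post(url, ssl.create_default_context(cafile=cert))  # trust this cert only
        srv.shutdown()
        return default, pinned

if __name__ == "__main__":
    print(demo())
```

The pinned request succeeds only because the certificate carries a subjectAltName matching the address the client connects to; a certificate without a matching name would still be rejected with verification enabled.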