cryptoadvance / specter-desktop

A desktop GUI for Bitcoin Core optimised to work with hardware wallets
MIT License

Unable to connect to Embassy OS-hosted full node over HTTPS #1750

Closed stripey679 closed 2 years ago

stripey679 commented 2 years ago

Brief statement of the problem: After considerable time and effort attempting to solve the problem myself, I remain unable to connect to my Embassy OS full node over my local network. I am able to connect over Tor, but this is extremely slow and even simple actions such as switching between wallets often take over a full minute. Before complaining about the performance, I endeavored to follow the primary recommended action for improving performance, which was to connect to my full node over the local network rather than over Tor. I have been unable to do so.

Steps to reproduce:

Steps to reproduce the environment

  1. Build the latest release of Embassy OS (v0.3.0 at time of writing) from source and follow the instructions to set it up on a Raspberry Pi.
  2. Download and install the HTTPS certificate from Embassy OS and import it into Firefox. Check the box for trusting the cert to identify websites.
  3. Verify you can access and log into Embassy OS via HTTPS using Firefox.
  4. Verify you can access and log into Embassy OS via Tor (follow provided instructions from Embassy OS)
  5. In Embassy OS, install the Bitcoin Core service and allow time (up to several days) for the Initial Block Download (IBD)
  6. On a blank disk or in a Virtual Machine, install a fresh install of Ubuntu 20.04. Install updates during installation. Use this OS for reproducing the issue with Specter

Steps to reproduce the specific problem I'm reporting

  1. Install Specter Desktop v0.1.10* and tor-daemon (via snap).
  2. Configure specter to use Tor daemon
  3. Follow Embassy OS instructions for connecting via Tor
  4. Ensure you have connected to the full node properly over Tor.
  5. Optionally (I don't think this is necessary, but I'll include it), install Bitcoin Proxy on Embassy OS and set up a second "specter" user separate from the default "bitcoin" user. Follow Embassy / Bitcoin Proxy instructions to successfully connect to the full node using the Bitcoin Proxy "specter" credentials and Tor address. NOTE: Each service on Embassy OS creates its own separate Tor address, so connecting to Bitcoin Proxy will require entering a different Tor address and credentials than connecting to Bitcoin Core directly.
  6. Follow the instructions at https://ubuntu.com/server/docs/security-trust-store to install the "embassy.crt" file you installed in Firefox earlier into the Ubuntu OS in general. I believe this is necessary since Specter doesn't appear to have any way to manage its own certificates, but my expectation would be that it relies on the system certificates. After doing this, completely quit Specter Desktop and relaunch it (I did this in case it was necessary to detect the new certificate).
  7. Ensure that Specter Desktop is still connected to the full node and still sees the node as fully synced. We are about to do the action that fails for me, so it's important everything up until this point is working as described to have the same starting point.
     7A. (If you skipped step 5) In Embassy OS, navigate to Services > Bitcoin Core > Interfaces and copy the RPC Interface LAN address to clipboard.
     7B. (If you followed Step 5) In Embassy OS, navigate to Services > Bitcoin Proxy > Interfaces and copy the LAN address to clipboard.
  8. In Specter, navigate to the Node configuration JSON-RPC configuration settings. You should see the working HTTP Tor address in the Host field. Replace the HTTP Tor address with the HTTPS LAN address. Make sure to replace the whole thing as double-clicking won't select the entire existing address. NOTE that the LAN address should appear mostly identical to the Tor address except that it ends in .local instead of .onion and begins with https instead of http.
  9. Click "Test"

Expected Behavior: Test succeeds after delay (same outcome testing as over Tor, but probably faster)

Actual Behavior: Immediate error "Test failed: Connection to node failed"

Notes:

Edits:

  2022-06-06 Edit 1: Clarify installing the Bitcoin Core service in Embassy OS
  2022-06-06 Edit 2: Fix an unbalanced parenthesis character
  2022-06-06 Edit 3: Add edit log
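A way to narrow down the "Connection to node failed" result from step 9, added here as an example and not part of the original report or of Specter's code: it separates name resolution, TCP, and certificate-verification failures, and compares the default trust store of Python's `ssl` module with an explicit CA file. The function names are hypothetical, the host, port and path to `embassy.crt` (assumed to be PEM) are supplied on the command line, and the result says nothing about which CA bundle Specter itself loads.

```python
import socket
import ssl
import sys


def classify(exc):
    """Map a connection exception to the stage that failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-verify"   # untrusted issuer or hostname mismatch
    if isinstance(exc, ssl.SSLError):
        return "tls-other"    # e.g. the port speaks plain HTTP, not TLS
    if isinstance(exc, socket.gaierror):
        return "dns"          # .local names need working mDNS resolution
    if isinstance(exc, OSError):
        return "tcp"          # refused, unreachable or timed out
    raise exc


def probe(host, port, cafile=None, timeout=5.0):
    """Try a verified TLS handshake; return (stage, detail).

    With cafile=None the default trust store of Python's ssl module is used;
    with cafile set, only the CA certificates in that PEM file are trusted.
    """
    # Built outside the try block so a bad cafile path raises instead of
    # being misreported as a network failure.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()
    except Exception as exc:
        return classify(exc), str(exc)


if __name__ == "__main__":
    # Usage: python probe.py <host> <port> [path/to/embassy.crt]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print("default trust store:", probe(host, port))
    if cafile:
        print("explicit CA file:   ", probe(host, port, cafile))
```

If the default store reports `tls-verify` while the explicit CA file reports `ok`, the certificate from step 6 is not in the store this Python interpreter reads; `dns` or `tcp` points at the network path rather than at certificate trust.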

relativisticelectron commented 2 years ago

I don't have an embassy and therefore cannot reproduce this. Can this problem be reproduced in VirtualBox?

Have you tried http://[tor-address].local?

BitcoinMechanic commented 2 years ago

I am taking a look at this, though want to quickly point out that we figured the best solution for Specter + EmbassyOS was to package up Specter to run on the Embassy itself and access it through a webUI as with other services.

This is currently up on our alpha/beta marketplaces if you'd like to try it out.

In the meantime I am going to hunt down why Specter isn't able to connect over LAN.

BitcoinMechanic commented 2 years ago

Further info here: https://github.com/Start9Labs/embassy-os/issues/1148

tldr: You aren't going to be able to connect over LAN just yet, so I'd definitely encourage using Specter on the Embassy itself.

stripey679 commented 2 years ago

> we figured the best solution for Specter + EmbassyOS was to package up Specter to run on the Embassy itself and access it through a webUI as with other services.

I have a requirement for Specter to scan and detect a USB signing device at the point of use, which won't be the Embassy OS host hardware. My understanding is that Specter hosted on the Embassy OS device as a service will detect USB devices over a network. That is, if I connect a signer to an Ubuntu host I'm using to access Specter as a service over the network, the Specter service won't be able to detect the signer. If my understanding is inaccurate, please let me know and I'll give it a shot. I didn't try to do so because others online implied they wasted a lot of time and never got it working, in at least some cases even when the signer connected directly to the Embassy OS host (which again, isn't my use case).

> Further info here: Start9Labs/embassy-os#1148
>
> tldr: You aren't going to be able to connect over LAN just yet, so I'd definitely encourage using Specter on the Embassy itself.

Thank you for this information. I will keep an eye on this.

BitcoinMechanic commented 2 years ago

For sure, it should be released soon.

Yes the use-case is this: Specter runs as a service on the Embassy. Specter also runs on your laptop/desktop and you plug the signing device into that machine (not the Embassy). Then you configure the HWI to allow connections to your laptop's Specter/HWI from the Embassy Specter's address. You do this by going into Specter on the Embassy, clicking on the top right cog, click USB Devices, select "remote specter USB connection" and copy what is in step two into here:

http://127.0.0.1:25441/hwi/settings/ (go into a browser on your laptop where Specter is running for this)

Then go back to the Embassy Specter and click "save changes" and then click "Test connect" (you will need the signing device plugged in for this to work.)

Hope that's clear - there are detailed instructions in the package that is due for release this week.

Edit: One thing to add: This will work over .local, no need to use Tor for this. This is really fast and the best way to use Specter on the Embassy imo.

Edit 2: Things are a lot simpler when using airgappable signing devices like Coldcards. Just thought I'd mention that.

k9ert commented 2 years ago

It's not yet mentioned, so for completeness: This is about the "HWIbridge": https://docs.specter.solutions/desktop/hwibridge/

@stripey679 feel free to also jump in the telegram-developer-group which might make it easier to address/discuss your requirements. https://t.me/+yS4VO2JqBHkzYTI6

k9ert commented 2 years ago

Closing this for now as it's quite embassy specific.

vindard commented 10 months ago

Just adding some notes here, this was an absolute nightmare to set up.

What eventually got things working for me on specter-desktop v2.0.2 locally was:

  1. Get specter desktop locally and in top left menu do 'Specter>Settings'
  2. Choose "Yes, I run Specter remotely" and then fill in your embassy https://.local Note: https was important here for me
  3. In the UI go to Settings and then 'USB Devices' (3rd top bar option) and then select 'Remote Specter USB connection'
  4. In the device bridge setting that you are prompted to change in the instructions below add your embassy address and make sure you use https even though the interface instructions say http
  5. Go back to your Embassy OS specter interface, go to 'Settings' and then 'USB Devices', and then choose 'Remote Specter USB connection' and save
  6. Test connection with hardware device plugged in