Open ekimber opened 4 weeks ago
Why do you want lnd to be able to generate its own certificates? I agree that ideally this should be possible because it feels like it can prevent some use cases or make them harder. On the other hand, allowing lnd to generate the certs increases the number of configurations we have to support and test.
> Why do you want lnd to be able to generate its own certificates?
It's not that I really need to do this, it is just a consequence of using manual secret generation that the script does not run and lnd cannot start without certificates.
I could generate and supply the certificates manually with sops but it certainly does make the use case harder. Alternatively the lnd cert generation could be handled independent from the secret generation so it gets generated even if manual is set.
I see the use cases for both manual and automatic secret generation but I don't see a use case for manual lnd certs. I guess not many people actually use manual or this issue would have come up already.
The lnd TLS key and certificate are generated by the secrets script. If this is set to manual, for example if you wish to supply preconfigured secrets with sops, then no key and certificate are generated. However, lnd cannot generate its own certificates in `/etc/nix-bitcoin-secrets` because of permissions. Perhaps there is a reason that the `lndCert` option is read only? If I allow the relevant options to be set then lnd can generate the certs. It seems to me that the cert is effectively a runtime thing and doesn't necessarily belong in the `/etc/` directory.
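For the manual case discussed in this issue, where the secrets script does not run and the TLS material has to be supplied by hand, the following is an added example of what that generation step looks like with plain openssl; it is not nix-bitcoin's secrets script or lnd's own certificate generation. The output directory, file names (`lnd-key`, `lnd-cert`), hostname, validity period and the `0400` key mode are assumptions, and the check function is there to catch the two things that bite in practice: a key that does not match the cert, and a key file whose permissions let other users read it.

```shell
#!/bin/sh
# Added example (not nix-bitcoin's secrets script): generate a TLS key and
# self-signed certificate for lnd with openssl and install them with
# permissions that keep the key private. Directory, file names, hostname,
# validity and modes are assumptions for illustration.
set -eu

# gen_lnd_tls DIR [HOSTNAME]
# Writes DIR/lnd-key (private key) and DIR/lnd-cert (self-signed cert).
gen_lnd_tls() {
  dir=$1
  host=${2:-localhost}
  mkdir -p "$dir"
  # Use an ECDSA P-256 key, the same curve lnd uses when it generates its
  # own certificate, so the result matches what lnd would have produced.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/lnd-key" 2>/dev/null
  # Self-signed cert; SAN covers the hostname and loopback so gRPC/REST
  # clients connecting locally can verify it. Validity is an assumption.
  openssl req -new -x509 -key "$dir/lnd-key" -out "$dir/lnd-cert" \
    -days 825 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:127.0.0.1" 2>/dev/null
  # The key must be readable only by its owner; the cert is public.
  chmod 0400 "$dir/lnd-key"
  chmod 0444 "$dir/lnd-cert"
}

# check_lnd_tls DIR
# Prints "ok" when the key matches the cert and the key is not readable by
# other users; prints the problem and returns 1 otherwise.
check_lnd_tls() {
  dir=$1
  # The public key derived from the private key must equal the one in the
  # certificate, otherwise lnd will refuse the pair (or serve a cert it
  # cannot prove ownership of).
  k=$(openssl pkey -in "$dir/lnd-key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$dir/lnd-cert" -pubkey -noout 2>/dev/null)
  [ "$k" = "$c" ] || { echo "key/cert mismatch"; return 1; }
  # Reject a key with any "other" permission bits set (GNU stat first,
  # BSD stat as fallback).
  mode=$(stat -c '%a' "$dir/lnd-key" 2>/dev/null || stat -f '%Lp' "$dir/lnd-key")
  case $mode in
    *[1-7]) echo "key is readable by others (mode $mode)"; return 1 ;;
  esac
  echo "ok"
}
```

Usage: `gen_lnd_tls /path/to/secrets mynode && check_lnd_tls /path/to/secrets`. The files would then be pointed at from lnd's TLS cert/key path settings (or fed into sops as the issue describes); the ownership and mode you apply after generation are exactly the part the automatic script handles for you, which is why a manual setup needs the check.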