lightninglabs / lightning-terminal

Lightning Terminal: Your Home for Lightning Liquidity
MIT License
502 stars 88 forks

use already existing LetsEncrypt certificate in LIT's config file #631

Closed dasiyes closed 1 year ago

dasiyes commented 1 year ago

It seems that once the Letsencrypt is set to TRUE in the lit.conf file, according to the code below from config.go [417-427]:

    if cfg.LetsEncrypt {
        if cfg.LetsEncryptHost == "" {
            return nil, fmt.Errorf("host must be set when using " +
                "let's encrypt")
        }

        // Create the directory if we're going to use Let's Encrypt.
        if err := makeDirectories(cfg.LetsEncryptDir); err != nil {
            return nil, err
        }
    }

the app tries to create the directory (and it works :)) - but it would be nice to just use this directory (if it already exists - assuming the cert / key are in it) instead of only trying to create it and generate the cert/key pair.

guggero commented 1 year ago

If you look at makeDirectories, it uses os.MkdirAll() which doesn't do anything if the directory already exists:

// If path is already a directory, MkdirAll does nothing
// and returns nil.

So not sure what to improve here?

dasiyes commented 1 year ago

I have this subdomain lit.ivmanto.dev, and using certbot on Ubuntu for nginx, I have created a Letsencrypt certificate for this subdomain. Now, if I try to add the folder where Letsencrypt has created the certificate and the key files, at startup, LITD says it cannot create the folder because it already exists. I was wondering how to add the existing certificate path in the lit.conf file in such a way that it uses the already existing certificate and existing folder instead of trying to create a new certificate.

I hope this makes more sense now as a request.

guggero commented 1 year ago

See my other comment in https://github.com/lightninglabs/lightning-terminal/issues/630. If you use certbot to issue your certificate, you don't need to set any LetsEncrypt parameters in LiT (as that will attempt to do the same as certbot already did). So what you need to change are --tlscertpath and --tlskeypath to point to the files generated by certbot.

dasiyes commented 1 year ago

I have done that (conf parameters that point to the folder where certbot has created the cert and pk), and the result is that I am getting an error saying it cannot create the folder because it already exists.

Do you mean I have to remove the parameter letsencrypt=true and then point the tlscertpath and tlskeypath to the existing folder?

guggero commented 1 year ago

Do you mean I have to remove the parameter letsencrypt=true

Yes, remove (or comment out) anything in your config file related to letsencrypt if you are generating the certificate outside of LiT. And then point tlscertpath to the certificate file (not folder) and the tlskeypath to the certificate key.

dasiyes commented 1 year ago

So - that worked for me. 👍 I have only added letsencryptdir=/etc/letsencrypt/live/domain-name/ in the config file and commented out the letsencrypt=true. Do I understand it correctly now that letsencrypt=true should only be used in the lit.conf file when litd is supposed to create the Letsencrypt certificate on its own, and not when using Letsencrypt as the certificate vendor?

Thanks a lot for the clarification.

guggero commented 1 year ago

Exactly.

From litd --help:

      --letsencrypt                                                              Use Let's Encrypt to create a TLS certificate for the UI instead of using
                                                                                 lnd's TLS certificate. Port 80 must be free to listen on and must be
                                                                                 reachable from the internet for this to work.

Any other config options that start with letsencrypt will be ignored if letsencrypt=false.
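As an added example (not code from the lightning-terminal project), here is a small Go pre-flight check in the spirit of the exchange above: it parses the relevant keys from a lit.conf-style file, applies the rule guggero describes (letsencrypt=true means litd issues its own certificate and needs letsencrypthost; with it off, the other letsencrypt* keys are ignored and tlscertpath/tlskeypath must point at the certificate and key files), and then verifies that the two files actually load as a matching pair. The key names come from litd --help; the TLSConfig type, the function names, the WriteSelfSignedPair stand-in for certbot output and the lit.example.com host are this example's own assumptions.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// TLSConfig holds the lit.conf keys that decide where the UI cert comes from.
type TLSConfig struct {
	LetsEncrypt                                              bool
	LetsEncryptHost, LetsEncryptDir, TLSCertPath, TLSKeyPath string
}

// ParseConf reads key=value lines; '#' lines are comments, a bare key is true.
func ParseConf(r io.Reader) (TLSConfig, error) {
	var cfg TLSConfig
	fields := map[string]*string{"letsencrypthost": &cfg.LetsEncryptHost, "letsencryptdir": &cfg.LetsEncryptDir,
		"tlscertpath": &cfg.TLSCertPath, "tlskeypath": &cfg.TLSKeyPath}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' {
			continue
		}
		key, val, _ := strings.Cut(line, "=")
		key, val = strings.ToLower(strings.TrimSpace(key)), strings.TrimSpace(val)
		if key == "letsencrypt" {
			cfg.LetsEncrypt = val == "" || val == "true" || val == "1"
		} else if p, ok := fields[key]; ok {
			*p = val
		}
	}
	return cfg, sc.Err()
}

// TLSMode applies the rule from the thread: letsencrypt=true means litd issues its
// own cert (host required, port 80 reachable); otherwise the other letsencrypt*
// keys are ignored and both tls paths must name files.
func TLSMode(cfg TLSConfig) (mode string, ignored []string, err error) {
	if cfg.LetsEncrypt {
		if cfg.LetsEncryptHost == "" {
			return "", nil, errors.New("letsencrypthost must be set when letsencrypt=true")
		}
		return "letsencrypt", nil, nil
	}
	for _, kv := range [][2]string{{"letsencrypthost", cfg.LetsEncryptHost}, {"letsencryptdir", cfg.LetsEncryptDir}} {
		if kv[1] != "" {
			ignored = append(ignored, kv[0])
		}
	}
	if cfg.TLSCertPath == "" || cfg.TLSKeyPath == "" {
		return "", ignored, errors.New("tlscertpath and tlskeypath (files, not a directory) are required when letsencrypt is off")
	}
	return "external", ignored, nil
}

// CheckKeyPair fails if a file is unreadable (e.g. root-only /etc/letsencrypt/live
// while litd runs as another user) or if the key does not match the certificate.
func CheckKeyPair(certPath, keyPath string) error {
	_, err := tls.LoadX509KeyPair(certPath, keyPath)
	return err
}

// WriteSelfSignedPair stands in for certbot's fullchain.pem/privkey.pem so the
// example runs offline; a real deployment takes those files from certbot.
func WriteSelfSignedPair(dir, host string) (certPath, keyPath string, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if crypto/rand does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for the key generated above
	certPath, keyPath = filepath.Join(dir, "fullchain.pem"), filepath.Join(dir, "privkey.pem")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	// Constructed lit.conf fragment: letsencrypt commented out, both paths are files.
	conf := "#letsencrypt=true\ntlscertpath=/etc/letsencrypt/live/lit.example.com/fullchain.pem\ntlskeypath=/etc/letsencrypt/live/lit.example.com/privkey.pem\n"
	cfg, _ := ParseConf(strings.NewReader(conf))
	fmt.Println(TLSMode(cfg))
}
```

Run TLSMode on a config that keeps letsencryptdir but comments out letsencrypt=true, as in the working setup described in the thread, and letsencryptdir comes back in the ignored list; that is the "any other letsencrypt option is ignored" behaviour in a form you can assert on before starting litd. Run CheckKeyPair as the user litd runs under, not as root: certbot keeps /etc/letsencrypt/live and archive readable only by root by default, so a pair that loads fine in a root shell can still be unreadable to the daemon.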

dasiyes commented 1 year ago

I understood the part that it should be set to TRUE if the certificate must be created, but it was not clear that it should be set to false (or removed) when the certificate already exists. That was my misreading. 👍

Once again - thanks a lot!