lightninglabs / lightning-terminal

Lightning Terminal: Your Home for Lightning Liquidity
MIT License
488 stars 82 forks

TLS / SSL certificates not working for docker? #713

Closed weltitob closed 5 months ago

weltitob commented 5 months ago

Hi,

I have difficulties using the API for a Google server which is running litd in a Docker container in integrated mode. Here is the configured lit.conf:

# Application Options
httpslisten=0.0.0.0:8443
uipassword=***
tlscertpath=~/.lit/tls.cert
tlskeypath=~/.lit/tls.key
lnd-mode=integrated
network=mainnet

# Lnd
lnd.lnddir=~/.lnd
lnd.alias=BitNet
lnd.rpclisten=0.0.0.0:10009
lnd.listen=0.0.0.0:9735
lnd.debuglevel=info

# Lnd - bitcoin
lnd.bitcoin.node=neutrino
lnd.feeurl = https://nodes.lightning.computer/fees/v1/btc-fee-estimates.json

# Lnd - Unlock Wallet once created
lnd.wallet-unlock-allow-create=true
lnd.wallet-unlock-password-file=~/.lit/wallet_password

# Lnd - bitcoind
#lnd.bitcoind.rpchost=localhost
#lnd.bitcoind.rpcuser=testnetuser
#lnd.bitcoind.rpcpass=testnetpw
lnd.bitcoind.zmqpubrawblock=localhost:28332
lnd.bitcoind.zmqpubrawtx=localhost:28333

...

When trying to call the api with

response = requests.get(url, headers=headers, verify=TLS_PATH)

I always get this error:

ubuntu@ubuntu:~/Desktop/authentication$ /bin/python3 /home/ubuntu/Desktop/authentication/pythonfunctions/taproot_assets/listassets.py
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1100, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1371, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='mybitnet.com', port=8443): Max retries exceeded with url: /v1/taproot-assets/assets (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ubuntu/Desktop/authentication/pythonfunctions/taproot_assets/listassets.py", line 19, in <module>
    response = requests.get(url, headers=headers, verify=TLS_PATH)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 544, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='mybitnet.com', port=8443): Max retries exceeded with url: /v1/taproot-assets/assets (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)')))

However, I checked multiple times: the TLS_PATH seems to be correct and the fullchain.pem file generated by certbot also is correct. I'm pretty sure I've set up SSL correctly on the Docker machine (certbot standalone setup in which I created the certificates on the server and then copied them into the litd Docker container while creating it).

Here is the command I've used creating my docker:

sudo docker run -d \
  -v ~/Desktop/wallet_password:/root/.lit/wallet_password \
  -v ~/Desktop/lit.conf:/root/.lit/lit.conf \
  -v /etc/letsencrypt/live/mybitnet.com/fullchain.pem:/root/.lit/tls.cert \
  -v /etc/letsencrypt/live/mybitnet.com/privkey.pem:/root/.lit/tls.key \
  -p 8443:8443/tcp \
  -p 9735:9735/tcp \
  -p 10009:10009/tcp \
  lightninglabs/lightning-terminal:v0.12.2-alpha --enablerest

Just in case the issue would be on my client side I tried this command and it seems to work fine. I've even manually installed the X1 certificate for my client multiple times.

ubuntu@ubuntu:~$ openssl s_client -connect mybitnet.com:8443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mybitnet.com
verify return:1
---
Certificate chain
 0 s:CN = mybitnet.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 24 17:15:42 2024 GMT; NotAfter: Apr 23 17:15:41 2024 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mybitnet.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4491 bytes and written 378 bytes
Verification: OK
---

Please, I would be happy about any form or sort of help since I really don't know how to proceed. PS: this is supposed to go to production, so simply putting verify=False when calling the API is no option for me. Do I need to configure anything additional in my Docker setup?

guggero commented 5 months ago

It looks like on the lightning terminal side everything works fine. I'm able to open the page in my browser. So I think our python code might be wrong? Are you supplying the system's CA certificates that include the ISRG Root X1 root certificate?
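Why `verify=<path>` can fail while `openssl s_client` reports `Verification: OK`, as an added example that is not from the issue or the lightning-terminal project: `requests` treats a path given to `verify=` as the complete trust store (urllib3 loads that file and skips the system CAs), so verification only succeeds if the file contains a self-signed root. The served chain in the `s_client` output above ends in a cross-signed ISRG Root X1 whose issuer is DST Root CA X3, so none of the three certificates in fullchain.pem is self-signed, and OpenSSL reports exactly "unable to get issuer certificate". `s_client` passes because it uses the system store, which holds the self-signed ISRG Root X1, and `certifi.where()` passes for the same reason. The script below rebuilds that failure offline with a constructed root/intermediate/leaf chain (all names and paths are placeholders) and then shows the verification that works: trust the root, hand the intermediates over as an untrusted chain. It needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not the issue's or lightning-terminal's code): reproduce
# "unable to get issuer certificate" with a constructed 3-tier chain, then fix it.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # scratch directory for the throwaway PKI

# Issue $PKI_DIR/$1.pem for subject $2, signed by CA cert $3 / key $4,
# with the X.509v3 extensions listed in file $5 (all files live in $PKI_DIR).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$PKI_DIR/$1.key" \
        -out "$PKI_DIR/$1.csr" -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$3" -CAkey "$PKI_DIR/$4" \
        -CAcreateserial -days 2 -extfile "$PKI_DIR/$5" \
        -out "$PKI_DIR/$1.pem" >/dev/null 2>&1
}

# Constructed test PKI: self-signed root -> intermediate CA -> server leaf.
build_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.pem" \
        -subj "/CN=Example Test Root" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI_DIR/int.ext"
    issue_cert int "/CN=Example Test Intermediate" root.pem root.key int.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:node.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$PKI_DIR/leaf.ext"
    issue_cert leaf "/CN=node.example.test" int.pem int.key leaf.ext
    # Same shape as a certbot fullchain.pem: leaf plus intermediates, no self-signed root.
    cat "$PKI_DIR/leaf.pem" "$PKI_DIR/int.pem" > "$PKI_DIR/fullchain.pem"
}

# Verify $PKI_DIR/leaf.pem with trusted bundle $1 and, optionally, untrusted
# chain file $2 (intermediates the peer would send). Prints openssl's verdict and
# returns openssl verify's status: 0 only if a path to a trusted root was built.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$PKI_DIR/$1" -untrusted "$PKI_DIR/$2" "$PKI_DIR/leaf.pem" 2>&1
    else
        openssl verify -CAfile "$PKI_DIR/$1" "$PKI_DIR/leaf.pem" 2>&1
    fi
}

demo() {
    build_test_pki
    echo "[1] trust store = fullchain.pem (leaf + intermediate, no root), like verify=fullchain.pem:"
    verify_leaf fullchain.pem || true      # expected: unable to get issuer certificate
    echo "[2] trust store = root only, served chain passed as untrusted (what a real CA bundle gives you):"
    verify_leaf root.pem fullchain.pem     # expected: leaf.pem: OK
}

demo
```

The first verdict is the Python traceback's failure mode in miniature: the top of the chain is in the store but is not self-signed, so OpenSSL keeps looking for its issuer and gives up. The second is what `certifi.where()` or the system bundle provides in the client code: a trust anchor that is self-signed, with the intermediates coming from the server (the `-untrusted` file here). For the production client, keep `verify=` pointing at such a CA bundle, not at the server's own `tls.cert`.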

weltitob commented 5 months ago

It looks like on the lightning terminal side everything works fine. I'm able to open the page in my browser. So I think our python code might be wrong? Are you supplying the system's CA certificates that include the ISRG Root X1 root certificate?

I did supply it. I still wonder if there's something wrong with my system. I tried using the certifi package from Python and now it works. I guess it seems to be a local issue on my machine then.

I guess we can close the ticket I'll reopen if I find a bigger issue.

weltitob commented 5 months ago

import certifi .... r = requests.post(url, headers=headers, stream=True, data=json.dumps(data), verify=certifi.where())