lightningnetwork / lnd

Lightning Network Daemon ⚡️

Failed to connect to all addresses #5715

Closed aghamir closed 3 years ago

aghamir commented 3 years ago

Background

I've deleted the tls.cert and tls.key and changed the tlsextraip to 0.0.0.0 as well. After I restart lnd, I can add an invoice with lncli. However, I cannot add an invoice remotely with tls.cert and admin.macaroon. I get this error for the addinvoice gRPC call:

{"code":"-9","message":"Build invoice error. <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAVAILABLE\n\tdetails = \"failed to connect to all addresses\"\n\tdebug_error_string = \"{\"created\":\"@1631514327.242779824\",\"description\":\"Failed to pick subchannel\",\"file\":\"src/core/ext/filters/client_channel/client_channel.cc\",\"file_line\":3008,\"referenced_errors\":[{\"created\":\"@1631514273.943246107\",\"description\":\"failed to connect to all addresses\",\"file\":\"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc\",\"file_line\":397,\"grpc_status\":14}]}\"\n>","status":"failed"}

Your environment

Steps to reproduce

Remove the tls.cert. Try to addinvoice with grpc from remote server. My lnd.conf is:

[Application Options]

tlsextraip=0.0.0.0
tlsextraip=xx.xx.xx.xx
tlsextraip=xx.xx.xx.xx
tlsdisableautofill=true
rpclisten=0.0.0.0:10009
restlisten=0.0.0.0:10010
[Bitcoin]

bitcoin.active=true
bitcoin.mainnet=true
bitcoin.node=bitcoind
bitcoin.defaultchanconfs=3

[Bitcoind]
bitcoind.dir=~/data/bitcoin
bitcoind.rpchost=localhost:8030
bitcoind.rpcuser=xxxxx
bitcoind.rpcpass=xxxxx
bitcoind.zmqpubrawblock=tcp://127.0.0.1:38331
bitcoind.zmqpubrawtx=tcp://127.0.0.1:38330

[tor]
tor.active=true
tor.socks=9050
tor.v3=true
tor.streamisolation=true

[protocol]

protocol.wumbo-channels=true

Expected behaviour

Can create invoice normally from remote too.

Actual behaviour

I cannot create invoice from remote.

guggero commented 3 years ago

What address are you trying to connect to? What does the log say?

aghamir commented 3 years ago

Dear @guggero, I ran the lnd on cloud server. I try to connect to it with my Python gRPC script from local with this tool: https://api.lightning.community/#addinvoice. It returns:

{"code":"-9","message":"Build invoice error. <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAVAILABLE\n\tdetails = \"failed to connect to all addresses\"\n\tdebug_error_string = \"{\"created\":\"@1631514327.242779824\",\"description\":\"Failed to pick subchannel\",\"file\":\"src/core/ext/filters/client_channel/client_channel.cc\",\"file_line\":3008,\"referenced_errors\":[{\"created\":\"@1631514273.943246107\",\"description\":\"failed to connect to all addresses\",\"file\":\"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc\",\"file_line\":397,\"grpc_status\":14}]}\"\n>","status":"failed"}

This worked before I removed tls.cert and tls.key and changed tlsextraip in lnd.conf. However, after removing these files, I get this error. I will enable the debug level in lnd.conf and post it here as soon as I get the log.

aghamir commented 3 years ago

Dear @guggero, How can I be able to set the log for grpc module?

guggero commented 3 years ago

> How can I be able to set the log for grpc module?

https://chromium.googlesource.com/external/github.com/grpc/grpc/+/HEAD/examples/python/debug/

> I ran the lnd on cloud server.

I mean, what IP address are you using in your python code to connect? 127.0.0.1? I'm pretty sure this is a TLS problem with an incorrect address that isn't reflected in the cert.

aghamir commented 3 years ago

No, not 127.0.0.1. I use the valid static IP of the server for cloud and local. I've set tlsextraip=0.0.0.0 and tlsextraip=xx.xx.xx.xx, which is my valid local static IP, in lnd.conf. Don't these options enable all IP addresses to use tls.cert to connect to the lnd server? tlsextraip=0.0.0.0

guggero commented 3 years ago

No, tlsextraip=0.0.0.0 is not automatically parsed into "all addresses". You need to add each one individually and then re-generate the cert (delete tls.key and tls.cert then restart lnd).

aghamir commented 3 years ago

One of the issues with adding each IP address is that the tls.cert reveals the IP addresses in the Subject Alternative Name field. Is there any way to avoid this issue? I used tlsdisableautofill=true. However, the info still shows in that name.

guggero commented 3 years ago

That's how TLS certificates work. They need to contain the information that you are trying to verify. Alternatively you can use a DNS name to mask the IP, but resolving that will still give you some IP address. If you just don't want to include the IP that your python script uses to connect, you can also turn off TLS certificate verification in the script, then it will just ignore the host/IP part of the certificate.

Roasbeef commented 3 years ago

Closing as there's no issue with lnd here, but a misunderstanding in what needs to be specified within a TLS certificate. Check out the Let's Encrypt support (--letsencryptdomain, etc) if you want to specify a domain instead of an IP in the cert.

aghamir commented 3 years ago

@guggero, thanks for your help. My issue has been solved. You are awesome.