lightningnetwork / lnd

Lightning Network Daemon ⚡️
MIT License

[bug]: issue with letsencrypt #7583

Closed chloehjung15 closed 1 year ago

chloehjung15 commented 1 year ago

Background

I'm trying to use letsencrypt so I won't have to use a self-signed cert when I'm making REST API calls. I've added letsencrypt configurations in the lnd.conf file but had no luck.

Your environment

Steps to reproduce

Add below to ~/.lnd/lnd.conf

letsencryptdir=~/.lnd/letsencrypt
letsencryptlisten=localhost:8081
letsencryptdomain=my.domain.name

Forward port 80 to 8081 using sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8081

sudo iptables -t nat -vnL returns below

Chain PREROUTING (policy ACCEPT 1808 packets, 78821 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12   568 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8081

Start lnd and I can see LTND: Using Let's Encrypt certificate for domain your.domain.name in the log

I tried connecting to lnd via RPC (I used thunderhub) with the tls.cert in the .lnd/ folder because in the doc it says the letsencrypt certificate is only requested and stored when the first rpc connection comes in.

Expected behaviour

Letsencrypt cert to be generated and when I do the REST api call, it won't use the self-signed cert.

Actual behaviour

I can see that there is an acme_account+key generated in the letsencrypt/ folder but nothing else. When I make the REST api call, it returns an SSL error about the self-signed cert.

Roasbeef commented 1 year ago

cc @joostjager ?

jjager-nydig commented 1 year ago

How do you make the REST api call that returns the error - do you also get this error if you just use curl?

And does it work via grpc using lncli? (see lncli section in https://github.com/lightningnetwork/lnd/pull/2428)

chloehjung15 commented 1 year ago

@jjager-nydig I've made the REST api call just using a POST request but because it's self-signed, I have to tell it to ignore any SSL errors. Unfortunately the app I'm trying to use this with doesn't allow that, so I need it to have a proper certificate using let's encrypt.

Sorry not sure how to check the second part. I can call lncli getinfo on the terminal and it spits out the correct information.

joostjager commented 1 year ago

Yes, for lncli you have to make sure that it doesn't have access to the tls.cert file. Can you try that?

guggero commented 1 year ago

Closing due to inactivity. Please re-open if problem persists.

khashmeshab commented 1 year ago

Hi. I have the same problem with v0.16.3-beta. I used LND for years with a Let's Encrypt certificate flawlessly. But after I updated my LND today, it keeps using the self-signed certificate. I even deleted the tls.key and tls.cert, but they got regenerated. These are my last logs related to Let's Encrypt:

2023-06-14 05:44:44.515 [INF] LTND: Autocert challenge listener stopped
2023-06-14 05:45:45.706 [INF] LTND: Using Let's Encrypt certificate for domain maxod.ir
2023-06-14 05:45:45.707 [INF] LTND: Autocert challenge listener started at 127.0.0.1:8090
2023-06-14 05:45:45.710 [INF] LTND: Autocert challenge listener stopped
2023-06-14 05:46:13.579 [INF] LTND: Autocert challenge listener stopped
2023-06-14 05:46:46.705 [INF] LTND: Using Let's Encrypt certificate for domain maxod.ir
2023-06-14 05:46:46.705 [INF] LTND: Autocert challenge listener started at 127.0.0.1:8090
2023-06-14 05:57:15.337 [INF] LTND: Autocert challenge listener stopped
2023-06-14 05:57:26.430 [INF] LTND: Using Let's Encrypt certificate for domain maxod.ir
2023-06-14 05:57:26.431 [INF] LTND: Autocert challenge listener started at 127.0.0.1:8090
2023-06-14 06:01:44.684 [INF] LTND: Autocert challenge listener stopped
2023-06-14 06:01:45.322 [INF] RPCS: Generating TLS certificates...
2023-06-14 06:01:45.326 [INF] RPCS: Done generating TLS certificates
2023-06-14 06:01:45.327 [INF] LTND: Using Let's Encrypt certificate for domain maxod.ir
2023-06-14 06:01:45.327 [INF] LTND: Autocert challenge listener started at 127.0.0.1:8090

It claims it uses the Let's Encrypt certificate, but it doesn't.
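A quick way to confirm which certificate a listener is really presenting, rather than trusting the "Using Let's Encrypt certificate" log line, is to dial it and look at the leaf. The following is an added example, not code from lnd or from anyone in this thread; it assumes you pass the address of lnd's REST listener to `PeerLeaf`, and `SelfSignedSample` only exists so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsSelfSigned reports whether cert is signed by its own key: issuer equals
// subject and the signature verifies under the cert's own public key. lnd's
// auto-generated tls.cert has this shape; a Let's Encrypt leaf does not.
func IsSelfSigned(cert *x509.Certificate) bool {
	return cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// PeerLeaf dials addr (e.g. the REST listener) and returns the leaf it
// presents. Verification is skipped on purpose: we inspect the cert, we do
// not trust it, and nothing is sent over the connection.
func PeerLeaf(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// SelfSignedSample builds a throwaway self-signed certificate (constructed
// here for an offline check, not lnd's real tls.cert).
func SelfSignedSample() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"lnd autogenerated cert"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

If `IsSelfSigned(leaf)` is true for the cert returned by `PeerLeaf`, the listener is still serving the auto-generated tls.cert regardless of what the log says; a Let's Encrypt leaf will show a separate issuer.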

khashmeshab commented 1 year ago

More information:

When I deleted the letsencrypt directory and restarted LND, the log saw that the certificate doesn't exist and recreated the directory and generated a new certificate using Let's Encrypt. But there was no file in the directory. I restarted LND again, and it claimed that it found the certificate and didn't generate one. And it's still using the self-signed certificate!

bitromortac commented 1 year ago

letsencrypt is currently not working; this should be fixed by https://github.com/lightningnetwork/lnd/pull/7739