Closed HamishMacEwan closed 4 years ago
Would this have the desired effect?
; Adds an extra domain to the generate certificate. Setting multiple tlsextradomain= entries is allowed.
; (old tls files must be deleted if changed)
tlsextradomain=h4bfsgspmdsqeok5.onion
I have added the example line to lnd.conf via the web GUI, saved the changes and myNode rebooted, but the certificate does not include the extra domain:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f8:28:72:c0:7b:c1:c2:c6:66:92:52:c2:f7:d2:93:be
Signature Algorithm: ecdsa-with-SHA256
Issuer: O = lnd autogenerated cert, CN = myNode
Validity
Not Before: Nov 8 05:06:10 2019 GMT
Not After : Jan 2 05:06:10 2021 GMT
Subject: O = lnd autogenerated cert, CN = myNode
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0c:11:96:88:15:86:74:4d:62:10:d1:98:e7:4e:
f7:27:0a:34:1f:dd:9d:b6:68:a5:00:32:cb:e0:6f:
d7:b3:6a:7c:11:d7:d7:b2:23:d6:06:f5:0b:97:de:
d6:8d:33:a1:27:4a:aa:fd:66:c2:65:e4:30:57:70:
5b:ca:58:1c:ad
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
DNS:myNode, DNS:localhost, DNS:unix, DNS:unixpacket, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.1.50, IP Address:2406:E001:2:7E01:A855:B1A5:BCB2:8BF3, IP Address:2406:E001:2:7E01:DB82:3300:52ED:915F, IP Address:FE80:0:0:0:D029:4145:A1C0:D16F
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:ae:8e:15:78:6f:8e:d3:c6:45:01:98:3c:0d:
88:a4:08:23:26:ff:0f:e1:44:b2:fa:0f:ca:61:d6:b2:a6:83:
b0:02:20:62:f5:5f:10:27:7c:fb:bb:ec:5e:b0:fa:94:0c:f4:
47:19:cf:d8:6c:2a:a4:6d:7d:1e:bc:9f:cb:23:8a:5d:85
You would have to delete the tls.cert file and restart LND. It should appear then.
I'll look into finding a way to automatically add it.
Aha. Seems the reboot isn't sufficient to regenerate the tls.cert & tls.key files. As in other places, shutdown (didn't):
admin@myNode:/home/bitcoin/.lnd $ sudo su bitcoin
[sudo] password for admin:
bitcoin@myNode:/mnt/hdd/mynode/lnd $ rm tls.cert tls.key
bitcoin@myNode:/mnt/hdd/mynode/lnd $
And start lnd up again.
In the end I rebooted it, bitcoind rolled forward, lnd finished logging in and the cert looks like this now:
And as you say, automate it, I wonder how the lnd-tls-reset tool does it?
Hi,
A request to support TLS connections over Tor. At present the certificate supports "Subject Alt Names:"
If (for example)
h4bfsgspmdsqeok5.onion
(taken from lndconnect) could be added to the list of Alt Names it would make the certificate more acceptable.