Add how-to for lnd self-signed TLS certificate management #19

Open
brandoncurtis opened this issue Oct 31, 2018 · 7 comments
Labels
education enhancement New feature or request

Comments

@brandoncurtis

By default, Chromium Browser / Google Chrome won't recognize the self-signed TLS certificate prepared by lnd. This will prevent Joule from successfully connecting to lnd.

Chrome can be made to accept the self-signed cert by following these steps:

  1. navigate to https://localhost:8080/v1/getinfo
  2. click on the lock next to the URL and view the certificate
  3. navigate to the certificate viewer's "details" tab and export the cert to a file
  4. navigate to edit > preferences > manage certificates > authorities > import
  5. check all of the boxes and import the cert

Now Chrome should accept the cert and Joule should be able to connect to lnd!

@wbobeirne
Member

Ah, this is very unfortunate. I had my node serving remotely through nginx when testing, and didn't consider that the raw node has a self-signed certificate.

Another quick workaround is to navigate to that URL, and manually bypass the error and accept the self-signed cert. Either way, this should be a part of the initial setup, and will be better served by having a full page for it ala #20.

@wbobeirne wbobeirne added the enhancement New feature or request label Oct 31, 2018
@jamesob
Contributor

jamesob commented Dec 19, 2018

I think this should be reopened. AFAICT, not encouraging users to register LND's self-signed cert with Joule opens remote nodes up to MITM attacks. If Joule can't do a registration with the browser automatically (I'd be surprised if extensions were allowed to do this), we should probably direct the user towards browser-specific instructions for registering a custom certificate authority manually.

Edit: happy to submit a PR for this if you agree.
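
A check that belongs in front of either import procedure in this thread, as an added example that is not part of the issue, of Joule or of lnd: instead of trusting whatever certificate the browser happens to receive, compare the certificate the REST endpoint presents against the tls.cert copied from the node itself (assumed here at lnd's default location, ~/.lnd/tls.cert, and REST port 8080). A mismatch means the TLS connection is not terminating at your node and the presented cert must not be imported.

```python
"""Verify that a remote lnd REST endpoint presents the same TLS certificate
as the tls.cert file taken from the node, before importing it into a browser.

Added example, not Joule or lnd code. Assumes lnd's default certificate
location (~/.lnd/tls.cert) and the default REST port 8080.
"""
import hashlib
import socket
import ssl
import sys
from pathlib import Path


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of a PEM certificate as colon-separated uppercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 8080, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate the server presents, WITHOUT validating it.

    Validation is disabled on purpose: the cert is self-signed, so trust is
    established by the fingerprint comparison below, not by the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def certs_match(local_pem: str, presented_pem: str) -> bool:
    """True only when both PEM blobs encode byte-identical certificates."""
    return pem_fingerprint(local_pem) == pem_fingerprint(presented_pem)


def check_node(host: str, port: int = 8080,
               local_cert: Path = Path.home() / ".lnd" / "tls.cert") -> bool:
    """Compare the node's own tls.cert with what host:port presents."""
    local_pem = local_cert.read_text()
    presented_pem = fetch_presented_cert(host, port)
    ok = certs_match(local_pem, presented_pem)
    print(f"node tls.cert : {pem_fingerprint(local_pem)}")
    print(f"presented     : {pem_fingerprint(presented_pem)}")
    print("MATCH: safe to import" if ok else "MISMATCH: do not import this certificate")
    return ok


if __name__ == "__main__":
    sys.exit(0 if check_node(sys.argv[1] if len(sys.argv) > 1 else "localhost") else 1)
```

Run it as `python3 check_lnd_cert.py <node-host>` from a machine that has the node's tls.cert copied over a trusted channel (e.g. scp); the exit status is 0 only on a match.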

@wbobeirne
Member

Google actually did make an API for this, but it's Chrome OS only: https://developer.chrome.com/extensions/certificateProvider

I definitely agree that having the user properly add the certificate would be ideal. I think providing instructions can be a little daunting, because the method of adding a certificate is different for every operating system and browser combination.

It would be most ideal for lnd to do one of the following:

  1. offer an http REST API and let's just forget trying to encrypt traffic on localhost / have people use a webserver to do https instead of baking it into lnd
  2. add the self-signed cert to your trusted certificates during node startup (Not entirely sure how this is done, or if it's supported in Go)
  3. Provide an easy way for users to get a cert signed by a trusted CA (e.g. Let's Encrypt)

But that's not likely to happen in the meantime. I'll try to get some more robust documentation up on lightningjoule.com that I can link to from the extension on how to do this for each operating system.

@wbobeirne wbobeirne reopened this Dec 19, 2018
@wbobeirne
Member

wbobeirne commented Dec 19, 2018

I'm also beginning to come to terms with the possibility that Joule may require a native application to really work well. It would certainly clear up a whole lot of issues, this included. This is tracked in #106.

@openoms

openoms commented Jan 16, 2019

I could not make Joule work with my RaspiBlitz for a long time, but the instructions from @brandoncurtis solved it. It is a bit different on Chrome now. I am thinking of making a tutorial to do this. Could it be of any use, @wbobeirne?

@openoms

openoms commented Jan 16, 2019

Made a version to connect to a RaspiBlitz: https://github.com/openoms/bitcoin-tutorials/blob/master/JouleToRaspiBlitz.md

@pseudozach

I'll also add how to import & trust the self-signed LND certificate on macOS:

  1. navigate to https://localhost:8080/v1/getinfo
  2. click on the lock next to the URL and view the certificate
  3. drag the certificate icon to a finder window to export the cert to a file
  4. launch keychain access app and click "+" to import certificate
  5. select the exported cert file to import it.
  6. double-click the imported certificate, click trust and choose "Always trust" when using this certificate.

I hope it helps.
