highperfocused/lnd
1
0
Fork 0
mirror of https://github.com/lightningnetwork/lnd.git synced 2025-09-09 09:15:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

lnrpc: lets encrypt

Browse Source 
This commit enables lnd to request and renew a Let's Encrypt
certificate. This certificate is used both for the grpc as well as the
rest listeners. It allows clients to connect without having a copy of
the (public) server certificate.

Co-authored-by: Vegard Engen <vegard@engen.priv.no>
This commit is contained in:
Joost Jager
2019-01-07 18:48:02 +01:00
parent 999ffffa37
commit 403d72b468
6 changed files with 133 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
cmd/lncli/main.go
View File

@@ -5,6 +5,7 @@
package main
import (
"crypto/tls"
"fmt"
"os"
"path/filepath"
@@ -74,13 +75,24 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn {
fatal(fmt.Errorf("could not load global options: %v", err))
}
// Load the specified TLS certificate and build transport credentials
// with it.
// Load the specified TLS certificate.
certPool, err := profile.cert()
if err != nil {
fatal(fmt.Errorf("could not create cert pool: %v", err))
}
creds := credentials.NewClientTLSFromCert(certPool, "")
// Build transport credentials from the certificate pool. If there is no
// certificate pool, we expect the server to use a non-self-signed
// certificate such as a certificate obtained from Let's Encrypt.
var creds credentials.TransportCredentials
if certPool != nil {
creds = credentials.NewClientTLSFromCert(certPool, "")
} else {
// Fallback to the system pool. Using an empty tls config is an
// alternative to x509.SystemCertPool(). That call is not
// supported on Windows.
creds = credentials.NewTLS(&tls.Config{})
}
// Create a dial options array.
opts := []grpc.DialOption{

19
cmd/lncli/profile.go
View File

@@ -36,6 +36,10 @@ type profileEntry struct {
// cert returns the profile's TLS certificate as a x509 certificate pool.
func (e *profileEntry) cert() (*x509.CertPool, error) {
if e.TLSCert == "" {
return nil, nil
}
cp := x509.NewCertPool()
if !cp.AppendCertsFromPEM([]byte(e.TLSCert)) {
return nil, fmt.Errorf("credentials: failed to append " +
@@ -113,11 +117,16 @@ func profileFromContext(ctx *cli.Context, store bool) (*profileEntry, error) {
return nil, err
}
// Load the certificate file now. We store it as plain PEM directly.
tlsCert, err := ioutil.ReadFile(tlsCertPath)
if err != nil {
return nil, fmt.Errorf("could not load TLS cert file %s: %v",
tlsCertPath, err)
// Load the certificate file now, if specified. We store it as plain PEM
// directly.
var tlsCert []byte
if lnrpc.FileExists(tlsCertPath) {
var err error
tlsCert, err = ioutil.ReadFile(tlsCertPath)
if err != nil {
return nil, fmt.Errorf("could not load TLS cert file "+
"%s: %v", tlsCertPath, err)
}
}
// Now load and possibly encrypt the macaroon file.