lnrpc: lets encrypt

This commit enables lnd to request and renew a Let's Encrypt
certificate. This certificate is used both for the grpc as well as the
rest listeners. It allows clients to connect without having a copy of
the (public) server certificate.

Co-authored-by: Vegard Engen <vegard@engen.priv.no>

cmd/lncli/main.go

@@ -5,6 +5,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -74,13 +75,24 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn {
 		fatal(fmt.Errorf("could not load global options: %v", err))
 	}
 
-	// Load the specified TLS certificate and build transport credentials
-	// with it.
+	// Load the specified TLS certificate.
 	certPool, err := profile.cert()
 	if err != nil {
 		fatal(fmt.Errorf("could not create cert pool: %v", err))
 	}
-	creds := credentials.NewClientTLSFromCert(certPool, "")
+
+	// Build transport credentials from the certificate pool. If there is no
+	// certificate pool, we expect the server to use a non-self-signed
+	// certificate such as a certificate obtained from Let's Encrypt.
+	var creds credentials.TransportCredentials
+	if certPool != nil {
+		creds = credentials.NewClientTLSFromCert(certPool, "")
+	} else {
+		// Fallback to the system pool. Using an empty tls config is an
+		// alternative to x509.SystemCertPool(). That call is not
+		// supported on Windows.
+		creds = credentials.NewTLS(&tls.Config{})
+	}
 
 	// Create a dial options array.
 	opts := []grpc.DialOption{