lnd: Add ability to encrypt TLS key on disk
49
lnd.go
49
lnd.go
@@ -213,15 +213,31 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
|
||||
return mkErr("error initializing DBs: %v", err)
|
||||
}
|
||||
|
||||
// Only process macaroons if --no-macaroons isn't set.
|
||||
tlsManager := NewTLSManager(cfg)
|
||||
serverOpts, restDialOpts, restListen, cleanUp,
|
||||
err := tlsManager.getConfig()
|
||||
tlsManagerCfg := &TLSManagerCfg{
|
||||
TLSCertPath: cfg.TLSCertPath,
|
||||
TLSKeyPath: cfg.TLSKeyPath,
|
||||
TLSEncryptKey: cfg.TLSEncryptKey,
|
||||
TLSExtraIPs: cfg.TLSExtraIPs,
|
||||
TLSExtraDomains: cfg.TLSExtraDomains,
|
||||
TLSAutoRefresh: cfg.TLSAutoRefresh,
|
||||
TLSDisableAutofill: cfg.TLSDisableAutofill,
|
||||
TLSCertDuration: cfg.TLSCertDuration,
|
||||
|
||||
if err != nil {
|
||||
return mkErr("unable to load TLS credentials: %v", err)
|
||||
LetsEncryptDir: cfg.LetsEncryptDir,
|
||||
LetsEncryptDomain: cfg.LetsEncryptDomain,
|
||||
LetsEncryptListen: cfg.LetsEncryptListen,
|
||||
|
||||
DisableRestTLS: cfg.DisableRestTLS,
|
||||
}
|
||||
tlsManager := NewTLSManager(tlsManagerCfg)
|
||||
serverOpts, restDialOpts, restListen, cleanUp,
|
||||
err := tlsManager.SetCertificateBeforeUnlock()
|
||||
if err != nil {
|
||||
return mkErr("error setting cert before unlock: %v", err)
|
||||
}
|
||||
if cleanUp != nil {
|
||||
defer cleanUp()
|
||||
}
|
||||
defer cleanUp()
|
||||
|
||||
// If we have chosen to start with a dedicated listener for the
|
||||
// rpc server, we set it directly.
|
||||
@@ -512,7 +528,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
|
||||
server, err := newServer(
|
||||
cfg, cfg.Listeners, dbs, activeChainControl, &idKeyDesc,
|
||||
activeChainControl.Cfg.WalletUnlockParams.ChansToRestore,
|
||||
multiAcceptor, torController,
|
||||
multiAcceptor, torController, tlsManager,
|
||||
)
|
||||
if err != nil {
|
||||
return mkErr("unable to create server: %v", err)
|
||||
@@ -538,6 +554,12 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
|
||||
}
|
||||
defer atplManager.Stop()
|
||||
|
||||
err = tlsManager.LoadPermanentCertificate(activeChainControl.KeyRing)
|
||||
if err != nil {
|
||||
return mkErr("unable to load permanent TLS certificate: %v",
|
||||
err)
|
||||
}
|
||||
|
||||
// Now we have created all dependencies necessary to populate and
|
||||
// start the RPC server.
|
||||
err = rpcServer.addDeps(
|
||||
@@ -629,17 +651,6 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
|
||||
return nil
|
||||
}
|
||||
|
||||
// fileExists reports whether the named file or directory exists.
|
||||
// This function is taken from https://github.com/btcsuite/btcd
|
||||
func fileExists(name string) bool {
|
||||
if _, err := os.Stat(name); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
// bakeMacaroon creates a new macaroon with newest version and the given
|
||||
// permissions then returns it binary serialized.
|
||||
func bakeMacaroon(ctx context.Context, svc *macaroons.Service,
|
||||
|
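Review bot: The new TLSManagerCfg literal and the SetCertificateBeforeUnlock call in the first hunk sit directly under the context comment `// Only process macaroons if --no-macaroons isn't set.`, which describes macaroon handling rather than the TLS setup that now follows it. Because the permanent certificate is only loaded in the third hunk, after unlock, via `tlsManager.LoadPermanentCertificate(activeChainControl.KeyRing)`, a reader has to infer why two certificate steps exist; replacing that stale comment with `// Set up the TLS manager and install a certificate usable before the wallet is unlocked; the permanent certificate (which may be stored encrypted on disk, see TLSEncryptKey) is loaded via LoadPermanentCertificate once the key ring is available.` would make the two-phase flow explicit. The `if cleanUp != nil { defer cleanUp() }` guard that replaces the unconditional `defer cleanUp()` implies SetCertificateBeforeUnlock may return a nil cleanup function, and that contract is worth stating in the same comment. Main starts and ends outside these hunks.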