Bug: Self-signed LND certificates error in Windows Desktop #405

Open
rolznz opened this issue Aug 6, 2024 · 13 comments · Fixed by #877
Comments

@rolznz
Contributor

rolznz commented Aug 6, 2024

From https://primal.net/e/note16l86pvcfcqdkrpm7h0re58gn9420js2tszndxqh08xfgvqe2lxpqph82r0

(1) There seems to be an issue when LND uses self-signed certificates, which is the default behavior. AlbyHub complains that the certificate isn't trusted, and this happens even if the self-signed certificate is added to the Trusted Root Authorities folder in the Windows Certs console. What I ended up doing was creating a dedicated DNS entry for LND (lnd.mydomain.com), and then getting a free SSL cert from one of the countless free providers, including that DNS name on the certificate. I forced LND to use that certificate instead of the self-signed one and then referenced it in the AlbyHub setup. That seemed to clear up the error.

@rolznz rolznz modified the milestone: v1.10.0 Sep 22, 2024
@Ilmari-Hageken

I'm running into the same (I think) issue but with both LND and AlbyHub dockerized (on a Raspberry Pi), making this a more general problem.

rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"

This is confusing because Alby Hub already asks me for the TLS certificate's hex in the setup, presumably so that it could use an otherwise untrusted certificate (shifting the responsibility onto me).

I think the self-signed certificate is a common use case for homebrew and non-public nodes and should be supported.

@a-nevermind

Came here to +1. Seeing the same error trying to self-host on Linux x86.

At first, cat'ing the tls.cert resulted in invalid characters. Using xxd -p... worked and now I get this exact problem.

@rolznz
Contributor Author

rolznz commented Nov 27, 2024

I wonder why there is no issue when using Polar (at least on Linux). What happens if you provide no certificate? In lnclient/lnd/wrapper/lnd.go we could try creds = credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})

@im-adithya are you able to reproduce the issue?

@Filouman

Filouman commented Nov 30, 2024

Adding my specs to the list. Self-hosted on an x86 Linux machine.

LND v0.18.3-beta
Bitcoin v28.0.0

tlsencryptkey=false is set in lnd.conf and I have regenerated the certs; however, the issue persists.

This definitely appears to be an AlbyHub specific issue, since all other apps are able to accept the self-signed certs that LND generates without any issue.

Failed to start rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"

@Filouman

Filouman commented Dec 9, 2024

Issue persists on AlbyHub v1.11.2

@rolznz
Contributor Author

rolznz commented Dec 10, 2024

We didn't implement any fix yet. @Filouman do you have any coding experience? Are you able to test the suggested fix above? #405 (comment)

Filouman added a commit to Filouman/albyhub that referenced this issue Dec 10, 2024
@Filouman

Filouman commented Dec 10, 2024

No coding experience, however I was able to try the suggested fix and recompile. That did not solve the issue, at least on my system.

Additional logs in case it's helpful:

{"level":"info","msg":"Launching LN Backend: LND","time":"2024-12-10T15:16:58Z"}
{"error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"","level":"error","msg":"Failed to launch LN backend","time":"2024-12-10T15:16:58Z"}
{"level":"error","msg":"Failed to launch LN backend: rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"","time":"2024-12-10T15:16:58Z"}
{"error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"","level":"error","msg":"Failed to start node","time":"2024-12-10T15:16:58Z"}

@rolznz
Contributor Author

rolznz commented Dec 10, 2024

@Filouman did you try it and pass an empty certificate?

@Filouman

@Filouman did you try it and pass an empty certificate?

I'm not sure how I could do that. If I try to leave the TLS Certificate (Hex) field blank, I get
Screenshot 2024-12-10 at 12 31 42 PM

{"error":"invalid character '\u003c' looking for beginning of value","level":"error","msg":"Failed to decode API response","time":"2024-12-10T17:29:42Z"}
{"error":"invalid character '\u003c' looking for beginning of value","level":"error","msg":"Failed to request alby info endpoint","time":"2024-12-10T17:29:42Z"}

@im-adithya
Member

im-adithya commented Dec 11, 2024

Can you please try if the fix works?

You can find the executables to test here:
Desktop: https://github.com/getAlby/hub/actions/runs/12296875108?pr=877
Server: https://github.com/getAlby/hub/actions/runs/12296875112?pr=877

@Filouman

Yes, that works for me if I leave the TLS Certificate (Hex) field blank during setup.

@rolznz rolznz added this to the v1.12.0 milestone Dec 16, 2024
@a-nevermind

I am still getting the error, despite updating to v1.12.0:
Screenshot 2024-12-19 at 12 37 41
Screenshot 2024-12-19 at 12 37 00

Interestingly, I tried leaving the tls.cert field blank and still got the error.

@Filouman

Interestingly, I am getting a different error on v.1.12.0
Screenshot 2024-12-19 at 12 26 42 PM
Same error with automatic setup or advanced setup, both when entering a certificate HEX and when leaving the cert field blank.

Is there any difference between v.1.12.0 and the executables posted by @im-adithya above? #405 (comment)

@rolznz rolznz reopened this Dec 20, 2024
@rolznz rolznz modified the milestones: v1.12.0, v1.13.0 Dec 20, 2024