Merge pull request #3011 from orbitalturtle/auto-regenerate-cert

Auto regenerate TLS cert

lnd.go

@@ -437,13 +437,39 @@ func getTLSConfig(cfg *config) (*tls.Config, *credentials.TransportCredentials,
 		}
 	}
 
-	cert, err := tls.LoadX509KeyPair(cfg.TLSCertPath, cfg.TLSKeyPath)
+	certData, err := tls.LoadX509KeyPair(cfg.TLSCertPath, cfg.TLSKeyPath)
 	if err != nil {
 		return nil, nil, "", err
 	}
 
+	cert, err := x509.ParseCertificate(certData.Certificate[0])
+	if err != nil {
+		return nil, nil, "", err
+	}
+
+	// If the certificate expired, delete it and the TLS key and generate a new pair
+	if time.Now().After(cert.NotAfter) {
+		ltndLog.Info("TLS certificate is expired, generating a new one")
+
+		err := os.Remove(cfg.TLSCertPath)
+		if err != nil {
+			return nil, nil, "", err
+		}
+
+		err = os.Remove(cfg.TLSKeyPath)
+		if err != nil {
+			return nil, nil, "", err
+		}
+
+		err = genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath)
+		if err != nil {
+			return nil, nil, "", err
+		}
+
+	}
+
 	tlsCfg := &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{certData},
 		CipherSuites: tlsCipherSuites,
 		MinVersion:   tls.VersionTLS12,
 	}

lntest/itest/lnd_test.go

@@ -4,13 +4,21 @@ package itest
 
 import (
 	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"math"
+	"math/big"
+	"net"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -13494,6 +13502,133 @@ func testHoldInvoicePersistence(net *lntest.NetworkHarness, t *harnessTest) {
 	}
 }
 
+// testTLSAutoRegeneration creates an expired TLS certificate, to test that a
+// new TLS certificate pair is regenerated when the old pair expires. This is
+// necessary because the pair expires after a little over a year.
+func testTLSAutoRegeneration(lnNet *lntest.NetworkHarness, t *harnessTest) {
+	certPath := lnNet.Alice.TLSCertStr()
+	keyPath := lnNet.Alice.TLSKeyStr()
+
+	// Create an expired certificate.
+	expiredCert := genExpiredCertPair(
+		t, lnNet, certPath, keyPath,
+	)
+
+	// Restart the node to test that the cert is automatically regenerated.
+	lnNet.RestartNode(lnNet.Alice, nil, nil)
+
+	// Grab the newly generated certificate.
+	newCertData, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		t.Fatalf("couldn't grab new certificate")
+	}
+
+	newCert, err := x509.ParseCertificate(newCertData.Certificate[0])
+	if err != nil {
+		t.Fatalf("couldn't parse new certificate")
+	}
+
+	// Check that the expired certificate was successfully deleted and
+	// replaced with a new one.
+	if !newCert.NotAfter.After(expiredCert.NotAfter) {
+		t.Fatalf("New certificate expiration is too old")
+	}
+}
+
+// genExpiredCertPair generates an expired key/cert pair to the paths
+// provided to test that expired certificates are being regenerated correctly.
+func genExpiredCertPair(t *harnessTest, lnNet *lntest.NetworkHarness, certPath,
+	keyPath string) *x509.Certificate {
+	// Max serial number.
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+
+	// Generate a serial number that's below the serialNumberLimit.
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		t.Fatalf("failed to generate serial number: %s", err)
+	}
+
+	host := "lightning"
+
+	// Create a simple ip address for the fake certificate.
+	ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
+
+	dnsNames := []string{host, "unix", "unixpacket"}
+
+	// Construct the certificate template.
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"lnd autogenerated cert"},
+			CommonName:   host,
+		},
+		NotBefore: time.Now().Add(-time.Hour * 24),
+		NotAfter:  time.Now(),
+
+		KeyUsage: x509.KeyUsageKeyEncipherment |
+			x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		IsCA:                  true, // so can sign self.
+		BasicConstraintsValid: true,
+
+		DNSNames:    dnsNames,
+		IPAddresses: ipAddresses,
+	}
+
+	// Generate a private key for the certificate.
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("failed to generate a private key")
+	}
+
+	derBytes, err := x509.CreateCertificate(
+		rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		t.Fatalf("failed to create certificate: %v", err)
+	}
+
+	expiredCert, err := x509.ParseCertificate(derBytes)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+
+	certBuf := bytes.Buffer{}
+	err = pem.Encode(
+		&certBuf, &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: derBytes,
+		},
+	)
+	if err != nil {
+		t.Fatalf("failed to encode certificate: %v", err)
+	}
+
+	keybytes, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		t.Fatalf("unable to encode privkey: %v", err)
+	}
+	keyBuf := bytes.Buffer{}
+	err = pem.Encode(
+		&keyBuf, &pem.Block{
+			Type:  "EC PRIVATE KEY",
+			Bytes: keybytes,
+		},
+	)
+	if err != nil {
+		t.Fatalf("failed to encode private key: %v", err)
+	}
+
+	// Write cert and key files.
+	if err = ioutil.WriteFile(certPath, certBuf.Bytes(), 0644); err != nil {
+		t.Fatalf("failed to write cert file: %v", err)
+	}
+	if err = ioutil.WriteFile(keyPath, keyBuf.Bytes(), 0600); err != nil {
+		os.Remove(certPath)
+		t.Fatalf("failed to write key file: %v", err)
+	}
+
+	return expiredCert
+}
+
 type testCase struct {
 	name string
 	test func(net *lntest.NetworkHarness, t *harnessTest)
@@ -13741,6 +13876,10 @@ var testsCases = []*testCase{
 		name: "cpfp",
 		test: testCPFP,
 	},
+	{
+		name: "automatic certificate regeneration",
+		test: testTLSAutoRegeneration,
+	},
 }
 
 // TestLightningNetworkDaemon performs a series of integration tests amongst a

lntest/node.go

@@ -305,6 +305,16 @@ func (hn *HarnessNode) Name() string {
 	return hn.cfg.Name
 }
 
+// TLSCertStr returns the path where the TLS certificate is stored.
+func (hn *HarnessNode) TLSCertStr() string {
+	return hn.cfg.TLSCertPath
+}
+
+// TLSKeyStr returns the path where the TLS key is stored.
+func (hn *HarnessNode) TLSKeyStr() string {
+	return hn.cfg.TLSKeyPath
+}
+
 // ChanBackupPath returns the fielpath to the on-disk channels.backup file for
 // this node.
 func (hn *HarnessNode) ChanBackupPath() string {