From 786568fa460a982f6b9e6a0ff3e32a281771057d Mon Sep 17 00:00:00 2001
From: Jonathan Underwood
Date: Tue, 6 Apr 2021 12:23:33 +0900
Subject: [PATCH] cert: allow cert expiry to be set in config

---
 cert/selfsigned.go | 7 -------
 cert/selfsigned_test.go | 11 ++++++++---
 config.go | 19 +++++++++++++------
 lnd.go | 4 ++--
 sample-lnd.conf | 5 +++++
 server_test.go | 7 ++++---
 6 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/cert/selfsigned.go b/cert/selfsigned.go
index 9a41b13d..a0ae23a7 100644
--- a/cert/selfsigned.go
+++ b/cert/selfsigned.go
@@ -16,13 +16,6 @@ import (
 "time"
 )
 
-const (
- // DefaultAutogenValidity is the default validity of a self-signed
- // certificate. The value corresponds to 14 months
- // (14 months * 30 days * 24 hours).
- DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
-)
-
 var (
 // End of ASN.1 time.
 endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
diff --git a/cert/selfsigned_test.go b/cert/selfsigned_test.go
index b1428349..dd9953e2 100644
--- a/cert/selfsigned_test.go
+++ b/cert/selfsigned_test.go
@@ -3,11 +3,16 @@ package cert_test
 import (
 "io/ioutil"
 "testing"
+ "time"
 
 "github.com/lightningnetwork/lnd/cert"
 "github.com/stretchr/testify/require"
 )
 
+const (
+ testTLSCertDuration = 42 * time.Hour
+)
+
 var (
 extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
 extraDomains = []string{"home", "and", "away"}
@@ -27,7 +32,7 @@ func TestIsOutdatedCert(t *testing.T) {
 // Generate TLS files with two extra IPs and domains.
 err = cert.GenCertPair(
 "lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
- extraDomains[:2], false, cert.DefaultAutogenValidity,
+ extraDomains[:2], false, testTLSCertDuration,
 )
 if err != nil {
 t.Fatal(err)
@@ -82,7 +87,7 @@ func TestIsOutdatedPermutation(t *testing.T) {
 // Generate TLS files from the IPs and domains.
 err = cert.GenCertPair(
 "lnd autogenerated cert", certPath, keyPath, extraIPs[:],
- extraDomains[:], false, cert.DefaultAutogenValidity,
+ extraDomains[:], false, testTLSCertDuration,
 )
 if err != nil {
 t.Fatal(err)
@@ -149,7 +154,7 @@ func TestTLSDisableAutofill(t *testing.T) {
 // Generate TLS files with two extra IPs and domains and no interface IPs.
 err = cert.GenCertPair(
 "lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
- extraDomains[:2], true, cert.DefaultAutogenValidity,
+ extraDomains[:2], true, testTLSCertDuration,
 )
 require.NoError(
 t, err,
diff --git a/config.go b/config.go
index 801d0f8f..be22891d 100644
--- a/config.go
+++ b/config.go
@@ -79,6 +79,11 @@ const (
 defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
 defaultTorV3PrivateKeyFilename = "v3_onion_private_key"
 
+ // DefaultAutogenValidity is the default validity of a self-signed
+ // certificate. The value corresponds to 14 months
+ // (14 months * 30 days * 24 hours).
+ defaultTLSCertDuration = 14 * 30 * 24 * time.Hour
+
 // minTimeLockDelta is the minimum timelock we require for incoming
 // HTLCs on our channels.
 minTimeLockDelta = routing.MinCLTVDelta
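Review bot: The doc comment on the new constant in the config.go hunk still names `DefaultAutogenValidity`, the exported identifier this commit removes from cert/selfsigned.go, while the constant declared is `defaultTLSCertDuration`; a reader grepping for the name in the comment will find nothing, and godoc-style lint expects the comment to open with the declared name. Suggest `// defaultTLSCertDuration is the default validity of a self-signed` as the first comment line, keeping the rest. The enclosing const block starts and ends outside the hunk.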
@@ -193,12 +198,13 @@ type Config struct {
 DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
 SyncFreelist bool `long:"sync-freelist" description:"Whether the databases used within lnd should sync their freelist to disk. This is disabled by default resulting in improved memory performance during operation, but with an increase in startup time."`
 
- TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"`
- TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"`
- TLSExtraIPs []string `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"`
- TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
- TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
- TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
+ TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"`
+ TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"`
+ TLSExtraIPs []string `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"`
+ TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
+ TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
+ TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
+ TLSCertDuration time.Duration `long:"tlscertduration" description:"The duration for which the auto-generated TLS certificate will be valid for"`
 
 NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
 AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
@@ -364,6 +370,7 @@ func DefaultConfig() Config {
 DebugLevel: defaultLogLevel,
 TLSCertPath: defaultTLSCertPath,
 TLSKeyPath: defaultTLSKeyPath,
+ TLSCertDuration: defaultTLSCertDuration,
 LetsEncryptDir: defaultLetsEncryptDir,
 LetsEncryptListen: defaultLetsEncryptListen,
 LogDir: defaultLogDir,
diff --git a/lnd.go b/lnd.go
index a2522c61..b0c741fb 100644
--- a/lnd.go
+++ b/lnd.go
@@ -873,7 +873,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
 err := cert.GenCertPair(
 "lnd autogenerated cert", cfg.TLSCertPath, cfg.TLSKeyPath,
 cfg.TLSExtraIPs, cfg.TLSExtraDomains,
- cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
+ cfg.TLSDisableAutofill, cfg.TLSCertDuration,
 )
 if err != nil {
 return nil, nil, nil, nil, err
@@ -923,7 +923,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
 err = cert.GenCertPair(
 "lnd autogenerated cert", cfg.TLSCertPath, cfg.TLSKeyPath,
 cfg.TLSExtraIPs, cfg.TLSExtraDomains,
- cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
+ cfg.TLSDisableAutofill, cfg.TLSCertDuration,
 )
 if err != nil {
 return nil, nil, nil, nil, err
diff --git a/sample-lnd.conf b/sample-lnd.conf
index baa7f778..50ee6433 100644
--- a/sample-lnd.conf
+++ b/sample-lnd.conf
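Review bot: Nothing in this commit bounds the new `TLSCertDuration` field: a zero or negative value (a `tlscertduration=0` setting, or a Config built by hand without DefaultConfig, as server_test.go has to guard against by setting the field explicitly) flows straight into `cert.GenCertPair` at both lnd.go call sites, and whether GenCertPair rejects a non-positive validity is not visible on this page. A guard in the config validation path, presumably in config.go which the commit does not touch, along the lines of `if cfg.TLSCertDuration <= 0 { return fmt.Errorf("tlscertduration must be positive, got %v", cfg.TLSCertDuration) }` (adapted to that function's return signature), turns the misconfiguration into a startup error instead of a certificate that is already expired when written. The field description also has a doubled preposition, "The duration for which ... will be valid for"; drop the trailing "for". The Config struct continues outside the hunk.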
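Review bot: Passing `cfg.TLSCertDuration` to GenCertPair only affects certificates generated from this point on; the `tlsautorefresh` description visible in the config.go hunk says regeneration is triggered by IP or domain changes, so an operator who lowers `tlscertduration` on a running node appears to keep the previously issued, longer-lived certificate until it expires or is removed. If that is intended, a short comment at this call site would prevent the obvious misreading, e.g. `// TLSCertDuration applies to the certificate generated here; an existing cert keeps its original validity.`. The same applies to the second call in the hunk at line 923, which looks like the refresh path, though that is inferred. Both calls sit inside getTLSConfig, whose body extends beyond both hunks.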
@@ -52,6 +52,11 @@
 ; change.
 ; tlsautorefresh=true
 
+; The duration from generating the self signed certificate to the certificate
+; expiry date. Valid time units are {s, m, h}.
+; The below value is about 14 months (14 * 30 * 24 = 10080)
+; tlscertduration=10080h
+
 ; Do not include the interface IPs or the system hostname in TLS certificate,
 ; use first --tlsextradomain as Common Name instead, if set.
 ; tlsdisableautofill=true
diff --git a/server_test.go b/server_test.go
index cfc1b253..5e8683f8 100644
--- a/server_test.go
+++ b/server_test.go
@@ -115,9 +115,10 @@ func TestTLSAutoRegeneration(t *testing.T) {
 // Now let's run getTLSConfig. If it works properly, it should delete
 // the cert and create a new one.
 cfg := &Config{
- TLSCertPath: certPath,
- TLSKeyPath: keyPath,
- RPCListeners: rpcListeners,
+ TLSCertPath: certPath,
+ TLSKeyPath: keyPath,
+ TLSCertDuration: 42 * time.Hour,
+ RPCListeners: rpcListeners,
 }
 _, _, _, cleanUp, err := getTLSConfig(cfg)
 if err != nil {