cert: allow cert expiry to be set in config
This commit is contained in:
parent
1ccf6ed7d4
commit
786568fa46
@ -16,13 +16,6 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
// DefaultAutogenValidity is the default validity of a self-signed
|
|
||||||
// certificate. The value corresponds to 14 months
|
|
||||||
// (14 months * 30 days * 24 hours).
|
|
||||||
DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// End of ASN.1 time.
|
// End of ASN.1 time.
|
||||||
endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
||||||
|
@ -3,11 +3,16 @@ package cert_test
|
|||||||
import (
|
import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/lightningnetwork/lnd/cert"
|
"github.com/lightningnetwork/lnd/cert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
testTLSCertDuration = 42 * time.Hour
|
||||||
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
|
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
|
||||||
extraDomains = []string{"home", "and", "away"}
|
extraDomains = []string{"home", "and", "away"}
|
||||||
@ -27,7 +32,7 @@ func TestIsOutdatedCert(t *testing.T) {
|
|||||||
// Generate TLS files with two extra IPs and domains.
|
// Generate TLS files with two extra IPs and domains.
|
||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
||||||
extraDomains[:2], false, cert.DefaultAutogenValidity,
|
extraDomains[:2], false, testTLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
@ -82,7 +87,7 @@ func TestIsOutdatedPermutation(t *testing.T) {
|
|||||||
// Generate TLS files from the IPs and domains.
|
// Generate TLS files from the IPs and domains.
|
||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
|
"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
|
||||||
extraDomains[:], false, cert.DefaultAutogenValidity,
|
extraDomains[:], false, testTLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
@ -149,7 +154,7 @@ func TestTLSDisableAutofill(t *testing.T) {
|
|||||||
// Generate TLS files with two extra IPs and domains and no interface IPs.
|
// Generate TLS files with two extra IPs and domains and no interface IPs.
|
||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
||||||
extraDomains[:2], true, cert.DefaultAutogenValidity,
|
extraDomains[:2], true, testTLSCertDuration,
|
||||||
)
|
)
|
||||||
require.NoError(
|
require.NoError(
|
||||||
t, err,
|
t, err,
|
||||||
|
@ -79,6 +79,11 @@ const (
|
|||||||
defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
|
defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
|
||||||
defaultTorV3PrivateKeyFilename = "v3_onion_private_key"
|
defaultTorV3PrivateKeyFilename = "v3_onion_private_key"
|
||||||
|
|
||||||
|
// DefaultAutogenValidity is the default validity of a self-signed
|
||||||
|
// certificate. The value corresponds to 14 months
|
||||||
|
// (14 months * 30 days * 24 hours).
|
||||||
|
defaultTLSCertDuration = 14 * 30 * 24 * time.Hour
|
||||||
|
|
||||||
// minTimeLockDelta is the minimum timelock we require for incoming
|
// minTimeLockDelta is the minimum timelock we require for incoming
|
||||||
// HTLCs on our channels.
|
// HTLCs on our channels.
|
||||||
minTimeLockDelta = routing.MinCLTVDelta
|
minTimeLockDelta = routing.MinCLTVDelta
|
||||||
@ -199,6 +204,7 @@ type Config struct {
|
|||||||
TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
|
TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
|
||||||
TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
|
TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
|
||||||
TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
|
TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
|
||||||
|
TLSCertDuration time.Duration `long:"tlscertduration" description:"The duration for which the auto-generated TLS certificate will be valid for"`
|
||||||
|
|
||||||
NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
|
NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
|
||||||
AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
|
AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
|
||||||
@ -364,6 +370,7 @@ func DefaultConfig() Config {
|
|||||||
DebugLevel: defaultLogLevel,
|
DebugLevel: defaultLogLevel,
|
||||||
TLSCertPath: defaultTLSCertPath,
|
TLSCertPath: defaultTLSCertPath,
|
||||||
TLSKeyPath: defaultTLSKeyPath,
|
TLSKeyPath: defaultTLSKeyPath,
|
||||||
|
TLSCertDuration: defaultTLSCertDuration,
|
||||||
LetsEncryptDir: defaultLetsEncryptDir,
|
LetsEncryptDir: defaultLetsEncryptDir,
|
||||||
LetsEncryptListen: defaultLetsEncryptListen,
|
LetsEncryptListen: defaultLetsEncryptListen,
|
||||||
LogDir: defaultLogDir,
|
LogDir: defaultLogDir,
|
||||||
|
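Review bot: Nothing in the visible Config or DefaultConfig changes bounds `TLSCertDuration`, so a zero or negative `tlscertduration` from the config file is passed straight to `cert.GenCertPair` at both call sites in lnd.go (the new `cfg.TLSDisableAutofill, cfg.TLSCertDuration,` lines), which would presumably yield a certificate that is already expired at startup. Config validation lives outside this hunk; a check alongside the other TLS option checks, such as `if cfg.TLSCertDuration <= 0 { return nil, fmt.Errorf("tlscertduration must be a positive duration") }`, would catch this at load time instead of at cert generation. The upper bound is also left open; whether GenCertPair clamps the certificate's NotAfter to the `endOfTime` value visible in cert.go is not shown here, so confirm that an oversized value cannot produce a NotAfter beyond the ASN.1 limit. Minor: the struct tag's description reads `...TLS certificate will be valid for` after `The duration for which`, a duplicated "for"; `The duration for which the auto-generated TLS certificate will be valid` reads cleaner.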
4
lnd.go
4
lnd.go
@ -873,7 +873,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
|
|||||||
err := cert.GenCertPair(
|
err := cert.GenCertPair(
|
||||||
"lnd autogenerated cert", cfg.TLSCertPath,
|
"lnd autogenerated cert", cfg.TLSCertPath,
|
||||||
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
||||||
cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
|
cfg.TLSDisableAutofill, cfg.TLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, nil, err
|
return nil, nil, nil, nil, err
|
||||||
@ -923,7 +923,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
|
|||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", cfg.TLSCertPath,
|
"lnd autogenerated cert", cfg.TLSCertPath,
|
||||||
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
||||||
cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
|
cfg.TLSDisableAutofill, cfg.TLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, nil, err
|
return nil, nil, nil, nil, err
|
||||||
|
@ -52,6 +52,11 @@
|
|||||||
; change.
|
; change.
|
||||||
; tlsautorefresh=true
|
; tlsautorefresh=true
|
||||||
|
|
||||||
|
; The duration from generating the self signed certificate to the certificate
|
||||||
|
; expiry date. Valid time units are {s, m, h}.
|
||||||
|
; The below value is about 14 months (14 * 30 * 24 = 10080)
|
||||||
|
; tlscertduration=10080h
|
||||||
|
|
||||||
; Do not include the interface IPs or the system hostname in TLS certificate,
|
; Do not include the interface IPs or the system hostname in TLS certificate,
|
||||||
; use first --tlsextradomain as Common Name instead, if set.
|
; use first --tlsextradomain as Common Name instead, if set.
|
||||||
; tlsdisableautofill=true
|
; tlsdisableautofill=true
|
||||||
|
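Review bot: The comment block for `tlscertduration` does not say when the value takes effect; from the lnd.go hunks it is only consumed when a certificate pair is generated, so an existing tls.cert appears to keep its previous expiry until it is regenerated (by tlsautorefresh on an IP or domain change, or after the files are removed). Suggested addition after the units line: `; The value only applies to certificates generated after it is set; an existing certificate keeps its original expiry.` The units line could also mention that a day unit is not accepted by Go's duration parser, which is why the example is expressed in hours.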
@ -117,6 +117,7 @@ func TestTLSAutoRegeneration(t *testing.T) {
|
|||||||
cfg := &Config{
|
cfg := &Config{
|
||||||
TLSCertPath: certPath,
|
TLSCertPath: certPath,
|
||||||
TLSKeyPath: keyPath,
|
TLSKeyPath: keyPath,
|
||||||
|
TLSCertDuration: 42 * time.Hour,
|
||||||
RPCListeners: rpcListeners,
|
RPCListeners: rpcListeners,
|
||||||
}
|
}
|
||||||
_, _, _, cleanUp, err := getTLSConfig(cfg)
|
_, _, _, cleanUp, err := getTLSConfig(cfg)
|
||||||
|