cert: allow cert expiry to be set in config

Jonathan Underwood 2021-04-06 12:23:33 +09:00 committed by GitHub
parent 1ccf6ed7d4
commit 786568fa46
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 32 additions and 21 deletions

@ -16,13 +16,6 @@ import (
"time" "time"
) )
const (
// DefaultAutogenValidity is the default validity of a self-signed
// certificate. The value corresponds to 14 months
// (14 months * 30 days * 24 hours).
DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
)
var ( var (
// End of ASN.1 time. // End of ASN.1 time.
endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC) endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)

@ -3,11 +3,16 @@ package cert_test
import ( import (
"io/ioutil" "io/ioutil"
"testing" "testing"
"time"
"github.com/lightningnetwork/lnd/cert" "github.com/lightningnetwork/lnd/cert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
const (
testTLSCertDuration = 42 * time.Hour
)
var ( var (
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"} extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
extraDomains = []string{"home", "and", "away"} extraDomains = []string{"home", "and", "away"}
@ -27,7 +32,7 @@ func TestIsOutdatedCert(t *testing.T) {
// Generate TLS files with two extra IPs and domains. // Generate TLS files with two extra IPs and domains.
err = cert.GenCertPair( err = cert.GenCertPair(
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2], "lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
extraDomains[:2], false, cert.DefaultAutogenValidity, extraDomains[:2], false, testTLSCertDuration,
) )
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -82,7 +87,7 @@ func TestIsOutdatedPermutation(t *testing.T) {
// Generate TLS files from the IPs and domains. // Generate TLS files from the IPs and domains.
err = cert.GenCertPair( err = cert.GenCertPair(
"lnd autogenerated cert", certPath, keyPath, extraIPs[:], "lnd autogenerated cert", certPath, keyPath, extraIPs[:],
extraDomains[:], false, cert.DefaultAutogenValidity, extraDomains[:], false, testTLSCertDuration,
) )
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -149,7 +154,7 @@ func TestTLSDisableAutofill(t *testing.T) {
// Generate TLS files with two extra IPs and domains and no interface IPs. // Generate TLS files with two extra IPs and domains and no interface IPs.
err = cert.GenCertPair( err = cert.GenCertPair(
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2], "lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
extraDomains[:2], true, cert.DefaultAutogenValidity, extraDomains[:2], true, testTLSCertDuration,
) )
require.NoError( require.NoError(
t, err, t, err,
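Review bot: The three GenCertPair calls in these hunks now pass testTLSCertDuration, but none of the tests checks that the written certificate actually honours that value, so a regression that ignored the parameter would still pass. After the call in TestIsOutdatedCert, parsing the certificate file and asserting with the parsed *x509.Certificate as `parsed` something like `require.WithinDuration(t, time.Now().Add(testTLSCertDuration), parsed.NotAfter, time.Minute)` would pin the behaviour this commit makes configurable; how the test reads the certificate back depends on code outside the hunks. The require.NoError call at the end of the last hunk continues past it.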

@ -79,6 +79,11 @@ const (
defaultTorV2PrivateKeyFilename = "v2_onion_private_key" defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
defaultTorV3PrivateKeyFilename = "v3_onion_private_key" defaultTorV3PrivateKeyFilename = "v3_onion_private_key"
// DefaultAutogenValidity is the default validity of a self-signed
// certificate. The value corresponds to 14 months
// (14 months * 30 days * 24 hours).
defaultTLSCertDuration = 14 * 30 * 24 * time.Hour
// minTimeLockDelta is the minimum timelock we require for incoming // minTimeLockDelta is the minimum timelock we require for incoming
// HTLCs on our channels. // HTLCs on our channels.
minTimeLockDelta = routing.MinCLTVDelta minTimeLockDelta = routing.MinCLTVDelta
@ -199,6 +204,7 @@ type Config struct {
TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"` TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"` TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"` TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
TLSCertDuration time.Duration `long:"tlscertduration" description:"The duration for which the auto-generated TLS certificate will be valid for"`
NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."` NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"` AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
@ -364,6 +370,7 @@ func DefaultConfig() Config {
DebugLevel: defaultLogLevel, DebugLevel: defaultLogLevel,
TLSCertPath: defaultTLSCertPath, TLSCertPath: defaultTLSCertPath,
TLSKeyPath: defaultTLSKeyPath, TLSKeyPath: defaultTLSKeyPath,
TLSCertDuration: defaultTLSCertDuration,
LetsEncryptDir: defaultLetsEncryptDir, LetsEncryptDir: defaultLetsEncryptDir,
LetsEncryptListen: defaultLetsEncryptListen, LetsEncryptListen: defaultLetsEncryptListen,
LogDir: defaultLogDir, LogDir: defaultLogDir,
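Review bot: The doc comment above defaultTLSCertDuration in the const hunk still begins with "DefaultAutogenValidity", the name of the constant this commit removes from the cert package; Go doc comments start with the identifier they describe, so it should read `// defaultTLSCertDuration is the default validity of a self-signed`. Separately, nothing in the commit rejects a zero or negative TLSCertDuration, and since the value is passed straight to cert.GenCertPair, `tlscertduration=0` would presumably yield a certificate that is expired the moment it is written; a check on `cfg.TLSCertDuration <= 0` in the config validation step, reporting `tlscertduration must be positive`, would make that a startup error instead of a TLS handshake failure (the validation code is outside these hunks, so this is inferred). The flag text doubles the preposition, `description:"The duration for which the auto-generated TLS certificate will be valid"` reads cleaner. Both GenCertPair call sites in lnd.go consume the field unguarded.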

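--- a/lnd.go
+++ b/lnd.go
@@ -873,7 +873,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
 err := cert.GenCertPair(
 "lnd autogenerated cert", cfg.TLSCertPath,
 cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
-cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
+cfg.TLSDisableAutofill, cfg.TLSCertDuration,
 )
 if err != nil {
 return nil, nil, nil, nil, err
@@ -923,7 +923,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
 err = cert.GenCertPair(
 "lnd autogenerated cert", cfg.TLSCertPath,
 cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
-cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
+cfg.TLSDisableAutofill, cfg.TLSCertDuration,
 )
 if err != nil {
 return nil, nil, nil, nil, err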
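Review bot: The two GenCertPair call sites in getTLSConfig carry identical argument lists, and this commit had to edit both to swap in cfg.TLSCertDuration; the second one on the regeneration path is the kind of duplicate that silently drifts on the next change. A small local closure, `genCert := func() error { return cert.GenCertPair("lnd autogenerated cert", cfg.TLSCertPath, cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains, cfg.TLSDisableAutofill, cfg.TLSCertDuration) }`, called from both places would keep the initial and regeneration paths in step. getTLSConfig begins and ends outside these hunks.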

@ -52,6 +52,11 @@
; change. ; change.
; tlsautorefresh=true ; tlsautorefresh=true
; The duration from generating the self signed certificate to the certificate
; expiry date. Valid time units are {s, m, h}.
; The below value is about 14 months (14 * 30 * 24 = 10080)
; tlscertduration=10080h
; Do not include the interface IPs or the system hostname in TLS certificate, ; Do not include the interface IPs or the system hostname in TLS certificate,
; use first --tlsextradomain as Common Name instead, if set. ; use first --tlsextradomain as Common Name instead, if set.
; tlsdisableautofill=true ; tlsdisableautofill=true

@ -117,6 +117,7 @@ func TestTLSAutoRegeneration(t *testing.T) {
cfg := &Config{ cfg := &Config{
TLSCertPath: certPath, TLSCertPath: certPath,
TLSKeyPath: keyPath, TLSKeyPath: keyPath,
TLSCertDuration: 42 * time.Hour,
RPCListeners: rpcListeners, RPCListeners: rpcListeners,
} }
_, _, _, cleanUp, err := getTLSConfig(cfg) _, _, _, cleanUp, err := getTLSConfig(cfg)