cert: allow cert expiry to be set in config
parent
1ccf6ed7d4
commit
786568fa46
@ -16,13 +16,6 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
// DefaultAutogenValidity is the default validity of a self-signed
|
|
||||||
// certificate. The value corresponds to 14 months
|
|
||||||
// (14 months * 30 days * 24 hours).
|
|
||||||
DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// End of ASN.1 time.
|
// End of ASN.1 time.
|
||||||
endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
||||||
|
@ -3,11 +3,16 @@ package cert_test
|
|||||||
import (
|
import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/lightningnetwork/lnd/cert"
|
"github.com/lightningnetwork/lnd/cert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
testTLSCertDuration = 42 * time.Hour
|
||||||
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
|
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
|
||||||
extraDomains = []string{"home", "and", "away"}
|
extraDomains = []string{"home", "and", "away"}
|
||||||
@ -27,7 +32,7 @@ func TestIsOutdatedCert(t *testing.T) {
|
|||||||
// Generate TLS files with two extra IPs and domains.
|
// Generate TLS files with two extra IPs and domains.
|
||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
||||||
extraDomains[:2], false, cert.DefaultAutogenValidity,
|
extraDomains[:2], false, testTLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
@ -82,7 +87,7 @@ func TestIsOutdatedPermutation(t *testing.T) {
|
|||||||
// Generate TLS files from the IPs and domains.
|
// Generate TLS files from the IPs and domains.
|
||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
|
"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
|
||||||
extraDomains[:], false, cert.DefaultAutogenValidity,
|
extraDomains[:], false, testTLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
@ -149,7 +154,7 @@ func TestTLSDisableAutofill(t *testing.T) {
|
|||||||
// Generate TLS files with two extra IPs and domains and no interface IPs.
|
// Generate TLS files with two extra IPs and domains and no interface IPs.
|
||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
|
||||||
extraDomains[:2], true, cert.DefaultAutogenValidity,
|
extraDomains[:2], true, testTLSCertDuration,
|
||||||
)
|
)
|
||||||
require.NoError(
|
require.NoError(
|
||||||
t, err,
|
t, err,
|
||||||
|
19
config.go
19
config.go
@ -79,6 +79,11 @@ const (
|
|||||||
defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
|
defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
|
||||||
defaultTorV3PrivateKeyFilename = "v3_onion_private_key"
|
defaultTorV3PrivateKeyFilename = "v3_onion_private_key"
|
||||||
|
|
||||||
|
// DefaultAutogenValidity is the default validity of a self-signed
|
||||||
|
// certificate. The value corresponds to 14 months
|
||||||
|
// (14 months * 30 days * 24 hours).
|
||||||
|
defaultTLSCertDuration = 14 * 30 * 24 * time.Hour
|
||||||
|
|
||||||
// minTimeLockDelta is the minimum timelock we require for incoming
|
// minTimeLockDelta is the minimum timelock we require for incoming
|
||||||
// HTLCs on our channels.
|
// HTLCs on our channels.
|
||||||
minTimeLockDelta = routing.MinCLTVDelta
|
minTimeLockDelta = routing.MinCLTVDelta
|
||||||
@ -193,12 +198,13 @@ type Config struct {
|
|||||||
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
|
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
|
||||||
SyncFreelist bool `long:"sync-freelist" description:"Whether the databases used within lnd should sync their freelist to disk. This is disabled by default resulting in improved memory performance during operation, but with an increase in startup time."`
|
SyncFreelist bool `long:"sync-freelist" description:"Whether the databases used within lnd should sync their freelist to disk. This is disabled by default resulting in improved memory performance during operation, but with an increase in startup time."`
|
||||||
|
|
||||||
TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"`
|
TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"`
|
||||||
TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"`
|
TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"`
|
||||||
TLSExtraIPs []string `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"`
|
TLSExtraIPs []string `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"`
|
||||||
TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
|
TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
|
||||||
TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
|
TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
|
||||||
TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
|
TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
|
||||||
|
TLSCertDuration time.Duration `long:"tlscertduration" description:"The duration for which the auto-generated TLS certificate will be valid for"`
|
||||||
|
|
||||||
NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
|
NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
|
||||||
AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
|
AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
|
||||||
@ -364,6 +370,7 @@ func DefaultConfig() Config {
|
|||||||
DebugLevel: defaultLogLevel,
|
DebugLevel: defaultLogLevel,
|
||||||
TLSCertPath: defaultTLSCertPath,
|
TLSCertPath: defaultTLSCertPath,
|
||||||
TLSKeyPath: defaultTLSKeyPath,
|
TLSKeyPath: defaultTLSKeyPath,
|
||||||
|
TLSCertDuration: defaultTLSCertDuration,
|
||||||
LetsEncryptDir: defaultLetsEncryptDir,
|
LetsEncryptDir: defaultLetsEncryptDir,
|
||||||
LetsEncryptListen: defaultLetsEncryptListen,
|
LetsEncryptListen: defaultLetsEncryptListen,
|
||||||
LogDir: defaultLogDir,
|
LogDir: defaultLogDir,
|
||||||
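Review bot: The doc comment on the new constant, `// DefaultAutogenValidity is the default validity of a self-signed`, still names the identifier this commit removes from the cert package; Go doc comments start with the name they document, so it should read `// defaultTLSCertDuration is the default validity of a self-signed`. Separately, nothing in this section bounds the new `TLSCertDuration` field: a zero or negative value read from lnd.conf or the flag is handed to cert.GenCertPair unchanged in lnd.go, and whether GenCertPair rejects it (or clamps only the upper end to the `endOfTime` value in cert.go) is not visible here, so the lower bound should be rejected where the other config values are checked, outside this hunk, e.g. `if cfg.TLSCertDuration <= 0 { return nil, fmt.Errorf("tlscertduration must be positive") }`. Note also that the same commit deletes the exported `cert.DefaultAutogenValidity` and replaces it with this unexported constant, which breaks any external importer of the cert package; keeping an exported alias in cert would avoid that.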
|
4
lnd.go
4
lnd.go
@ -873,7 +873,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
|
|||||||
err := cert.GenCertPair(
|
err := cert.GenCertPair(
|
||||||
"lnd autogenerated cert", cfg.TLSCertPath,
|
"lnd autogenerated cert", cfg.TLSCertPath,
|
||||||
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
||||||
cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
|
cfg.TLSDisableAutofill, cfg.TLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, nil, err
|
return nil, nil, nil, nil, err
|
||||||
@ -923,7 +923,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
|
|||||||
err = cert.GenCertPair(
|
err = cert.GenCertPair(
|
||||||
"lnd autogenerated cert", cfg.TLSCertPath,
|
"lnd autogenerated cert", cfg.TLSCertPath,
|
||||||
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
|
||||||
cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
|
cfg.TLSDisableAutofill, cfg.TLSCertDuration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, nil, err
|
return nil, nil, nil, nil, err
|
||||||
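Review bot: Both GenCertPair calls in this section (`cfg.TLSDisableAutofill, cfg.TLSCertDuration,` here and the same line in the hunk at `@ -923,7 +923,7 @@`) only take effect when a certificate is actually (re)generated; the visible code gives no sign that a changed `tlscertduration` triggers regeneration, and the `tlsautorefresh` description in config.go keys refresh to changed IPs and domains, so an operator who lowers the duration presumably keeps the old, longer-lived certificate until it is removed or its SANs change. If that is intended, say so in the flag description in config.go, e.g. `description:"The duration for which the auto-generated TLS certificate will be valid; only applied when a new certificate is generated"`, which also fixes the doubled "for … for" in the current wording. Either way the value reaches the cert package unvalidated from this function, so a non-positive duration is being relied on to fail inside GenCertPair, and whether it does is not visible here. getTLSConfig starts and ends outside the hunk.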
|
@ -52,6 +52,11 @@
|
|||||||
; change.
|
; change.
|
||||||
; tlsautorefresh=true
|
; tlsautorefresh=true
|
||||||
|
|
||||||
|
; The duration from generating the self signed certificate to the certificate
|
||||||
|
; expiry date. Valid time units are {s, m, h}.
|
||||||
|
; The below value is about 14 months (14 * 30 * 24 = 10080)
|
||||||
|
; tlscertduration=10080h
|
||||||
|
|
||||||
; Do not include the interface IPs or the system hostname in TLS certificate,
|
; Do not include the interface IPs or the system hostname in TLS certificate,
|
||||||
; use first --tlsextradomain as Common Name instead, if set.
|
; use first --tlsextradomain as Common Name instead, if set.
|
||||||
; tlsdisableautofill=true
|
; tlsdisableautofill=true
|
||||||
|
@ -115,9 +115,10 @@ func TestTLSAutoRegeneration(t *testing.T) {
|
|||||||
// Now let's run getTLSConfig. If it works properly, it should delete
|
// Now let's run getTLSConfig. If it works properly, it should delete
|
||||||
// the cert and create a new one.
|
// the cert and create a new one.
|
||||||
cfg := &Config{
|
cfg := &Config{
|
||||||
TLSCertPath: certPath,
|
TLSCertPath: certPath,
|
||||||
TLSKeyPath: keyPath,
|
TLSKeyPath: keyPath,
|
||||||
RPCListeners: rpcListeners,
|
TLSCertDuration: 42 * time.Hour,
|
||||||
|
RPCListeners: rpcListeners,
|
||||||
}
|
}
|
||||||
_, _, _, cleanUp, err := getTLSConfig(cfg)
|
_, _, _, cleanUp, err := getTLSConfig(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|