cert: allow cert expiry to be set in config

2021-04-06 12:23:33 +09:00 · 2021-04-06 12:23:33 +09:00 · 786568fa46
commit 786568fa46
parent 1ccf6ed7d4
6 changed files with 32 additions and 21 deletions
--- a/cert/selfsigned.go
+++ b/cert/selfsigned.go
@ -16,13 +16,6 @@ import (
 	"time"
 )

-const (
-	// DefaultAutogenValidity is the default validity of a self-signed
-	// certificate. The value corresponds to 14 months
-	// (14 months * 30 days * 24 hours).
-	DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
-)
-
 var (
 	// End of ASN.1 time.
 	endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
--- a/cert/selfsigned_test.go
+++ b/cert/selfsigned_test.go
@ -3,11 +3,16 @@ package cert_test
 import (
 	"io/ioutil"
 	"testing"
+	"time"

 	"github.com/lightningnetwork/lnd/cert"
 	"github.com/stretchr/testify/require"
 )

+const (
+	testTLSCertDuration = 42 * time.Hour
+)
+
 var (
 	extraIPs     = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
 	extraDomains = []string{"home", "and", "away"}
@ -27,7 +32,7 @@ func TestIsOutdatedCert(t *testing.T) {
 	// Generate TLS files with two extra IPs and domains.
 	err = cert.GenCertPair(
 		"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
-		extraDomains[:2], false, cert.DefaultAutogenValidity,
+		extraDomains[:2], false, testTLSCertDuration,
 	)
 	if err != nil {
 		t.Fatal(err)
@ -82,7 +87,7 @@ func TestIsOutdatedPermutation(t *testing.T) {
 	// Generate TLS files from the IPs and domains.
 	err = cert.GenCertPair(
 		"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
-		extraDomains[:], false, cert.DefaultAutogenValidity,
+		extraDomains[:], false, testTLSCertDuration,
 	)
 	if err != nil {
 		t.Fatal(err)
@ -149,7 +154,7 @@ func TestTLSDisableAutofill(t *testing.T) {
 	// Generate TLS files with two extra IPs and domains and no interface IPs.
 	err = cert.GenCertPair(
 		"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
-		extraDomains[:2], true, cert.DefaultAutogenValidity,
+		extraDomains[:2], true, testTLSCertDuration,
 	)
 	require.NoError(
 		t, err,
--- a/config.go
+++ b/config.go
@ -79,6 +79,11 @@ const (
 	defaultTorV2PrivateKeyFilename = "v2_onion_private_key"
 	defaultTorV3PrivateKeyFilename = "v3_onion_private_key"

+	// DefaultAutogenValidity is the default validity of a self-signed
+	// certificate. The value corresponds to 14 months
+	// (14 months * 30 days * 24 hours).
+	defaultTLSCertDuration = 14 * 30 * 24 * time.Hour
+
 	// minTimeLockDelta is the minimum timelock we require for incoming
 	// HTLCs on our channels.
 	minTimeLockDelta = routing.MinCLTVDelta
@ -199,6 +204,7 @@ type Config struct {
 	TLSExtraDomains    []string      `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
 	TLSAutoRefresh     bool          `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
 	TLSDisableAutofill bool          `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
+	TLSCertDuration    time.Duration `long:"tlscertduration" description:"The duration for which the auto-generated TLS certificate will be valid for"`

 	NoMacaroons     bool          `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
 	AdminMacPath    string        `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
@ -364,6 +370,7 @@ func DefaultConfig() Config {
 		DebugLevel:        defaultLogLevel,
 		TLSCertPath:       defaultTLSCertPath,
 		TLSKeyPath:        defaultTLSKeyPath,
+		TLSCertDuration:   defaultTLSCertDuration,
 		LetsEncryptDir:    defaultLetsEncryptDir,
 		LetsEncryptListen: defaultLetsEncryptListen,
 		LogDir:            defaultLogDir,
--- a/lnd.go
+++ b/lnd.go
@ -873,7 +873,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
 		err := cert.GenCertPair(
 			"lnd autogenerated cert", cfg.TLSCertPath,
 			cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
-			cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
+			cfg.TLSDisableAutofill, cfg.TLSCertDuration,
 		)
 		if err != nil {
 			return nil, nil, nil, nil, err
@ -923,7 +923,7 @@ func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption,
 		err = cert.GenCertPair(
 			"lnd autogenerated cert", cfg.TLSCertPath,
 			cfg.TLSKeyPath, cfg.TLSExtraIPs, cfg.TLSExtraDomains,
-			cfg.TLSDisableAutofill, cert.DefaultAutogenValidity,
+			cfg.TLSDisableAutofill, cfg.TLSCertDuration,
 		)
 		if err != nil {
 			return nil, nil, nil, nil, err
--- a/sample-lnd.conf
+++ b/sample-lnd.conf
@ -52,6 +52,11 @@
 ; change.
 ; tlsautorefresh=true

+; The duration from generating the self signed certificate to the certificate
+; expiry date. Valid time units are {s, m, h}.
+; The below value is about 14 months (14 * 30 * 24 = 10080)
+; tlscertduration=10080h
+
 ; Do not include the interface IPs or the system hostname in TLS certificate,
 ; use first --tlsextradomain as Common Name instead, if set.
 ; tlsdisableautofill=true
--- a/server_test.go
+++ b/server_test.go
@ -117,6 +117,7 @@ func TestTLSAutoRegeneration(t *testing.T) {
 	cfg := &Config{
 		TLSCertPath:     certPath,
 		TLSKeyPath:      keyPath,
+		TLSCertDuration: 42 * time.Hour,
 		RPCListeners:    rpcListeners,
 	}
 	_, _, _, cleanUp, err := getTLSConfig(cfg)