You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Removes the now-obsolete checkServerIdentity: () => undefined TLS bypass from the Lightning client's tlsAgent. This re-enables standard server-identity (SAN) verification for the LND connection while still pinning the self-signed CA.
This is the correct, narrowed subset of the Lightning cleanup that was bundled into #3912 — see "Deliberately NOT changed" below.
Why this is safe now
LND is reached at https://lnd:8080 (post-cutover, dfxprd compose). The LND certificate's SAN covers that hostname (lnd, plus localhost, 127.0.0.1, 10.0.1.4, and the legacy Azure host), so default server-identity verification passes against the pinned CA — the explicit bypass is dead code.
Removing the bypass is a small hardening: a future cert/host mismatch now fails loudly instead of being silently accepted.
#3912's commit also removed the Host: new URL(Config.url()).hostname header from httpLnBitsConfig. That removal is kept out here on purpose: the LNBits instance on dfxprd has no base-URL / forwarding config (LNBITS_BASEURL, FORWARDED_ALLOW_IPS are unset), so LNBits builds its LNURL callback URLs from the incoming Host header. Dropping it would make LNURLs resolve to the internal lnbits:5000 host → broken LNURL pay/withdraw links. The header stays.
Test plan (verify on DEV before promoting to main)
After deploy to DEV: LND calls succeed (/version-adjacent health, e.g. node info / channel balance) — confirms TLS still verifies against the DEV LND cert SAN.
LNURL pay/withdraw links generated via LNBits still resolve to the public host (confirms the retained Host header).
The removed checkServerIdentity: () => undefined is not dead code: it was added yesterday in #3899 to fix a live PRD outage (all LNURL pay/withdraw calls returning 500 ERR_TLS_CERT_ALTNAME_INVALID). Root cause: the Host: api.dfx.swiss header (from #3893) drives Node's TLS SNI/servername, and the self-signed LND/LNBits cert does not carry api.dfx.swiss in its SAN.
It only appears removable today because, post-cutover, LNBits is reached over plain HTTP (http://lnbits:5000 on both DEV and PRD), so the agent/SNI path isn't exercised and LND's own SNI (lnd) is already in the SAN. That gives this change zero functional benefit while reintroducing the #3899 landmine the moment LNBits returns to HTTPS.
Correct sequence if we want the override gone (per #3899's own note): first reissue the LND cert with api.dfx.swiss in the SAN (tlsextradomain=api.dfx.swiss is already in the dfxprd lnd.conf), verify LNURL calls stay green, then drop the override.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes the now-obsolete
checkServerIdentity: () => undefinedTLS bypass from the Lightning client'stlsAgent. This re-enables standard server-identity (SAN) verification for the LND connection while still pinning the self-signed CA.This is the correct, narrowed subset of the Lightning cleanup that was bundled into #3912 — see "Deliberately NOT changed" below.
Why this is safe now
https://lnd:8080(post-cutover, dfxprd compose). The LND certificate's SAN covers that hostname (lnd, pluslocalhost,127.0.0.1,10.0.1.4, and the legacy Azure host), so default server-identity verification passes against the pinned CA — the explicit bypass is dead code.Deliberately NOT changed (differs from #3912)
#3912's commit also removed the
Host: new URL(Config.url()).hostnameheader fromhttpLnBitsConfig. That removal is kept out here on purpose: the LNBits instance on dfxprd has no base-URL / forwarding config (LNBITS_BASEURL,FORWARDED_ALLOW_IPSare unset), so LNBits builds its LNURL callback URLs from the incomingHostheader. Dropping it would make LNURLs resolve to the internallnbits:5000host → broken LNURL pay/withdraw links. The header stays.Test plan (verify on DEV before promoting to main)
/version-adjacent health, e.g. node info / channel balance) — confirms TLS still verifies against the DEV LND cert SAN.Hostheader).