Upgrade 0.5.0 LND ignores tlsextradomain and tlsextraip #1421
Comments
I think it is caused by the commandline parameters now specified in docker. They override the values in the config file, the same problem as the Bitcoin container now has. So you can only modify settings that are not already in the commandline; this new behaviour is really annoying.
After I read your issue, it was clear this is the same for lnd as well. The weird thing is that when I look in RTL at the LND conf, it knows all the params from conf. However, it is ignored. It would be great to have a param in docker-compose to specify the path to the conf file and, if the param is set, this conf file overrides the default docker-compose commandline parameters.
Same issue here. Checking for how this can be fixed with docker-compose.yaml
As much as I try not to let things like this get to me, it's true that ignoring lnd.conf may be a somewhat annoying design decision.
I'm noticing two files of interest:
(they seem to originate from https://github.com/getumbrel/umbrel-apps) Oddly, modifying the --tlsextraip flag also doesn't seem to have the desired effect. I'm also wondering whether this flag can appear multiple times, or if the IPs need to be comma separated.
Hmm, my conclusion is that this isn't the right approach, i.e. I shouldn't try overriding tlsextraip. Instead I should connect to LND via the 'connect wallet' functionality given via the interface.
@bc31164b-cfd5-4a63-8144-875100622b2d I am happy if that is a solution for you, but for many people that is not an option. I run many extra containers, and I cannot put them in
I'm dealing with the same issue here... LND ignores new tlsextraip parameters. Were you able to work around this? I haven't found further discussion about this topic.
No, there is no current workaround. The TLS cert is renewed every time the container is restarted. Use Tor lnd connect to connect to your mobile app.
As @bc31164b-cfd5-4a63-8144-875100622b2d mentions:
This is really the correct approach. @kroese the app sandbox on Umbrel provides security by limiting what apps have access to. You shouldn't expect a container running directly on the OS to be able to interface directly with a container in apps. This does happen to work today if you reference them directly by their internal IP, but this will break in the future when we lock down network sandboxing further. You should connect over the Umbrel's local network interface, Tor, or something like Tailscale. Alternatively, if you want to keep your current setup, knowing it will break at some point in the future, and just want to get it working now, you could just pin your LND client to your SSL certificate and then disable host/IP verification. Or even just disable SSL verification altogether. It's really not providing any security between two peers on an internal virtual network. I'm interested, @mbio16 @felipehere @bc31164b-cfd5-4a63-8144-875100622b2d: what are your use cases for wanting to change this setting? Are you also running external containers on the OS that you want to directly interface with LND like @kroese? Or something else? If there is some common need we aren't satisfying then we can see if there's something we can change to support it better.
Hi @lukechilds, thank you for jumping in. My goal is to set up LNbits on the clearnet so that I can more properly host Lightning wallets for friends and family. As you know, the 'connect wallet' functionality only offers Tor and local network connections. So I've installed an LNbits instance on a VPS (which I also use to route the node's connection to the clearnet in hybrid mode) and I'm trying to allow it to use my node's wallet. In order to allow LNbits on the VPS to access the node's restwallet API, I need to set up a new tlsextraip in lnd.conf and generate a new tls.cert file that LNbits on the VPS can use. It would be great to learn your thoughts about what I'm trying to achieve and if Umbrel could support it somehow.
Hi @lukechilds, the reason is that I have a domain name with DNSSEC set up for my LND. I have my own LND REST client (on different HW). The cert has to be valid; disabling verification is not the right sec approach.
This is a common use case, which is used by a number of umbrel nodes following my guide, and with 0.5 it is not feasible anymore.
Got it, thanks for the responses guys. Totally get the public LNbits use case, we have some ideas on how we can support this use case better directly in Umbrel in the future. In the meantime, here are some ideas for workarounds:
Appreciate the constructive ideas Luke. I really do. LND has the tlsextraip for the secured handshake, and LNbits is only one of many instances where the rest-wallet needs to validate a secure connection. I don't get why we take secure, established ways which are working for raspibolt, blitz, start9 and mynode users, but are not supposed to work for umbrel.
Option 3 I suggested above does keep this same method but allows it to work for Umbrel. It just requires setting up the hostname on the VPS end instead of adding an IP on the LND end. It would just be a one line change on the VPS:
FWIW the behaviour that's preventing your current guide from working could be considered a bug in LND:
According to the LND docs multiple
Thanks, that would be the best way forward. I had 5 tlsextraip entries in umbrel < 0.5, and more than one in raspiblitz and raspibolt. So it's certainly working if defined in Is there a way for me to adjust docker-compose and add additional
This might be something to look into
OK so heard back from Lightning Labs, this is correct LND behaviour:
So we'll have to handle this specially somehow in the Lightning app to get it working.
You can directly edit
We actually added this to prevent an issue where the SSL cert got rotated every startup due to LND seeing the Docker container hostname (which is random), not the host hostname. And then we manually passed the correct details in via the config (#318). But now I'm thinking if we remove that we could solve the SSL cert rotation issue by just spoofing the container hostname to the host hostname. I think it might grab the correct IP by default. That way we might be able to remove our
@TrezorHannes this should now be resolved in the latest version of the Lightning app in the Umbrel App Store. You can now set
Hi @lukechilds, thank you for addressing it! I was able to successfully set tlsextraip & tlsextradomain in the latest version.
Hi, @lukechilds. TLS cert has
- split Raspibolt and Raspiblitz due to check-up script adjustments
- Raspiblitz 1.7 requires different adjustments than 1.8, so split those too
- added umbrel 0.5 back in, due to the amendments the umbrel team did with getumbrel/umbrel#1421 💯
Hello,
I upgraded my node to 0.5.0. After that, LND regenerated the TLS cert and key; however, it ignores lnd.conf, where tlsextradomain and ip are configured.
I removed umbrel.local from lnd.conf as the tlsextradomain param and removed the TLS.key and cert files. Restarting the LND container regenerated the cert and key, but with the same umbrel.local domain and no other tlsextradomain DNS name.
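A check for the symptom in this report, written as an added example (not code from Umbrel or lnd): it parses a PEM tls.cert and lists the tlsextradomain/tlsextraip names that are missing from the certificate's SANs. The self-signed fixture stands in for a real lnd cert; umbrel.local comes from the report, every other name and IP is made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// makeCert is a constructed fixture (not lnd's own generator) that self-signs a cert
// with the SANs lnd puts in tls.cert: the node hostname plus tlsextradomain/tlsextraip.
func makeCert(dnsNames []string, ips []net.IP) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: dnsNames, IPAddresses: ips,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 2, 0), // ~14 months
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// missingSANs parses a PEM tls.cert and returns every expected DNS name or IP literal
// the cert would NOT validate for (VerifyHostname handles both kinds of SAN).
func missingSANs(certPEM []byte, want []string) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, errors.New("no PEM block found in tls.cert")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	missing := []string{}
	for _, name := range want {
		if cert.VerifyHostname(name) != nil {
			missing = append(missing, name)
		}
	}
	return missing, nil
}
```

Feed missingSANs the bytes of your node's tls.cert together with the names from lnd.conf; a non-empty result means the regenerated cert still lacks those SANs, which is exactly what a client validating the certificate will reject.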