You can configure the HTTPS server to automatically install a free SSL certificate provided by Let's Encrypt. This is recommended if you plan to access the website from a remote computer and do not want to deal with the browser warning you get about the self-signed certificate. Another benefit is you can use a memorable URL to access the Terminal UI instead of an IP address.
Note: LiT only serves content over HTTPS. If you do not use `letsencrypt`, LiT will use the self-signed certificate that is auto-generated by `lnd` (or by LiT itself in `remote` mode) to encrypt the browser-to-server communication. Web browsers will display a warning when using the self-signed certificate.
- Purchase a domain name to use. It can be a root domain such as `mydomain.com` or a sub-domain such as `terminal.mydomain.com`.
- Update the domain's DNS to point the domain name to your node's public IP address by creating an `A` record. The specific steps to configure the `A` record vary depending on the service you use to host your domain's DNS zone.
In order for Let's Encrypt to automatically install and renew your SSL certificate, it will need to validate that you control the domain name. LiT uses the HTTP-01 challenge method for this validation. You will need to open port 80 in your firewall or configure port forwarding on your router so that HTTP requests for your domain name can be responded to by LiT.
On some Linux-based platforms, you may need to run LiT with superuser privileges since port 80 is a system port. You can grant the `CAP_NET_BIND_SERVICE` capability using `setcap 'CAP_NET_BIND_SERVICE=+eip' /path/to/litd` to allow binding to port 80 without needing to run the daemon as root.
If you are able to use port forwarding on your router/firewall, you can specify a different port (e.g. `8080`) on which to listen for Let's Encrypt challenges using the `letsencryptlisten` flag.
There are a few `litd` flags that you need to set to make use of Let's Encrypt certificates. These can be provided on the command line or via the `lit.conf` file.
Flag | Required | Default Value | Description
---|---|---|---
`letsencrypt` | Yes | `false` | Use Let's Encrypt to create a TLS certificate for the UI instead of using `lnd`'s TLS certificate.
`letsencrypthost` | Yes | `""` | The host name to create a Let's Encrypt certificate for.
`letsencryptdir` | No | `{lit-dir}/letsencrypt` | The directory where the Let's Encrypt library will store its key and certificate.
`letsencryptlisten` | No | `:80` | The `IP:PORT` on which LiT will listen for Let's Encrypt challenges. Let's Encrypt will always try to contact on port 80. Often non-root processes are not allowed to bind to ports lower than 1024. This configuration option allows a different port to be used, but must be used in combination with port forwarding from port 80. This configuration can also be used to specify another IP address to listen on, for example an IPv6 address.
Examples:

Command line:

```
⛰ litd --letsencrypt --letsencrypthost=terminal.mydomain.com
```

Configuration file (`lit.conf`; keys are written without the leading `--`, as in the configuration example further below):

```
letsencrypt=true
letsencrypthost=terminal.mydomain.com
```
When using a Let's Encrypt certificate, you will need to provide the correct `--rpcserver` and `--tlscertpath` flags to the `lncli`, `loop` and `faraday` commands.
Let's go through an example for each of the command line tools and explain the reasons for the extra flags. The examples assume that LiT is started with the following configuration (only relevant parts shown here):

```
httpslisten=0.0.0.0:8443
letsencrypt=1
letsencrypthost=terminal.mydomain.com
lnd-mode=integrated
network=testnet
```
The `lncli` commands in the "integrated" mode are the same as if `lnd` was running standalone:

```
⛰ lncli --network=testnet getinfo
```
Since `loopd` also runs on the same gRPC server as `lnd`, we have to specify the Let's Encrypt host:port and TLS certificate. But `loopd` verifies its own macaroon, so we have to specify that one from the `.loop` directory.

```
⛰ loop \
    --rpcserver=terminal.mydomain.com:8443 \
    --tlscertpath=~/.lit/letsencrypt/terminal.mydomain.com \
    --macaroonpath=~/.loop/testnet/loop.macaroon \
    quote out 500000
```
You can easily create an alias for this by adding the following line to your `~/.bashrc` file:

```
alias lit-loop="loop --rpcserver=terminal.mydomain.com:8443 --tlscertpath=~/.lit/letsencrypt/terminal.mydomain.com --macaroonpath=~/.loop/testnet/loop.macaroon"
```
Since `poold` also runs on the same gRPC server as `lnd`, we have to specify the Let's Encrypt host:port and TLS certificate. But `poold` verifies its own macaroon, so we have to specify that one from the `.pool` directory.

```
⛰ pool \
    --rpcserver=terminal.mydomain.com:8443 \
    --tlscertpath=~/.lit/letsencrypt/terminal.mydomain.com \
    --macaroonpath=~/.pool/testnet/pool.macaroon \
    accounts list
```
You can easily create an alias for this by adding the following line to your `~/.bashrc` file (note that it must point at the `pool` macaroon, not the `loop` one):

```
alias lit-pool="pool --rpcserver=terminal.mydomain.com:8443 --tlscertpath=~/.lit/letsencrypt/terminal.mydomain.com --macaroonpath=~/.pool/testnet/pool.macaroon"
```
Faraday's command line tool follows the same pattern as `loop`. We also have to specify the Let's Encrypt host:port and TLS certificate but use `faraday`'s macaroon:

```
⛰ frcli \
    --rpcserver=terminal.mydomain.com:8443 \
    --tlscertpath=~/.lit/letsencrypt/terminal.mydomain.com \
    --macaroonpath=~/.faraday/testnet/faraday.macaroon \
    audit
```
You can easily create an alias for this by adding the following line to your `~/.bashrc` file:

```
alias lit-frcli="frcli --rpcserver=terminal.mydomain.com:8443 --tlscertpath=~/.lit/letsencrypt/terminal.mydomain.com --macaroonpath=~/.faraday/testnet/faraday.macaroon"
```
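As an added example (not part of the LiT docs or the project's code), the following Python helper parses a `lit.conf` fragment like the one above and derives the `--rpcserver`, `--tlscertpath` and `--macaroonpath` flags that `loop`, `pool` and `frcli` need, and also checks whether `letsencryptlisten` is set to a system port that would require `CAP_NET_BIND_SERVICE`. The sample config, the `~/.lit` default directory and the `mainnet` fallback when `network` is unset are assumptions.

```python
# Constructed sample of a lit.conf (go-flags INI style: key=value, ';' or '#'
# comments), mirroring the configuration shown in the text above.
SAMPLE_LIT_CONF = """\
; constructed example, not a real deployment
httpslisten=0.0.0.0:8443
letsencrypt=1
letsencrypthost=terminal.mydomain.com
lnd-mode=integrated
network=testnet
"""

# Daemon directory and macaroon file used by each CLI tool (from the examples above).
TOOL_MACAROONS = {
    "loop": ("loop", "loop.macaroon"),
    "pool": ("pool", "pool.macaroon"),
    "frcli": ("faraday", "faraday.macaroon"),
}

def parse_lit_conf(text):
    """Parse key=value lines, skipping blanks and comments; last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def is_enabled(value):
    return value.lower() in {"1", "true", "yes"}

def needs_bind_capability(listen):
    """True when the challenge listener (e.g. ':80', '[::]:8080') uses a port < 1024."""
    return int(listen.rsplit(":", 1)[-1]) < 1024

def cli_flags(conf, tool, lit_dir="~/.lit"):
    """Derive the flags loop/pool/frcli need when LiT serves a Let's Encrypt cert."""
    if not is_enabled(conf.get("letsencrypt", "false")):
        raise ValueError("letsencrypt is not enabled; use lnd's TLS certificate instead")
    host = conf.get("letsencrypthost", "")
    if not host:
        raise ValueError("letsencrypt requires letsencrypthost (the name on the cert)")
    port = conf.get("httpslisten", "0.0.0.0:8443").rsplit(":", 1)[-1]
    le_dir = conf.get("letsencryptdir", f"{lit_dir}/letsencrypt")  # table default
    daemon_dir, macaroon = TOOL_MACAROONS[tool]
    network = conf.get("network", "mainnet")  # assumption: mainnet when unset
    return [f"--rpcserver={host}:{port}",            # hostname must match the cert
            f"--tlscertpath={le_dir}/{host}",       # cert file is named after the host
            f"--macaroonpath=~/.{daemon_dir}/{network}/{macaroon}"]
```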