PR feedback

lightningnetwork · Nov 30, 2020 · e2bf1a3 · e2bf1a3
1 parent 7e72bb1
commit e2bf1a3
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 12 deletions.
diff --git a/config.go b/config.go
@@ -108,6 +108,15 @@ const (
 	defaultDiskBackoff  = time.Minute
 	defaultDiskAttempts = 0
 
+	// Set defaults for a health check which ensures that the TLS certificate
+	// is not expired. Although this check is off by default (not all setups
+	// require it), we still set the other default values so that the health
+	// check can be easily enabled with sane defaults.
+	defaultTLSInterval = time.Second * 30
+	defaultTLSTimeout  = time.Second * 5
+	defaultTLSBackoff  = time.Minute
+	defaultTLSAttempts = 0
+
 	// defaultRemoteMaxHtlcs specifies the default limit for maximum
 	// concurrent HTLCs the remote party may add to commitment transactions.
 	// This value can be overridden with --default-remote-max-htlcs.
@@ -457,6 +466,12 @@ func DefaultConfig() Config {
 					Backoff:  defaultDiskBackoff,
 				},
 			},
+			TLSCheck: &lncfg.CheckConfig{
+				Interval: defaultTLSInterval,
+				Timeout:  defaultTLSTimeout,
+				Attempts: defaultTLSAttempts,
+				Backoff:  defaultTLSBackoff,
+			},
 		},
 		MaxOutgoingCltvExpiry:   htlcswitch.DefaultMaxOutgoingCltvExpiry,
 		MaxChannelFeeAllocation: htlcswitch.DefaultMaxLinkFeeAllocation,

diff --git a/lncfg/healthcheck.go b/lncfg/healthcheck.go
@@ -40,6 +40,10 @@ func (h *HealthCheckConfig) Validate() error {
 		return err
 	}
 
+	if err := h.TLSCheck.validate("tls"); err != nil {
+		return err
+	}
+
 	if h.DiskCheck.RequiredRemaining < 0 ||
 		h.DiskCheck.RequiredRemaining >= 1 {
 

diff --git a/sample-lnd.conf b/sample-lnd.conf
@@ -860,7 +860,7 @@ litecoin.node=ltcd
 
 ; The amount of time we should wait between certificate expiration health checks.
 ; This value must be >= 1m.
-; healthcheck.tls.interval=6h
+; healthcheck.tls.interval=30s
 
 [signrpc]
 

diff --git a/server.go b/server.go
@@ -1335,19 +1335,14 @@ func newServer(cfg *Config, listenAddrs []net.Addr,
 			if err != nil {
 				return err
 			}
-			outdated, err := cert.IsOutdated(
-				parsedCert, cfg.TLSExtraIPs,
-				cfg.TLSExtraDomains, cfg.TLSDisableAutofill,
-			)
-			if err != nil {
-				return err
+			// If the current time is passed the certificate's
+			// expiry time, then it is considered expired
+			if time.Now().After(parsedCert.NotAfter) {
+				return fmt.Errorf("TLS certificate is expired")
 			}
-			// if the certificate is not outdated, no error needs to
+			// If the certificate is not outdated, no error needs to
 			// be returned
-			if !outdated {
-				return nil
-			}
-			return fmt.Errorf("certificate outdated")
+			return nil
 		},
 		cfg.HealthChecks.TLSCheck.Interval,
 		cfg.HealthChecks.TLSCheck.Timeout,