
Certificate error when running litd: "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority" #831


Status: Closed
asyscom opened this issue Aug 26, 2024 · 17 comments
Labels: bug (Something isn't working)

Comments

@asyscom

asyscom commented Aug 26, 2024

Background
Hello, when I run litd I get this error at login:
Error when creating LND Services client: error subscribing to lnd wallet state: lnd version incompatible, need at least v0.13.0-beta, got error on state subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
LND is not running. Please start lnd and try again.

Your environment
lit version 13.3
lnd version 18.2
Ubuntu 22.4
bitcoind version 27.1.0
In the journal I have this:
024-08-26 09:03:23.431 [DBG] GRPC: [core] Creating new client transport to "{Addr: "127.0.0.1:10009", ServerName: "127.0.0.1:10009", }": connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"

Of course, LND and Bitcoin are functioning correctly, and the TLS settings are correct because they are also used by other software like BOS.

asyscom added the bug (Something isn't working) label Aug 26, 2024
@ellemouton
Member

Hi @asyscom - could you maybe provide some more info like what your remote.lnd.tlscertpath is set to? If your LND tls cert is somewhere other than the default expected path or perhaps the default path has an older TLS cert then that would explain this.

TLDR: are you very sure that LiT is pointing at the correct, latest TLS cert path?

lightninglabs deleted a comment Aug 26, 2024
@asyscom
Author

asyscom commented Aug 26, 2024

> Hi @asyscom - could you maybe provide some more info like what your remote.lnd.tlscertpath is set to? If your LND tls cert is somewhere other than the default expected path or perhaps the default path has an older TLS cert then that would explain this.
>
> TLDR: are you very sure that LiT is pointing at the correct, latest TLS cert path?

Hello,
thanks for the reply.
This is the entry in lit.conf:

Remote lnd options

remote.lnd.rpcserver=127.0.0.1:10009
remote.lnd.macaroonpath=/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
remote.lnd.tlscertpath=/.lnd/tls.cert

This is the output of the command:
lit@xxxxx:~$ ls -la ~/.lnd/tls.cert
-rw-r--r-- 1 lnd lnd 769 Aug 23 13:22 /home/lit/.lnd/tls.cert

The path is correct and it can read the certs.

P.S.
Have you sent me an email with a link to download a file? It's very suspicious.


@ViktorTigerstrom
Contributor

ViktorTigerstrom commented Aug 26, 2024

Hi @asyscom!

> Have you sent me an email with a link to download a file? It's very suspicious.

First of all, we who work on lightning-terminal have NOT sent you this link. Do not download it!

Second of all, to try to resolve your issue:
Could you try deleting the tls.cert at the specified path, as well as the tls.cert that's located in your litd folder, and then restart both lnd + litd and see if that helps? The tls.cert files will be regenerated automatically by doing so.

@asyscom
Author

asyscom commented Aug 26, 2024

> Hi @asyscom!
>
> > Have you sent me an email with a link to download a file? It's very suspicious.
>
> First of all, we who work on lightning-terminal have NOT sent you an email, and have not sent you this link. Do not download it!
>
> Second of all, to try to resolve your issue: Could you try deleting the tls.cert at the specified path, as well as the tls.cert that's located in your litd folder, and then restart both lnd + litd and see if that helps? The tls.cert files will be regenerated automatically by doing so.

No luck, same error.
I've put all the error logs here, I hope it helps you:
https://privatebin.io/?2be7558e7b15baac#TZKToTwKiss2gBDAq2AejJMKw3v69WFgspxrumoFEmg

The TLS files are all new:

-rw-r--r-- 1 lit lit 843 Aug 26 10:11 tls.cert
-rw------- 1 lit lit 227 Aug 26 10:11 tls.key

-rw-r--r-- 1 lnd lnd 769 Aug 26 10:11 tls.cert
-rw------- 1 lnd lnd 267 Aug 26 10:11 tls.key

@asyscom
Author

asyscom commented Aug 26, 2024

Actually I'm using the latest experimental version, but the errors are the same as on 13.3.

@asyscom
Author

asyscom commented Aug 26, 2024

I have this configuration in nginx .conf, could it be a problem? They are self-signed.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
}

http {
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_session_cache shared:HTTP-TLS:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
include /etc/nginx/sites-enabled/*.conf;
}

stream {
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_session_cache shared:STREAM-TLS:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
include /etc/nginx/streams-enabled/*.conf;
}

@ViktorTigerstrom
Contributor

ViktorTigerstrom commented Aug 26, 2024

Thanks for the extra info and logs @asyscom!

I'd just like to sanity check a few more things:

  1. Do you happen to have multiple lnd instances running? That could cause issues like the one you're experiencing. If you do, ensure that only one lnd instance is running, and delete lnd's tls.cert, and restart the single lnd instance again to ensure that it's regenerated.

  2. Do you want to use the taproot-assets lightning functionality since you're running the latest experimental version of litd?
    If yes: that functionality is not compatible with lnd v0.18.2. You instead need to be running an lnd that's based on the lnd 0-19-staging branch (https://github.com/lightningnetwork/lnd/tree/0-19-staging). I highly recommend running litd in integrated mode instead though, if your goal is to use taproot-assets lightning functionality.
    If you do not want to use the taproot-assets lightning functionality, I recommend running litd v0.13.3-alpha instead.

  3. Is the lnd-mode="remote" config option also set in the config file?

  4. To ensure that there are no errors reading litd's config file which are causing the issue, let's try sending the flags directly to litd to see if that resolves the issue. Therefore restart litd with the following:
    litd --lnd-mode="remote" --remote.lnd.rpcserver="127.0.0.1:10009" --remote.lnd.macaroonpath="/.lnd/data/chain/bitcoin/mainnet/admin.macaroon" --remote.lnd.tlscertpath="/.lnd/tls.cert"
    Check that the paths in the above are correct, and also pass any extra flags to the command if that's what you're usually doing.

  5. Finally, if it's an option with your setup: have you attempted running litd in integrated mode (which then starts an lnd instance through litd), instead of running lnd separately? Do you have the same issue in integrated mode?

@asyscom
Author

asyscom commented Aug 26, 2024

3. lnd-mode="remote"

I've switched to 0.13.3-alpha, added lnd-mode="remote" in lit.conf and started, but same error.

Question:
In lit.conf, for the faraday authentication, is it possible to use .cookie instead of user and password? I'm on a VPS and I put my public IP, is it correct?

Tried from the command line also but same certificate error, this is the output.
P.S. I've removed lit.conf only for the test.

litd --lnd-mode="remote" --remote.lnd.rpcserver="127.0.0.1:10009" --remote.lnd.macaroonpath="/data/lnd/data/chain/bitcoin/mainnet/admin.macaroon" --remote.lnd.tlscertpath="/data/lnd/tls.cert" --uipassword=123456789
2024-08-26 11:39:48.021 [WRN] LITD: open /home/lit/.lit/lit.conf: no such file or directory
2024-08-26 11:39:48.022 [INF] LITD: LiT version: 0.13.3-alpha commit=v0.13.3-alpha
2024-08-26 11:39:48.023 [INF] LITD: Listening for http_tls on: 127.0.0.1:8443
2024-08-26 11:39:48.026 [INF] SESS: Checking for schema update: latest_version=2, db_version=2
2024-08-26 11:39:48.027 [INF] FWDB: Checking for schema update: latest_version=0, db_version=0
2024-08-26 11:39:48.027 [INF] LITD: Dialing lnd gRPC server at 127.0.0.1:10009
2024-08-26 11:39:48.029 [WRN] GRPC: [core] [Channel #4 SubChannel #5] grpc: addrConn.createTransport failed to connect to {Addr: "127.0.0.1:10009", ServerName: "127.0.0.1:10009", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
2024-08-26 11:39:48.029 [WRN] GRPC: [core] [Channel #2 SubChannel #3] grpc: addrConn.createTransport failed to connect to {Addr: "127.0.0.1:10009", ServerName: "127.0.0.1:10009", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"

Lightning Terminal (LiT) by Lightning Labs

LND Operating mode remote
LND Node status locked
LND Alias ???? (node is locked)
LND Version ???? (node is locked)
LiT Version 0.13.3-alpha commit=v0.13.3-alpha
Web interface 127.0.0.1:8443 (open https://127.0.0.1:8443 in your browser)

The lnd instance is single and it is not locked:

lnd 906628 1 12 10:11 ? 00:10:17 /usr/local/bin/lnd
postgres 917175 6098 1 11:31 ? 00:00:00 postgres: 14/main: admin lndb 127.0.0.1(40050) idle
postgres 917242 6098 0 11:32 ? 00:00:00 postgres: 14/main: admin lndb 127.0.0.1(52192) idle
admin 917312 894988 0 11:32 pts/2 00:00:00 grep --color=auto lnd

@asyscom
Author

asyscom commented Aug 26, 2024

LIT connects correctly to LND, but it doesn't like the certificates or the version. However, this is a false error because the version is 18.2

2024-08-26 11:58:50.417 [INF] LITD: Retrying to create LND Services client
2024-08-26 11:58:50.417 [INF] LNDC: Creating lnd connection to 127.0.0.1:10009
2024-08-26 11:58:50.418 [INF] LNDC: Connected to lnd
2024-08-26 11:58:50.419 [WRN] GRPC: [core] [Channel #464 SubChannel #465] grpc: addrConn.createTransport failed to connect to {Addr: "127.0.0.1:10009", ServerName: "127.0.0.1:10009", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
2024-08-26 11:58:50.419 [ERR] STAT: could not start the lit sub-server: Error when creating LND Services client: error subscribing to lnd wallet state: lnd version incompatible, need at least v0.13.0-beta, got error on state subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
2024-08-26 11:58:55.424 [INF] LITD: Retrying to create LND Services client

@ViktorTigerstrom
Contributor

> I've switched to 0.13.3-alpha

Great, thanks!

I'm not really able to recreate your issue, so just wanted to check if you could please share your lnd + lit config with us (and censor out anything sensitive of course) so that I can check if there's anything strange in the configs?

From the logs you've just shared:
> 2024-08-26 11:39:48.021 [WRN] LITD: open /home/lit/.lit/lit.conf: no such file or directory

It seems like you're having issues loading a config from that path just FYI.

You've also specified that the lnd datadir should be /data/lnd/ in the startup command of litd.

Could you please double check that all of these paths are correct?

> Question:
> In lit.conf, for the faraday authentication, is it possible to use .cookie instead of user and password? I'm on a VPS and I put my public IP, is it correct?

Are you referring to the config options for bitcoin in Faraday? If so, these are the config options that exist:
https://github.com/lightninglabs/faraday/blob/f7ba1fea38fdead61b8c22d57775ec076579b40f/chain/client.go#L22-L29

> LIT connects correctly to LND, but it doesn't like the certificates or the version. However, this is a false error because the version is 18.2

If you're referring to the line "need at least v0.13.0-beta" in the log you've included, that version in the error message is to be expected.

@asyscom
Author

asyscom commented Aug 26, 2024

> > I've switched to 0.13.3-alpha
>
> Great, thanks!
>
> I'm not really able to recreate your issue, so just wanted to check if you could please share your lnd + lit config with us (and censor out anything sensitive of course) so that I can check if there's anything strange in the configs?
>
> From the logs you've just shared: 2024-08-26 11:39:48.021 [WRN] LITD: open /home/lit/.lit/lit.conf: no such file or directory
>
> It seems like you're having issues loading a config from that path just FYI.
>
> You've also specified that the lnd datadir should be /data/lnd/ in the startup command of litd.
>
> Could you please double check that all of these paths are correct?
>
> > Question:
> > In lit.conf, for the faraday authentication, is it possible to use .cookie instead of user and password? I'm on a VPS and I put my public IP, is it correct?
>
> Are you referring to the config options for bitcoin in Faraday? If so, these are the config options that exist: https://github.com/lightninglabs/faraday/blob/f7ba1fea38fdead61b8c22d57775ec076579b40f/chain/client.go#L22-L29
>
> > LIT connects correctly to LND, but it doesn't like the certificates or the version. However, this is a false error because the version is 18.2
>
> If you're referring to the line "need at least v0.13.0-beta" in the log you've included, that version in the error message is to be expected.

Hello,
the error about lit.conf is ok, I had temporarily removed it to run litd manually with options; now I've put it back in the right folder.
Here are the links to my lnd and lit config via privatebin:

lnd.conf
https://privatebin.io/?5c8fc77001b0eb84#57UT27niEvHXG41njLB8eLXpXuiR8wpK1DVDeB3e2kjD

lit.conf
https://privatebin.io/?97be351c9e0127d0#43yzcHKBZEJQD9i9kXYVBqFYeWdvrp2FxohSvM5eWTgj

The paths to the macaroon and tls are links, but readable without problems from user lit.

The macaroons of faraday and loop do not exist in the path specified in lit.conf, is that correct?

@ViktorTigerstrom
Contributor

ViktorTigerstrom commented Aug 26, 2024

Oh, I see you've enabled tlsencryptkey=true in lnd. I think this is likely what's causing the issues. I need to check if this is compatible while lnd is in remote mode.

Normally in litd, there are also options to enable it for lit through the lit.conf when lnd is in integrated mode.

LetsEncrypt bool `long:"letsencrypt" description:"Use Let's Encrypt to create a TLS certificate for the UI instead of using lnd's TLS certificate. Port 80 must be free to listen on and must be reachable from the internet for this to work."`
LetsEncryptHost string `long:"letsencrypthost" description:"The host name to create a Let's Encrypt certificate for."`
LetsEncryptDir string `long:"letsencryptdir" description:"The directory where the Let's Encrypt library will store its key and certificate."`
LetsEncryptListen string `long:"letsencryptlisten" description:"The IP:port on which LiT will listen for Let's Encrypt challenges. Let's Encrypt will always try to contact on port 80. Often non-root processes are not allowed to bind to ports lower than 1024. This configuration option allows a different port to be used, but must be used in combination with port forwarding from port 80. This configuration can also be used to specify another IP address to listen on, for example an IPv6 address."`
TLSCertPath string `long:"tlscertpath" description:"Path to write the self signed TLS certificate for LiT's RPC and REST proxy service (if Let's Encrypt is not used). This only applies to the HTTPSListen port."`
TLSKeyPath string `long:"tlskeypath" description:"Path to write the self signed TLS private key for LiT's RPC and REST proxy service (if Let's Encrypt is not used). This only applies to the HTTPSListen port."`

I'm assuming you intentionally want to use tlsencryptkey=true? If yes, I'll have to look into this and see if I can make that work locally while lnd is in remote mode.

@asyscom
Author

asyscom commented Aug 26, 2024

Thanks!
Well... I've followed the standard procedure to install lnd using the MiniBolt guide, and it says to set it.
What do you mean with remote? lnd, btc and lit are on the same machine.

@asyscom
Author

asyscom commented Aug 26, 2024

> Oh, I see you've enabled tlsencryptkey=true in lnd. I think this is likely what's causing the issues. I need to check if this is compatible while lnd is in remote mode.
>
> Normally in litd, there are also options to enable it for lit through the lit.conf when lnd is in integrated mode.
>
> LetsEncrypt bool `long:"letsencrypt" description:"Use Let's Encrypt to create a TLS certificate for the UI instead of using lnd's TLS certificate. Port 80 must be free to listen on and must be reachable from the internet for this to work."`
> LetsEncryptHost string `long:"letsencrypthost" description:"The host name to create a Let's Encrypt certificate for."`
> LetsEncryptDir string `long:"letsencryptdir" description:"The directory where the Let's Encrypt library will store its key and certificate."`
> LetsEncryptListen string `long:"letsencryptlisten" description:"The IP:port on which LiT will listen for Let's Encrypt challenges. Let's Encrypt will always try to contact on port 80. Often non-root processes are not allowed to bind to ports lower than 1024. This configuration option allows a different port to be used, but must be used in combination with port forwarding from port 80. This configuration can also be used to specify another IP address to listen on, for example an IPv6 address."`
> TLSCertPath string `long:"tlscertpath" description:"Path to write the self signed TLS certificate for LiT's RPC and REST proxy service (if Let's Encrypt is not used). This only applies to the HTTPSListen port."`
> TLSKeyPath string `long:"tlskeypath" description:"Path to write the self signed TLS private key for LiT's RPC and REST proxy service (if Let's Encrypt is not used). This only applies to the HTTPSListen port."`
>
> I'm assuming you intentionally want to use tlsencryptkey=true? If yes, I'll have to look into this and see if I can make that work locally while lnd is in remote mode.

Disabling tlsencryptkey=true, all works fine.

@ViktorTigerstrom
Contributor

ViktorTigerstrom commented Aug 26, 2024

> Disabling tlsencryptkey=true, all works fine.

Great! If you do not explicitly want to run lnd with tlsencryptkey=true set, I recommend turning it off.

I've now checked locally, and managed to reproduce your error when tlsencryptkey=true is set and lnd-mode=remote is set. Like I previously suspected, we currently don't support tlsencryptkey=true in Lightning Terminal when lnd is running remotely.

If you want to explicitly run lnd with letsencrypt, we do support it when lnd is running in integrated mode in Lightning Terminal (lnd-mode=integrated)!

> What do you mean with remote?

In lightning Terminal (litd), there are two modes of operation, integrated or remote. If you run in integrated mode, litd will launch lnd (and all other sub-servers like loop, pool etc) as a single executable daemon, meaning you won't need to run an lnd instance separately. If you run it in remote mode, you need to run lnd separately and connect litd to that instance. This is why you need to specify the information required to connect to the remote instance when starting litd --remote.lnd.rpcserver="127.0.0.1:10009" --remote.lnd.macaroonpath="/data/lnd/data/chain/bitcoin/mainnet/admin.macaroon" --remote.lnd.tlscertpath="/data/lnd/tls.cert". If you run in integrated mode, that won't be required as litd will launch the lnd instance! You can read more about integrated mode here:
https://docs.lightning.engineering/lightning-network-tools/lightning-terminal/integrating-litd

When running lnd in integrated mode, you will specify its configuration in the lit.conf file instead, by moving the config options you've specified in your lnd.conf file to the lit.conf file and prefixing them lnd.OPTION, i.e. the options you've specified here: https://privatebin.io/?5c8fc77001b0eb84#57UT27niEvHXG41njLB8eLXpXuiR8wpK1DVDeB3e2kjD

So if you want to run litd in integrated mode with tlsencryptkey=true, you'd first need to specify lnd-mode=integrated in your lit.conf file, and then also add lnd.tlsencryptkey=true.

Like I said though, if you don't want to explicitly run with letsencrypt, feel free to keep the setup you have which is working!

Finally:
Note that there's been new spam messages from bots above, which I've now removed. Therefore do not download the files from the link(s) that you'll see in your Github notification email!
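
The two checks in this thread (ellemouton's "are you very sure that LiT is pointing at the correct, latest TLS cert path?" and ViktorTigerstrom's reproduction with tlsencryptkey=true in remote mode) come down to one property of how litd trusts lnd. litd loads the file at remote.lnd.tlscertpath and uses it as its only trust root for the gRPC handshake. lnd's tls.cert is self-signed, so the only server certificate that can chain to that root is that exact certificate; any other certificate, including a perfectly valid self-signed one for the same 127.0.0.1, is rejected by Go's x509 verifier with UnknownAuthorityError, which is the "x509: certificate signed by unknown authority" string in the logs above. The program below is an added example written for this page, not litd's or lnd's code: it generates two throwaway self-signed certificates in memory (constructed for the example, no real key material) and runs the same pinned verification a Go gRPC client performs, so the success and failure cases can be seen side by side. Assumed: Go standard library only, certificates for the IP 127.0.0.1, the cert on disk modelled by onDisk and the cert the server actually presents by served.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed certificate for 127.0.0.1,
// the same shape as the tls.cert lnd writes on startup. Constructed for this
// example only; no real lnd key material is involved.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"example"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fingerprint returns the hex SHA-256 fingerprint of the DER certificate,
// the value `openssl x509 -fingerprint -sha256` prints (without colons).
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyPinned models what a Go gRPC client does when it is handed lnd's
// tls.cert as its only trust root (remote.lnd.tlscertpath): the certificate
// the server presents must chain to that root. A self-signed certificate can
// only chain to itself, so anything else fails with UnknownAuthorityError.
func verifyPinned(trusted, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   "127.0.0.1", // Go checks the IP SANs when the name is an IP literal
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the x509 error that surfaces in
// the litd log as "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	onDisk, err := newSelfSignedCert("cert litd loaded from tls.cert")
	if err != nil {
		panic(err)
	}
	served, err := newSelfSignedCert("cert lnd is actually presenting")
	if err != nil {
		panic(err)
	}
	fmt.Println("file fingerprint:  ", fingerprint(onDisk))
	fmt.Println("served fingerprint:", fingerprint(served))

	// Same certificate on both sides: the handshake verifies (nil error).
	fmt.Println("same cert:     ", verifyPinned(onDisk, onDisk))

	// Any other certificate, even a valid self-signed one for the same
	// address, reproduces the error from this issue.
	err = verifyPinned(onDisk, served)
	fmt.Println("different cert:", err)
	fmt.Println("unknown authority:", isUnknownAuthority(err))
}
```

The practical check that follows from this, before deleting certificates or changing modes, is to compare fingerprints: `openssl x509 -in ~/.lnd/tls.cert -noout -fingerprint -sha256` against `openssl s_client -connect 127.0.0.1:10009 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`. If the two differ, litd is pinning a certificate that the lnd on port 10009 is not serving, whatever the cause (a stale or symlinked file, a second lnd instance, or, as here, tlsencryptkey=true with lnd-mode=remote), and no amount of regenerating the file on litd's side will help until they match.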

@ViktorTigerstrom
Contributor

Let me know if you're satisfied with the above! If so, I'll go ahead and close the issue.

@asyscom
Author

asyscom commented Aug 26, 2024

> Let me know if you're satisfied with the above! If so, I'll go ahead and close the issue.

Yes, absolutely yes! Close the issue.
Thank you very much.


4 participants