feat(config): load LND TLS cert from file with env fallback #200
Danswar wants to merge 1 commit into
Add support for an optional LIGHTNING_API_CERTIFICATE_PATH env var. When set and readable, the LND TLS certificate is read from that file on disk (the live cert), avoiding the recurring 'self-signed certificate' errors that occur when the hand-copied LIGHTNING_API_CERTIFICATE env var drifts after LND regenerates its cert. Fully backward compatible: if the path is unset or unreadable, falls back to the existing LIGHTNING_API_CERTIFICATE env-var behavior unchanged.
Problem
On dfxdev we keep hitting recurring `Failed to fetch Lightning balance: self-signed certificate` errors. The root cause is that the LND TLS certificate is supplied to the app only through the `LIGHTNING_API_CERTIFICATE` env var, which is a hand-copied snapshot of the cert. Whenever LND regenerates its certificate, that env-var copy goes stale and no longer matches the live cert, so the HTTPS connection to LND fails.
Change
This adds support for a new optional env var `LIGHTNING_API_CERTIFICATE_PATH`:
- When `LIGHTNING_API_CERTIFICATE_PATH` is set and the file is readable, the app reads the certificate straight from that file on disk (`fs.readFileSync`). Pointing this at the live LND cert means it can never drift again.
- Otherwise, it falls back to the existing `LIGHTNING_API_CERTIFICATE` env-var behavior, completely unchanged.
The certificate is read in `src/config/config.ts` (the `blockchain.lightning.certificate` field) via a small `readCert()` helper. The lightning client TLS logic that consumes this cert is untouched.
Backward compatibility
Fully backward compatible. With no new env var set, behavior is identical to before. Nothing is removed.
Deploy order
Safe to ship code first: with `LIGHTNING_API_CERTIFICATE_PATH` unset there is zero behavior change. The matching infra change (mounting the live LND cert file into the container and setting the new env var) is a separate PR in the server/infra repo, which can land afterward to actually switch dfxdev over to the file.
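An added example, not the PR's or the project's own code, of a `readCert()` helper with the precedence the description gives: the live cert file wins when the path is set and readable, otherwise the inline `LIGHTNING_API_CERTIFICATE` value is used unchanged. It goes beyond the PR by rejecting a file that carries no PEM certificate markers and by computing a SHA-256 fingerprint worth logging at startup so a stale copy is visible; `CertEnv`, `looksLikePemCert`, `pemFingerprint`, `demo` and the placeholder PEM are assumptions constructed for this example.

```typescript
import * as crypto from "crypto";
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Hypothetical env shape: only the two variables the PR describes matter here.
export type CertEnv = Record<string, string | undefined>;
export interface LoadedCert { cert?: string; source: "file" | "env" | "none"; }

// Minimal sanity check: a PEM certificate must carry both markers.
export function looksLikePemCert(pem: string): boolean {
  return /-----BEGIN CERTIFICATE-----[\s\S]+-----END CERTIFICATE-----/.test(pem);
}

// SHA-256 over the DER bytes, colon-separated like `openssl x509 -fingerprint`.
// Logging this for the loaded cert makes a regenerated or stale cert visible.
export function pemFingerprint(pem: string): string {
  const b64 = pem.replace(/-----[A-Z ]+-----/g, "").replace(/\s+/g, "");
  const hex = crypto.createHash("sha256").update(Buffer.from(b64, "base64")).digest("hex");
  return hex.match(/.{2}/g)!.join(":").toUpperCase();
}

// Prefer the live cert file; fall back to the inline env var when the path is
// unset, unreadable, or does not contain a PEM certificate.
export function readCert(env: CertEnv = process.env): LoadedCert {
  const certPath = env.LIGHTNING_API_CERTIFICATE_PATH;
  if (certPath) {
    try {
      const pem = fs.readFileSync(certPath, "utf8");
      if (looksLikePemCert(pem)) return { cert: pem, source: "file" };
    } catch {
      // Unreadable path (missing mount, permissions): keep the old behaviour.
    }
  }
  const inline = env.LIGHTNING_API_CERTIFICATE;
  return inline ? { cert: inline, source: "env" } : { source: "none" };
}

// Constructed placeholder PEM (not a real LND certificate) for the demo below.
export const SAMPLE_PEM =
  "-----BEGIN CERTIFICATE-----\nTUlJQ29uc3RydWN0ZWRQbGFjZWhvbGRlcg==\n-----END CERTIFICATE-----\n";

// Demo: a readable file beats the env var; an unreadable path falls back to it.
export function demo(): [LoadedCert, LoadedCert] {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lnd-cert-"));
  const live = path.join(dir, "tls.cert");
  fs.writeFileSync(live, SAMPLE_PEM);
  const fromFile = readCert({ LIGHTNING_API_CERTIFICATE_PATH: live, LIGHTNING_API_CERTIFICATE: "stale" });
  const fallback = readCert({ LIGHTNING_API_CERTIFICATE_PATH: path.join(dir, "missing"), LIGHTNING_API_CERTIFICATE: "stale" });
  return [fromFile, fallback];
}
```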