-
Notifications
You must be signed in to change notification settings - Fork 907
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to generate gRPC certificates for hosts that are not localhost? #5227
Comments
@cdecker , do you know where I could find some documentation on how to do this? |
That is very strange, ingress.local sounds a lot like it's going through some kind of service mesh or load balancer. Sadly I don't have much experience running cln-grpc on kubernetes, so I'm not sure how we could debug this issue. Maybe Fwiw cln-grpc doesn't really use real hostnames when the cert is autogenerated. |
I am trying to connect through a Load Balancer / Ingress controller
and I'm getting (slightly different than last time):
Curiously, |
That is indeed much more reasonable, since as you noted It also seems like the change in configuration is now using SNI to pass through the encrypted stream instead of acting as a cleartext proxy (which'd open its own TLS connection to the plugin, thus presenting its own cert to the client, and potentially failing due to the domain name verification anyway). So this makes a lot of sense, and I wasn't aware the nginx ingress even allowed this HTTPS level proxying, I thought it'd mostly do TCP proxying which'd be transparent. I like your idea of adding
I personally prefer the first, as it is less likely to accidentally overwrite a manually created certificate with one that may not have all the bells and whistles attached (extra domains, key parameters, etc), while the other two are a bit more self-contained. The fact that we don't generate certificates if they are already present allows you already to generate one using |
Do you think that the first one make the overriding certificate a manual process? I think that the second point has a lot of good reason to have implemented in. BTW, also the last one sounds good if the certificate generate with the same domain is always equal. |
Yes, you'd delete the certs and then restart the node (no worries the plugin caches the certs on load, so you can just delete them while it's running).
I don't like this one too much since it'd prevent operators from using custom certificates that are maintained externally. Think adding swapping out the CA to be a real TLD, or configuring the TLS parameters such as hashing algos and encryption schemes, or any other of the thousands of openssl options that we definitely don't want to shoehorn into the |
Ah right, so now the option sounds less good |
First option sounds good to me. BTW, got it to work with |
I just ran unto this issue when I've tried to connect to my cln node via GRPC the first time. I'd second the idea to align with LND and allow to set (at least one) tlsextraip and/or tlsextradomain via config (file or CLI). In combination with only (re-)generating the certificates if they are missing that should cover most cases. (When I first encountered the same issue with LND a while ago I didn't understand why they didn't simply include the hosts private network IP per default but that might go to far and would only cover very simple cases, mostly with home-grade setups with only one IP etc). |
Issue and Steps to Reproduce
I'm running CLN on a Kubernetes cluster, with host
cln1.regtest.getalby.com
and other internal hostnames. I have the certificates but when I try to connect to the host I get the following error:certificate is valid for ingress.local, not cln1.regtest.getalby.com
.The text was updated successfully, but these errors were encountered: