btcd
Documentation doesn't mention how to set a CA file so self-signed certs work
I personally find all this SSL/TLS stuff a bit bamboozling, and I know in theory it's just elliptic curve/Diffie-Hellman key exchange and AES encryption of some kind, but the special jargon makes it seem like it is something somehow more.
Anyway, I got tired of working without the websockets and I learned that the RPC certificates created automatically have the IsCA flag on by default, and that a certificate authority contains exactly a self-signed certificate, so you can literally just copy rpc.cert to the cafile location and voila (why does it not do this by default, especially in testnet?).
The RPC is somewhat hobbled without websockets available, and for development/testing work it's necessary to be able to do this. Specifically relating to linking btcd to btcwallet, scans and syncing are all synchronous, and though I haven't fiddled that much with it yet, basically the wallet connection to the chain RPC without websockets is a joke, unless you are using btcctl anyway and are not automatically querying it. Honestly, it's not that simple to understand how to trigger a wallet rescan either.
I think this should be at least briefly mentioned in the introductory documentation; I went a year unaware that I could so easily get the websockets validating. I'm not gonna disagree with the decision to isolate the wallet server from the chain server, but it's a big obstacle to usability not having websockets working, and I will disagree with the implementation because it is basically useless without TLS enabled, but an SSL newbie like me is scratching their head wondering how the hell to use it.
LetsEncrypt does not support signing certs for IP addresses, and it's unreasonable to expect people to pay the silly fees for a signed certificate for private use, when your own CA totally makes sense anyway, and given there is no other way to do it!
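An added example (not btcd's code, and not from this issue) showing the point above with Go's standard library: a self-signed certificate with IsCA set can be loaded as the trust root that verifies itself, which is exactly what copying rpc.cert to the cafile location does, and the same check fails with an unknown-authority error when the pool is empty. It generates a throwaway certificate in memory instead of reading rpc.cert, and "localhost" is an assumed host name.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeSelfSignedCert builds a self-signed, IsCA certificate for host, the shape
// described in the issue. Constructed for this example; not btcd's generator.
func makeSelfSignedCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust root
		DNSNames:              []string{host},
	}
	// Issuer and subject are the same template: the cert signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyWithCAFile does what an RPC client does with its cafile: the server's
// cert must chain to a root in caPEM and must name the host being dialled.
func verifyWithCAFile(serverPEM, caPEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("no PEM data in server certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // empty or nil caPEM leaves the pool empty
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err // x509.UnknownAuthorityError when the cert is not in the pool
}
```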
So what's your suggestion here, to explain in the docs that btcd uses self-signed certs by default? It isn't a requirement; you can substitute your own cert (same format) and things will work properly.
I couldn't get btcwallet going for some reason, but eventually ran into btcdwebsockets in btcd/rpcclient - I ran that and received "~/Library/Application Support/Btcd/rpc.cert: no such file or directory"
So, relating to the above, why does btcd need this rpc.cert, whereas bitcoind apparently does not require use of a certificate (it creates rpcuser and password by default, and then RPC is ready to go if I am not mistaken)?
I have used self-signed certs a little before, so this is what I would try next as the OP says, but I guess the average person might be a bit confused what rpc.cert is referring to.
Is it possible to override this behaviour so btcd acts like bitcoind, or creates the .cert automatically in ~/Library/Application Support/Btcd/? I think this might be the source of the confusion.
Edit: I created a .cer file in Keychain Access and moved that to ~/Library/Application Support/Btcd/rpc.cert. Now I receive "2020/03/12 21:40:42 x509: certificate signed by unknown authority".
Is there an example .cert file to make sure I have the right format? I restarted the server but get either "tls: private key type does not match public key type" or "tls: failed to find any PEM data in certificate input". I'm pretty confused.
OK, I finally understand what's going on now. I keep receiving the "Unable to start server on... Expected first entry in block index to be genesis block, found e524c45229b00e359ef8c670a63907e8a835595ef68de8178e089e0ed23cd5c3" error, so I kept deleting ~/Library/Application Support/Btcd/data while I was testing. When restarting the server without deleting the whole ~/Library/Application Support/Btcd/ directory, the rpc.cert and rpc.key files are not recreated, so I was under the impression that they were not created automatically, which they are!
In summary:
- Is there a way to disable the TLS requirement and have btcd act like bitcoind, without needing cert files?
- Perhaps an edit can be made so that rpc.cert and rpc.key are created automatically if not present? When using bitcoind, if syncing goes wrong the block database etc. is often deleted, so I think deleting data is something that might feasibly occur here, therefore causing this error.
I'll take a stab at this