joule-extension
Add how-to for `lnd` self-signed TLS certificate management
By default, Chromium Browser / Google Chrome won't recognize the self-signed TLS certificate prepared by lnd. This will prevent Joule from successfully connecting to lnd.
Chrome can be made to accept the self-signed cert by following these steps:
- navigate to https://localhost:8080/v1/getinfo
- click on the lock next to the URL and view the certificate
- navigate to the certificate viewer's "details" tab and export the cert to a file
- navigate to edit > preferences > manage certificates > authorities > import
- check all of the boxes and import the cert
Now Chrome should accept the cert and Joule should be able to connect to lnd!
Ah, this is very unfortunate. I had my node serving remotely through nginx when testing, and didn't consider that the raw node has a self-signed certificate.
Another quick workaround is to navigate to that URL, and manually bypass the error and accept the self-signed cert. Either way, this should be a part of the initial setup, and will be better served by having a full page for it ala #20.
I think this should be reopened. AFAICT, not encouraging users to register LND's self-signed cert with Joule opens remote nodes up to MITM attacks. If Joule can't do a registration with the browser automatically (I'd be surprised if extensions were allowed to do this), we should probably direct the user towards browser-specific instructions for registering a custom certificate authority manually.
Edit: happy to submit a PR for this if you agree.
Google actually did make an API for this, but it's Chrome OS only: https://developer.chrome.com/extensions/certificateProvider
I definitely agree that having the user properly add the certificate would be ideal. I think providing instructions can be a little daunting, because the method of adding a certificate is different for every operating system and browser combination.
It would be most ideal for lnd to do one of the following:
- offer an HTTP REST API and let's just forget trying to encrypt traffic on localhost / have people use a webserver to do HTTPS instead of baking it into lnd
- add the self-signed cert to your trusted certificates during node startup (Not entirely sure how this is done, or if it's supported in Go)
- Provide an easy way for users to get a cert signed by a trusted CA (e.g. Let's Encrypt)
But that's not likely to happen in the mean time. I'll try to get some more robust documentation up on lightningjoule.com that I can link to from the extension on how to do this for each operating system.
I'm also beginning to come to terms with the possibility that Joule may require a native application to really work well. It would certainly clear up a whole lot of issues, this included. This is tracked in #106.
I could not make Joule work with my RaspiBlitz for a long time, but the instructions from @brandoncurtis solved it. It is a bit different on Chrome now. I am thinking of making a tutorial for this. Could it be useful, @wbobeirne?
made a version to connect to a RaspiBlitz: https://github.com/openoms/bitcoin-tutorials/blob/master/JouleToRaspiBlitz.md
I'll also add how to import & trust the self-signed LND certificate on macOS:
- navigate to https://localhost:8080/v1/getinfo
- click on the lock next to the URL and view the certificate
- drag the certificate icon to a finder window to export the cert to a file
- launch keychain access app and click "+" to import certificate
- select the exported cert file to import it.
- double-click the imported certificate, click trust and choose "Always trust" when using this certificate.
I hope it helps.
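The Chrome steps at the top of the thread, the macOS Keychain steps above, and the MITM concern raised in between all hinge on one check that the click-through instructions skip: before trusting whatever certificate the browser is shown at `https://localhost:8080`, compare it against the `tls.cert` that lnd itself wrote, so you never pin an interceptor's certificate. The script below is an added example, not code from Joule or lnd. It assumes lnd's REST port on `localhost:8080` (override with `LND_REST`) and a copy of the node's `tls.cert` at `~/.lnd/tls.cert` (override with `LND_TLS_CERT`; for a remote node such as a RaspiBlitz, `scp` the file from the node first). The import step uses `certutil` from `libnss3-tools` for Chrome/Chromium on Linux (the `~/.pki/nssdb` store that the "Authorities > import" tab writes to) and `security add-trusted-cert` for the login keychain on macOS.

```shell
#!/bin/sh
# Added example (not part of the Joule project): verify lnd's self-signed
# TLS certificate against the node's own tls.cert before trusting it in the browser.
set -eu

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the certificate a TLS endpoint actually presents and save it as PEM.
# This is the same certificate the browser shows behind the lock icon.
fetch_served_cert() {
  host_port=$1
  out=$2
  openssl s_client -connect "$host_port" -servername "${host_port%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Succeed only if two PEM files contain the same certificate.
certs_match() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Import a verified certificate as a trusted authority for the current user.
# lnd's tls.cert is self-signed, so it is imported as its own issuer (the
# same thing the Chrome "Authorities" tab or Keychain "Always Trust" does).
trust_cert() {
  cert=$1
  case "$(uname -s)" in
    Darwin)
      security add-trusted-cert -r trustRoot -p ssl \
        -k "$HOME/Library/Keychains/login.keychain-db" "$cert" ;;
    Linux)
      # Chrome/Chromium on Linux read the NSS database in ~/.pki/nssdb;
      # certutil comes from libnss3-tools. "C,," = trusted CA for TLS.
      certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "lnd self-signed" -i "$cert" ;;
    *)
      echo "unsupported OS: $(uname -s)" >&2
      return 1 ;;
  esac
}

# Assumed defaults; both can be overridden from the environment.
LND_TLS_CERT=${LND_TLS_CERT:-$HOME/.lnd/tls.cert}
LND_REST=${LND_REST:-localhost:8080}

# Full procedure: fetch what the endpoint serves, refuse to trust it unless it
# is byte-for-byte the node's own certificate, then import it.
verify_and_trust() {
  served=$(mktemp)
  fetch_served_cert "$LND_REST" "$served"
  if certs_match "$served" "$LND_TLS_CERT"; then
    echo "served cert matches $LND_TLS_CERT ($(cert_fingerprint "$served"))"
    trust_cert "$LND_TLS_CERT"
  else
    echo "MISMATCH: $LND_REST presented a certificate that is not $LND_TLS_CERT" >&2
    echo "  served: $(cert_fingerprint "$served")" >&2
    echo "  local:  $(cert_fingerprint "$LND_TLS_CERT")" >&2
    rm -f "$served"
    return 1
  fi
  rm -f "$served"
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--trust" ]; then
  verify_and_trust
fi
```

Run it as `sh trust-lnd-cert.sh --trust` after lnd is up; on a mismatch it prints both fingerprints and imports nothing. If lnd regenerates `tls.cert` (it does so when the old one expires), the imported copy becomes stale and the script must be re-run, which the fingerprint comparison also makes visible.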