
certificate error when connecting electrum

Open JessieRaspi opened this issue 2 years ago • 6 comments

Since this week, my Electrum can't connect to Raspiblitz any more. I updated the minimal installation to 1.10.0 with a fresh install, but that didn't help. (Previously I had version 1.10.0 rc2, which worked smoothly until this week.) I work with the Electrum desktop app on Windows 10.

In the Electrum log I found that the certificate of the local host has expired on the 22nd of September:

```
INFO | network | connecting to 192.168.178.234:50002:s as new interface
20230929T181015.142126Z | INFO | interface.[192.168.178.234:50002] | certificate has expired: Certificate (localhost) has expired (at 2023-09-22 07:47:17 UTC).
20230929T181015.156174Z | INFO | interface.[192.168.178.234:50002] | succeeded in getting cert
20230929T181015.165157Z | WARNING | interface.[192.168.178.234:50002] | Cannot connect to main server due to SSL error (maybe cert changed compared to "C:\Users\xxxxxx\AppData\Roaming\Electrum\certs\192.168.178.234"). Exc: ConnectError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)'))
20230929T181015.166156Z | INFO | network | couldn't launch iface 192.168.178.234:50002:s -- CancelledError()
```

How and where can I change the certificate?

Just tried to connect Trezor Suite to Raspiblitz and no issue there... Tried to delete the certificate in Electrum in "certs", but that doesn't help

JessieRaspi avatar Sep 30 '23 09:09 JessieRaspi

After thinking for a while, I changed the connection in my desktop Electrum from 50002:s to 50001:t. That worked. I'm on my cabled home network.

JessieRaspi avatar Oct 02 '23 08:10 JessieRaspi

I just downloaded Sparrow wallet and managed to connect it to Raspiblitz through 50002 with SSL enabled. In the certs of Sparrow wallet on my Windows PC, I found that my certificate there was dated 22-08-2022. I deleted the Electrum cert and copied the Sparrow cert into the Electrum cert directory, but unfortunately Electrum deleted that copied Sparrow cert, put in the recent one that it found instead, and could not connect...

I also tried to open RTL in Firefox with https. Got the usual certificate error (LND autogenerated cert for local host). When I looked through the certificate, I found that the validation is from 28 July 2022 till 23 September 2023...So, outdated as described in the Electrum log. But no problem. After accepting, RTL starts.

I really don't know what else to try to solve this issue. I have seen two certificate files on Raspiblitz, but I don't know how to read them or how to change them (the date).

JessieRaspi avatar Oct 02 '23 12:10 JessieRaspi

This is a client issue. Electrum uses the TOFU ("trust on first use") principle. When a certificate from the server (here the RaspiBlitz) expires, the client won't connect to that server even when you replace the certificate on the server with a new one. You need to issue a new certificate on the RaspiBlitz AND delete the old one on your client:

Replacing the server on the RaspiBlitz should be possible like this via SSH:

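```
cd /home/electrumx/.electrumx/
# Generate a new 2048-bit RSA private key
openssl genrsa -out keyfile.key 2048
# Create a certificate signing request for that key
openssl req -new -key keyfile.key -out server.csr
# Self-sign the request with the same key, valid for 1825 days
openssl x509 -req -days 1825 -in server.csr -signkey keyfile.key -out certfile.crt
# Restart the server so it loads the new certificate
service electrumx restart
```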

On the client, delete the corresponding old cert from C:\Users\xxxxxx\AppData\Roaming\Electrum\certs\192.168.178.234 or something like that.

freerko avatar Nov 21 '23 16:11 freerko

electrs uses the nginx SSL proxy on port 5002 - if the SSL cert is outdated this needs to be handled by nginx

https://github.com/raspiblitz/raspiblitz/blob/624f8ca1a78d5935f94ea90af2136be088442c8a/home.admin/config.scripts/bonus.electrs.sh#L357

TODO: check nginx SSL certs - undo using the lnd one (system might not have lnd running)

rootzoll avatar Nov 22 '23 11:11 rootzoll

After having installed Electrum on a Linux PC and connected to Electrs in my Raspiblitz, the same cert error popped up. After SSHing in, I recreated the LND Macaroons and TLS.cert from the Connect Menu. That helped! I can finally connect through 50002:s instead of 50001:t.

JessieRaspi avatar Jan 12 '24 19:01 JessieRaspi

If your wallet can't connect to 50002 after a fresh install, but can connect on 50001, it could be an old certificate on the wallet. As freerko said, once Electrum gets that first connection, it remembers it forever. As JessieRaspi said, reset your tls.cert in the Raspiblitz Connect Options AND delete the certs on the machine running your wallet. Here's how I did it on Windows: the cert directory for each wallet was in ThisPC > Local Disk (C:) > Users > Username > AppData > Roaming > WalletName > certs. Change the name of the entry for your local area network (for example 192.168.1.20 to 192.168.1.20.old) and the next time you open your wallet it will create a new cert. If this doesn't fix the problem, you can change the name back to the original.

Nerfzooka avatar Mar 20 '24 19:03 Nerfzooka
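
A check that separates the two conditions discussed in this thread, an expired certificate on the server versus a stale pinned copy on the client. This is an added example, not part of any comment above or of the RaspiBlitz or Electrum code. It assumes the `openssl` CLI is installed and that both certificates are available as PEM files; the file names and the `diagnose` helper are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI and PEM files.
# The certificate a server presents can be saved for inspection with, e.g.:
#   openssl s_client -connect HOST:50002 </dev/null 2>/dev/null | openssl x509 > served.pem

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the certificate is (or will be) expired $2 seconds from now.
# With the default of 0 this means "expired right now".
cert_expired() {
    ! openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# diagnose SERVED PINNED [LOOKAHEAD_SECONDS]
#   SERVED = certificate the node presents, PINNED = copy stored by the wallet.
# Prints one of: server-cert-expired, no-pin, pin-mismatch, ok
diagnose() {
    d_served=$1
    d_pinned=$2
    d_ahead=${3:-0}
    if cert_expired "$d_served" "$d_ahead"; then
        # Deleting the client copy alone cannot help: the wallet would
        # fetch the same expired certificate again. Regenerate on the node.
        echo "server-cert-expired"
    elif [ ! -f "$d_pinned" ]; then
        # Nothing stored yet; the wallet pins whatever it sees next.
        echo "no-pin"
    elif [ "$(cert_fingerprint "$d_served")" != "$(cert_fingerprint "$d_pinned")" ]; then
        # Node has a new certificate but the wallet still holds the old one.
        echo "pin-mismatch"
    else
        echo "ok"
    fi
}

# Run directly: ./certcheck.sh served.pem pinned.pem [lookahead-seconds]
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

A non-zero lookahead (for example 2592000 for 30 days) reports a certificate that is about to expire, before the wallet starts refusing it.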

This is now also discussed here: https://github.com/raspiblitz/raspiblitz/issues/4431#issuecomment-2377624050 .. closing this issue as duplicate.

rootzoll avatar Sep 27 '24 23:09 rootzoll