lightning-terminal: After fresh install - failed to verify certificate: x509: certificate signed by unknown authority

I had litd running just fine until I disabled it for a few weeks while I made some tweaks to lnd. I’m now trying to turn the service back up and I’m being met with this:

Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.739 [INF] LITD: LiT is running in mainnet, the taproot assets subserver do not support the `mainnet` network yet, disabling taproot assets subserver
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.739 [INF] LITD: LiT version: 0.10.2-alpha commit=v0.10.2-alpha
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.740 [INF] LITD: Listening for http_tls on: 127.0.0.1:8443
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.740 [INF] LITD: Listening for http on: [::]:8040
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.751 [INF] SESS: Checking for schema update: latest_version=0, db_version=0
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.752 [INF] LITD: Dialing lnd gRPC server at 127.0.0.1:10009
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.753 [WRN] GRPC: [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:10009 127.0.0.1:10009 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority". Reconnecting...
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.753 [WRN] GRPC: [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:10009 127.0.0.1:10009 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority". Reconnecting...
Jul 21 11:15:24 host litd[49929]: ----------------------------------------------------------
Jul 21 11:15:24 host litd[49929]:  Lightning Terminal (LiT) by Lightning Labs
Jul 21 11:15:24 host litd[49929]:
Jul 21 11:15:24 host litd[49929]:  LND Operating mode      remote
Jul 21 11:15:24 host litd[49929]:  LND Node status         locked
Jul 21 11:15:24 host litd[49929]:  LND Alias               ???? (node is locked)
Jul 21 11:15:24 host litd[49929]:  LND Version             ???? (node is locked)
Jul 21 11:15:24 host litd[49929]:  LiT Version             0.10.2-alpha commit=v0.10.2-alpha
Jul 21 11:15:24 host litd[49929]:  Web interface           127.0.0.1:8443, 0.0.0.0:8040 (open https://127.0.0.1:8443 or http://localhost:8040 in your browser)
Jul 21 11:15:24 host litd[49929]: ----------------------------------------------------------
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.753 [INF] LITD: Connecting basic lnd client
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.954 [INF] LITD: Connecting full lnd client
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.954 [INF] LNDC: Creating lnd connection to 127.0.0.1:10009
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.955 [INF] LNDC: Connected to lnd
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.957 [WRN] GRPC: [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:10009 127.0.0.1:10009 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority". Reconnecting...
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.958 [WRN] GRPC: [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:10009 127.0.0.1:10009 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority". Reconnecting...
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.958 [ERR] LITD: Could not set up LND clients: %!w(*errors.errorString=&{could not create LND Services client: error subscribing to lnd wallet state: lnd version incompatible, need at least v0.13.0-beta, got error on state subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"})
Jul 21 11:15:24 host litd[49929]: 2023-07-21 11:15:24.958 [ERR] LITD: Error starting Lightning Terminal: could not create LND Services client: error subscribing to lnd wallet state: lnd version incompatible, need at least v0.13.0-beta, got error on state subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
Jul 21 11:15:24 host litd[49929]: could not create LND Services client: error subscribing to lnd wallet state: lnd version incompatible, need at least v0.13.0-beta, got error on state subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"

Here is my config:

network=mainnet

lnd-mode=remote
remote.lnd.rpcserver=127.0.0.1:10009
remote.lnd.macaroonpath=/home/user/data/chain/bitcoin/mainnet/admin.macaroon
remote.lnd.tlscertpath=/home/user/tls.cert

faraday-mode=integrated
pool-mode=integrated
loop-mode=integrated

httpslisten=0.0.0.0:8443
uipassword=supersecretpassword-pleasedonthack

So far I’ve

  • recreated lnd tls.cert and tls.key
  • recreated all macaroons
  • deleted my .lit directory
  • updated litd to the latest version

The other services I have running against port 10009 are giving no other indications of a problem. Is this an issue with my config or is something else at play here?

About this issue

  • State: closed
  • Created a year ago
  • Comments: 19 (9 by maintainers)

Most upvoted comments

Thanks for the keys. I can confirm this has something to do with the encryption. Because the keys used to decrypt the certificate are only obtained after unlocking the node, lnd creates an ephemeral key (that is only valid for 2 days). After decrypting the key, it should switch over to the “long-term” TLS key that matches the certificate in tls.cert. But it looks like that did not happen (you can confirm you definitely unlocked the node before pulling the cert with openssl s_client, right?).

Could you perhaps try if this was fixed by https://github.com/lightningnetwork/lnd/pull/7739 (would require running lnd on the master branch)?

In any case, I’m going to close the issue, as it’s definitely not LiT related. If you can’t test if this is fixed in master, could you please open an issue in lnd, giving the info in this comment (or just linking to it)?

Thanks for helping to debug this!
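
The mismatch described in the comment above can be reproduced offline. This Go sketch is an added example, not code from lnd or LiT: it pins a tls.cert-style PEM as the only trust root, verifies the certificate a server presented against it, and separates "short-lived certificate served" from "different long-lived certificate". The names `Diagnose` and `SampleCert`, the verdict strings and the 72-hour cut-off are assumptions made here, and both certificates are constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Diagnose trusts only the certificate(s) in pinnedPEM and verifies the served leaf (DER).
func Diagnose(pinnedPEM, servedDER []byte) (string, error) {
	pool := x509.NewCertPool()
	served, err := x509.ParseCertificate(servedDER)
	if err != nil || !pool.AppendCertsFromPEM(pinnedPEM) {
		return "", fmt.Errorf("unreadable input (served certificate parse error: %v)", err)
	}
	_, err = served.Verify(x509.VerifyOptions{Roots: pool})
	switch {
	case err == nil:
		return "trusted", nil
	case !errors.As(err, new(x509.UnknownAuthorityError)):
		return "", err // expired, bad key usage, ...: a different problem
	case served.NotAfter.Sub(served.NotBefore) <= 72*time.Hour: // assumed cut-off
		return "untrusted: short-lived certificate served", nil
	}
	return "untrusted: different long-lived certificate", nil
}

// SampleCert returns a constructed self-signed certificate as DER and as PEM.
func SampleCert(life time.Duration) (der, pemBytes []byte) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(life)}
		der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	}
	if err != nil {
		panic(err)
	}
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	_, pinned := SampleCert(14 * 30 * 24 * time.Hour) // stands in for tls.cert
	served, _ := SampleCert(48 * time.Hour)           // stands in for the served leaf
	fmt.Println(Diagnose(pinned, served))
}
```
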

Absolutely! I’ll send via the email you have listed on your profile if that works.

That was what I needed! Thank you so much for working through this with me!