clnrest: self-signed certificates error with curl #6761

Open
tonyaldon opened this issue Oct 11, 2023 · 0 comments
Comments

@tonyaldon
Contributor

clnrest self-signed certificates error with curl

Let's use contrib/startup_regtest.sh to show what the problem is.

With CLN v23.08.1

We source it, start 2 nodes on regtest and we check that we are running CLN v23.08.1:

$ source contrib/startup_regtest.sh
$ start_ln
[...]
$ l1-cli getinfo | jq -r .version
v23.08.1

Now we stop the l1 node by running:

$ l1-cli stop

Then we restart lightningd with both clnrest plugin and cln-grpc plugin by running:

$ lightningd --lightning-dir=/tmp/l1-regtest \
             --rest-port=3010 --grpc-port=4010 --daemon

Now if we do a GET request to https://127.0.0.1:3010/v1/list-methods with the certificates generated (by cln-grpc):

$ curl --cacert /tmp/l1-regtest/regtest/ca.pem \
       --request GET \
       --url https://127.0.0.1:3010/v1/list-methods

we get the following error:

curl: (60) SSL: no alternative certificate subject name matches target host name '127.0.0.1'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

But if we use localhost instead of 127.0.0.1 in the URL, like this

$ curl --cacert /tmp/l1-regtest/regtest/ca.pem \
       --request GET \
       --url https://localhost:3010/v1/list-methods

this works and we get

Command: addgossip message
Category: utility
[...]

Now let's stop the node again and remove the certificates generated by cln-grpc:

$ l1-cli stop
"Shutdown complete"
$ rm /tmp/l1-regtest/regtest/*.pem

We restart the node with no port specified for cln-grpc

$ lightningd --lightning-dir=/tmp/l1-regtest --rest-port=3010 --daemon

Now we encounter PR #6755. Specifically, before disabling itself at startup, cln-grpc generates the mTLS certificates; consequently clnrest uses them and we encounter the same error as above.

Running that request

$ curl --cacert /tmp/l1-regtest/regtest/ca.pem \
       --request GET \
       --url https://127.0.0.1:3010/v1/list-methods

gives us that error:

curl: (60) SSL: no alternative certificate subject name matches target host name '127.0.0.1'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And we have no problem if we use localhost instead of 127.0.0.1.

For the exact same reason (dependency on cln-grpc certificates), if we restart the node with the rest-host option set to 127.0.0.2, like this

$ l1-cli stop
$ rm /tmp/l1-regtest/regtest/*.pem
$ lightningd --lightning-dir=/tmp/l1-regtest \
             --rest-port=3010 --rest-host=127.0.0.2 --daemon

and we issue the following request

$ curl --cacert /tmp/l1-regtest/regtest/ca.pem \
       --request GET \
       --url https://127.0.0.2:3010/v1/list-methods

we get a similar error:

curl: (60) SSL: no alternative certificate subject name matches target host name '127.0.0.2'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Now if we explicitly disable the cln-grpc plugin, we can't do a curl request with the self-signed certificates, because the ca.pem file is not generated with CLN v23.08.1, as we can see below:

$ l1-cli stop
$ rm /tmp/l1-regtest/regtest/*.pem
$ lightningd --lightning-dir=/tmp/l1-regtest \
             --rest-port=3010 --disable-plugin=cln-grpc --daemon
$ ls /tmp/l1-regtest/regtest/
accounts.sqlite3  client.pem         gossip_store  lightningd.sqlite3
client-key.pem    emergency.recover  hsm_secret    lightning-rpc

With CLN on master - v23.08.1-205-g1a46b37 - (after the commit that adds complete clnrest generation of the certificates)

$ l1-cli getinfo | jq -r .version

gives us:

v23.08.1-205-g1a46b37

If we use the defaults (meaning 127.0.0.1 for the host) and cln-grpc is explicitly disabled, we can do a GET request to both (using the ca.pem file)

  • https://127.0.0.1:3010/v1/list-methods and
  • https://localhost:3010/v1/list-methods.

But if cln-grpc is not explicitly disabled, a GET request to https://127.0.0.1:3010/v1/list-methods (using the ca.pem file) fails as above.

Now if we start lightningd with the rest-host option set to 127.0.0.2, like this

$ l1-cli stop
$ rm /tmp/l1-regtest/regtest/*.pem
$ ./lightningd/lightningd --lightning-dir=/tmp/l1-regtest \
             --rest-port=3010 --rest-host=127.0.0.2 \
             --disable-plugin=cln-grpc --daemon

and we issue the following request

$ curl --cacert /tmp/l1-regtest/regtest/ca.pem \
       --request GET \
       --url https://127.0.0.2:3010/v1/list-methods

we get the following error:

curl: (60) SSL: no alternative certificate subject name matches target host name '127.0.0.2'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Fix

If this issue is considered to be a bug, (part of) #6749 fixes it.
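The curl error (60) in the sessions above is the client's hostname check, not a signature problem: curl validates the chain against ca.pem and then requires the host written in the URL to appear in the certificate's subjectAltName (SAN), and an IP literal such as 127.0.0.1 is only ever compared against iPAddress SAN entries, never against dNSName entries like localhost. The following Python script is an added illustration of that matching rule; it is not curl's, OpenSSL's or Core Lightning's code, and the two SAN lists are constructed to reproduce the symptoms reported (a certificate naming only localhost, and one that also lists the loopback addresses and the configured rest-host). It does not parse the real ca.pem or server.pem files.

```python
"""Illustrative SAN / host matching, modelled on RFC 6125 and RFC 2818.

Added example, not code from curl, OpenSSL or Core Lightning. SAN lists
are constructed for the demonstration, not read from real certificates.
"""
import ipaddress
from typing import Iterable, Tuple

# A SAN entry is modelled as (kind, value); kind is "DNS" or "IP",
# the same labels that `openssl x509 -text` prints for subjectAltName.
SanEntry = Tuple[str, str]


def _dns_matches(pattern: str, host: str) -> bool:
    """dNSName match: case-insensitive; a single '*' is allowed only as
    the whole left-most label, must cover exactly one non-empty label,
    and may not appear in a pattern with fewer than three labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def host_matches_san(host: str, sans: Iterable[SanEntry]) -> bool:
    """Return True if `host` (as written in the URL) is covered by `sans`.

    An IP literal in the URL is compared only against iPAddress entries;
    it is never matched against dNSName entries. That is why
    https://127.0.0.1/ fails against a certificate whose SAN is only
    DNS:localhost, while https://localhost/ succeeds.
    """
    try:
        target_ip = ipaddress.ip_address(host.strip("[]"))  # [::1] form too
    except ValueError:
        target_ip = None

    for kind, value in sans:
        if target_ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and _dns_matches(value, host):
            return True
    return False


def explain(host: str, sans: Iterable[SanEntry]) -> str:
    """Produce a curl-style diagnostic for the outcome of the match."""
    if host_matches_san(host, sans):
        return f"ok: '{host}' matches a subjectAltName entry"
    return ("SSL: no alternative certificate subject name matches "
            f"target host name '{host}'")


# Constructed SAN lists (assumptions for the demo, not the real files).
# LOCALHOST_ONLY_SANS reproduces the behaviour seen in the issue:
# localhost works, 127.0.0.1 and 127.0.0.2 fail.
LOCALHOST_ONLY_SANS: Tuple[SanEntry, ...] = (("DNS", "localhost"),)
# WITH_IP_SANS shows what a certificate needs so that the same requests
# pass: iPAddress entries for every address clients will put in the URL,
# including the value configured with --rest-host.
WITH_IP_SANS: Tuple[SanEntry, ...] = (
    ("DNS", "localhost"),
    ("IP", "127.0.0.1"),
    ("IP", "127.0.0.2"),
)

if __name__ == "__main__":
    for host in ("localhost", "127.0.0.1", "127.0.0.2", "[::1]"):
        print(f"{host:<10} DNS-only cert -> {explain(host, LOCALHOST_ONLY_SANS)}")
        print(f"{host:<10} with IP SANs  -> {explain(host, WITH_IP_SANS)}")
```

Run it as-is to see the four hosts checked against both constructed certificates; on a real node, `openssl x509 -in /tmp/l1-regtest/regtest/server.pem -noout -ext subjectAltName` prints the actual SAN list, which is the first thing to inspect when curl reports error 60 for an address that is not in it.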

Labels: None yet
Projects: None yet
Development: No branches or pull requests
1 participant