-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
draft: Generate tls certificate with CA #9325
base: master
Are you sure you want to change the base?
Conversation
Important Review skippedAuto reviews are limited to specific labels. 🏷️ Labels to auto review (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Concept ACK! Thanks for looking into this!
BasicConstraintsValid: true, | ||
|
||
DNSNames: dnsNames, | ||
IPAddresses: ipAddresses, | ||
} | ||
|
||
if isCa { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might want some explanatory comments around this.
|
||
// Always generate a new CA, regardless of whether it existed previously | ||
// or not. | ||
caBytes, caKeyBytes, err := cert.GenCertPair( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the idea is to have this new CA cert generation turned on by default?
Which I guess wouldn't directly change any behavior for existing users that still use the tls.cert
on the client side directly to validate the server connection.
Though I still kind of would've expected this new behavior to be opt in, just to not confuse users that don't know what CAs are and what files can/should be copied to the client and which shouldn't.
So perhaps something like --tlsuseca
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for reviewing, and the concept ACK.
I thought to have it enabled by default. If clients still work with the existing tls.cert
, and only a new ca.cert
is added, that would be preferred in my opinion. That does depend on different clients not breaking obviously. I guess that's hard to predict.
I'll make it --tlsuseca
and try to make the generation flow simple enough.
Concept ACK! |
Change Description
The go-to grpc library for rust, tonic, uses rustls under the hood. rustls doesn't accept the endpoint of the certificate to also be the certificate authority. The best practice is to use a separate CA certificate that signs the tls certificate. Clients should then use this CA certificate for 'server' authentication. More and more clients use rust, this PR makes rust clients compatible with LND, and LND compatible with certificate best practices.
This is a draft PR. It is missing tests. I tested this with rust manually.
Fixes #5450
** Looking for a concept ACK before I continue writing the tests. **
Steps to Test
Steps for reviewers to follow to test the change.
Pull Request Checklist
Testing
Code Style and Documentation
[skip ci]
in the commit message for small changes.📝 Please see our Contribution Guidelines for further guidance.