-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] LND REST Proxy stop working if gRPC is exposed on 0.0.0.0 #1567
Comments
Please don't run with this setting on mainnet. As is, it means you won't get a recovery phrase and also the contents on disk will be encrypted with a default passphrase. |
I might change it later. I am currently working with Zap wallet guys to get something working. If Zap wallet can handle the initialization of the recovery phrase, I will do this. I can't ask BTCPay users to use command line. |
Why would they have to use the command line? It's possible to do it all programmatically over the REST interface. If Zap is skipping this all together, that's pretty dangerous... (users have no way to recover on chain funds) |
They probably do already, need to check. |
Also this is the Let's Encrypt cert right? Not the default cert that lnd generates? |
Yes. Technically it is possible to initialize the wallet from Zap. I just don't know if they do it now. (they probably do, I just need to ask) But anyway for this issue, it is unrelated to all of that. In my case, the REST Proxy just seem to connect to gRPC server by using This is completely unrelated to how btcpay do things. |
I think keeping The reason is that I don't want the user to manually enter a password if his server restart for some reason. I could unlock it automatically via the API, but what is the point? If the server get pwnd the password will also leak and thus the attacker can unlock himself. |
Do you understand that the user doesn't get a backup phrase with that a
option?
…On Fri, Jul 27, 2018, 2:03 AM Nicolas Dorier ***@***.***> wrote:
I think keeping noencryptwallet=0.
The reason is that I don't want the user to manually enter a password if
his server restart for some reason.
I could unlock it automatically via the API, but what is the point? If the
server get pwnd the password will also leak and thus the attacker can
unlock himself.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1567 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA87LuvwLfI95O9J5N0Wrj7uNq0vQtAlks5uKq1NgaJpZM4VSCay>
.
|
@Roasbeef nop, this is problematic indeed. I need to think more about it. |
How do you handle the password for bitcoind?
…On Fri, Jul 27, 2018, 8:41 AM Nicolas Dorier ***@***.***> wrote:
@Roasbeef <https://github.com/Roasbeef> nop, this is problematic indeed.
I need to think more about it.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1567 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA87LqWYrVC24gYFmfuIOLRuB7HmjF_Gks5uKwpqgaJpZM4VSCay>
.
|
I don't BTCPay does not need to sign any transaction as the money goes directly into the Ledger Wallet of the user. |
I got an idea where I can set it up which would fit well in the UX... The passphrase to unlock the wallet will be saved in BTCPay, but at least the user would be able to restore. |
@NicolasDorier Thanks for the workaround.
Once I added the |
I encountered the same issue. For me adding this line fixed it, though I don't think this is the appropriate way to handle it:
|
I ran into this exact problem too and was messing around with different ways for quite some time. Nicolas's "add an extra line with tl;dr: add |
I've just tested this and it still doesn't work, even with the fix #2247 which is now in master. Version: 0.5.2-99-beta commit=queue/v1.0.1-106-g9143067014bcde14f1e8f7eb515bae1ccccb97c5, build=development, logging=default (which is master as of right now).
And then trying to unlock the wallet via the rest api fails with:
Yes I've deleted the certificate and key before starting lnd. |
I see. #2247 only fixed the issue with the rpc server, but the password rpc server is started somewhere else (in lnd.go instead of rpcserver.go), and probably requires the same changes. |
I probably don't have this error because my fork of LND disable SSL. |
Background
When I added
rpclisten=0.0.0.0:10009
, then the rest endpoint sends me error 500:Config:
Error:
Workaround
Adding an unused rpclisten endpoint fix the situation.
The text was updated successfully, but these errors were encountered: