Allow loopd autogenerated TLS cert validity override with a new loopd…

… flag Co-authored-by: George Tsagkarelis <34623190+GeorgeTsagk@users.noreply.github.com>
lightninglabs · Jul 27, 2023 · 96b2d83 · 96b2d83
1 parent 2a8a6ce
commit 96b2d83
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/loopd/config.go b/loopd/config.go
@@ -99,9 +99,8 @@ var (
 	)
 
 	// DefaultAutogenValidity is the default validity of a self-signed
-	// certificate. The value corresponds to 14 months
-	// (14 months * 30 days * 24 hours).
-	DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
+	// certificate in number of days. The value corresponds to 420 days (~14 months)
+	DefaultAutogenValidity = 420
 )
 
 type lndConfig struct {
@@ -152,6 +151,7 @@ type Config struct {
 	TLSExtraDomains    []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate."`
 	TLSAutoRefresh     bool     `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed."`
 	TLSDisableAutofill bool     `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set."`
+	TLSValidity        int      `long:"tlsvalidity" description:"Loop's TLS certificate validity period in days. Defaults to 420 (roughly 14 months)"`
 
 	MacaroonPath string `long:"macaroonpath" description:"Path to write the macaroon for loop's RPC and REST services if it doesn't exist."`
 
@@ -204,6 +204,7 @@ func DefaultConfig() Config {
 		DebugLevel:          defaultLogLevel,
 		TLSCertPath:         DefaultTLSCertPath,
 		TLSKeyPath:          DefaultTLSKeyPath,
+		TLSValidity:         DefaultAutogenValidity,
 		MacaroonPath:        DefaultMacaroonPath,
 		MaxLSATCost:         lsat.DefaultMaxCostSats,
 		MaxLSATFee:          lsat.DefaultMaxRoutingFeeSats,
@@ -348,7 +349,12 @@ func Validate(cfg *Config) error {
 
 	// At least one retry.
 	if cfg.MaxPaymentRetries < 1 {
-		return fmt.Errorf("max payment retries must be positive")
+		return fmt.Errorf("max payment retries must be at least 1")
+	}
+
+	// At least 1 day for TLS validity.
+	if cfg.TLSValidity < 1 {
+		return fmt.Errorf("TLS certificate minimum validity period is 1 day")
 	}
 
 	return nil
@@ -411,11 +417,13 @@ func loadCertWithCreate(cfg *Config) (tls.Certificate, *x509.Certificate,
 	if !lnrpc.FileExists(cfg.TLSCertPath) &&
 		!lnrpc.FileExists(cfg.TLSKeyPath) {
 
+		validity := time.Duration(cfg.TLSValidity) * 24 * time.Hour
+
 		log.Infof("Generating TLS certificates...")
 		certBytes, keyBytes, err := cert.GenCertPair(
 			defaultSelfSignedOrganization, cfg.TLSExtraIPs,
 			cfg.TLSExtraDomains, cfg.TLSDisableAutofill,
-			DefaultAutogenValidity,
+			validity,
 		)
 		if err != nil {
 			return tls.Certificate{}, nil, err