config+shushtar: add letsencrypt options

Author: guggero

config.go

@@ -2,9 +2,11 @@ package shushtar
 
 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -17,6 +19,7 @@ import (
 	"github.com/lightningnetwork/lnd/cert"
 	"github.com/lightningnetwork/lnd/lncfg"
 	"github.com/mwitkow/go-conntrack/connhelpers"
+	"golang.org/x/crypto/acme/autocert"
 )
 
 const (
@@ -25,17 +28,41 @@ const (
 	uiPasswordMinLength = 8
 )
 
+var (
+	lndDefaultConfig     = lnd.DefaultConfig()
+	faradayDefaultConfig = faraday.DefaultConfig()
+	loopDefaultConfig    = loopd.DefaultConfig()
+
+	defaultLetsEncryptDir = filepath.Join(lnd.DefaultLndDir, "letsencrypt")
+)
+
 // Config is the main configuration struct of shushtar. It contains all config
 // items of its enveloping subservers, each prefixed with their daemon's short
 // name.
 type Config struct {
-	HTTPSListen    string          `long:"httpslisten" description:"host:port to listen for incoming HTTP/2 connections on"`
-	UIPassword     string          `long:"uipassword" description:"the password that must be entered when using the loop UI. use a strong password to protect your node from unauthorized access through the web UI"`
-	UIPasswordFile string          `long:"uipassword_file" description:"same as uipassword but instead of passing in the value directly, read the password from the specified file"`
-	UIPasswordEnv  string          `long:"uipassword_env" description:"same as uipassword but instead of passing in the value directly, read the password from the specified environment variable"`
-	Lnd            *lnd.Config     `group:"lnd" namespace:"lnd"`
-	Faraday        *faraday.Config `group:"faraday" namespace:"faraday"`
-	Loop           *loopd.Config   `group:"loop" namespace:"loop"`
+	HTTPSListen    string `long:"httpslisten" description:"host:port to listen for incoming HTTP/2 connections on"`
+	UIPassword     string `long:"uipassword" description:"the password that must be entered when using the loop UI. use a strong password to protect your node from unauthorized access through the web UI"`
+	UIPasswordFile string `long:"uipassword_file" description:"same as uipassword but instead of passing in the value directly, read the password from the specified file"`
+	UIPasswordEnv  string `long:"uipassword_env" description:"same as uipassword but instead of passing in the value directly, read the password from the specified environment variable"`
+
+	LetsEncrypt     bool   `long:"letsencrypt" description:"use Let's Encrypt to create a TLS certificate for the UI instead of using lnd's TLS certificate. port 80 must be free to listen on and must be reachable from the internet for this to work"`
+	LetsEncryptHost string `long:"letsencrypthost" description:"the host name to create a Let's Encrypt certificate for'"`
+	LetsEncryptDir  string `long:"letsencryptdir" description:"the directory where the Let's Encrypt library will store its key and certificate"`
+
+	Lnd     *lnd.Config     `group:"lnd" namespace:"lnd"`
+	Faraday *faraday.Config `group:"faraday" namespace:"faraday"`
+	Loop    *loopd.Config   `group:"loop" namespace:"loop"`
+}
+
+// defaultConfig returns a configuration struct with all default values set.
+func defaultConfig() *Config {
+	return &Config{
+		HTTPSListen:    defaultHTTPSListen,
+		LetsEncryptDir: defaultLetsEncryptDir,
+		Lnd:            &lndDefaultConfig,
+		Faraday:        &faradayDefaultConfig,
+		Loop:           &loopDefaultConfig,
+	}
 }
 
 // loadLndConfig loads and sanitizes the lnd main configuration and hooks up all
@@ -163,18 +190,57 @@ func readUIPassword(config *Config) error {
 		"variable that contains the password")
 }
 
-func buildTLSConfigForHttp2(config *lnd.Config) (*tls.Config, error) {
-	tlsCert, _, err := cert.LoadCert(config.TLSCertPath, config.TLSKeyPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed reading TLS server keys: %v",
-			err)
+func buildTLSConfigForHttp2(config *Config) (*tls.Config, error) {
+	var tlsConfig *tls.Config
+
+	switch {
+	case config.LetsEncrypt:
+		serverName := config.LetsEncryptHost
+		if serverName == "" {
+			return nil, errors.New("let's encrypt host name " +
+				"option is required for using let's encrypt")
+		}
+
+		log.Infof("Setting up Let's Encrypt for server %v", serverName)
+
+		certDir := config.LetsEncryptDir
+		log.Infof("Setting up Let's Encrypt with cache dir %v", certDir)
+
+		manager := autocert.Manager{
+			Cache:      autocert.DirCache(certDir),
+			Prompt:     autocert.AcceptTOS,
+			HostPolicy: autocert.HostWhitelist(serverName),
+		}
+
+		go func() {
+			err := http.ListenAndServe(
+				":http", manager.HTTPHandler(nil),
+			)
+			if err != nil {
+				log.Errorf("Error starting Let's Encrypt "+
+					"HTTP listener on port 80: %v", err)
+			}
+		}()
+		tlsConfig = &tls.Config{
+			GetCertificate: manager.GetCertificate,
+		}
+
+	default:
+		tlsCert, _, err := cert.LoadCert(
+			config.Lnd.TLSCertPath, config.Lnd.TLSKeyPath,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed reading TLS server keys: %v",
+				err)
+		}
+		tlsConfig = cert.TLSConfFromCert(tlsCert)
+		tlsConfig.CipherSuites = append(
+			tlsConfig.CipherSuites,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		)
 	}
-	tlsConfig := cert.TLSConfFromCert(tlsCert)
-	tlsConfig.CipherSuites = append(
-		tlsConfig.CipherSuites,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	)
-	tlsConfig, err = connhelpers.TlsConfigWithHttp2Enabled(tlsConfig)
+
+	tlsConfig, err := connhelpers.TlsConfigWithHttp2Enabled(tlsConfig)
 	if err != nil {
 		return nil, fmt.Errorf("can't configure h2 handling: %v", err)
 	}

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/prometheus/client_golang v1.5.1 // indirect
 	github.com/rakyll/statik v0.1.7
 	github.com/rs/cors v1.7.0 // indirect
+	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
 	golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e // indirect
 	golang.org/x/sys v0.0.0-20200406155108-e3b113bbe6a4 // indirect
 	google.golang.org/grpc v1.28.0

go.sum

@@ -19,6 +19,7 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -108,8 +109,11 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-openapi/errors v0.19.2 h1:a2kIyV3w+OS3S97zxUndRVD46+FhGOUBDFY7nmu4CsY=
 github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
+github.com/go-openapi/strfmt v0.19.5 h1:0utjKrw+BAh8s57XE9Xz8DUBsVvPmRUB6styvl9wWIM=
 github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
+github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
@@ -154,6 +158,7 @@ github.com/jackpal/gateway v1.0.5 h1:qzXWUJfuMdlLMtt0a3Dgt+xkWQiA5itDEITVJtuSwMc
 github.com/jackpal/gateway v1.0.5/go.mod h1:lTpwd4ACLXmpyiCTRtfiNyVnUmqT9RivzCDQetPfnjA=
 github.com/jackpal/go-nat-pmp v0.0.0-20170405195558-28a68d0c24ad h1:heFfj7z0pGsNCekUlsFhO2jstxO4b5iQ665LjwM5mDc=
 github.com/jackpal/go-nat-pmp v0.0.0-20170405195558-28a68d0c24ad/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc=
+github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=
@@ -202,6 +207,7 @@ github.com/lightninglabs/loop v0.6.2-beta.0.20200528104150-c281cab8a036/go.mod h
 github.com/lightninglabs/neutrino v0.11.0/go.mod h1:CuhF0iuzg9Sp2HO6ZgXgayviFTn1QHdSTJlMncK80wg=
 github.com/lightninglabs/neutrino v0.11.1-0.20200316235139-bffc52e8f200 h1:j4iZ1XlUAPQmW6oSzMcJGILYsRHNs+4O3Gk+2Ms5Dww=
 github.com/lightninglabs/neutrino v0.11.1-0.20200316235139-bffc52e8f200/go.mod h1:MlZmoKa7CJP3eR1s5yB7Rm5aSyadpKkxqAwLQmog7N0=
+github.com/lightninglabs/protobuf-hex-display v1.3.3-0.20191212020323-b444784ce75d h1:QWD/5MPnaZfUVP7P8wLa4M8Td2DI7XXHXt2vhVtUgGI=
 github.com/lightninglabs/protobuf-hex-display v1.3.3-0.20191212020323-b444784ce75d/go.mod h1:KDb67YMzoh4eudnzClmvs2FbiLG9vxISmLApUkCa4uI=
 github.com/lightningnetwork/lightning-onion v1.0.2-0.20200501022730-3c8c8d0b89ea h1:oCj48NQ8u7Vz+MmzHqt0db6mxcFZo3Ho7M5gCJauY/k=
 github.com/lightningnetwork/lightning-onion v1.0.2-0.20200501022730-3c8c8d0b89ea/go.mod h1:rigfi6Af/KqsF7Za0hOgcyq2PNH4AN70AaMRxcJkff4=
@@ -218,11 +224,13 @@ github.com/lightningnetwork/lnd/ticker v1.0.0/go.mod h1:iaLXJiVgI1sPANIF2qYYUJXj
 github.com/ltcsuite/ltcd v0.0.0-20190101042124-f37f8bf35796 h1:sjOGyegMIhvgfq5oaue6Td+hxZuf3tDC8lAPrFldqFw=
 github.com/ltcsuite/ltcd v0.0.0-20190101042124-f37f8bf35796/go.mod h1:3p7ZTf9V1sNPI5H8P3NkTFF4LuwMdPl2DodF60qAKqY=
 github.com/ltcsuite/ltcutil v0.0.0-20181217130922-17f3b04680b6/go.mod h1:8Vg/LTOO0KYa/vlHWJ6XZAevPQThGH5sufO0Hrou/lA=
+github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v0.0.0-20171125082028-79bfde677fa8 h1:PRMAcldsl4mXKJeRNB/KVNz6TlbS6hk2Rs42PqgU3Ws=
 github.com/miekg/dns v0.0.0-20171125082028-79bfde677fa8/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
@@ -297,11 +305,13 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1
 github.com/tv42/zbase32 v0.0.0-20160707012821-501572607d02 h1:tcJ6OjwOMvExLlzrAVZute09ocAGa7KqOON60++Gz4E=
 github.com/tv42/zbase32 v0.0.0-20160707012821-501572607d02/go.mod h1:tHlrkM198S068ZqfrO6S8HsoJq2bF3ETfTL+kt4tInY=
 github.com/urfave/cli v1.18.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.mongodb.org/mongo-driver v1.0.3 h1:GKoji1ld3tw2aC+GX1wbr/J2fX13yNacEYoJ8Nhr0yU=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=

shushtar.go

@@ -17,12 +17,12 @@ import (
 	restProxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
 	"github.com/improbable-eng/grpc-web/go/grpcweb"
 	"github.com/jessevdk/go-flags"
-	"github.com/lightninglabs/faraday"
 	"github.com/lightninglabs/faraday/frdrpc"
 	"github.com/lightninglabs/loop/lndclient"
 	"github.com/lightninglabs/loop/loopd"
 	"github.com/lightninglabs/loop/looprpc"
 	"github.com/lightningnetwork/lnd"
+	"github.com/lightningnetwork/lnd/lncfg"
 	"github.com/lightningnetwork/lnd/lnrpc"
 	"github.com/lightningnetwork/lnd/lntest/wait"
 	"github.com/lightningnetwork/lnd/macaroons"
@@ -45,6 +45,7 @@ import (
 
 const (
 	defaultServerTimeout  = 10 * time.Second
+	defaultConnectTimeout = 5 * time.Second
 	defaultStartupTimeout = 5 * time.Second
 )
 
@@ -56,10 +57,6 @@ var (
 	authError = status.Error(
 		codes.Unauthenticated, "authentication required",
 	)
-
-	lndDefaultConfig     = lnd.DefaultConfig()
-	faradayDefaultConfig = faraday.DefaultConfig()
-	loopDefaultConfig    = loopd.DefaultConfig()
 )
 
 // Shushtar is the main grand unified binary instance. Its task is to start an
@@ -88,12 +85,7 @@ type Shushtar struct {
 // New creates a new instance of the shushtar daemon.
 func New() *Shushtar {
 	return &Shushtar{
-		cfg: &Config{
-			HTTPSListen: defaultHTTPSListen,
-			Lnd:         &lndDefaultConfig,
-			Faraday:     &faradayDefaultConfig,
-			Loop:        &loopDefaultConfig,
-		},
+		cfg:        defaultConfig(),
 		lndErrChan: make(chan error, 1),
 	}
 }
@@ -108,6 +100,11 @@ func (g *Shushtar) Run() error {
 		return err
 	}
 
+	// Validate the shushtar config options.
+	g.cfg.LetsEncryptDir = lncfg.CleanAndExpandPath(g.cfg.LetsEncryptDir)
+	if g.cfg.LetsEncrypt && g.cfg.LetsEncryptHost == "" {
+		return fmt.Errorf("host must be set when using let's encrypt")
+	}
 	err = readUIPassword(g.cfg)
 	if err != nil {
 		return fmt.Errorf("could not read UI password: %v", err)
@@ -472,7 +469,7 @@ func (g *Shushtar) startGrpcWebProxy() error {
 		return fmt.Errorf("unable to listen on %v: %v",
 			g.cfg.HTTPSListen, err)
 	}
-	tlsConfig, err := buildTLSConfigForHttp2(g.cfg.Lnd)
+	tlsConfig, err := buildTLSConfigForHttp2(g.cfg)
 	if err != nil {
 		return fmt.Errorf("unable to create TLS config: %v", err)
 	}
@@ -590,7 +587,7 @@ func dialLnd(lndAddr string, config *lnd.Config) (*grpc.ClientConn, error) {
 		grpc.WithDefaultCallOptions(maxMsgRecvSize),
 		grpc.WithConnectParams(grpc.ConnectParams{
 			Backoff:           backoff.DefaultConfig,
-			MinConnectTimeout: 5 * time.Second,
+			MinConnectTimeout: defaultConnectTimeout,
 		}),
 	}