Certificate configuration for Impervious browser


I’ve been trying to configure my node with Impervious browser, with no luck.

Amongst the required configs, there is TLS Cert (Hex String).

For that, I’ve executed the following command:

xxd -ps -u -c 1000 ~/umbrel/app-data/lightning/data/lnd/tls.cert

Still, impervious is not able to connect, and the error message I’m getting is:

transport: authentication handshake failed: x509: certificate is valid for, ::1,, not <xx.xxx.xxx.xxx> [My internet-facing IP]

Upon checking with impervious’ support, I’ve got the following comment:

according to the error, the TLS cert is only valid for the private IP…not <xx.xxx.xxx.xxx>. This is an Umbrel certificate configuration.

What am I missing in all this? I’ve got a hybrid node.

I have further researched within the forum and found this thread here, where it’s said that Umbrel does not support gRPC connections, which seem to be the case for Impervious browser.

I wonder if that’s still the case.

Okay, it’s working now!

Since Impervious does not currently support TOR connections, a hybrid node becomes a pre-requisite.

Umbrel certificate is generated to support only internal hosts, therefore the following steps need to be taken:

  1. In your lnd.conf, add the following entry under [Application Options]:
    tlsextradomain=[YOUR_DOMAIN] where you replace [YOUR_DOMAIN] with the DNS created during your hybrid configuration.
    There’s also the tlsextraip=[YOUR_IP] entry, but that one would need to be updated every time the node IP changes, so I did not bother adding it.

  2. Remove the certificate and key files so that they can be re-generated with the new configs upon node restart:
    rm ~/umbrel/app-data/lightning/data/lnd/tls.cert ~/umbrel/app-data/lightning/data/lnd/tls.key

  3. Restart the lightning service

And that’s it! After that, once you generate the hex for your tls.cert file, it will have the proper contents for Impervious browser to reach it and establish a successful connection.


For TLS hex string you can copy the cert file contents ( ~/umbrel/app-data/core-lightning/data/lnd/tls.cert ) and put it into a cert-2-hex converter, or pem-2-hex convert (google it). Then you have the hex string.

You could otherwise install: sudo apt-get install -y xxd to do it like others have said.

xxd -ps -u -c 1000 ~/umbrel/app-data/core-lightning/data/lnd/tls.cert

1 Like