Help getting umbrel lightning node working again - stopped out of nowhere. SSL error?

Hello, I’ve been really sad trying to fix my umbrel lightning node. I got it all set up a few days ago, opened all channels, and was super excited it was functioning. I’m running the latest version. It then just stopped working out of nowhere. I tried following everything I’ve seen and nothing works.

I have downloaded the logs. Looking at the logs this is what I see to be the main problem after it starts up:

1. http: TLS handshake error from 10.21.0.33:38846: local error: tls: bad record MAC
2. lightning_app_1 30 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.

It looks like the error in the logs occurs when I try to go to http://umbrel.local:2101/. The node seems to be working fine, right?

any ideas on how to fix this handshake error?


OK, guys. Hope this doesn’t happen to you all given how hard it is to diagnose. Literally could be 20 things. It looks like this SSL handshake issue can come out of nowhere from what support told me. Here’s what worked for me:

  1. SSH to ~/umbrel/app-data/lightning/data/lnd/
  2. Once in the lnd directory, you can generate new TLS certificates. lnd has its own mechanism for generating certificates, but you can also use openssl if you need to manually create them. Here’s how to generate new certificates using openssl:
  3. openssl ecparam -name prime256v1 -genkey -out tls.key
     openssl req -new -sha256 -key tls.key -out csr.csr -subj '/CN=localhost/O=lnd'
     openssl req -x509 -sha256 -days 3650 -key tls.key -in csr.csr -out tls.cert
     rm csr.csr
  4. This creates a new TLS private key (tls.key) and a self-signed certificate (tls.cert), valid for approximately 10 years (3650 days). Adjust the -days parameter if you prefer a different validity period. RESTART ALL LND SERVICES & TOR SERVICES. I was dumb by restarting every docker image (like docker restart lightning_lnd_1), but you can easily restart all services by going into umbrel and restarting through the settings (or clicking the button on your umbrel home).

Hey, I have just migrated from a raspi4 and have the same SSL handshake error all of a sudden. I tried step #3

openssl ecparam -name prime256v1 -genkey -out tls.key openssl req -new -sha256 -key tls.key -out csr.csr -subj ‘/CN=localhost/O=lnd’ openssl req -x509 -sha256 -days 3650 -key tls.key -in csr.csr -out tls.cert rm csr.csr

The response was “ecparam: Use -help for summary.”

Seems it did not re-create the certs correctly?

If you run the snippet below, do you still get the same issue? I get the same response you get if I make a typo.

```
openssl ecparam -name prime256v1 -genkey -out tls.key
```

If that works, then run the rest of the blocks, and so on.

  • openssl req -new -sha256 -key tls.key -out csr.csr -subj '/CN=localhost/O=lnd'
  • openssl req -x509 -sha256 -days 3650 -key tls.key -in csr.csr -out tls.cert
  • rm csr.csr

Thx man, first command worked but I’m stuck on the second “openssl req -new -sha256 -key tls.key -out csr.csr -subj ‘/CN=localhost/O=lnd’”

req: subject name is expected to be in the format /type0=value0/type1=value1/type2=… where characters may be escaped by \. This name is not in that format: ‘‘/CN=localhost/O=lnd’’

Edit: got it to work with this command (no quotes)
openssl req -new -sha256 -key tls.key -out csr.csr -subj /CN=localhost/O=lnd

Finally for:
openssl req -x509 -sha256 -days 3650 -key tls.key -in csr.csr -out tls.cert

The response is this:
Warning: No -copy_extensions given; ignoring any extensions in the request ← is this okay?
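Putting the openssl steps from the first answer together with the quoting fix above, here is an added example (not posted by anyone in this thread): a small POSIX shell script that regenerates tls.key/tls.cert into a directory you pass in, then checks that the pair belongs together and is not about to expire. It assumes openssl is on PATH; the function names are mine, and the target directory (e.g. ~/umbrel/app-data/lightning/data/lnd) is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: regenerate lnd's TLS pair with the
# openssl steps from the first answer (straight quotes around -subj) and
# sanity-check the result. Assumes openssl is on PATH.
set -eu

# Generate tls.key / tls.cert in $1 (overwrites any existing pair).
gen_lnd_tls() {
    dir="$1"
    mkdir -p "$dir"
    # -noout leaves out the EC PARAMETERS block so the file holds only the key.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/tls.key"
    # Curly quotes from a forum paste break -subj parsing; these are straight quotes.
    openssl req -new -sha256 -key "$dir/tls.key" -out "$dir/csr.csr" \
        -subj '/CN=localhost/O=lnd'
    openssl req -x509 -sha256 -days 3650 -key "$dir/tls.key" \
        -in "$dir/csr.csr" -out "$dir/tls.cert"
    rm -f "$dir/csr.csr"
}

# Return 0 if tls.key and tls.cert in $1 carry the same public key.
key_matches_cert() {
    dir="$1"
    k=$(openssl pkey -in "$dir/tls.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$dir/tls.cert" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Return 0 if the cert is valid now and not expiring within the next 30 days.
cert_not_expiring() {
    openssl x509 -in "$1/tls.cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null
}

# Print subject, validity window and SHA-256 fingerprint. A client that still
# trusts the old fingerprint logs "certificate verify failed" after regeneration,
# which is why every lnd-facing service has to be restarted afterwards.
cert_summary() {
    openssl x509 -in "$1/tls.cert" -noout -subject -dates -fingerprint -sha256
}

# Usage: ./regen_lnd_tls.sh /path/to/lnd/data
if [ "$#" -ge 1 ]; then
    gen_lnd_tls "$1"
    key_matches_cert "$1" && cert_not_expiring "$1" && cert_summary "$1"
fi
```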

Another simple fix for this is to simply delete tls.cert/tls.key and restart lightning. You can do so with the following steps:

  1. Open a terminal window on your computer. On macOS, you can open the Terminal app that’s installed by default on every Mac. On Windows, you can open Command Prompt or the PowerShell app.
  2. Type in the following command ssh -t umbrel@umbrel.local and press the Enter key
  3. Run sudo rm ~/umbrel/app-data/lightning/data/lnd/tls.cert and sudo rm ~/umbrel/app-data/lightning/data/lnd/tls.key
  4. You can then run umbreld client apps.restart.mutate --appId lightning. After restarting, new certs will be populated for you.

Worked for a bit then the same error returned. Any ideas why?

Happened to me as well, then I just re-ran it, and it went back. It’s clearly a bug.


Any update on a permanent solution?