Hello, I’ve been really sad trying to fix my umbrel lightning node. I got it all set up a few days ago, opened all channels, and was super excited it was functioning. I’m running the latest version. It then just stopped working out of nowhere. I tried following everything I’ve seen and nothing works.
I have downloaded the logs. Looking at the logs this is what I see to be the main problem after it starts up:
1. http: TLS handshake error from 10.21.0.33:38846: local error: tls: bad record MAC
2. lightning_app_1 30 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
It looks like the error in the logs occurs when I try to go to http://umbrel.local:2101/. The node seems to be working fine, right?
OK, guys. Hope this doesn’t happen to you all given how hard it is to diagnose. Literally could be 20 things. It looks like this SSL handshake issue can come out of nowhere from what support told me. Here’s what worked for me:
SSH to ~/umbrel/app-data/lightning/data/lnd/
Once in the lnd directory, you can generate new TLS certificates. lnd has its own mechanism for generating certificates, but you can also use openssl if you need to manually create them. Here’s how to generate new certificates using openssl:
This creates a new TLS private key (tls.key) and a self-signed certificate (tls.cert), valid for approximately 10 years (3650 days). Adjust the -days parameter if you prefer a different validity period. RESTART ALL LND SERVICES & TOR SERVICES. I was dumb by restarting every docker image (like docker restart lightning_lnd_1), but you can easily restart all services by going into umbrel and restarting through the settings (or clicking the button on your umbrel home).
If you run the snippet below, do you still get the same issue? I get the same response you get if I make a typo
```
openssl ecparam -name prime256v1 -genkey -out tls.key
```
Thx man, first command worked but I’m stuck on the second “openssl req -new -sha256 -key tls.key -out csr.csr -subj ‘/CN=localhost/O=lnd’”
req: subject name is expected to be in the format /type0=value0/type1=value1/type2=… where characters may be escaped by \. This name is not in that format: ‘‘/CN=localhost/O=lnd’’
Edit: got it to work with this command (no quotes) openssl req -new -sha256 -key tls.key -out csr.csr -subj /CN=localhost/O=lnd
Another simple fix for this is to simply delete tls.cert/tls.key and restart lightning. You can do so with the following steps:
Open a terminal window on your computer. On macOS, you can open the Terminal app that’s installed by default on every Mac. On Windows, you can open Command Prompt or the PowerShell app.
Type in the following command: ssh -t umbrel@umbrel.local and press the Enter key.
Run sudo rm ~/umbrel/app-data/lightning/data/lnd/tls.cert and sudo rm ~/umbrel/app-data/lightning/data/lnd/tls.key
You can then run umbreld client apps.restart.mutate --appId lightning. After restarting, new certs will be populated for you.
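A pre-check for the two fixes discussed in this thread, added here as an example and not posted by any participant: it reports whether tls.cert still carries the public key of tls.key and whether it is near expiry, so you know if replacing the pair is warranted. The function names and verdict words are invented for this example, and the sample pair is constructed with the curve, subject and validity mentioned above (the `-noout` and `-x509` flags are this example's choice).

```shell
#!/bin/sh
# Added example (not from the thread): inspect an lnd TLS pair before replacing it.

# check_lnd_tls DIR [SECONDS]
# Prints one verdict word. Returns 0 ok, 1 missing, 2 unreadable, 3 mismatch, 4 expiring.
check_lnd_tls() {
    dir=$1
    horizon=${2:-0}   # flag certificates that expire within this many seconds
    cert="$dir/tls.cert"
    key="$dir/tls.key"

    [ -s "$cert" ] && [ -s "$key" ] || { echo missing; return 1; }

    # Extract the public key from each file; a parse failure is its own verdict.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo unreadable; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo unreadable; return 2; }

    # A certificate that does not carry the key's public half cannot complete a handshake.
    [ "$cert_pub" = "$key_pub" ] || { echo mismatch; return 3; }

    openssl x509 -in "$cert" -noout -checkend "$horizon" >/dev/null 2>&1 || { echo expiring; return 4; }
    echo ok
}

# make_sample_pair DIR: constructed test input, a throwaway self-signed pair.
make_sample_pair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/tls.key" 2>/dev/null &&
    openssl req -new -x509 -sha256 -key "$1/tls.key" -out "$1/tls.cert" \
        -days 3650 -subj /CN=localhost/O=lnd 2>/dev/null
}

# Demo on constructed data only; pass the real lnd directory to check a node.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir"
echo "fresh pair: $(check_lnd_tls "$demo_dir")"
# The SHA-256 fingerprint is what a client's stored copy of tls.cert should match.
openssl x509 -in "$demo_dir/tls.cert" -noout -fingerprint -sha256
rm -rf "$demo_dir"
```

A `mismatch` or `expiring` verdict supports replacing the pair; an `ok` verdict points away from the two files themselves.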