Hybrid Mode: LND REST TLS Error with Cloudflare Tunnel

Hi folks, I’ve got an issue that is almost certainly related to networking and not Umbrel itself. Nevertheless, I wasn’t able to find a good resource for this elsewhere and I was hoping one of you folks could help out.

My objective is to be able to access my node via Zeus wallet over LND REST / HTTPS without needing to be on my VPN.

I’m running LND and followed @Hakuna’s excellent guide for setting up my node in hybrid mode. I do have a VPS that I’m using as the proxy for LND, but would rather use cloudflare tunnels for REST access rather than dealing with a reverse proxy etc (just trying to reduce my self-managed footprint a bit).

My request path goes like:

[Internet] > Cloudflare [DNS] > Cloudflare tunnel > cloudflared container on Umbrel > LND on umbrel

In lnd.conf I have the following settings configured that should allow me to do this:

  • externalip=(my VPS IP address:port)
  • nat=false
  • restlisten=0.0.0.0:8080
  • tlsextradomain=(the subdomain I’m using for LND REST in the ‘my.domain.com’ format)
  • tlsextraip=(a bunch of IPs for various interfaces, e.g. my docker network gateway, my host machine’s local IP address, etc.)

When I attempt to connect to my node from Zeus, I get a 502 error in Zeus and a bunch of the following errors in the LND logs:

2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35394: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35402: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35404: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35416: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35428: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35436: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35450: remote error: tls: bad certificate
2024/03/18 15:11:13 http: TLS handshake error from 172.5.0.1:35458: remote error: tls: bad certificate

In this case, 172.5.0.1 is the gateway IP for my docker network, but if I change the hostname in my Cloudflare tunnel to point to my machine’s IP instead of localhost I still get similar errors.

I have added all imaginable IPs as tlsextraip values, nuked and regenerated my tls.key and tls.cert files every time, changed SSL security settings on Cloudflare from Full to Strict to Flexible to Off… nothing fixes the issue for me.

Any pointers on where to look next would be greatly appreciated!

SOLVED IT FOR MYSELF (lol)

It was a Cloudflare issue. I guess Cloudflare expected a different cert than the one that was generated by LND. Or something like that.

In the hostname as defined in the Cloudflare tunnel, I went into “additional options” and checked the “No TLS Verify” setting.

With the LND-generated cert installed on my phone, I can confirm that I’m able to use Cloudflare tunnels to proxy traffic from a domain name to LND if I check “No TLS Verify” in settings for that tunnel!
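As an added example (not from the original posts, and not Umbrel’s or cloudflared’s own configuration), this is what the “No TLS Verify” checkbox amounts to in a cloudflared ingress config, shown next to a variant that keeps origin verification on and instead trusts LND’s self-signed tls.cert. The tunnel UUID, hostnames, LND address and tls.cert path are placeholders; a real deployment would keep only one of the two rules for its hostname.

```yaml
# Added example: cloudflared config.yml fronting LND REST (port 8080 from
# restlisten). All angle-bracket values are placeholders, not real settings.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Rule 1: the dashboard's "No TLS Verify" setting. cloudflared accepts
  # whatever certificate the origin presents, so the "bad certificate"
  # handshake errors go away, but cloudflared can no longer tell whether it
  # is talking to LND or to something else answering on that address.
  - hostname: lnd-rest.example.com
    service: https://<lnd-host-ip>:8080
    originRequest:
      noTLSVerify: true

  # Rule 2: keep verification and trust LND's own cert. LND's tls.cert is
  # self-signed, so pointing caPool at it makes it the trust anchor. The name
  # cloudflared verifies must be one of the SANs LND put in the cert: either
  # connect by an IP that is listed in tlsextraip, or (as here) set
  # originServerName to the tlsextradomain value while connecting by IP.
  - hostname: lnd-rest-pinned.example.com
    service: https://<lnd-host-ip>:8080
    originRequest:
      noTLSVerify: false
      caPool: /<path-to-lnd-data>/tls.cert          # placeholder path
      originServerName: lnd-rest.example.com         # = tlsextradomain

  # Catch-all required as the last ingress rule.
  - service: http_status:404
```

Because caPool pins the exact LND certificate, the second rule has to be updated whenever tls.cert is regenerated, which is also why a fresh cert alone never changed the outcome in the thread above.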

I think we faced the same issue once with LNBits via Cloudflare managed DNS.

For this, in Cloudflare I’ve enabled Rules > Configuration Rules > for specific sub-domains set the SSL/TLS encryption rule to Full.
This way, the TLS gets handed through and not wrapped in another Cloudflare TLS cert.

But glad you got this working. Cries for a guide :loud_sound: