The lnd.conf documentation says:
; Adds an extra ip to the generated certificate. Setting multiple tlsextraip= entries is allowed.
; (old tls files must be deleted if changed)
; tlsextraip=
I think the idea is that you can add tlsextraip settings as a type of host-based authentication, so that when you start the server with this setting it will generate a certificate that allows that ip address to connect to it. Then you can send that certificate to the client along with the chosen macaroon and the client will be allowed to connect. Is that how the tlsextraip setting is supposed to work?
I am running LND 0.15.5-beta and tlsextraip seems to have no effect at all. The only thing I need to do to connect remotely is put the certificate and macaroon on the client.
I tested this theory by doing the following:
- Shut down LND on the server.
- Delete the tls.cert and tls.key files.
- Remove all tls-related settings from the config file.
- Start the server. It creates new tls.cert and tls.key files.
- Attempt to connect from the client. It fails.
- Copy the newly-created tls.cert to the client. (It also needs one of the macaroon files.)
- Attempt to connect from the client again. It works.
The command that I run from the client is the following:
lncli --rpcserver=192.168.1.38:10009 --tlscertpath=./tls.cert --macaroonpath=./readonly.macaroon describegraph
I can do this repeatedly with or without the tlsextraip setting being set. Am I doing this incorrectly? Is the tlsextraip setting used for some other purpose? Is this a bug? Has it been deprecated? Any explanation would be appreciated.
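An added example, not part of the original post and not lnd's own code: an IP entry in a certificate's subject alternative names tells a TLS client which server addresses the certificate is valid for, and it is not a list of clients allowed to connect. The helper names selfSigned and dialable are hypothetical, and 203.0.113.7 is a constructed documentation address standing in for a tlsextraip value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate whose IP SAN list is
// sanIPs. It stands in for a generated tls.cert (constructed sample).
func selfSigned(sanIPs ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"example autogenerated cert"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, ip := range sanIPs {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// dialable reports whether a client that trusts cert would accept it for a
// server reached at addr (the host part of --rpcserver).
func dialable(cert *x509.Certificate, addr string) bool {
	return cert.VerifyHostname(addr) == nil
}

func main() {
	base, _ := selfSigned("127.0.0.1")                 // no extra IP
	extra, _ := selfSigned("127.0.0.1", "203.0.113.7") // with the extra IP
	for _, addr := range []string{"127.0.0.1", "203.0.113.7"} {
		fmt.Printf("%-12s base=%v extra=%v\n", addr, dialable(base, addr), dialable(extra, addr))
	}
}
```

To see which addresses a real tls.cert covers, openssl x509 -in tls.cert -noout -text lists them under "X509v3 Subject Alternative Name".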