Self-generated certificates are deemed invalid on macOS Catalina #4201
Comments
|
It seems the bullet point about the ExtendedKeyUsage (EKU) was not satisfied by our self-signed certs. |
@guggero just installed https://github.com/guggero/lnd/tree/tls-ext-key-usage and ran it against our code including the certificate check. I can confirm that your change fixes the problem on my machine! :) |
|
Nice, thank you for testing! I'll create the PR right away. Because the diff is very small, this might even make it into the RC phase of |
Background
When using
lndto create a self-signed certificate, this certificate is deemed invalid on macOS Catalina, most likely due to new requirements for trusted certificates.Your environment
lnd version 0.9.1-beta commit=v0.9.1-beta19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64macOS Catalina 10.15.1 (19B88)0.17.0Steps to reproduce
Could not pinpoint why exactly the certificate is deemed invalid.
We started tracking an issue of failing requests to
lndusing the self-signed certificate.Details (related to our code):
Figured out that both
native-tlsandrustls-tlsrust-libraries return an error for the given certificate on macOS Catalina.Note, that on macOS Mojave we did not encounter that problem, and we did not encounter this problem on Linux.
Workaround: Forcing the TLS library to ignore certificate validation for requests to lnd with the invalid certificate.
Expected behaviour
Generation of a valid certificate.
Actual behaviour
Generation of a certificate that is deemed invalid.
The text was updated successfully, but these errors were encountered: