I wish I could just enter my LUD-16 self-custody LN address somewhere private and receive a responsive dump with all the data about its configuration for testing purposes. I'm not getting the connections right with basic security in mind.
Hi - I'm an independent Web App Sec bug bounty hunter and security researcher learning on the peripheries of my specialization, looking for pointers about basic self-custody Lightning Network node implementations, primarily for personal Nostr zapping use cases. I had researched the easiest setups shown below because that is how I learn. The following might seem like a lot of text but it should be easy and fairly quick to follow for those close to the matter.
If you have any tips, in the sense of responses, please refer to the numbered points in return. Once I map the functional version of this information, I can help many others through my upcoming podcast "Bitcoin Security Maps" on which I plan to continue publishing in this direction.
========================================= FOUNDATION: I believe that the holistic ecological decentralization of "freedom tech" hardware among the civilian populations is a necessary thermodynamic connection between physical and virtual realities that can enable, as an example, the Bitcoin movement to succeed in aligning civilization towards more normal aims.
========================================= ARTICLE: I have written an article on Medium about an experimental home closet setup for a Bitcoin Lightning Node Podcasting 2.0 zap station: "Vulnerable Podcasting 2.0 — Bitcoin LN Node Monetization Setup (2024)". It's long, meant for those few who see the value of an early V4V podcast. https://medium.com/cyberpower-telenoia/vulnerable-podcasting-2-0-bitcoin-ln-node-monetization-setup-2024-7a7f1484cb4f
========================================= 1 - WHAT WORKS: Currently testing:
Raspberry Pi 4B with Umbrel OS 1.1.2 Bitcoin Core 27.0.0 app, and LN node LND 0.17.5-beta app.
I haven't been tweaking these in any deep experimental ways yet, they are close to default settings.
My Lightning Network node works for basic receiving and sending, which means my router is doing the right forwarding, and my node channels work over TOR. The bitcoin node can connect with clearnet, TOR and I2P peers. This setup also works when I use various custodial LN addresses and LN wallets to transact with it, including #Nostr clients.
I am not choosing to run my own web server and I am not choosing a federated service. I am using a bridge server, the fiatjaf bridge at: https://bridgeaddr.fiatjaf.com/. I have done all ordinary steps to make the entrusted Mr fiatjaf bridge work, as per documentation.
I have read the Github documentation for LUD-06: payRequest base spec https://github.com/lnurl/luds/blob/luds/06.md
LUD-16: paying to static internet identifiers https://github.com/lnurl/luds/blob/luds/16.md
========================================= 2 - THE LN ADDRESS SETUP according to the mentioned BRIDGEADDR: In my own domain's DNS settings, I am configuring a subdomain named "bla":
CNAME bla bridgeaddr.fiatjaf.com
TXT _host.bla https://<<TOR ONION ADDRESS>>.onion:8080
TXT _kind.bla lnd
TXT _macaroon.bla <<BASE64 MACAROON SET TO "CREATE INVOICES" ONLY>>
FOR THE ABOVE SETTINGS:
The TOR onion address is the REST TOR host address portion. I baked the macaroon on Umbrel's Thunderhub App. There are other DNS settings on this domain, which includes emails for the root domain which I also use normally as a website.
========================================= 3 - CONFIRMED LIMITED WORKING ORDER: (testing LUD-16 LN address: wow@bla.blabla.com)
FIATJAF BRIDGEADDR QUESTIONS:
a) Are the above changeable by me in my setup? (Can I allow comments?)
b) Does the minimum sats refer to actual sats being transmitted or some channel minimum? I tried above this minimum and it still won't process.
========================================= 4 - WHAT DOESN'T WORK: The problem is that my own custodial LUD-16 LN address such as wow@bla.blabla.com does not work with my node. I wish to have one such public LN address to use for my LN node for receiving payments. On fiatjaf's bridgeaddr everything seems to work but something is not right on my end.
a) SENDING MYSELF SATS FROM STANDALONE WALLETOFSATOSHI: Error: Failed to create invoice "https://<<LN NODE ONION ADDRESS>>.onion:8080/v1/invoices proxyconnect tcp: dial tcp 127.0.0.1:9050: connect: connection refused
b) SENDING MYSELF SATS FROM STANDALONE MUTINY WALLET: Error: Failed to call on the given LNURL
c) USING TOR BROWSER TO TEST INVOICE:
https://<<LN NODE ONION ADDRESS>>.onion:8080/v1/getinfo
RESPONSE: Tor Browser does not trust this site because it uses a certificate that is not valid for <<LN NODE ONION ADDRESS>>.onion:8080. The certificate is only valid for the following names: umbrel.local, localhost, unix, unixpacket, bufconn
Error code: SSL_ERROR_BAD_CERT_DOMAIN
lnd autogenerated cert
WHEN I ACCEPT "THE RISK" AND CONTINUE:
JSON RESPONSE: code 2 message "expected 1 macaroon, got 0" details []
========================================= 5 - LOOKING AT THE GITHUB SOURCE CODE: https://github.com/fiatjaf/bridgeaddr/blob/master/makeinvoice.go
May 9 2024 line 89: case "lnd":
It makes an invoice from the "cert, host and macaroon". a) What cert?
========================================= 6 - A MISSING CERTIFICATE SEEMS TO BE THE PROBLEM: a) Am I not authenticating or not authorizing something?
b) Is there an http/https issue? In the mentioned LUD-16 documentation: "Upon seeing such an address, WALLET makes a GET request to https://... endpoint if domain is clearnet or http://... if domain is onion." My LN address domain/subdomain points to an onion addressed node. How is the http/https considered in this bridged case?
Is it looking for a certificate because I wrote "https" for my node's onion address? I try "http" in TOR URL: RESPONSE: "Client sent an HTTP request to an HTTPS server."
I try "http" in TXT _host.bla http://<<ONION LN ADDRESS>> and "http" in TOR browser URL: RESPONSE: "Client sent an HTTP request to an HTTPS server."
c) In the mentioned BRIDGEADDR documentation, do the following instructions refer to this certificate issue?
"If you use a self-signed certificate and want that to be checked:"
TXT _cert.domain.com -----BEGIN CERTIFICATE...
I added the above certificate and surely the TOR browser now has no issue retrieving the site at homebase: domain DNS settings:
TXT _cert.bla <<MY CERT AS PER cert=XXXXX in my LNDconnect URL (unescaped) and the same one that the TOR browser sees as valid for umbrel.local>>
RESPONSE when asking for LN node onion address in TOR browser: code 5 message "Not Found" details []
========================================= 7 - EXTRA SECURITY QUESTIONS
a) Is it even right to have a public LUD-16 connected directly to my node?
b) To what extent is it risky that an LN node is used as a wallet to send from in any public internet software such as nostr clients?
c) Should a Nostr client LN address ever be an LN node address?
========================================= 8 - EXTRA INFO
In Umbrel OS command line terminal:
sudo docker exec -it <<MY BITCOIN CONTAINER NAME>> bitcoin-cli -getinfo
RESPONSE: It's synched.
my proxies:
10.xa.xa.xa:9050 (onion)
10.xb.xb.xb:7656 (i2p)
========================================= 9 - FINALS
Ultimately I am wondering where the best current literary repository is for this knowledge, for example top 3 books and the online communities where the authors hang out.
Good morning.
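
Added example (not part of the original post, and not bridgeaddr's code): a Python check of the URL a wallet derives from a LUD-16 address and of the LUD-06 payRequest body it expects back, reporting `minSendable`/`maxSendable` (millisatoshis on the wire) in sats and the LUD-12 `commentAllowed` field. The response body is constructed for the post's placeholder address, and the function names are hypothetical.

```python
import json

USERNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_.")

def lnurlp_url(address):
    """LUD-16: map user@domain to the URL a wallet requests."""
    user, sep, domain = address.partition("@")
    if not sep or not user or not domain or set(user) - USERNAME_CHARS:
        raise ValueError(f"not a valid LUD-16 address: {address!r}")
    host = domain.split(":")[0].lower()
    # The spec says https for clearnet domains and http for .onion domains.
    scheme = "http" if host.endswith(".onion") else "https"
    return f"{scheme}://{domain}/.well-known/lnurlp/{user}"

def audit_pay_request(address, body):
    """Return (summary, problems) for a LUD-06 payRequest response body."""
    resp = json.loads(body)
    if resp.get("status") == "ERROR":
        return {}, [f"service returned an error: {resp.get('reason')}"]
    problems = []
    if resp.get("tag") != "payRequest":
        problems.append("tag is not 'payRequest'")
    lo, hi = resp.get("minSendable"), resp.get("maxSendable")
    limits_ok = isinstance(lo, int) and isinstance(hi, int) and 1 <= lo <= hi
    if not limits_ok:
        problems.append("minSendable/maxSendable missing or inconsistent")
    entries = {e[0]: e[1] for e in json.loads(resp.get("metadata", "[]"))}
    if "text/plain" not in entries:
        problems.append("metadata lacks the mandatory text/plain entry")
    if address not in (entries.get("text/identifier"), entries.get("text/email")):
        problems.append("metadata does not name this address (LUD-16)")
    summary = {
        "url": lnurlp_url(address),
        "callback": resp.get("callback"),
        # Limits are millisatoshis on the wire; shown here in sats.
        "min_sats": lo / 1000 if limits_ok else None,
        "max_sats": hi / 1000 if limits_ok else None,
        # LUD-12: absent or 0 means the service accepts no comment.
        "comment_chars": resp.get("commentAllowed", 0),
    }
    return summary, problems

# Constructed sample response for the post's placeholder address.
SAMPLE = json.dumps({
    "tag": "payRequest", "minSendable": 1000, "maxSendable": 100000000,
    "callback": "https://bla.blabla.com/.well-known/lnurlp/wow",
    "metadata": json.dumps([["text/identifier", "wow@bla.blabla.com"],
                            ["text/plain", "Sats for wow"]]),
})
```

Calling `audit_pay_request("wow@bla.blabla.com", SAMPLE)` returns the summary dictionary and an empty problem list; a real check would pass in the body fetched from the URL that `lnurlp_url` returns.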