
Here follows the tale of how I managed to get my CLN node connected to Stacker.News today. One section for each required field in https://stacker.news/wallets/cln. Hopefully it will help another wallet-straggler like me.

rest host and port

In the StartOS web UI: Go to Core Lightning -> Properties.
Make the "CLNRest Quick Connect"-section visible. (If it's not shown, you need to enable the CLNRest plugin under Core Lightning -> Config -> Advanced -> Plugins).
Copy the "foo.onion:3010" part from clnrest://<nodeid>@foo.onion:3010?rune=yadayada into the 1st field.

invoice only rune

The StartOS web interface for Core Lightning allows creating full-capability runes, but Stacker News requires a restricted rune, so we have to drop to CLI.
In the StartOS web UI: Go to System -> SSH and add a new SSH key in order to be able to connect via the command line (docs). Once set up, log in to your node:
ssh start9@<address of your StartOS node>
sudo podman exec -it c-lightning.embassy bash
Create an invoice-only rune using slightly different syntax than in the SN help; note the extra angle brackets(!):
lightning-cli createrune restrictions='[["method=invoice"]]'
The output should be
{ "rune": "<base64-value>", "unique_id": "1" }
base64-value is what you need to copy into the 2nd field.

cert

(I was surprised this was required as we are running behind a Tor hidden service, but okay...)
Open up your node's certificate (downloadable from the StartOS web UI under System -> Root CA).
Copy the public key value; it may be displayed in Base64 or in hex. For me, Firefox was showing it in hexadecimal with extra ":"-delimiters that I needed to discard. This is the value for the 3rd field.
@ek Please note that I needed an extra pair of angle brackets. With the single brackets my CLN log showed:
INFO lightningd: JSON COMMAND createrune: Invalid parameter restrictions (not a valid restriction (should be array)): token '"method=invoice"'
Might want to change/amend https://github.com/stackernews/stacker.news/blob/53b8f6f9564bee813c8e0dfd9f7295ea164d3256/wallets/cln/index.js#L24 (Not logging into GitHub because reasons 😎).
reply
0 sats \ 5 replies \ @ek 25 Jan
Which CLN version are you running? It works with a single bracket for me:
$ lightning-cli createrune restrictions='["method=invoice"]'
We are testing with v23.08
reply
I'm on v24.11.1
reply
0 sats \ 3 replies \ @ek 25 Jan
Did you use first ' and then inside " or the other way around?
I also get an error if I run
$ lightning-cli createrune restrictions="['method=invoice']"
lightning-cli: Some parameters are malformed, cannot create a valid JSON-RPC request: { "jsonrpc" : "2.0", "method" : "createrune", "id" : "cli:createrune#3018", "params" :{ "restrictions" : ['method=invoice']} }
but I don't if I run
$ lightning-cli createrune restrictions='["method=invoice"]'
It's probably some shell expansion that is consuming the brackets if you use " since " does not disable shell expansion but ' does.
reply
1010 sats \ 2 replies \ @Lumor OP 25 Jan
I was trying the second one ('["method=invoice"]'). $SHELL is bash. Maybe something in newer CLN versions made the parameter actually be an array of arrays?
reply
21 sats \ 1 reply \ @ek 25 Jan
Mhh, reading the createrune docs, that might indeed be the case:
restrictions (one of, optional): It can be the string readonly, or an array of restrictions. Each restriction is an array of one or more alternatives
Will test with v24.11
update: you are right, on v24.11, I need to run this:
$ lightning-cli createrune restrictions='[["method=invoice"]]'
and this throws:
$ lightning-cli createrune restrictions='["method=invoice"]'
{ "code": -32602, "message": "restrictions: not a valid restriction (should be array): invalid token (see logs for details)" }
reply
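Added example (not part of the thread, and not Stacker News or CLN code): a small Python check for the three spellings of the restrictions value tried above. It classifies each one, rewrites the flat form into the array-of-arrays form, and confirms the result really is invoice-only. The function names are hypothetical, and it assumes CLN's rune semantics: the alternatives inside one restriction are OR-ed, and separate restrictions are AND-ed.

```python
import json
import shlex

def classify_restrictions(arg):
    """Classify a createrune `restrictions` value exactly as typed after `restrictions=`."""
    if arg == "readonly":
        return "readonly"
    try:
        value = json.loads(arg)
    except json.JSONDecodeError:
        return "invalid-json"   # e.g. ['method=invoice']: JSON strings need double quotes
    if not isinstance(value, list):
        return "invalid-shape"
    if not value:
        return "empty"          # no restriction at all
    if all(isinstance(r, str) for r in value):
        return "flat"           # ["method=invoice"]: the form rejected on v24.11 in this thread
    if all(isinstance(r, list) and r and all(isinstance(a, str) for a in r) for r in value):
        return "nested"         # [["method=invoice"]]: restrictions, each an array of alternatives
    return "invalid-shape"

def to_nested(arg):
    """Rewrite the flat form into the nested form; pass nested/readonly through unchanged."""
    kind = classify_restrictions(arg)
    if kind in ("nested", "readonly"):
        return arg
    if kind == "flat":
        return json.dumps([[r] for r in json.loads(arg)], separators=(",", ":"))
    raise ValueError(f"cannot normalise restrictions ({kind}): {arg!r}")

def is_invoice_only(arg):
    """True only if some restriction has method=invoice as its sole alternative."""
    if classify_restrictions(arg) != "nested":
        return False
    return any(r == ["method=invoice"] for r in json.loads(arg))

def createrune_command(arg):
    """Build the shell command with the JSON safely single-quoted."""
    return "lightning-cli createrune " + shlex.quote("restrictions=" + to_nested(arg))

if __name__ == "__main__":
    # Constructed sample inputs: the three spellings from the thread plus an over-broad rune.
    for sample in ('["method=invoice"]', '[["method=invoice"]]', "['method=invoice']",
                   '[["method=invoice","method=pay"]]'):
        print(f"{sample:36} {classify_restrictions(sample):13} "
              f"invoice_only={is_invoice_only(sample)}")
    print(createrune_command('["method=invoice"]'))
```

The last sample is the case to watch for: putting a second method inside the same inner array widens the rune instead of narrowing it.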
10 sats \ 6 replies \ @ek 25 Jan
I was surprised this was required as we are running behind a Tor hidden service, but okay...
Oh, it shouldn't be required for hidden services but I see in our local dev setup that it throws "socket hang up" if you don't give it a cert. That's a bug!
reply
21 sats \ 2 replies \ @ek 25 Jan
Mhh, or maybe this is actually not a bug because CLNRest uses HTTPS by default, see docs. Are you sure you passed --clnrest-protocol=http?
It works without a cert if I do so.
reply
Oh, I'm trying to keep my StartOS config as "dumb" as possible, so I only try to mess with configuration via the web UI, and it doesn't expose the option of changing the protocol for CLNRest, just enabling/disabling the whole plugin. Guess they leave that HTTPS-default, which makes sense as they are/have added clearnet-support for StartOS.
reply
10 sats \ 0 replies \ @ek 25 Jan
makes sense, just wanted to let you know that we do allow onion without cert :)
reply
Ah, thanks for noticing! Yes, I think I was getting exactly the same error.
Was getting some exception thrown from here I think: https://github.com/gevent/gevent/blob/master/src/gevent/ssl.py#L319
reply
10 sats \ 1 reply \ @ek 25 Jan
That's SSL code so your CLN node is expecting HTTPS and therefore we need a cert to talk to it. You need to configure it appropriately to not expect HTTPS, see my other comment.
reply
Yup, realizing it was SSL-related is what made me give up on trying with an empty cert-field and dig up the public key.
reply
0 sats \ 1 reply \ @anon 22h
So anybody on the Tor network can create invoices on your node at foo.onion:3010? It better be rate limited.
reply
0 sats \ 0 replies \ @ek 22h
It requires a rune and lightning addresses are also usually not rate-limited afaict.
reply
thank you, the cert part was never clear to me when trying to set this up
reply
@remindme in 73 days
reply
That’s oddly specific
reply