From 123d531c8bda4881246748822d403a820d556d7a Mon Sep 17 00:00:00 2001
From: gcaracuel <633810+gcaracuel@users.noreply.github.com>
Date: Thu, 27 Jul 2023 11:24:55 +0200
Subject: [PATCH 1/2] Allow loopd autogenerated TLS cert validity override with a new loopd flag
Co-authored-by: George Tsagkarelis <34623190+GeorgeTsagk@users.noreply.github.com>
---
 loopd/config.go | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/loopd/config.go b/loopd/config.go
index 7ed020b..d428e10 100644
--- a/loopd/config.go
+++ b/loopd/config.go
@@ -99,9 +99,8 @@ var (
 )
 // DefaultAutogenValidity is the default validity of a self-signed
- // certificate. The value corresponds to 14 months
- // (14 months * 30 days * 24 hours).
- DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
+ // certificate in number of days.
+ DefaultAutogenValidity = 365 * 24 * time.Hour
 )
 type lndConfig struct {
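Review bot: The rewritten doc comment on DefaultAutogenValidity says the value is "in number of days", but the constant is a time.Duration (`365 * 24 * time.Hour`, i.e. 8760h), so the comment now contradicts the type it documents and will mislead anyone reading the value. Suggest `// DefaultAutogenValidity is the default validity of a self-signed` / `// certificate, expressed as a time.Duration (365 days).` The same days-vs-duration mismatch recurs in the description of the new tlsvalidity flag in the next hunk. Shortening the default from 14 months to one year is a reasonable hygiene improvement and does not need further comment.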
@@ -146,12 +145,13 @@ type Config struct {
 Sqlite *loopdb.SqliteConfig `group:"sqlite" namespace:"sqlite"`
 Postgres *loopdb.PostgresConfig `group:"postgres" namespace:"postgres"`
- TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for loop's RPC and REST services."`
- TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for loop's RPC and REST services."`
- TLSExtraIPs []string `long:"tlsextraip" description:"Adds an extra IP to the generated certificate."`
- TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate."`
- TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed."`
- TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set."`
+ TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for loop's RPC and REST services."`
+ TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for loop's RPC and REST services."`
+ TLSExtraIPs []string `long:"tlsextraip" description:"Adds an extra IP to the generated certificate."`
+ TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate."`
+ TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed."`
+ TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set."`
+ TLSValidity time.Duration `long:"tlsvalidity" description:"Loop's TLS certificate validity period in days. 
Defaults to 8760h (1 year)"`
 MacaroonPath string `long:"macaroonpath" description:"Path to write the macaroon for loop's RPC and REST services if it doesn't exist."`
@@ -204,6 +204,7 @@ func DefaultConfig() Config {
 DebugLevel: defaultLogLevel,
 TLSCertPath: DefaultTLSCertPath,
 TLSKeyPath: DefaultTLSKeyPath,
+ TLSValidity: DefaultAutogenValidity,
 MacaroonPath: DefaultMacaroonPath,
 MaxLSATCost: lsat.DefaultMaxCostSats,
 MaxLSATFee: lsat.DefaultMaxRoutingFeeSats,
@@ -348,7 +349,12 @@ func Validate(cfg *Config) error {
 // At least one retry.
 if cfg.MaxPaymentRetries < 1 {
- return fmt.Errorf("max payment retries must be positive")
+ return fmt.Errorf("max payment retries must be at least 1")
+ }
+
+ // TLS Valisity period to be at least 24 hours
+ if cfg.TLSValidity < time.Hour*24 {
+ return fmt.Errorf("TLS certificate minimum validity period is 24h")
 }
 return nil
@@ -415,7 +421,7 @@ func loadCertWithCreate(cfg *Config) (tls.Certificate, *x509.Certificate,
 certBytes, keyBytes, err := cert.GenCertPair(
 defaultSelfSignedOrganization, cfg.TLSExtraIPs,
 cfg.TLSExtraDomains, cfg.TLSDisableAutofill,
- DefaultAutogenValidity,
+ cfg.TLSValidity,
 )
 if err != nil {
 return tls.Certificate{}, nil, err
From 7b31f1f64d61ea2b12ed9db2b2f5c1a8073d0320 Mon Sep 17 00:00:00 2001
From: Guillermo Caracuel <633810+gcaracuel@users.noreply.github.com>
Date: Thu, 27 Jul 2023 16:12:20 +0200
Subject: [PATCH 2/2] Update loopd/config.go
Co-authored-by: George Tsagkarelis <34623190+GeorgeTsagk@users.noreply.github.com>
---
 loopd/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/loopd/config.go b/loopd/config.go
index d428e10..6e92912 100644
--- a/loopd/config.go
+++ b/loopd/config.go
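Review bot: The description of the new `tlsvalidity` flag says the period is "in days", but the field is a `time.Duration`; if the struct is parsed by go-flags as the `long:`/`description:` tags suggest, the value goes through `time.ParseDuration`, so an operator who follows the help text and passes `--tlsvalidity=365` gets a parse error (no unit), while `--tlsvalidity=365h` silently yields a cert valid for about two weeks. The example `8760h` in the same sentence already contradicts "in days". Suggest `description:"Loop's TLS certificate validity period as a Go duration (hours, e.g. 8760h). Defaults to 8760h (1 year)."`. The surrounding Config struct starts and ends outside this hunk.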
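Review bot: The new check in Validate only bounds TLSValidity from below; nothing rejects an arbitrarily long validity such as `--tlsvalidity=876000h`, which turns a self-signed cert that was previously rotated at most every 14 months into one that is effectively never rotated. Consider an upper bound (the previous 14-month default is close to the ~398-day cap widely applied to public TLS certs), or at minimum state in the flag description that long validities weaken rotation. The 24h floor is also repeated as a literal in both the comparison and the error string; a named constant such as `minTLSValidity = 24 * time.Hour` used in both keeps them from drifting apart. The body of Validate continues outside the hunk.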
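Review bot: In loadCertWithCreate the new cfg.TLSValidity is consulted only on the cert.GenCertPair call, i.e. when a new key pair is generated, so changing `--tlsvalidity` on an existing deployment presumably has no effect on the certificate already on disk; per the `tlsautorefresh` description in this patch, regeneration is triggered by IP/domain changes, not by a validity change. The rest of loadCertWithCreate is outside the hunk, so I cannot confirm whether any other path regenerates the cert. A one-line comment above the call, `// TLSValidity only applies to freshly generated certs; an existing cert keeps its original NotAfter.`, or a matching sentence in the flag description, would save operators from assuming the flag shortens (or extends) a live cert.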
@@ -352,7 +352,7 @@ func Validate(cfg *Config) error {
 return fmt.Errorf("max payment retries must be at least 1")
 }
- // TLS Valisity period to be at least 24 hours
+ // TLS Validity period to be at least 24 hours
 if cfg.TLSValidity < time.Hour*24 {
 return fmt.Errorf("TLS certificate minimum validity period is 24h")
 }