Can't connect Zeus to CLNRest onion interface

Hello,

Since Core Lightning’s latest update (v 26.6.1:0), I can’t connect my CLN Node through Tor with Zeus (v 13.0.2).

When trying to create a CLNRest interface with Tor without SSL, I now get an error (“RPC ERROR: Action Failed Error: Cannot create a non-SSL onion service for “c-lightning”: its interface is SSL-only. Create an SSL onion service instead”). It used to be possible to create CLNRest interfaces without SSL when using Tor, seems it’s not the case anymore. I tried disabling and reenabling CLNRest in Actions then restarting Core Lightning, but the SSL constraint remains. When trying to connect to Core Lightning with Zeus, one can either choose TLS or Tor (but not both).

Since it seems it’s now impossible to connect remotely to CLNRest via Tor without SSL, I tried adding the ca.pem file from my Start9’s c-lightning container, located at /root/.lightning/bitcoin/ca.pem, to my phone, then installing and activating it, but Zeus still returns the same TLS error: “Error: A TLS error caused the secure connection to fail.”

Does anyone have a clue what the problem is? Is it due to recent changes in Core Lightning (main Core Lightning repository or Start9’s Core Lightning repository)? I did not find any changes related to SSL … Does anyone know how I could connect Zeus to my Core Lightning then?

I am using Start9’s latest version (0.4.0-beta.9).

Thank you.

It does look like a recent change to the Core Lightning package switched the CLNrest connection to SSL-only. That’s why StartOS now refuses to create the non-SSL Tor (onion) connection you used before. Non-SSL over Tor is the norm and the kind of connection Zeus expects. It could allow for both, but doesn’t.

The certificate you tried won’t help here, unfortunately: the ca.pem at /root/.lightning/bitcoin/ belongs to a different part of Core Lightning (the gRPC interface), not CLNrest. CLNrest’s encryption is handled by StartOS itself, so that file will never match — hence the “TLS error” no matter what.

I don’t know the full context of how/why this change was made. I could look to see if it can be reverted.

In the meantime — if it’s at all an option for you, I’d genuinely recommend connecting Zeus without Tor (e.g. via a VPN back to your server or just opening ports on your router). It’s faster, more reliable.

The SSL change was made in August 2025. A recent change may have broken the certs, but those shouldn’t be related to the REST interface.

Did you mean this stopped working when you updated from StartOS 0351 to StartOS 040 and its completely different packaged services??

Hello again,

Thank you for the explanation and hints, I’ll definitely spend some time trying to connect Zeus using a VPN or Tunnel. StartTunnel’s gateway would fit well in that scenario I think.

To answer your second message: no. I was already using StartOS 040 in the last weeks and I did not have any problems connecting Zeus to CLN with Tor and no-SSL. This appeared during this week, potentially when I updated Core Lightning to the latest version (26.6.1:0).

And I also tried to connect my Start9’s LND node’s Rest Interface over Tor with Zeus. Exactly like Core Lightning, LND requires the Rest interface to be with SSL, even when using Tor. However, using the macaroon I could establish the connection (Did not need to make any certificate stuff on my phone). So I guess it’s a very narrow issue, between Zeus and Core Lightning, or that concerns just the latest Core Lightning bundled version for Start9OS.

I can report that there are definitely some issues with this, it’s being worked on now.

Thanks a lot for your help

I’ll learn the way you suggested to me in the meantime

This is being built. You’ll find it on the Beta Registry soon for testing if you have that set up, but it’ll move quite fast to production I think.

I installed the latest version from the Beta registry and I could connect again with Zeus using an SSL-onion CLNRest interface. Thanks a lot for the quick fix, it’s great!
