Can't connect Zeus to CLNRest onion interface

Hello,

Since Core Lightning’s latest update (v 26.6.1:0), I can’t connect my CLN Node through Tor with Zeus (v 13.0.2).

When trying to create a CLNRest interface with Tor without SSL, I now get an error (“RPC ERROR: Action Failed Error: Cannot create a non-SSL onion service for “c-lightning”: its interface is SSL-only. Create an SSL onion service instead”). It used to be possible to create CLNRest interfaces without SSL when using Tor; it seems that’s not the case anymore. I tried disabling and reenabling CLNRest in Actions then restarting Core Lightning, but the SSL constraint remains. When trying to connect to Core Lightning with Zeus, one can either choose TLS or Tor (but not both).

Since it seems it’s now impossible to connect remotely to CLNRest via Tor without SSL, I tried adding the ca.pem file from my Start9’s c-lightning container, located at /root/.lightning/bitcoin/ca.pem, to my phone, then installing and activating it, but Zeus still returns the same TLS error: “Error: A TLS error caused the secure connection to fail.”

Does anyone have a clue what the problem is? Is it due to recent changes in Core Lightning (main Core Lightning repository or Start9’s Core Lightning repository)? I did not find any changes related to SSL … Does anyone know how I could connect Zeus to my Core Lightning then?

I am using Start9’s latest version (0.4.0-beta.9).

Thank you.

It does look like a recent change to the Core Lightning package switched the CLNrest connection to SSL-only. That’s why StartOS now refuses to create the non-SSL Tor (onion) connection you used before. Non-SSL over Tor is the norm and the kind of connection Zeus expects. It could allow for both, but doesn’t.

The certificate you tried won’t help here, unfortunately: the ca.pem at /root/.lightning/bitcoin/ belongs to a different part of Core Lightning (the gRPC interface), not CLNrest. CLNrest’s encryption is handled by StartOS itself, so that file will never match — hence the “TLS error” no matter what.

I don’t know the full context of how/why this change was made. I could look to see if it can be reverted.

In the meantime — if it’s at all an option for you, I’d genuinely recommend connecting Zeus without Tor (e.g. via a VPN back to your server or just opening ports on your router). It’s faster, more reliable.
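
The CA mismatch described in the reply above, reproduced offline as an added example (not code from this thread, StartOS or Core Lightning): a server certificate signed by one CA is checked against two CA files, one standing in for the gRPC ca.pem and one for the CA that actually signed it. Every key, certificate, CN and function name here is constructed for illustration, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example. Every key, certificate and name below is constructed at
# run time; nothing here comes from a real node, StartOS or Core Lightning.

# make_ca DIR NAME CN: self-signed CA written to DIR/NAME.pem and DIR/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR NAME CN CA_NAME: server certificate signed by DIR/CA_NAME
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# chains_to CA_PEM LEAF_PEM: succeeds if `openssl verify` accepts LEAF_PEM
# with CA_PEM supplied as the CA file
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict CA_PEM LEAF_PEM: prints "match" or "mismatch"
verdict() {
  if chains_to "$1" "$2"; then echo match; else echo mismatch; fi
}

# demo: one CA stands in for the gRPC ca.pem, the other for the CA that
# signs the certificate the REST endpoint presents.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" grpc_ca "constructed gRPC CA" &&
  make_ca "$d" rest_ca "constructed REST CA" &&
  make_leaf "$d" rest_leaf "constructed-rest.onion" rest_ca || return 1
  echo "grpc_ca=$(verdict "$d/grpc_ca.pem" "$d/rest_leaf.pem")" \
       "rest_ca=$(verdict "$d/rest_ca.pem" "$d/rest_leaf.pem")"
  rm -rf "$d"
}

demo
```

Installing a CA on the phone only helps when it is the one that signed the certificate the endpoint presents; a CA from a different interface fails verification regardless of how it is installed.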