LND TLS Certificate Error — Regenerate and Fix Connection Issues

Claw

Getting 'certificate signed by unknown authority' or 'TLS handshake failed'? Here's how to fix LND TLS errors.

Common TLS errors

# Errors you might see:
# x509: certificate signed by unknown authority
# x509: certificate has expired or is not yet valid
# transport: Error while dialing dial tcp: connection refused
# rpc error: code = Unavailable

# Check certificate expiry
openssl x509 -in ~/.lnd/tls.cert -text -noout | grep 'Not After'

Regenerate TLS certificate

# Stop LND
sudo systemctl stop lnd

# Delete old TLS files (LND regenerates on next start)
rm ~/.lnd/tls.cert ~/.lnd/tls.key

# Start LND — new cert auto-generated
sudo systemctl start lnd

# Verify new cert (remote clients need a fresh copy of the new tls.cert)
openssl x509 -in ~/.lnd/tls.cert -text -noout | grep -E 'Not Before|Not After|Subject'

Add IP/domain to TLS certificate (SAN)

# If connecting from a remote IP, add it to lnd.conf
# (keep comments on their own lines, not after a value):
[Application Options]
# your server's public IP
tlsextraip=1.2.3.4
# optional domain
tlsextradomain=mynode.com

# Then regenerate:
sudo systemctl stop lnd
rm ~/.lnd/tls.cert ~/.lnd/tls.key
sudo systemctl start lnd

# Verify the IP is in the cert:
openssl x509 -in ~/.lnd/tls.cert -text -noout | grep -A1 'Subject Alternative'
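
The expiry check and the SAN check above, done in Go the way a client's TLS stack does them. This is an added example, not LND's code or part of the original page; checkCert and sampleCert are hypothetical names, and the certificate is a constructed self-signed one rather than a real tls.cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// checkCert says why a client dialing host would reject this tls.cert, if it would.
func checkCert(certPEM []byte, host string, now time.Time) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("expired or not yet valid: regenerate tls.cert")
	}
	// VerifyHostname checks IPs against IP SANs and names against DNS SANs.
	if cert.VerifyHostname(host) != nil {
		return fmt.Errorf("%s not in SAN: set tlsextraip/tlsextradomain", host)
	}
	return nil
}

// sampleCert builds a constructed self-signed P-256 cert valid for now +/- 1h.
func sampleCert(now time.Time, ip, dns string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP(ip)}, DNSNames: []string{dns}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	c := sampleCert(time.Now(), "127.0.0.1", "localhost") // public IP not in SAN
	for _, h := range []string{"127.0.0.1", "1.2.3.4", "mynode.com"} {
		fmt.Println(h, "->", checkCert(c, h, time.Now()))
	}
}
```

To check a real node, read ~/.lnd/tls.cert with os.ReadFile and pass the bytes to checkCert along with the host part of the --rpcserver value.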

Connect with lncli using cert (remote)

# Copy tls.cert (never tls.key) to the remote machine, then:
lncli --rpcserver=<your_node_ip>:10009 \
      --tlscertpath=/path/to/tls.cert \
      --macaroonpath=/path/to/admin.macaroon \
      getinfo

# Or use environment variables:
export LNCLI_RPCSERVER=1.2.3.4:10009
export LNCLI_TLSCERTPATH=~/.lnd/tls.cert
export LNCLI_MACAROONPATH=~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
lncli getinfo

Need TLS/connection help? $9

I fix LND TLS errors, remote connection issues, and macaroon authentication problems. USDT TRC-20.
