LND TLS Certificate Expired — Renew and Reconnect
LND TLS certificates expire after 1 year by default. After expiry, lncli and REST/gRPC connections fail. Here's how to renew them.
Symptoms of expired TLS cert
    # You'll see errors like:
    # transport: authentication handshake failed: x509: certificate has expired
    # tls: failed to verify certificate: x509: certificate has expired

    # Check cert expiry date
    openssl x509 -enddate -noout -in ~/.lnd/tls.cert
    # Example output: notAfter=Mar 10 12:00:00 2026 GMT
Renew the TLS certificate
    # Method 1: Delete cert files and restart (LND will regenerate)
    sudo systemctl stop lnd
    rm ~/.lnd/tls.cert ~/.lnd/tls.key
    sudo systemctl start lnd

    # LND auto-generates new tls.cert and tls.key on startup
    # Wait a few seconds, then verify:
    openssl x509 -enddate -noout -in ~/.lnd/tls.cert
Update macaroons after cert renewal
    # After cert renewal, existing macaroons still work
    # but if you see auth errors, regenerate them:
    sudo systemctl stop lnd
    rm ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon
    sudo systemctl start lnd
    # LND regenerates macaroons on startup
Add custom SANs (IP/hostname) to the cert
    # In lnd.conf — add SANs before regenerating cert
    [Application Options]
    tlsextradomain=mydomain.com
    tlsextraip=192.168.1.100
    tlsextraip=1.2.3.4

    # Then delete and regenerate:
    rm ~/.lnd/tls.cert ~/.lnd/tls.key
    sudo systemctl restart lnd
Extend cert validity to 10 years
    # In lnd.conf
    [Application Options]
    # 10 years
    tlscertduration=87600h

    # Delete and restart to regenerate with new duration
    rm ~/.lnd/tls.cert ~/.lnd/tls.key
    sudo systemctl restart lnd
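A pre-expiry check to run from cron, added here as an example (not LND's or this page's own code): it uses openssl's -checkend to flag a tls.cert that is expired or about to expire, and -checkhost/-checkip to confirm that the names set with tlsextradomain/tlsextraip are in the regenerated cert. The function names, status words and 30-day default are assumptions.

```shell
#!/usr/bin/env bash
# Added example: expiry and SAN checks for an LND tls.cert.
# Function names and the 30-day warning window are illustrative assumptions.

# cert_status FILE [WARN_DAYS]
# Prints: missing | invalid | expired | expiring | ok
# Returns:   3    |    4    |    2    |    1     | 0
cert_status() {
    local cert="$1" warn_days="${2:-30}"
    [ -r "$cert" ] || { echo missing; return 3; }
    # Reject files that do not parse as an X.509 certificate.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo invalid; return 4; }
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -checkend "$((warn_days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# cert_covers FILE NAME
# Succeeds if NAME (hostname or IP) is accepted by the cert's SANs.
cert_covers() {
    local cert="$1" name="$2" flag
    case "$name" in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # anything non-numeric is a hostname
        *)         flag=-checkip ;;    # dotted IPv4
    esac
    openssl x509 -noout "$flag" "$name" -in "$cert" 2>&1 | grep -q 'does match'
}

# Usage: ./check-lnd-cert.sh ~/.lnd/tls.cert 30 mydomain.com 192.168.1.100
if [ "$#" -gt 0 ]; then
    cert="$1"; warn="${2:-30}"
    shift; [ "$#" -gt 0 ] && shift
    echo "$cert: $(cert_status "$cert" "$warn")"
    for name in "$@"; do
        if cert_covers "$cert" "$name"; then
            echo "SAN ok: $name"
        else
            echo "SAN MISSING: $name"
        fi
    done
fi
```

Remote clients that hold a copy of tls.cert need the new file after every regeneration, so run the check before expiry and schedule the renewal rather than waiting for connections to fail.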