LND gRPC TLS Certificate Error — Fix tls.cert and macaroon Issues
Getting 'transport: authentication handshake failed' or 'permission denied' when connecting to LND via gRPC or lncli? Here's how to fix TLS and macaroon errors.
Diagnose the error type
```bash
# Run lncli and check the exact error
lncli getinfo

# Common errors:
# 'transport: authentication handshake failed: tls: failed to verify certificate'
#   → TLS cert mismatch (IP changed, cert expired, or wrong tls.cert)
# 'permission denied' or 'invalid macaroon'
#   → Wrong or corrupted macaroon
# 'connection refused'
#   → LND not running or wrong port
```
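The three error families above can be sorted mechanically. The script below is an added example, not part of the original page: `classify_lnd_error` matches the error strings quoted above (plus the `x509:` and `i/o timeout` variants gRPC commonly emits), `suggested_fix` maps the cause to the fix sections that follow, and `diagnose_lncli` wraps a real `lncli` call (it needs `lncli` on PATH and is not run by the demo). The sample messages at the bottom are constructed for the demo, not captured from a node.

```bash
#!/bin/sh
# Added example (not from the original page): sort an lncli/gRPC error message
# into its likely cause. Sample messages below are constructed for the demo.

# classify_lnd_error "<error text>" -> prints one of: tls | macaroon | connection | unknown
classify_lnd_error() {
    case "$1" in
        # TLS problems: handshake failure, unverifiable or expired certificate
        *"authentication handshake failed"*|*"failed to verify certificate"*|*"x509:"*)
            echo tls ;;
        # Macaroon problems: wrong file, missing permissions, or corrupted bytes
        *"permission denied"*|*"invalid macaroon"*|*"macaroon"*)
            echo macaroon ;;
        # Transport problems: LND down, wrong host/port, firewall
        *"connection refused"*|*"no such host"*|*"i/o timeout"*)
            echo connection ;;
        *)
            echo unknown ;;
    esac
}

# suggested_fix <cause> -> one-line pointer to the section of this page to apply
suggested_fix() {
    case "$1" in
        tls)        echo "Fix 1: regenerate tls.cert (check tlsextraip/tlsextradomain in lnd.conf)" ;;
        macaroon)   echo "Fix 2: regenerate macaroons / bake a fresh one" ;;
        connection) echo "check that lnd is running and that --rpcserver host:port (default 10009) is right" ;;
        *)          echo "unrecognised error: read the full lncli output" ;;
    esac
}

# diagnose_lncli <lncli args...> : run lncli; on failure print cause and suggested fix.
# Requires a real lncli on PATH; not exercised by the demo below.
diagnose_lncli() {
    if out=$(lncli "$@" 2>&1); then
        printf '%s\n' "$out"
        return 0
    fi
    cause=$(classify_lnd_error "$out")
    printf 'lncli failed (%s): %s\n' "$cause" "$out" >&2
    printf 'suggested: %s\n' "$(suggested_fix "$cause")" >&2
    return 1
}

# Demo on constructed messages (one per line); addresses are documentation ranges.
SAMPLE_ERRORS='[lncli] rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 203.0.113.10"
[lncli] rpc error: code = Unknown desc = permission denied
[lncli] rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp 127.0.0.1:10009: connect: connection refused"
[lncli] something unexpected'

printf '%s\n' "$SAMPLE_ERRORS" | while IFS= read -r line; do
    cause=$(classify_lnd_error "$line")
    printf '%-10s <- %s\n' "$cause" "$line"
done
```

Run it as a script to see the four sample lines classified, or source it and call `diagnose_lncli getinfo` on a node to get the cause and the fix to apply printed on stderr.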
Fix 1: Regenerate TLS certificate
```bash
# Stop LND
sudo systemctl stop lnd

# Delete old certs (LND will regenerate on next start)
rm ~/.lnd/tls.cert ~/.lnd/tls.key

# If your IP changed, add it to lnd.conf first:
# tlsextraip=<YOUR_NEW_IP>
# tlsextradomain=<YOUR_DOMAIN>

# Start LND — new certs generated automatically
sudo systemctl start lnd

# Verify new cert (SAN entries and expiry)
openssl x509 -in ~/.lnd/tls.cert -text -noout | grep -E 'IP|DNS|Not After'

# Any copy of the old tls.cert on other machines is now stale and must be
# replaced (see Fix 3)
```
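The `grep` at the end of Fix 1 shows the SAN entries, but it is easy to misread a long line. The script below is an added example, not part of the original page or the lnd project: it parses the `openssl x509 -text -noout` dump, answers whether a given IP or hostname is actually listed in the certificate's Subject Alternative Name, prints the expiry, and uses `openssl x509 -checkend` to warn when the cert expires within a week. The text dump used in the demo is constructed (documentation addresses), not a real LND certificate; `lnd_cert_check` runs the real `openssl` commands against a cert path you supply.

```bash
#!/bin/sh
# Added example (not from the original page): verify that tls.cert lists the
# address you will connect to, and report its expiry. The demo dump below is
# constructed; lnd_cert_check works on a real certificate file.

# cert_sans : read an `openssl x509 -text -noout` dump on stdin and print each
# Subject Alternative Name entry on its own line, e.g. "DNS:localhost" or
# "IP Address:203.0.113.10" (openssl's text form uses "IP Address:", not "IP:").
cert_sans() {
    sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# san_contains <host-or-ip> : dump on stdin; exit 0 if the SAN lists that value
san_contains() {
    want=$1
    cert_sans | {
        while IFS= read -r entry; do
            # strip the "DNS:" / "IP Address:" prefix and compare the value
            [ "${entry#*:}" = "$want" ] && exit 0
        done
        exit 1
    }
}

# cert_not_after : dump on stdin; print the "Not After" timestamp
cert_not_after() {
    sed -n 's/^[[:space:]]*Not After *: *//p'
}

# lnd_cert_check <tls.cert path> <host-or-ip you connect to>
# Exit 0 if the address is in the SAN and the cert is valid for more than 7 days.
lnd_cert_check() {
    cert=$1; want=$2
    dump=$(openssl x509 -in "$cert" -text -noout) || return 2
    status=0
    if printf '%s\n' "$dump" | san_contains "$want"; then
        echo "OK: $want is listed in the certificate SAN"
    else
        echo "FAIL: $want is not in the SAN; set tlsextraip/tlsextradomain in lnd.conf and regenerate" >&2
        status=1
    fi
    echo "Not After: $(printf '%s\n' "$dump" | cert_not_after)"
    # -checkend N exits non-zero if the cert expires within N seconds (7 days here)
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "WARN: certificate expires within 7 days" >&2; status=1; }
    return $status
}

# Constructed sample dump (trimmed to the fields the functions read)
SAMPLE_DUMP='Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2025 GMT
            Not After : Jan  1 00:00:00 2026 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:mynode.example, IP Address:127.0.0.1, IP Address:203.0.113.10
'

# Demo: one address that is listed, one that is not
for addr in 203.0.113.10 198.51.100.7; do
    if printf '%s\n' "$SAMPLE_DUMP" | san_contains "$addr"; then
        echo "$addr: listed in SAN"
    else
        echo "$addr: NOT in SAN -> add tlsextraip=$addr to lnd.conf and regenerate"
    fi
done
```

On a node, `lnd_cert_check ~/.lnd/tls.cert <LND_IP>` is the check to run right after the restart in Fix 1: a missing SAN entry means the regenerated cert still will not verify for remote clients, and that is fixed in `lnd.conf`, not by copying files around.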
Fix 2: Regenerate macaroons
```bash
# Stop LND
sudo systemctl stop lnd

# Delete the macaroon files (LND regenerates them on next start)
rm ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon

# Note: the regenerated files are signed with the same root key, which lives
# in macaroons.db in that same directory. To actually invalidate macaroons
# issued earlier, macaroons.db has to be removed as well; deleting only the
# .macaroon files does not revoke existing ones.

# Start LND
sudo systemctl start lnd

# Bake a new admin macaroon (options go before the permission list)
lncli bakemacaroon --save_to ~/admin.macaroon --root_key_id 0 \
    invoices:read invoices:write \
    onchain:read onchain:write \
    offchain:read offchain:write \
    address:read address:write \
    message:read message:write \
    peers:read peers:write \
    info:read \
    router:read router:write
```
Fix 3: Remote lncli (connecting from another machine)
```bash
# Copy cert and macaroon to the remote machine
scp user@lnd-host:~/.lnd/tls.cert ~/
scp user@lnd-host:~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon ~/
# admin.macaroon grants full control of the node; if the remote machine only
# needs to read, copy readonly.macaroon (same directory) or a baked macaroon
# with just the permissions it needs instead

# Use with lncli (10009 is LND's default gRPC port)
lncli --rpcserver=<LND_IP>:10009 \
      --tlscertpath=~/tls.cert \
      --macaroonpath=~/admin.macaroon \
      getinfo
```
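A remote `lncli` that suddenly reports `failed to verify certificate` usually has a stale copy of `tls.cert`: the node regenerated its certificate (Fix 1) and the file copied earlier no longer matches. The script below is an added example, not part of the original page or the lnd project: it compares the SHA-256 fingerprint of the local `tls.cert` with the fingerprint of the certificate the node actually presents on its gRPC port, via `openssl s_client`. The `normalize_fp` helper makes fingerprints from different tools comparable (case and colon differences). The fingerprint strings in the demo are constructed values, not real certificates; `check_remote_cert` does the live comparison against a node you name.

```bash
#!/bin/sh
# Added example (not from the original page): confirm that the tls.cert copied
# to this machine is the certificate the LND node presents on its gRPC port.
# Fingerprints used in the demo are constructed.

# normalize_fp "<openssl fingerprint line>" -> lowercase hex without separators.
# Accepts "sha256 Fingerprint=AB:CD:..." as well as "SHA256 Fingerprint=ab:cd:...".
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# fingerprints_match <fp1> <fp2> : exit 0 when both are non-empty and equal
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] \
        && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# local_cert_fingerprint <tls.cert> : fingerprint of the copied certificate
local_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# server_cert_fingerprint <host:port> : fingerprint of the cert the node presents
# (s_client prints the leaf cert in PEM form; x509 reads the first PEM block)
server_cert_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# check_remote_cert <tls.cert> <host:port> : exit 0 on match, 1 on mismatch,
# 2 if either fingerprint could not be obtained
check_remote_cert() {
    local_fp=$(local_cert_fingerprint "$1") || return 2
    server_fp=$(server_cert_fingerprint "$2") || return 2
    if fingerprints_match "$local_fp" "$server_fp"; then
        echo "OK: local tls.cert matches the certificate presented by $2"
        return 0
    fi
    echo "MISMATCH: the node presents a different certificate; re-copy ~/.lnd/tls.cert from it" >&2
    return 1
}

# Demo with constructed fingerprints: same cert reported by two tools, plus one stale copy
SAMPLE_LOCAL='sha256 Fingerprint=DE:AD:BE:EF:00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B'
SAMPLE_SERVER='SHA256 Fingerprint=de:ad:be:ef:00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b'
SAMPLE_STALE='sha256 Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

if fingerprints_match "$SAMPLE_LOCAL" "$SAMPLE_SERVER"; then
    echo "demo 1: match (same certificate, different formatting)"
fi
if ! fingerprints_match "$SAMPLE_STALE" "$SAMPLE_SERVER"; then
    echo "demo 2: mismatch (stale local copy)"
fi
```

Run `check_remote_cert ~/tls.cert <LND_IP>:10009` from the remote machine before touching macaroons: if it reports a mismatch, the macaroon is not the problem and re-copying `tls.cert` is the whole fix. Keep the copied macaroon readable only by your user (`chmod 600 ~/admin.macaroon`), since anyone who can read it holds the node's credentials.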
Need TLS/macaroon help? $9
I debug LND authentication and certificate issues remotely. USDT TRC-20.