Merge PR cosmos#3938: Remove REST server's secure mode altogether

* Remove REST server's secure mode altogether
* Add changelog pending entry

.pending/breaking/gaiacli/Remove-REST-server-s

@@ -0,0 +1 @@
+#3938 Remove REST server's SSL support altogether.

client/flags.go

@@ -40,10 +40,6 @@ const (
 	FlagListenAddr         = "laddr"
 	FlagCORS               = "cors"
 	FlagMaxOpenConnections = "max-open"
-	FlagTLS                = "tls"
-	FlagSSLHosts           = "ssl-hosts"
-	FlagSSLCertFile        = "ssl-certfile"
-	FlagSSLKeyFile         = "ssl-keyfile"
 	FlagOutputDocument     = "output-document" // inspired by wget -O
 	FlagSkipConfirmation   = "yes"
 )
@@ -110,10 +106,6 @@ func PostCommands(cmds ...*cobra.Command) []*cobra.Command {
 func RegisterRestServerFlags(cmd *cobra.Command) *cobra.Command {
 	cmd = GetCommands(cmd)[0]
 	cmd.Flags().String(FlagListenAddr, "tcp://localhost:1317", "The address for the server to listen on")
-	cmd.Flags().Bool(FlagTLS, false, "Enable SSL/TLS layer")
-	cmd.Flags().String(FlagSSLHosts, "", "Comma-separated hostnames and IPs to generate a certificate for")
-	cmd.Flags().String(FlagSSLCertFile, "", "Path to a SSL certificate file. If not supplied, a self-signed certificate will be generated.")
-	cmd.Flags().String(FlagSSLKeyFile, "", "Path to a key file; ignored if a certificate file is not supplied.")
 	cmd.Flags().String(FlagCORS, "", "Set the domains that can make CORS requests (* for all)")
 	cmd.Flags().Int(FlagMaxOpenConnections, 1000, "The number of maximum open connections")
 

client/lcd/root.go

@@ -52,9 +52,7 @@ func NewRestServer(cdc *codec.Codec) *RestServer {
 }
 
 // Start starts the rest server
-func (rs *RestServer) Start(listenAddr string, sslHosts string,
-	certFile string, keyFile string, maxOpen int, secure bool) (err error) {
-
+func (rs *RestServer) Start(listenAddr string, maxOpen int) (err error) {
 	server.TrapSignal(func() {
 		err := rs.listener.Close()
 		rs.log.Error("error closing listener", "err", err)
@@ -70,43 +68,7 @@ func (rs *RestServer) Start(listenAddr string, sslHosts string,
 	rs.log.Info(fmt.Sprintf("Starting Gaia Lite REST service (chain-id: %q)...",
 		viper.GetString(client.FlagChainID)))
 
-	// launch rest-server in insecure mode
-	if !secure {
-		return rpcserver.StartHTTPServer(rs.listener, rs.Mux, rs.log)
-	}
-
-	// handle certificates
-	if certFile != "" {
-		// validateCertKeyFiles() is needed to work around tendermint/tendermint#2460
-		if err := validateCertKeyFiles(certFile, keyFile); err != nil {
-			return err
-		}
-
-		//  cert/key pair is provided, read the fingerprint
-		rs.fingerprint, err = fingerprintFromFile(certFile)
-		if err != nil {
-			return err
-		}
-	} else {
-		// if certificate is not supplied, generate a self-signed one
-		certFile, keyFile, rs.fingerprint, err = genCertKeyFilesAndReturnFingerprint(sslHosts)
-		if err != nil {
-			return err
-		}
-
-		defer func() {
-			os.Remove(certFile)
-			os.Remove(keyFile)
-		}()
-	}
-
-	rs.log.Info(rs.fingerprint)
-	return rpcserver.StartHTTPAndTLSServer(
-		rs.listener,
-		rs.Mux,
-		certFile, keyFile,
-		rs.log,
-	)
+	return rpcserver.StartHTTPServer(rs.listener, rs.Mux, rs.log)
 }
 
 // ServeCommand will start a Gaia Lite REST service as a blocking process. It
@@ -122,13 +84,8 @@ func ServeCommand(cdc *codec.Codec, registerRoutesFn func(*RestServer)) *cobra.C
 			registerRoutesFn(rs)
 
 			// Start the rest server and return error if one exists
-			err = rs.Start(
-				viper.GetString(client.FlagListenAddr),
-				viper.GetString(client.FlagSSLHosts),
-				viper.GetString(client.FlagSSLCertFile),
-				viper.GetString(client.FlagSSLKeyFile),
-				viper.GetInt(client.FlagMaxOpenConnections),
-				viper.GetBool(client.FlagTLS))
+			err = rs.Start(viper.GetString(client.FlagListenAddr),
+				viper.GetInt(client.FlagMaxOpenConnections))
 
 			return err
 		},

docs/clients/lite/getting_started.md

@@ -19,18 +19,4 @@ gaiacli rest-server --chain-id=test \
     --trust-node=false
 ```
 
-The server listens on HTTP by default. You can enable the secure layer by adding the `--tls` flag.
-By default a self-signed certificate will be generated and its fingerprint printed out. You can
-configure the server to use a SSL certificate by passing the certificate and key files via the
-`--ssl-certfile` and `--ssl-keyfile` flags:
-
-```bash
-gaiacli rest-server --chain-id=test \
-    --laddr=tcp://localhost:1317 \
-    --node tcp://localhost:26657 \
-    --trust-node=false \
-    --tls \
-    --ssl-certfile=mycert.pem --ssl-keyfile=mykey.key
-```
-
 For more information about the Gaia-Lite RPC, see the [swagger documentation](https://cosmos.network/rpc/)