github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #2000] 开启tls only失败,读取证书问题 #1591

New issue
Closed
opened 2026-05-05 13:00:49 -06:00 by gitea-mirror · 16 comments
gitea-mirror commented 2026-05-05 13:00:49 -06:00
Owner
Copy link

Originally created by @limaofu on GitHub (Sep 22, 2020).
Original GitHub issue: https://github.com/fatedier/frp/issues/2000

Originally assigned to: @yuyulei on GitHub.

C:\Users\Administrator\Documents\frp_0.34.0_windows_amd64>frpc.exe -c frpc.ini

2020/09/22 09:53:17 [W] [service.go:102] login to server failed: x509: certificate
relies on legacy Common Name field, use SANs or temporarily enable
Common Name matching with GODEBUG=x509ignoreCN=0

x509: certificate relies on legacy Common Name field, use SANs or temporarily
enable Common Name matching with GODEBUG=x509ignoreCN=0

Originally created by @limaofu on GitHub (Sep 22, 2020). Original GitHub issue: https://github.com/fatedier/frp/issues/2000 Originally assigned to: @yuyulei on GitHub. C:\Users\Administrator\Documents\frp_0.34.0_windows_amd64>frpc.exe -c frpc.ini 2020/09/22 09:53:17 [W] [service.go:102] login to server failed: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
gitea-mirror 2026-05-05 13:00:49 -06:00
  • closed this issue
  • added the
    question
         label
gitea-mirror commented 2026-05-05 13:00:53 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 22, 2020):

客户端:
[common]
server_addr =s.qq.com
server_port = 9833
token = 18xxxx6xx
tls_enable = true
tls_cert_file = c.qq.com.crt
tls_key_file = c.qq.com.key
tls_trusted_ca_file = frp_ca.crt

[testTls]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 9844

<!-- gh-comment-id:696470989 --> @limaofu commented on GitHub (Sep 22, 2020): 客户端: [common] server_addr =s.qq.com server_port = 9833 token = 18xxxx6xx tls_enable = true tls_cert_file = c.qq.com.crt tls_key_file = c.qq.com.key tls_trusted_ca_file = frp_ca.crt [testTls] type = tcp local_ip = 127.0.0.1 local_port = 3389 remote_port = 9844
gitea-mirror commented 2026-05-05 13:00:53 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 22, 2020):

0.34.0的新版本,

<!-- gh-comment-id:696471474 --> @limaofu commented on GitHub (Sep 22, 2020): 0.34.0的新版本,
gitea-mirror commented 2026-05-05 13:00:54 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 22, 2020):

客户端证书
image

<!-- gh-comment-id:696471902 --> @limaofu commented on GitHub (Sep 22, 2020): 客户端证书 ![image](https://user-images.githubusercontent.com/54393027/93838006-c9530800-fcba-11ea-9c42-a87c4b36ab41.png)
gitea-mirror commented 2026-05-05 13:00:55 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 22, 2020):

证书都是v3的版本,客户端和服务端的证书都是由同一ca去签名的。客户端本地也做了hosts指向s.qq.com到服务端ip,但服务端没有指向c.qq.com到客户端ip,因为客户端没有公网ip

<!-- gh-comment-id:696472247 --> @limaofu commented on GitHub (Sep 22, 2020): 证书都是v3的版本,客户端和服务端的证书都是由同一ca去签名的。客户端本地也做了hosts指向s.qq.com到服务端ip,但服务端没有指向c.qq.com到客户端ip,因为客户端没有公网ip
gitea-mirror commented 2026-05-05 13:00:56 -06:00
Author
Owner
Copy link

@blizard863 commented on GitHub (Sep 22, 2020):

这个我测试下。

<!-- gh-comment-id:696480551 --> @blizard863 commented on GitHub (Sep 22, 2020): 这个我测试下。
gitea-mirror commented 2026-05-05 13:00:57 -06:00
Author
Owner
Copy link

@blizard863 commented on GitHub (Sep 22, 2020):

可以提供下 frps 的日志。

<!-- gh-comment-id:696480613 --> @blizard863 commented on GitHub (Sep 22, 2020): 可以提供下 frps 的日志。
gitea-mirror commented 2026-05-05 13:00:57 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 22, 2020):

客户端日志:
[W] [service.go:102] login to server failed: x509: certificate
relies on legacy Common Name field, use SANs or temporarily enable
Common Name matching with GODEBUG=x509ignoreCN=0

x509: certificate relies on legacy Common Name field, use SANs or temporarily
enable Common Name matching with GODEBUG=x509ignoreCN=0

<!-- gh-comment-id:696481743 --> @limaofu commented on GitHub (Sep 22, 2020): 客户端日志: [W] [service.go:102] login to server failed: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
gitea-mirror commented 2026-05-05 13:00:58 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Sep 22, 2020):

@limaofu 执行 frpc 的时候加上提示的环境变量吧,GODEBUG=x509ignoreCN=0,这个是 go1.15 的变化。relies on legacy Common Name field 这个方式后面会逐渐废弃。

<!-- gh-comment-id:696483593 --> @fatedier commented on GitHub (Sep 22, 2020): @limaofu 执行 frpc 的时候加上提示的环境变量吧,`GODEBUG=x509ignoreCN=0`,这个是 go1.15 的变化。`relies on legacy Common Name field` 这个方式后面会逐渐废弃。
gitea-mirror commented 2026-05-05 13:00:59 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Sep 22, 2020):

@yuyulei

<!-- gh-comment-id:696483615 --> @fatedier commented on GitHub (Sep 22, 2020): @yuyulei
gitea-mirror commented 2026-05-05 13:00:59 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 22, 2020):

OK了,加了环境变量名GODEBUG值为x509ignoreCN=0然后就行了。
image
不过要求使用证书里的域名,然后不是真实的域名的话,要在本地添加hosts文件解析

<!-- gh-comment-id:696485476 --> @limaofu commented on GitHub (Sep 22, 2020): OK了,加了环境变量名GODEBUG值为x509ignoreCN=0然后就行了。 ![image](https://user-images.githubusercontent.com/54393027/93840699-e213eb80-fcc3-11ea-9be1-e135ff11b92d.png) 不过要求使用证书里的域名,然后不是真实的域名的话,要在本地添加hosts文件解析
gitea-mirror commented 2026-05-05 13:01:00 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Sep 22, 2020):

@limaofu 恩,这个问题我们再看一下,感觉可能是之前签证书的方法不规范,在新版本 go 里面开始不支持了。

<!-- gh-comment-id:696487913 --> @fatedier commented on GitHub (Sep 22, 2020): @limaofu 恩,这个问题我们再看一下,感觉可能是之前签证书的方法不规范,在新版本 go 里面开始不支持了。
gitea-mirror commented 2026-05-05 13:01:00 -06:00
Author
Owner
Copy link

@zzustu commented on GitHub (Sep 22, 2020):

2020-09-22-134803_844x265_scrot
如果不配环境变量,自签证书,怎么签才不报错呀

<!-- gh-comment-id:696520900 --> @zzustu commented on GitHub (Sep 22, 2020): ![2020-09-22-134803_844x265_scrot](https://user-images.githubusercontent.com/17822281/93847716-45107d00-fcda-11ea-869a-e071123e63b5.png) 如果不配环境变量,自签证书,怎么签才不报错呀
gitea-mirror commented 2026-05-05 13:01:00 -06:00
Author
Owner
Copy link

@yuyulei commented on GitHub (Sep 23, 2020):

CommonName 在 2000 年的时候已经开始废弃。RFC 6125 把 CommonName 作为一个可选项,关于使用方式详见:https://tools.ietf.org/html/rfc6125#section-6.4.4,与之前 go 版本处理方式是一致的。如果生成证书的时候没有提供其他Identity信息(比如说,DNS-ID, SRV-ID, URI-ID等),最后会选取 CommonName。

但是在最新 1.15 版本里面,官方正式废弃了 CommonName,也正是因此出现了上述报错。

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

  1. 临时方案是配置环境变量 GODEBUG=x509ignoreCN=0
  2. 推荐解决办法就是生成 SAN 证书, 可参考:http://liaoph.com/openssl-san/,这里就不展开了。

稍后,我们会在文档中心给一个证书生成示例。

<!-- gh-comment-id:697129541 --> @yuyulei commented on GitHub (Sep 23, 2020): CommonName 在 2000 年的时候已经开始废弃。RFC 6125 把 CommonName 作为一个可选项,关于使用方式详见:[https://tools.ietf.org/html/rfc6125#section-6.4.4](https://tools.ietf.org/html/rfc6125#section-6.4.4),与之前 go 版本处理方式是一致的。如果生成证书的时候没有提供其他Identity信息(比如说,DNS-ID, SRV-ID, URI-ID等),最后会选取 CommonName。 但是在最新 1.15 版本里面,官方正式废弃了 CommonName,也正是因此出现了上述报错。 ` x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 ` 1. 临时方案是配置环境变量 GODEBUG=x509ignoreCN=0 2. 推荐解决办法就是生成 SAN 证书, 可参考:[http://liaoph.com/openssl-san/](http://liaoph.com/openssl-san/),这里就不展开了。 稍后,我们会在文档中心给一个证书生成示例。
gitea-mirror commented 2026-05-05 13:01:01 -06:00
Author
Owner
Copy link

@zzustu commented on GitHub (Sep 23, 2020):

CommonName 在 2000 年的时候已经开始废弃。RFC 6125 把 CommonName 作为一个可选项,关于使用方式详见:https://tools.ietf.org/html/rfc6125#section-6.4.4,与之前 go 版本处理方式是一致的。如果生成证书的时候没有提供其他Identity信息(比如说,DNS-ID, SRV-ID, URI-ID等),最后会选取 CommonName。

但是在最新 1.15 版本里面,官方正式废弃了 CommonName,也正是因此出现了上述报错。

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

  1. 临时方案是配置环境变量 GODEBUG=x509ignoreCN=0
  2. 推荐解决办法就是生成 SAN 证书, 可参考:http://liaoph.com/openssl-san,这里就不展开了。

稍后,我们会在文档中心给一个证书生成示例。

NICE

<!-- gh-comment-id:697137505 --> @zzustu commented on GitHub (Sep 23, 2020): > CommonName 在 2000 年的时候已经开始废弃。RFC 6125 把 CommonName 作为一个可选项,关于使用方式详见:[https://tools.ietf.org/html/rfc6125#section-6.4.4,与之前](https://tools.ietf.org/html/rfc6125#section-6.4.4%EF%BC%8C%E4%B8%8E%E4%B9%8B%E5%89%8D) go 版本处理方式是一致的。如果生成证书的时候没有提供其他Identity信息(比如说,DNS-ID, SRV-ID, URI-ID等),最后会选取 CommonName。 > > 但是在最新 1.15 版本里面,官方正式废弃了 CommonName,也正是因此出现了上述报错。 > > `x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0` > > 1. 临时方案是配置环境变量 GODEBUG=x509ignoreCN=0 > 2. 推荐解决办法就是生成 SAN 证书, 可参考:[http://liaoph.com/openssl-san](http://liaoph.com/openssl-san),这里就不展开了。 > > 稍后,我们会在文档中心给一个证书生成示例。 NICE
gitea-mirror commented 2026-05-05 13:01:01 -06:00
Author
Owner
Copy link

@yuyulei commented on GitHub (Sep 23, 2020):

文档链接:https://gofrp.org/docs/features/common/network/network-tls/

<!-- gh-comment-id:697152497 --> @yuyulei commented on GitHub (Sep 23, 2020): 文档链接:https://gofrp.org/docs/features/common/network/network-tls/
gitea-mirror commented 2026-05-05 13:01:02 -06:00
Author
Owner
Copy link

@limaofu commented on GitHub (Sep 23, 2020):

image
使用了带san扩展的证书后,去掉GODEBUG环境变量,也成功了

<!-- gh-comment-id:697153504 --> @limaofu commented on GitHub (Sep 23, 2020): ![image](https://user-images.githubusercontent.com/54393027/93972898-d862b480-fda5-11ea-825d-37e5580c6bfd.png) 使用了带san扩展的证书后,去掉GODEBUG环境变量,也成功了
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#1591
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?