[GH-ISSUE #2320] Error occurs with TLS encryption: [W] [service.go:103] login to server failed: session shutdown #1841

Closed
opened 2026-05-05 13:11:23 -06:00 by gitea-mirror · 9 comments

Originally created by @villivateur on GitHub (Mar 21, 2021).
Original GitHub issue: https://github.com/fatedier/frp/issues/2320

Version: 0.35.1

OS: Ubuntu 18.04 LTS
CPU architecture: AMD64

Everything went well until I wanted to change my FRP service to TLS encrypted mode.
I started frps on server A, then started frpc on server B. Server B shows the following log:

```
$ frpc -c /etc/frp/frpc.ini
2021/03/21 13:54:24 [W] [service.go:103] login to server failed: session shutdown
session shutdown
```

But nothing in server A:

```
$ frps -c /etc/frp/frps.ini
2021/03/21 22:01:22 [I] [root.go:108] frps uses config file: /etc/frp/frps.ini
2021/03/21 22:01:23 [I] [service.go:190] frps tcp listen on 0.0.0.0:8877
2021/03/21 22:01:23 [I] [root.go:217] frps started successfully
```

I promise that before I add the TLS function, the frps and frpc worked well.

No more logs are available.

**Config file**

```ini
# frps.ini
[common]
bind_port = 8877
#log_file = /var/log/frp/frps.log
token = 1230456
tls_enable = true
tls_cert_file = /etc/frp/frp.crt
tls_key_file = /etc/frp/frp.key
tls_trusted_ca_file = /etc/frp/ca.pem
```

```ini
# frpc.ini
[common]
server_addr = frp.example.com
server_port = 8877
token = 1230456
tls_enable = true
tls_cert_file = /etc/frp/frp.crt
tls_key_file = /etc/frp/frp.key
tls_trusted_ca_file = /etc/frp/ca.pem

[proxy]
type = tcp
local_ip = 127.0.0.1
local_port = 443
remote_port = 2133
use_encryption = true
use_compression = true
```

The `frp.crt` and `ca.pem` are self-signed using openssl. I'm sure the `CN` in `frp.crt` is `frp.example.com`.

**Can you guess what caused this issue**

I've tried removing the `tls_trusted_ca_file = /etc/frp/ca.pem` line in `frpc.ini`. The frpc worked. But it seems that it does not work in TLS mode.

So, I guess that frpc had errors in processing ca.pem. Did I do something wrong?

Checklist:

  • I included all information required in the sections above
  • I made sure there are no duplicates of this report (Use Search)

@yuyulei commented on GitHub (Mar 22, 2021):

can you follow tls_demo and try it again, I want to make sure whether some mistake happens when generating the certificates.


@villivateur commented on GitHub (Mar 22, 2021):

> can you follow tls_demo and try it again, I want to make sure whether some mistake happens when generating the certificates.

@yuyulei Thank you for your reply. I followed the tls_demo exactly and it worked (only replaced the `example.ca.com` when generating the ca cert and `server.com` when generating the server cert).

But I still want to know where I missed for generating the certs. I've followed this link (language: zh-cn) to do that, and set my frps server's hostname to Common Name field.

Am I wrong? Or, how can I figure out where I am wrong? How can I debug in frpc? session shutdown means nothing to me.
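
Added example, not part of the original thread and not frp's own code: a standalone Go check that verifies a certificate against a CA and hostname with `crypto/x509`, so the concrete verification error is printed. The certificates are constructed in memory and `issue` and `Check` are hypothetical helper names; it contrasts a CN-only certificate, which Go 1.15 and later reject by default because the Common Name is no longer used for hostname matching, with one that carries a subjectAltName. The thread does not establish that this was the cause of the reported failure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(cn string, sans []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // constructed throwaway certificate for the demo
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     sans, // subjectAltName entries; nil leaves a CN-only certificate
	}
	if parent == nil { // no issuer given: make a self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, cerr := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der) // returns an error, not a panic, if der is nil
	if cerr != nil || perr != nil {
		panic(fmt.Sprint(cerr, " ", perr))
	}
	return cert, key
}

// Check runs the chain and hostname verification that crypto/x509 applies to a server certificate.
func Check(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("constructed-ca", nil, nil, nil)
	cnOnly, _ := issue("frp.example.com", nil, ca, caKey)
	withSAN, _ := issue("frp.example.com", []string{"frp.example.com"}, ca, caKey)
	fmt.Println("CN only:", Check(cnOnly, ca, "frp.example.com"), "| with SAN:", Check(withSAN, ca, "frp.example.com"))
}
```

To run the same check on real files, decode the PEM blocks with `encoding/pem`, parse them with `x509.ParseCertificate`, and pass the results to `Check`.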


@villivateur commented on GitHub (Mar 23, 2021):

BTW, I used the same certificate for frps and frpc. Will it cause session shutdown?


@zed76r commented on GitHub (Apr 29, 2021):

I have the same problem. After connecting several times, the message shows that the time validation fails:

```
❯ frpc -c $HOME/.local/etc/frpc.ini
2021/04/29 12:00:08 [W] [service.go:102] login to server failed: x509: certificate has expired or is not yet valid: current time 2021-04-29T12:00:08+08:00 is after 0001-01-01T00:00:00Z
x509: certificate has expired or is not yet valid: current time 2021-04-29T12:00:08+08:00 is after 0001-01-01T00:00:00Z
```

However, both certificates are within their validity period when viewed with openssl and the Windows certificate viewer.

server.crt
image

ca.crt
image

My certificates were also generated following the TLS section, except that I changed the CA's CN to a different name and the server certificate's CN to my public IP.

Also, I'm not sure whether it's related, but when I tried to fetch the server certificate with s_client, there was none:

```
~
❯ openssl s_client -connect MY_HOST_IP:PORT -showcerts < /dev/null
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

frps.ini

```ini
[common]
bind_port = 8443
bind_udp_port = 8443
token =
log_file = /var/log/frp/frp.log
tls_only = true
tls_enable = true
tls_cert_file = /etc/frp/certs/server.crt
tls_cert_file = /etc/frp/certs/server.key
tls_trusted_ca_file = /etc/frp/certs/ca.crt
```

@zhanghe1993 commented on GitHub (May 21, 2021):

> can you follow tls_demo and try it again, I want to make sure whether some mistake happens when generating the certificates.

image
When FRPS and FRPC are in different countries, is it useful to create a certificate by way of tls_demo? According to the method tls_demo, my host in China can connect normally, but the host abroad cannot. Fortunately, it is working when I copy the ca and client files of the domestic client host to a foreign host.


@github-actions[bot] commented on GitHub (Jul 6, 2021):

Issues go stale after 45d of inactivity. Stale issues rot after an additional 10d of inactivity and eventually close.


@shagunkam commented on GitHub (Jan 11, 2024):

```
2024/01/11 12:03:03 [I] [root.go:141] start frpc service for config file [frpc.toml]
2024/01/11 12:03:03 [I] [service.go:287] try to connect to server...
2024/01/11 12:03:04 [W] [service.go:290] connect to server error: session shutdown
2024/01/11 12:03:04 [I] [root.go:159] frpc service for config file [frpc.toml] stopped
login to the server failed: session shutdown. With loginFailExit enabled, no additional retries will be attempted
```

```toml
serverAddr = "127.0.0.1"
serverPort = 7000

[[proxies]]
name = "test-tcp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6000
```

How do I resolve this session shutdown error? Anyone? @villivateur


@vule20 commented on GitHub (Mar 14, 2024):

Have you been able to solve it? @shagunkam


@8ebb82 commented on GitHub (May 30, 2025):

Same error as @shagunkam. Anyone solve it?
