[GH-ISSUE #2957] x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "exam… #2361

Closed
opened 2026-05-05 13:31:16 -06:00 by gitea-mirror · 3 comments

Originally created by @Yellowpal on GitHub (May 28, 2022).
Original GitHub issue: https://github.com/fatedier/frp/issues/2957

Bug Description

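I generated the certificates following the documentation at https://gofrp.org/docs/features/common/network/network-tls/, changing only the IP address used when generating the server certificate, and the client reports this error as soon as it starts. I couldn't find anyone else who has run into this problem. Is something wrong with how I generated the certificates?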

frpc Version

0.41.0

frps Version

0.41.0

System Architecture

linux/amd64

Configurations

frpc.ini
[common]
server_addr = xxxxxx
server_port = 7001
protocol = kcp
tls_enable = true
tls_cert_file = client.crt
tls_key_file = client.key
tls_trusted_ca_file = ca.crt

frps.ini
[common]
bind_port = 7001
kcp_bind_port = 7001
log_file = /tmp/frp.log
tls_cert_file = /usr/local/frp/ca/server.crt
tls_key_file = /usr/local/frp/ca/server.key
tls_trusted_ca_file = /usr/local/frp/ca/ca.crt
tls_enable = true

Logs

2022/05/28 19:26:07 [W] [service.go:105] login to server failed: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "example.ca.com")
x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "example.ca.com")

Steps to reproduce

No response

Affected area

  • [ ] Docs
  • [X] Installation
  • [ ] Performance and Scalability
  • [ ] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others

@iGuan7u commented on GitHub (Jun 18, 2022):

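I ran into this problem too. In the end I found that the generated server.crt and client.crt files used the sha1 algorithm by default; forcing the sha256 algorithm in the command that generates the *.crt files is all it takes. For example, for client.crt:

```
openssl x509 -req -days 365 -sha256 \
    -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile <(printf "subjectAltName=DNS:client.com,DNS:example.client.com") \
    -out client.crt
```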
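The behaviour behind the error and the fix above, as an added example that is not part of the thread or of frp's code: since Go 1.18, crypto/x509 rejects SHA-1 signatures on non-root certificates during chain verification, so a leaf signed with SHA1-RSA fails against its own CA while the same leaf signed with SHA256-RSA verifies. The CA and leaf are throwaway certificates constructed in-process (subject names borrowed from the log and command above); `must`, `issue` and `verifyLeaf` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors so that verifyLeaf returns only the Verify result.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for pub with key using alg and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey, alg x509.SignatureAlgorithm) *x509.Certificate {
	tmpl.SignatureAlgorithm = alg
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// verifyLeaf builds a constructed CA, issues a leaf signed with alg, and verifies the
// leaf against that CA, as a TLS peer configured with a trusted CA file would.
func verifyLeaf(alg x509.SignatureAlgorithm) (x509.SignatureAlgorithm, error) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.ca.com"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey, x509.SHA256WithRSA)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client.com"}}
	leaf := issue(leafTmpl, ca, &leafKey.PublicKey, caKey, alg)

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return leaf.SignatureAlgorithm, err
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA} {
		got, err := verifyLeaf(alg)
		fmt.Printf("leaf signed with %v: verify error = %v\n", got, err)
	}
}
```

The self-signed CA is not subject to the SHA-1 check because roots in the pool are trusted directly, which matches the thread: only the server.crt and client.crt commands needed `-sha256`.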

@github-actions[bot] commented on GitHub (Jul 19, 2022):

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.


@korenyoni commented on GitHub (Aug 16, 2022):

Ran into the same issue resolved by this comment (https://github.com/fatedier/frp/issues/2957#issuecomment-1159350315). I believe the README should be updated to reflect this.
