mirror of
https://github.com/fatedier/frp.git
synced 2026-05-15 08:05:49 -06:00
[GH-ISSUE #4463] ca.key and unknown authority problems when connecting with TLS mutual authentication #3526
Originally created by @hqoq on GitHub (Sep 29, 2024).
Original GitHub issue: https://github.com/fatedier/frp/issues/4463
Bug Description
Following the documentation, I first generated the relevant certificate files locally to configure TLS mutual authentication. When generating the server certificate I filled in the server IP and server domain name myself. The client certificate used the default example.client.com.
On the first frpc connection attempt, the error was: open /etc/frp/ssl/ca.key: no such file or directory.
This was rather strange: according to the documentation and information online, I saw nothing indicating that ca.key is needed when the client connects. I then put ca.key into the same folder.
On the second frpc connection attempt, the error was: session shutdown.
This time I imported the generated ca.crt, client.crt and client.key into the Synology certificate trust list.
On the third frpc connection attempt, the error was: failed to verify certificate: x509: certificate signed by unknown authority.
I don't know how to solve this, thank you!
frpc Version
0.60.0
frps Version
0.60.0
System Architecture
linux/amd64
Configurations
#########frps.toml#########
bindPort = 7000
auth.method = "token"
auth.token = "********"
transport.tls.force = true
transport.tls.certFile = "/root/frp/ssl/server.crt"
transport.tls.keyFile = "/root/frp/ssl/server.key"
transport.tls.trustedCaFile = "/root/frp/ssl/ca.crt"
log.to = "/root/frp/log/frps.log"
log.level = "info"
log.maxDays = 5
#########frpc.toml#########
user = "nas"
serverAddr = "xxx.xxx.xxx"
serverPort = 7000
auth.method = "token"
auth.token = "********"
transport.tls.enable = true
transport.tls.certFile = "/etc/frp/ssl/client.crt"
transport.tls.keyFile = "/etc/frp/ssl/client.key"
transport.tls.trustedCaFile = "/etc/frp/ssl/ca.key"
log.to = "/etc/frp/log/frpc-nas.log"
log.level = "info"
log.maxDays = 3
[[proxies]]
name = "nas"
type = "tcp"
localIP = "192.168.1.2"
localPort = 3000
remotePort = 3000
Logs
2024-09-29 15:49:14.859 [I] [sub/root.go:142] start frpc service for config file [/etc/frp/frpc.toml]
2024-09-29 15:49:14.859 [I] [client/service.go:295] try to connect to server...
2024-09-29 15:49:14.859 [W] [client/connector.go:167] fail to build tls configuration, err: open /etc/frp/ssl/ca.key: no such file or directory
2024-09-29 15:49:14.859 [W] [client/service.go:298] connect to server error: open /etc/frp/ssl/ca.key: no such file or directory
2024-09-29 15:49:14.859 [I] [sub/root.go:160] frpc service for config file [/etc/frp/frpc.toml] stopped
2024-09-29 15:53:19.115 [I] [sub/root.go:142] start frpc service for config file [/etc/frp/frpc.toml]
2024-09-29 15:53:19.115 [I] [client/service.go:295] try to connect to server...
2024-09-29 15:53:19.493 [W] [client/service.go:298] connect to server error: session shutdown
2024-09-29 15:53:19.494 [I] [sub/root.go:160] frpc service for config file [/etc/frp/frpc.toml] stopped
2024-09-29 15:56:43.788 [I] [sub/root.go:142] start frpc service for config file [/etc/frp/frpc.toml]
2024-09-29 15:56:43.789 [I] [client/service.go:295] try to connect to server...
2024-09-29 15:56:44.161 [W] [client/service.go:298] connect to server error: tls: failed to verify certificate: x509: certificate signed by unknown authority
2024-09-29 15:56:44.161 [I] [sub/root.go:160] frpc service for config file [/etc/frp/frpc.toml] stopped
Steps to reproduce
...
Affected area
@hqoq commented on GitHub (Sep 29, 2024):
Sorry, closing this issue.
After looking it over several times I found that my own frpc.toml had the /ca.crt path written as /ca.key.
After correcting it, the connection succeeded.
@mfblog commented on GitHub (Feb 17, 2025):
How can I tell whether authentication went through TLS? The connection already succeeds, but the log shows no TLS-related information.
@hqoq commented on GitHub (Feb 17, 2025):
See https://gofrp.org/zh-cn/docs/features/common/network/network-tls/
Provided the configuration is correct, a failed authentication cannot connect; conversely, a successful connection can be taken to mean authentication succeeded.
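Added example in Go (frp's language; this is not the issue's or frp's own code): it reproduces the trust-store mistake in the frpc.toml above (transport.tls.trustedCaFile pointing at ca.key instead of ca.crt) against a constructed CA and client certificate, showing why a key file in that slot leaves the pool empty and produces the "certificate signed by unknown authority" error from the logs, and gives an offline file check that complements the last comment's "it connected, so authentication worked". The function names and the test PKI are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckTrustedCA: a CertPool only accepts CERTIFICATE PEM blocks, so a trustedCaFile pointing at ca.key loads nothing.
func CheckTrustedCA(pemData []byte) error {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return fmt.Errorf("trustedCaFile: no PEM block found")
	}
	if block.Type != "CERTIFICATE" {
		return fmt.Errorf("trustedCaFile: %q block, expected CERTIFICATE (ca.key given instead of ca.crt?)", block.Type)
	}
	return nil
}

// VerifyChain is the chain check a TLS handshake runs on the peer cert; an empty pool gives "signed by unknown authority".
func VerifyChain(caPEM []byte, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // silently adds nothing when handed a key file
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// GenTestPKI builds a constructed CA and a client cert it signs (test data only); returns ca.crt, ca.key PEM and the client cert.
func GenTestPKI() (caCrt, caKey []byte, client *x509.Certificate) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	clPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, NotBefore: nb,
		NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caPriv)
	caCert, _ := x509.ParseCertificate(caDER)
	clTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.client.com"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clDER, _ := x509.CreateCertificate(rand.Reader, clTpl, caCert, clPub, caPriv)
	client, _ = x509.ParseCertificate(clDER)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(caPriv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), client
}
```

Running CheckTrustedCA and VerifyChain over the real ca.crt and client.crt before starting frpc shows whether the files actually chain, independent of whether a connection happens to come up.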