[GH-ISSUE #4812] Mutual TLS certificates cannot be verified #3801

Closed
opened 2026-05-05 14:25:57 -06:00 by gitea-mirror · 3 comments

Originally created by @yuzi-ska on GitHub (May 24, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4812

Bug Description

The host topology is roughly as follows:

Image: https://github.com/user-attachments/assets/3c5aa49f-237d-46d9-914e-a97f52f7e5b1 (host topology diagram)

After enabling CA certificate verification on frps, access fails with ERR_SSL_UNRECOGNIZED_NAME_ALERT. The certificate files verify fine on their own with openssl; both the server and client certificates were generated following the example at https://gofrp.org/zh-cn/docs/features/common/network/network-tls/, with DNS changed to the wildcard domain I need and IP changed to the server's public IP. Without CA verification on frps (one-way verification only) access works normally, but it still fails verification at random times (fairly often); the firewall is not blocking it and it is not a DNS problem; after about ten minutes it recovers. While frps is in this unverifiable state, connecting directly through the client's own public network still works, which should show that neither the client certificate nor the service is at fault.
Simply removing the CA certificate verification from frps makes all services reachable again. There is no error in the logs, so I cannot tell where exactly it goes wrong. Hoping for an answer, thanks.

frpc Version

0.61.1

frps Version

0.61.1

System Architecture

linux/amd64

Configurations

frps server configuration

```toml
# bind address
bindAddr = "0.0.0.0"

# server listening port
bindPort = 7000
quicBindPort = 7000

# HTTP port (for HTTP proxies into the internal network)
vhostHTTPPort = 80

# HTTPS port (for HTTPS proxies into the internal network)
vhostHTTPSPort = 443

log.to = "/frps/fprs.log"
log.level = "trace"

# authentication method
auth.method = "token"

# token
auth.token = "xxxxx"

transport.tls.certFile = "/frps/ssl/server.crt"
transport.tls.keyFile = "/frps/ssl/server.key"
transport.tls.trustedCaFile = "/frps/ssl/ca.crt"
```

frpc client configuration

```ini
[common]
server_addr = <server IP>
server_port = 7000
token = "xxxx"
transport.tls.certFile = "/client.crt"
transport.tls.keyFile = "/client.key"
transport.tls.trustedCaFile = "/cer/ca.crt"
transport.protocol = "quic"

[http]
type = http
local_ip = 127.0.0.1
local_port = 80
custom_domains = *.my.domain
transport.useCompression = true

[https]
type = https
local_ip = 127.0.0.1
local_port = 443
custom_domains = *.my.domain
transport.useCompression = true
```

CA

```bash
cat > my-openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt
```

Server

```bash
openssl genrsa -out server.key 2048

# <server IP> stands for the server's public IP address in the original report.
openssl req -new -sha256 -key server.key \
  -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
  -reqexts SAN \
  -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:my.domain,IP:<server IP>,DNS:*.my.domain")) \
  -out server.csr

# The SAN that ends up in server.crt is the one passed to -extfile here; `openssl x509 -req`
# does not copy the CSR's own SAN extension by default.
openssl x509 -req -days 365 -sha256 \
  -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:my.domain,IP:<server IP>,DNS:*.my.domain") \
  -out server.crt
```

Client

```bash
openssl genrsa -out client.key 2048

openssl req -new -sha256 -key client.key \
  -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
  -reqexts SAN \
  -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.my.domain")) \
  -out client.csr

openssl x509 -req -days 365 -sha256 \
  -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:*.my.domain") \
  -out client.crt
```

Logs

```
client login info: ip [<frpc IP>:17363] version [0.61.1] hostname [] os [linux] arch [amd64]

client exit success
```

No other log output.

Steps to reproduce

...

Affected area

- [ ] Docs
- [ ] Installation
- [ ] Performance and Scalability
- [ ] Security
- [x] User Experience
- [ ] Test and Release
- [ ] Developer Infrastructure
- [ ] Client Plugin
- [ ] Server Plugin
- [ ] Extensions
- [ ] Others
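
Editorial note, added to this mirror and not part of the report or of frp's code: the frpc file posted above keeps the legacy ini layout (`[common]`, `server_addr`, `custom_domains`) but names the TLS settings with the TOML keys (`transport.tls.certFile` and friends). In the ini format frp's TLS keys are `tls_enable`, `tls_cert_file`, `tls_key_file` and `tls_trusted_ca_file`, and the protocol key is `protocol`, so before examining the certificates it is worth confirming that frpc loaded a client certificate at all: `openssl verify` passing only proves the chain, not that frpc ever presented the file. Two further things to keep apart: the browser's TLS session on vhostHTTPSPort 443 is with the local port-443 service (frps only reads the SNI and forwards the stream), so the certificates in this report never appear in that handshake; they only decide whether frpc can log in to frps and register its proxies. The same frpc configuration written entirely in the TOML format that the frps side and the linked documentation use is below; `203.0.113.10` is a documentation placeholder for the frps public IP.

```toml
# frpc.toml: the client side of the report in frp's TOML format (added example).
# 203.0.113.10 is a placeholder; server.crt must carry the real frps IP as an IP SAN
# because frpc dials it by address and verifies the certificate against that address.
serverAddr = "203.0.113.10"
serverPort = 7000

auth.method = "token"
auth.token = "xxxx"

transport.protocol = "quic"
transport.tls.enable = true
transport.tls.certFile = "/client.crt"
transport.tls.keyFile = "/client.key"
transport.tls.trustedCaFile = "/cer/ca.crt"

[[proxies]]
name = "http"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["*.my.domain"]
transport.useCompression = true

[[proxies]]
name = "https"
type = "https"
localIP = "127.0.0.1"
localPort = 443
customDomains = ["*.my.domain"]
transport.useCompression = true
```

With `log.level = "trace"` on frps, a client that never presents a certificate is rejected during the transport handshake, before any `client login info` line can be written, so an empty frps log during the failure window is consistent with frpc not loading its certificate.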

@Vekixx commented on GitHub (May 24, 2025):

For your reference:

1. Use the path as seen after mounting (a full absolute path should also work; not verified).
   docker-compose file:

   ```yaml
   volumes:
     - ./frps.toml:/etc/frp/frps.toml
     - ./ssl:/etc/frp/ssl
   ```

   frps.toml:

   ```toml
   transport.tls.certFile = "/etc/frp/ssl/server.crt"
   transport.tls.keyFile = "/etc/frp/ssl/server.key"
   transport.tls.trustedCaFile = "/etc/frp/ssl/ca.crt"
   ```

2. The client certificate generation is missing a DNS entry:

   ```bash
   openssl req -new -sha256 -key client.key
   -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com"
   -reqexts SAN
   # yours
   -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.my.domain"))
   # should be
   -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.my.domain,DNS:*.my.domain"))
   -out client.csr

   openssl x509 -req -days 365 -sha256
   -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial
   # yours
   -extfile <(printf "subjectAltName=DNS:*.my.domain")
   # should be
   -extfile <(printf "subjectAltName=DNS:*.my.domain,DNS:*.my.domain")
   -out client.crt
   ```

Not sure whether this solves the problem.
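
The three certificates in the report, and the SAN suggestion in the comment above, can be checked against what Go's crypto/tls (which frps and frpc are built on) actually enforces. The following is an added example written for this page, not frp's code and not from either participant. It builds an in-memory CA, server and client certificate shaped like the ones in the report, then runs a loopback handshake in which the server requires a client certificate chaining to the CA; that this is what frps does once `transport.tls.trustedCaFile` is set is taken from the documentation, not from frp's source, and the hostnames, CommonNames and the 127.0.0.1 address are stand-ins for the report's placeholders. Three cases are exercised: a correct mutual handshake, a client that presents no certificate at all (what frps sees if frpc never loaded client.crt/client.key), and a server certificate issued without the IP SAN while the client dials by IP. The client certificate's DNS SAN plays no part in any of them; the server only checks that the client's chain ends at the trusted CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI is an in-memory stand-in for the report's ca.crt, server.crt and client.crt.
func buildPKI(serverIPs []net.IP) (pool *x509.CertPool, server, client tls.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.ca.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// leaf issues an end-entity certificate under the CA with the given SANs and extended key usage.
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage, dns []string, ips []net.IP) tls.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		der := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IPAddresses: ips,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		}, ca, &key.PublicKey, caKey))
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	}
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	return pool, leaf(2, "server.com", x509.ExtKeyUsageServerAuth, []string{"my.domain", "*.my.domain"}, serverIPs),
		leaf(3, "client.com", x509.ExtKeyUsageClientAuth, []string{"*.my.domain"}, nil)
}

// frpsConfig presents server.crt and, like frps once trustedCaFile is set (assumed; not frp's code), requires a client cert chaining to ca.crt.
func frpsConfig(pool *x509.CertPool, server tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
}

// frpcConfig trusts ca.crt and presents the certificates frpc loaded (none models client.crt/client.key never being read).
// ServerName stays empty, so Go checks the dialed host (an IP literal here) against the server certificate's SANs.
func frpcConfig(pool *x509.CertPool, certs ...tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: pool, Certificates: certs, MinVersion: tls.VersionTLS12}
}

// handshake runs one connection over loopback and returns the first failure prefixed with the side that saw it; nil means both accepted.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			tc := tls.Server(c, serverCfg)
			err = tc.Handshake() // "client didn't provide a certificate" surfaces here
			tc.Close()
		}
		srvErr <- err
	}()
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if cerr == nil {
		// TLS 1.3: the client finishes before the server has judged its certificate; wait for the server's close or alert.
		_, _ = conn.Read(make([]byte, 1))
		conn.Close()
	}
	ln.Close()
	if serr := <-srvErr; cerr != nil {
		return fmt.Errorf("client: %w", cerr)
	} else if serr != nil {
		return fmt.Errorf("server: %w", serr)
	}
	return nil
}

// scenario builds a fresh PKI whose server cert carries serverIPs as IP SANs and runs one handshake, with or without a client cert.
func scenario(clientCert bool, serverIPs ...net.IP) error {
	pool, server, client := buildPKI(serverIPs)
	if !clientCert {
		return handshake(frpsConfig(pool, server), frpcConfig(pool))
	}
	return handshake(frpsConfig(pool, server), frpcConfig(pool, client))
}
func main() {
	ip := net.ParseIP("127.0.0.1") // frpc dials frps by IP, as in the report
	fmt.Printf("mutual TLS: %v\nno client cert: %v\nserver cert without IP SAN: %v\n",
		scenario(true, ip), scenario(false, ip), scenario(true))
}
```

Run it with `go run`: the first case returns nil, the second fails on the server side with `client didn't provide a certificate`, and the third fails on the client side because the server certificate carries no IP SAN for the dialed address. Compared with the report, the second case is the one to rule out first: frps fails in the same way whether the client certificate is wrong or simply never presented, and `openssl verify -CAfile ca.crt client.crt` cannot tell those apart.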


@yuzi-ska commented on GitHub (May 24, 2025):

> For your reference:
>
> 1. Use the path as seen after mounting (a full absolute path should also work; not verified).
>    docker-compose file:
>
>    volumes:
>      - ./frps.toml:/etc/frp/frps.toml
>      - ./ssl:/etc/frp/ssl
>
>    frps.toml:
>
>    transport.tls.certFile = "/etc/frp/ssl/server.crt"
>    transport.tls.keyFile = "/etc/frp/ssl/server.key"
>    transport.tls.trustedCaFile = "/etc/frp/ssl/ca.crt"
>
> 2. The client certificate generation is missing a DNS entry:
>
>    openssl req -new -sha256 -key client.key
>    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com"
>    -reqexts SAN
>    # yours
>    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.my.domain"))
>    # should be
>    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.my.domain,DNS:*.my.domain"))
>    -out client.csr
>
>    openssl x509 -req -days 365 -sha256
>    -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial
>    # yours
>    -extfile <(printf "subjectAltName=DNS:*.my.domain")
>    # should be
>    -extfile <(printf "subjectAltName=DNS:*.my.domain,DNS:*.my.domain")
>    -out client.crt
>
> Not sure whether this solves the problem.

1. I am using the packaged build downloaded from the releases page at the time; it is not deployed with docker.
2. After adding it the problem persists; not solved.


@github-actions[bot] commented on GitHub (Jun 8, 2025):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.
