V2ray-core: 启用tls后,服务器出现remote error: tls: bad certificate

Created on 30 Jul 2017  ·  11Comments  ·  Source: v2ray/v2ray-core

提交 Issue 之前请先阅读 Issue 指引,然后回答下面的问题,谢谢。
Please read the instruction and answer the following questions before submitting your issue. Thank you.

1) 你正在使用哪个版本的 V2Ray?(如果服务器和客户端使用了不同版本,请注明)
What version of V2Ray are you using (If you deploy different version on server and client, please explicitly point out)?
v.2.33

2) 你的使用场景是什么?比如使用 Chrome 通过 Socks/VMess 代理观看 YouTube 视频。
What's your scenario of using V2Ray? E.g., Watching YouTube videos in Chrome via Socks/VMess proxy.
chrome+SwichyOmega, google, youtube等被墙网站

3) 你看到的不正常的现象是什么?
What did you see?
打不开网页,显示“无法访问此网站”

4) 你期待看到的正确表现是怎样的?
What's your expectation?
能打开网页,正常浏览内容

5) 请附上你的配置文件(提交 Issue 前请隐藏服务器端IP地址)。
Please attach your configuration file (Mask IP addresses before submit this issue).

Server Configuration File(服务器端配置文件):

    // 在这里附上服务器端配置文件
    // Please attach your server configuration file here.

{
"log": {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
"loglevel": "warning"
},

"inbound": {
"port": 11111,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "xxxxxxxxxxxxxx",
"level": 1,
"alterId": 64
}
],
"features": {
"detour": {
"to": "detourHandler"
}
}
},
"streamSettings": {
"network": "kcp",
"security": "tls",
"tlsSettings": {
"certificates": [
{
"certificateFile": "/etc/letsencrypt/live/abcd.xyz/cert.pem",
"keyFile": "/etc/letsencrypt/live/abcd.xyz/privkey.pem"
}
]
}
}
},

"inboundDetour": [
{
"protocol": "shadowsocks",
"port": 1111,
"settings": {
"method": "aes-256-cfb",
"password": "hello",
"udp": false
}
},
{
"protocol": "shadowsocks",
"port": 2222,
"settings": {
"method": "chacha20",
"password": "hello",
"udp": false
}
},
{
"protocol": "dokodemo-door",
"port":5353,
"settings": {
"address": "8.8.8.8",
"port":53,
"network": "tcp",
"timeout": 0
}
},
{
"protocol": "http",
"port": "2525",
"settings": {}
},
{
"port": 22222,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "yyyyyyyyyyy",
"level": 1,
"alterId": 64
}
]
}
},
{
"port": 33333,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "zzzzzzzzzzzz",
"level": 1,
"alterId": 64
}
],
"detour": {
"to": "detour-kcp"
}
},
"streamSettings": {
"network": "kcp"
}
},
{
"port": 44444,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "wwwwwwwwwww",
"level": 1,
"alterId": 64
}
],
"detour": {
"to": "detour-tcp"
}
}
},
{
"protocol": "vmess",
"port": "10001-10100",
"tag": "detour-kcp",
"settings": {},
"allocate": {
"strategy": "random",
"concurrency": 2,
"refresh": 5
},
"streamSettings": {
"network": "kcp"
}
},
{
"protocol": "vmess",
"port": "20001-20100",
"tag": "detour-tcp",
"settings": {},
"allocate": {
"strategy": "random",
"concurrency": 2,
"refresh": 5
}
}
],

"outbound": {
"protocol": "freedom",
"settings": {}
},

"outboundDetour": [
{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}
],

"routing": {
"strategy": "rules",
"settings": {
"rules": [
{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "blocked"
}
]
}
},

"transport": {
"tcpSettings": {
"connectionReuse": true
},
"kcpSettings": {
"mtu": 1350,
"tti": 20,
"uplinkCapacity": 12,
"downlinkCapacity": 100,
"congestion": false,
"readBufferSize": 1,
"writeBufferSize": 1,
"header": {
"type": "none"
}
}
}
}
Client Configuration File(客户端配置文件):

    // 在这里附上客户端配置文件
    // Please attach your client configuration file here.

{
"log": {
"loglevel": "warning"
},
"inbound": {
"port": 1080,
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": false,
"ip": "127.0.0.1"
}
},
"outbound": {
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "abcd.xyz",
"port": 11111,
"users": [
{
"id": "xxxxxxxxxxxxxx",
"alterId": 64
}
]
}
]
},
"streamSettings": {
"network": "kcp",
"security": "tls"
},
"mux":{
"enabled":true
}
},
"outboundDetour": [
{
"protocol": "freedom",
"settings": {},
"tag": "direct"
}
],
"dns": {
"servers": [
"8.8.8.8",
"8.8.4.4",
"localhost"
]
},
"routing": {
"strategy": "rules",
"settings": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"port": "1-52",
"outboundTag": "direct"
},
{
"type": "field",
"port": "54-79",
"outboundTag": "direct"
},
{
"type": "field",
"port": "81-442",
"outboundTag": "direct"
},
{
"type": "field",
"port": "444-65535",
"outboundTag": "direct"
},
{
"type": "chinasites",
"outboundTag": "direct"
},
{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "direct"
},
{
"type": "chinaip",
"outboundTag": "direct"
}
]
}
},
"transport": {
"kcpSettings": {
"uplinkCapacity": 1,
"downlinkCapacity": 10
}
}
}

6) 请附上出错时软件输出的日志。在 Linux 中,日志通常在 /var/log/v2ray/error.log 文件中。
Please attach the log file, especially the bottom lines if the file is large. Log file is usually /var/log/v2ray/error.log on Linux.

Server Log File(服务器端日志):

    // 在这里附上服务器端日志
    // Please attach your server log here.

2017/07/30 07:00:46 aa.bb.cc.dd:43213 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:00:57 aa.bb.cc.dd:54368 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:08 aa.bb.cc.dd:58251 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:09 aa.bb.cc.dd:38910 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:19 aa.bb.cc.dd:54406 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:30 aa.bb.cc.dd:37038 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:34 aa.bb.cc.dd:54772 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:36 aa.bb.cc.dd:50333 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:47 aa.bb.cc.dd:52932 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:01:49 aa.bb.cc.dd:44131 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:02 aa.bb.cc.dd:48906 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:08 aa.bb.cc.dd:45342 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:20 aa.bb.cc.dd:55336 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:20 aa.bb.cc.dd:41918 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:21 aa.bb.cc.dd:40176 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:32 aa.bb.cc.dd:58428 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
2017/07/30 07:02:45 aa.bb.cc.dd:35100 rejected Proxy|VMess|Encoding: failed to read request header > remote error: tls: bad certificate
Client Log File(客户端日志):

    // 在这里附上客户端日志
    // Please attach your client log here.

显示v2ray已经启动,但是无其他输出。

picture tonyshaoxu

Most helpful comment

Windows认的是 DST Root X3 这个根证书

picture husy8 on 1 Aug 2017
👍2

All 11 comments

相同的客户端配置在win10上可以正常运行,服务端不会报上述错误。在linux和mac上会报上述错误。

tonyshaoxu picture tonyshaoxu on 30 Jul 2017

@tonyshaoxu Reply #1

  1. 为什么要给 kcp 协议加上 TLS 呢,VMess 加密不够用吗?
  2. 请把客户端配置文件里的 "loglevel": "warning" 改为 "loglevel": "info",然后再把客户端日志贴出来
oing9179 picture oing9179 on 30 Jul 2017
  1. 纯粹是为了测试tls
  2. 客户端日志
    V2Ray v2.33 (One for all) 20170609
    An unified platform for anti-censorship.
    2017/07/30 20:12:14 [Debug]App|Proxyman|Inbound: creating tcp worker on 127.0.0.1:1080
    2017/07/30 20:12:14 [Info]Transport|Internet|TCP: listening TCP on 127.0.0.1:1080
    2017/07/30 20:12:14 [Warning]Core: V2Ray started
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:23 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:23 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:23 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:ssl.gstatic.com:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:ssl.gstatic.com:443
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:ssl.gstatic.com:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:ssl.gstatic.com:443
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:12:23 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:25 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:28 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.com:443
    2017/07/30 20:12:28 [Info]App|Router: looking up IP for tcp:www.google.com:443
    2017/07/30 20:12:28 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:28 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:28 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:31 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:31 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:31 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:33 [Info]Transport|Internet|mKCP: creating connection 10090
    2017/07/30 20:12:33 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:12:34 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:12:34 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:36 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:36 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:36 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:36 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:ssl.gstatic.com:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:ssl.gstatic.com:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:ssl.gstatic.com:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:ssl.gstatic.com:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:12:39 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:i.ytimg.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:i.ytimg.com:443
    2017/07/30 20:12:40 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:yt3.ggpht.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:yt3.ggpht.com:443
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:googleads.g.doubleclick.net:443
    2017/07/30 20:12:40 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:40 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:40 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:apis.google.com:443
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:www.gstatic.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:apis.google.com:443
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:www.youtube.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:www.gstatic.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:www.youtube.com:443
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:www.googleadservices.com:443
    2017/07/30 20:12:40 [Info]Proxy|Socks: TCP Connect request to tcp:s.youtube.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:www.googleadservices.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:s.youtube.com:443
    2017/07/30 20:12:40 [Info]App|Router: looking up IP for tcp:googleads.g.doubleclick.net:443
    2017/07/30 20:12:41 [Info]Transport|Internet|mKCP: creating connection 10091
    2017/07/30 20:12:41 [Info]Transport|Internet|mKCP: creating connection 10092
    2017/07/30 20:12:41 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:12:41 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:12:41 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:12:41 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:41 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:12:41 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Dispatcher|Default: default route for udp:8.8.8.8:53
    2017/07/30 20:12:42 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
    2017/07/30 20:12:44 [Info]App|Dispatcher|Default: default route for tcp:www.google.com:443
    2017/07/30 20:12:44 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.com:443
    2017/07/30 20:12:47 [Info]Transport|Internet|mKCP: creating connection 10093
    2017/07/30 20:12:47 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:12:47 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:12:47 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:48 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:48 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:48 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:48 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:12:48 [Info]Transport|Internet|mKCP: terminating connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:50 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:50 [Info]Transport|Internet|UDP: establishing new connection for udp:8.8.4.4:53
    2017/07/30 20:12:50 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:50 [Info]App|Dispatcher|Default: default route for udp:8.8.4.4:53
    2017/07/30 20:12:50 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:50 [Info]App|Proxyman|Mux: dispatching request to udp:8.8.4.4:53
    2017/07/30 20:12:53 [Info]Transport|Internet|mKCP: creating connection 10094
    2017/07/30 20:12:53 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:12:53 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:12:53 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:apis.google.com:443
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:apis.google.com:443
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:www.youtube.com:443
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:www.youtube.com:443
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:yt3.ggpht.com:443
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:www.gstatic.com:443
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:yt3.ggpht.com:443
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:www.gstatic.com:443
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:s.youtube.com:443
    2017/07/30 20:12:56 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:s.youtube.com:443
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:i.ytimg.com:443
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:i.ytimg.com:443
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: default route for tcp:googleads.g.doubleclick.net:443
    2017/07/30 20:12:56 [Info]App|Proxyman|Mux: dispatching request to tcp:googleads.g.doubleclick.net:443
    2017/07/30 20:12:56 [Info]Transport|Internet|mKCP: creating connection 10095
    2017/07/30 20:12:56 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:12:56 [Info]App|Dispatcher|Default: taking detour [direct] for [tcp:www.googleadservices.com:443]
    2017/07/30 20:12:56 [Info]Proxy|Freedom: opening connection to tcp:www.googleadservices.com:443
    2017/07/30 20:12:56 [Info]Transport|Internet|TCP: dailing TCP to tcp:www.googleadservices.com:443
    2017/07/30 20:12:56 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:12:56 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:56 [Info]Transport|Internet|mKCP: terminating connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:12:56 [Info]Transport|Internet|mKCP: terminating connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:13:02 [Info]Transport|Internet|mKCP: terminating connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:13:08 [Info]Transport|Internet|mKCP: terminating connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:13:10 [Info]Proxy|Socks: TCP Connect request to tcp:www.google.ca:443
    2017/07/30 20:13:10 [Info]App|Router: looking up IP for tcp:www.google.ca:443
    2017/07/30 20:13:10 [Info]App|Dispatcher|Default: default route for tcp:www.google.ca:443
    2017/07/30 20:13:10 [Info]App|Proxyman|Mux: dispatching request to tcp:www.google.ca:443
    2017/07/30 20:13:10 [Info]Transport|Internet|mKCP: dialing mKCP to udp:abcd.xyz:11111
    2017/07/30 20:13:10 [Info]Proxy|Socks: TCP Connect request to tcp:www.youtube.com:443
    2017/07/30 20:13:10 [Info]App|Router: looking up IP for tcp:www.youtube.com:443
    2017/07/30 20:13:10 [Info]App|Dispatcher|Default: default route for tcp:www.youtube.com:443
    2017/07/30 20:13:10 [Info]App|Proxyman|Mux: dispatching request to tcp:www.youtube.com:443
    2017/07/30 20:13:11 [Info]Transport|Internet|mKCP: terminating connection to xxx.xxx.xxx.xxx:11111
    2017/07/30 20:13:15 [Info]Transport|Internet|mKCP: creating connection 10096
    2017/07/30 20:13:15 [Info]Proxy|VMess|Outbound: tunneling request to tcp:v1.mux.cool:9527 via tcp:abcd.xyz:11111
    2017/07/30 20:13:16 [Info]Proxy|VMess|Encoding: failed to read response header > x509: certificate signed by unknown authority
    2017/07/30 20:13:16 [Info]Transport|Internet|mKCP: closing connection to xxx.xxx.xxx.xxx:11111
tonyshaoxu picture tonyshaoxu on 30 Jul 2017

@tonyshaoxu Reply #4

看上去你的 SSL 证书是用 Let's Encrypt 生成的,你试试在客户端配置文件里的 "security":"tls" 下面加上:

"tlsSettings": {
    "serverName": "abcd.xyz",
    "allowInsecure": false // 改成 "true" 如果 false 不好使的话.
}

然后再看看效果吧.

oing9179 picture oing9179 on 31 Jul 2017

多谢!

经测试,设置成“true”后,工作正常了。

tonyshaoxu picture tonyshaoxu on 31 Jul 2017

那问题就更大了,检查 ServerName 和服务器给你的证书是不是对应域名的证书,按道理来说Let's Encrypt的根证书应该各大平台都有内置才对。尽可能不要使用 allowInsecure

husy8 picture husy8 on 31 Jul 2017

奇怪的是win10上客户端配置文件无需添加你上面提供的那段就可以正常上网,在ubuntu的配置文件里必须添加那段而且设置成true才能上网。
我还没在mac上测试你提供的方法,但是之前mac也是无法正常上网的,客户端报错内容和ubuntu是一样的。

tonyshaoxu picture tonyshaoxu on 31 Jul 2017

改成false后,客户端报错 failed to process outbound traffic > Proxy|VMess|Outbound: connection ends > x509: certificate signed by unknown authority

检查 ServerName 和服务器给你的证书是不是对应域名的证书
域名的证书的确是letsencrypt颁发的,而且通过https://域名可以打开网页,可以看到证书和域名是对应的。

tonyshaoxu picture tonyshaoxu on 31 Jul 2017

Ubuntu:

apt-get update && apt-get -y install ca-certificates

重新装一下根证书试试,Debian 9 早已包含 Let's Encrypt 根证书,Ubuntu 用的 testing 代码不可能不包含的。 如果还不行

dpkg-reconfigure ca-certificates

在证书列表里找Let's Encrypt 根证书并选中(空格选中
MAC 没用过不知道怎么做(´;ω;`)

husy8 picture husy8 on 1 Aug 2017

我用的是ubuntu 14.04 LTS,/etc/ca-certificates.conf里确实没有letsencrypt的ca证书。
貌似我找到解决方法了(参考https://github.com/certbot/certbot/issues/2026),我在服务器的配置文件里使用fullchain证书而不是ca证书,现在ubuntu已经可以正常浏览网页和观看油管了。
mac稍后再试一下。
很奇怪为什么无论我在服务器段用fullchain还是ca证书,windows10都能正常工作,我看了一下win10信任的根证书里没有letsencrypt的CA证书啊。

tonyshaoxu picture tonyshaoxu on 1 Aug 2017
👍1

Windows认的是 DST Root X3 这个根证书

husy8 picture husy8 on 1 Aug 2017
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

gzzchh picture gzzchh  ·  3Comments
sunsan05 picture sunsan05  ·  3Comments
choicky picture choicky  ·  4Comments
limaofu picture limaofu  ·  3Comments
supersonic600 picture supersonic600  ·  3Comments