sing-box
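The acme feature does not work properly
Operating system
Linux
System version
Ubuntu 20.04 / Windows 10
Installation type
Original sing-box command-line program
If you are using a graphical client program, please provide the version of that program.
No response
Version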
singbox (linux|windows) 1.7.6
singbox (windows) 1.8.0-rc.4
sing-box version 1.7.6
Environment: go1.21.5 windows/amd64 | go1.21.5 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: aeb7308e81263bd1a4671710a1027dfc8fc6174b
CGO: disabled
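Description
When sing-box is used as a server with acme as the way to obtain and use the TLS certificate, the certificate is obtained normally and stored locally, but it is not used.
The following comes from a local test setup on Windows using the dns_challenge01 validation method. Linux behaves the same, and the behavior is the same without dns_challenge01.
When sing-box acts as the hysteria2 server, the clash-meta log shows: error: CRYPTO_ERROR 0x178 (remote): tls: no application protocol, and the sing-box log shows: remote error: tls: no application protocol
When sing-box acts as the trojan-ws server, the clash-meta log shows: error: 127.0.0.1:443 connect error: dial example.com:443 error: remote error: tls: no application protocol, and accessing it with a browser returns the error message ERR_SSL_PROTOCOL_ERROR
After modifying the configuration file so that it directly uses the certificate obtained by acme, both inbound servers work normally.
Steps to reproduce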
Server configuration file
```json
{
  "log": {
    "level": "trace"
  },
  "inbounds": [
    {
      "type": "trojan",
      "tag": "trojan-in",
      "listen": "::",
      "listen_port": 443,
      "users": [
        {
          "name": "Shan_shanHY",
          "password": "XWM4UX5xhJmEjTtgJLmBeA=="
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "bacdn.starrycraft.cn",
        "acme": {
          "domain": "bacdn.starrycraft.cn",
          "email": "[email protected]",
          "data_directory": "acme",
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": "*****************************************"
          }
        }
      },
      "multiplex": {
        "enabled": true
      },
      "transport": {
        "type": "ws"
      }
    },
    {
      "type": "hysteria2",
      "listen": "::",
      "listen_port": 8443,
      "up_mbps": 100,
      "down_mbps": 100,
      "users": [
        {
          "name": "shan_shanhy",
          "password": "XWM4UX5xhJmEjTtgJLmBeA=="
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "bacdn.starrycraft.cn",
        "acme": {
          "domain": "bacdn.starrycraft.cn",
          "email": "[email protected]",
          "data_directory": "acme",
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": "****************************************"
          }
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}
```
sing-box client configuration file
```json
{
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "::",
      "listen_port": 7898
    }
  ],
  "outbounds": [
    {
      "type": "trojan",
      "server": "127.0.0.1",
      "server_port": 443,
      "password": "XWM4UX5xhJmEjTtgJLmBeA==",
      "tls": {
        "enabled": true,
        "server_name": "bacdn.starrycraft.cn",
        "utls": {
          "enabled": true,
          "fingerprint": "firefox"
        }
      },
      "multiplex": {
        "enabled": true
      },
      "transport": {
        "type": "ws"
      }
    }
  ]
}
```
Logs
Server log (including obtaining the certificate):
```
1.7034092749349136e+09 info maintenance started background certificate maintenance {"cache": "0xc00011c400"}
1.7034092749349136e+09 info maintenance started background certificate maintenance {"cache": "0xc00011c300"}
INFO[0000] router: updated default interface WLAN, index 17
TRACE[0000] initializing inbound/trojan[trojan-in]
1.703409274945093e+09 info obtain acquiring lock {"identifier": "bacdn.starrycraft.cn"}
1.703409274956196e+09 info obtain lock acquired {"identifier": "bacdn.starrycraft.cn"}
1.703409274956196e+09 info obtain obtaining certificate {"identifier": "bacdn.starrycraft.cn"}
1.70340927660381e+09 info waiting on internal rate limiter {"identifiers": ["bacdn.starrycraft.cn"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "[email protected]"}
1.70340927660381e+09 info done waiting on internal rate limiter {"identifiers": ["bacdn.starrycraft.cn"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "[email protected]"}
1.7034092772729704e+09 info acme_client trying to solve challenge {"identifier": "bacdn.starrycraft.cn", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
1.7034093268203695e+09 info acme_client authorization finalized {"identifier": "bacdn.starrycraft.cn", "authz_status": "valid"}
1.7034093268203695e+09 info acme_client validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/*****/*********"}
1.7034093281289275e+09 info acme_client successfully downloaded available certificate chains {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/********************"}
1.7034093281321461e+09 info obtain certificate obtained successfully {"identifier": "bacdn.starrycraft.cn"}
1.7034093281321461e+09 info obtain releasing lock {"identifier": "bacdn.starrycraft.cn"}
INFO[0054] inbound/trojan[trojan-in]: tcp server started at [::]:443
TRACE[0054] initializing inbound/hysteria2[1]
INFO[0054] inbound/hysteria2[1]: udp server started at [::]:8443
TRACE[0054] post-starting router
INFO[0054] sing-box started (54.11s)
```
Integrity requirements
- [X] I confirm
Responsibility requirements
- [X] I confirm
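Try this: add the tls alpn parameter to both the server and client configurations.
I ran into a similar problem; the fix was to add the tls alpn parameter
"alpn": [
"h3"
]
I ran into a similar problem; the fix was to add the tls alpn parameter
"alpn": [ "h3" ]
The h3 alpn should correspond to the hy2 server. When I wrote the hy2 and trojan configuration files I followed the syntax in the Example, so the documentation may be incomplete in some places. But with the same syntax, simply replacing acme with the certificate paths works normally. It is worth mentioning that this certificate error with trojan went away after reverse proxying through CF (hy2 has no reverse proxy and was not tested).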
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
I ran into a similar problem; the fix was to add the tls alpn parameter
"alpn": [ "h3" ]
Surge reported the error: err_draining, and your method fixes it
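The client-side error in this thread, `remote error: tls: no application protocol`, is the alert a Go TLS server sends when it has an ALPN list configured and none of its entries match what the client offers. The Go program below is an added illustration, not code from the issue or from sing-box: it reproduces that alert over loopback and shows it disappearing once the server list contains the client's protocol, which is the effect of the `alpn` setting suggested above. Assumptions: the server list `acme-tls/1`, the name `example.test` and the function `Handshake` are constructed for the demo; the page does not show which ALPN list the ACME-enabled inbound actually advertises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Handshake runs one TLS handshake over loopback TCP; it returns the agreed ALPN protocol or the client's error.
func Handshake(serverALPN, clientALPN []string) (string, error) {
	// Constructed throwaway certificate for the placeholder name example.test.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts exactly this certificate
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and handshake
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverALPN}).Handshake()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "example.test", RootCAs: roots, NextProtos: clientALPN})
	if err != nil {
		return "", err
	}
	defer cli.Close()
	return cli.ConnectionState().NegotiatedProtocol, nil
}
func main() {
	fmt.Println(Handshake([]string{"acme-tls/1"}, []string{"h3"}))       // no overlap: alert
	fmt.Println(Handshake([]string{"acme-tls/1", "h3"}, []string{"h3"})) // overlap: h3
}
```

When triaging a report like this one, comparing the ALPN list the client offers with the list the listener advertises separates a protocol-negotiation failure from a certificate problem.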