
Trojan had been working fine before: with SSL certificate verification enabled on the macOS, Windows, iOS and Android clients, proxying worked. Recently the certificate expired, and after renewing it with Let's Encrypt's acme.sh tool I found that the clients only work with verification turned off. As soon as SSL verification is enabled, proxying fails and the server keeps logging errors:

[2020-08-18 09:55:03] [ERROR] SSL handshake failed: tlsv1 alert unknown ca
[2020-08-18 09:55:03] [INFO] disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds

Windows client config (on the other systems I use ready-made apps):

```json
{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 8080,
    "remote_addr": "mydomain.com",
    "remote_port": 443,
    "password": [
        "mypassword"
    ],
    "log_level": 1,
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "mydomain.com.cer",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "sni": "",
        "alpn": [
            "h2",
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "curves": ""
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": false,
        "fast_open_qlen": 20
    }
}
```

Server config:

```json
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "mypassword"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/usr/local/etc/mydomain.com.crt",
        "key": "/usr/local/etc/mydomain.com.key",
        "key_password": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    }
}
```

But the certificate issued the first time was fine and kept working; it is only after the renewal that it stopped working. I also can't find anything online about how to resolve tlsv1 alert unknown ca.

Regarding syncing the latest certificate to the clients, there are two cases.

1. Download the Windows and macOS client zips from your Releases, unzip them, and put the latest certificate in the folder: transparent proxying then works normally, and the server logs no errors.

2. For the iOS client Shadowrocket and the Android client Igniter I don't know how they obtain the certificate, but I tried uninstalling the apps and re-entering the config, and as soon as certificate verification is checked it fails. Looking closely at the server log, Shadowrocket's error is SSL handshake failed: sslv3 alert certificate unknown, while Igniter's is SSL handshake failed: tlsv1 alert unknown ca.

Post a screenshot of your certificate including the certification path, which can be displayed on Windows.

To be clearer: as I described in comment #3 above, the Windows and macOS clients work normally; it is the mobile apps that have the problem.

I couldn't find anything resembling your screenshot. I found these three screenshots in certmgr.msc, with possibly sensitive information blacked out; I'm not sure whether they contain the information you want.
