
SSL handshake failed: sslv3 alert certificate unknown #631

Open
bitcodee opened this issue Apr 3, 2022 · 5 comments
Comments

@bitcodee

bitcodee commented Apr 3, 2022

Hi everyone,

I have already renewed the certificate, but this problem still occurs. How can I fix it?

Thanks

@arloan

arloan commented Sep 29, 2022

I encountered the same problem: the trojan client handshake failed due to this error, while the fake HTTPS site works fine with a correct SSL cert.

EDIT: I fixed this problem by modifying trojan's config to use fullchain.pem instead of cert.pem, while another comment says one should use cert.pem to avoid this error; really interesting.

@martyn0ff

I had a similar problem and was using Let's Encrypt. The issue was on the client side's config.json: the "remote_addr" key should have a hostname that you have a certificate for, not an IP address. After I changed my server's IP to its hostname, everything worked flawlessly. cert points to fullchain.pem, key points to privkey.pem, trojan 1.16.0.
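
As an added illustration of the two settings named in this comment (not a config from this thread or from the trojan project), here is a minimal server config.json next to the matching client config.json. The paths under /etc/letsencrypt, the name domain.com, the address 203.0.113.5 and the password are placeholders; the weak variant of each setting is left in as a commented-out line.

```jsonc
// Server side: ssl.cert must point at the full chain (leaf + intermediate),
// not at cert.pem, which holds only the leaf.
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": ["change-me"],
  "ssl": {
    // "cert": "/etc/letsencrypt/live/domain.com/cert.pem",   // weak: leaf only
    "cert": "/etc/letsencrypt/live/domain.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/domain.com/privkey.pem"
  }
}

// Client side: remote_addr is the name the certificate was issued for, not the
// server IP. With sni left empty, trojan uses remote_addr as the TLS server name,
// and a Let's Encrypt certificate carries no IP SAN that an address could match.
{
  "run_type": "client",
  "local_addr": "127.0.0.1",
  "local_port": 1080,
  // "remote_addr": "203.0.113.5",   // weak: IP literal, fails hostname verification
  "remote_addr": "domain.com",
  "remote_port": 443,
  "password": ["change-me"],
  "ssl": {
    "verify": true,
    "verify_hostname": true,
    "sni": ""
  }
}
```

To confirm the server side from outside, run `openssl s_client -connect domain.com:443 -servername domain.com -showcerts` and check that more than one certificate is printed and that the output ends with `Verify return code: 0 (ok)`; a leaf-only server shows a single certificate and a non-zero verify code.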

@teadrinker2015

teadrinker2015 commented Mar 29, 2023

> cert points to fullchain.pem

That saved my day. (Never read the doc QAQ)
Btw, it can still work perfectly with cert pointing to cert.pem, but only on Clash for Windows; neither of the Android clients works.

@changeforan

Same problem here, fixed by using full chain pem instead of single cert pem.
Just as the Trojan official doc says:

> It’s preferred to use the full chain certificate here instead of the certificate alone.

@iFHiGM

iFHiGM commented Oct 20, 2023

I just ran into this problem the other day, so here is the solution:

Prerequisite:

  1. A valid domain name, domain.com (used as the example here).
  2. Use a fullchain certificate.
  3. Using acme.sh.

Error Scenario/Steps:

  1. Use acme.sh to add certificates for "www.domain.com" and "*.domain.com".
  2. Route "x.y.domain.com" to trojan in the nginx stream block.
  3. The logs then record the sslv3 handshake error.

My solution:

  1. Reuse acme.sh to add a certificate for *.y.domain.com (append).
  2. Leave the nginx configuration unchanged; restart nginx and trojan.
  3. It became available.

How it was found:
I tried to add new subdomains like "x.y.domain.com" to my nginx site, but after adding certificates for just "www.domain.com" and "*.domain.com" using acme.sh, my Firefox browser reported:

  1. "www.domain.com" is safe
  2. "x.y.domain.com" domain is not secure
    When I checked the browser information further and found a message saying that the certificate was only registered to "*.domain.com" and not "x.y.domain.com", I thought I had found the solution to my problem scenario.

Of course, I'm not sure whether this scenario applies to everyone, but I thought it could serve as a reference for those who come after me.
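
Added example, not code from this thread or from the trojan project: a small standard-library Python checker that covers the findings above in one place, fullchain.pem versus cert.pem and remote_addr as a hostname (martyn0ff's comment), and the one-label wildcard rule behind iFHiGM's "*.domain.com" versus "x.y.domain.com" case. The config dicts, the PEM placeholders, the address 203.0.113.5 and the names under domain.com are all constructed; the only trojan-specific behaviour it relies on is the documented rule that an empty ssl.sni falls back to remote_addr.

```python
"""Checks a trojan-gfw config for the misconfigurations discussed in this issue.

Added example, not code from the trojan project; standard library only. The PEM
strings and config dicts at the bottom are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# One match per CERTIFICATE block; bodies are counted, not decoded.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(pem_text: str) -> int:
    """acme.sh/certbot write the leaf alone to cert.pem and leaf + intermediate(s) to
    fullchain.pem. A server given cert.pem sends only the leaf, so a client that does
    not already hold the intermediate cannot build a trusted path and sends an alert."""
    return len(PEM_CERT_RE.findall(pem_text))


def is_ip_literal(value: str) -> bool:
    """True for '203.0.113.5' or '[2001:db8::1]', False for a hostname."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against a hostname, RFC 6125 style: a wildcard stands for
    exactly one label, so '*.domain.com' covers 'x.domain.com' but not 'x.y.domain.com'
    (the last comment's case, which needed a separate '*.y.domain.com' certificate).
    Wildcards outside the leftmost label, partial labels ('*foo.domain.com') and '*.com'
    are rejected."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_config(config: Dict, cert_pem: str = "", san_names: Iterable[str] = ()) -> List[str]:
    """Findings for one config dict (empty list = nothing flagged). san_names are the
    dNSName entries of the server certificate, e.g. from
    `openssl x509 -in fullchain.pem -noout -ext subjectAltName`."""
    findings: List[str] = []
    ssl_cfg = config.get("ssl", {})
    san_names = list(san_names)
    if config.get("run_type") == "server":
        n = count_pem_certs(cert_pem)
        if n == 0:
            findings.append("ssl.cert contains no PEM certificate block")
        elif n == 1:
            findings.append("ssl.cert holds only the leaf certificate; point it at fullchain.pem")
        if not ssl_cfg.get("key"):
            findings.append("ssl.key is empty")
    elif config.get("run_type") == "client":
        # trojan docs: an empty ssl.sni means remote_addr is used as the server name.
        name = ssl_cfg.get("sni") or config.get("remote_addr", "")
        if is_ip_literal(name):
            findings.append(f"{name!r} is an IP literal; use the hostname the certificate was issued for")
        elif san_names and not any(name_matches(san, name) for san in san_names):
            findings.append(f"{name!r} is covered by none of the certificate names {san_names}")
        if not ssl_cfg.get("verify", True) or not ssl_cfg.get("verify_hostname", True):
            findings.append("ssl.verify or ssl.verify_hostname is off: the tunnel is unauthenticated")
    return findings


# Constructed placeholders: the bodies are not real certificates.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----\n"
FULLCHAIN_PEM = LEAF_PEM + "-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n"
SERVER_CFG = {"run_type": "server", "ssl": {"cert": "/etc/trojan/cert.pem", "key": "/etc/trojan/privkey.pem"}}
CLIENT_CFG_IP = {"run_type": "client", "remote_addr": "203.0.113.5", "remote_port": 443,
                 "ssl": {"verify": True, "verify_hostname": True, "sni": ""}}
CLIENT_CFG_HOST = {**CLIENT_CFG_IP, "remote_addr": "x.y.domain.com"}


def run_demo() -> Dict[str, List[str]]:
    """The thread's cases: leaf-only server, IP remote_addr, two-level name vs one-level wildcard."""
    sans = ["www.domain.com", "*.domain.com"]
    return {
        "server_leaf_only": check_config(SERVER_CFG, LEAF_PEM),
        "server_fullchain": check_config(SERVER_CFG, FULLCHAIN_PEM),
        "client_ip": check_config(CLIENT_CFG_IP),
        "client_two_level": check_config(CLIENT_CFG_HOST, san_names=sans),
        "client_fixed": check_config(CLIENT_CFG_HOST, san_names=sans + ["*.y.domain.com"]),
    }


if __name__ == "__main__":
    for case, found in run_demo().items():
        print(case, found or "ok")
```

Running it without arguments prints the five cases; only `server_fullchain` and `client_fixed` come back clean. To check a real deployment, `json.load` the config.json, read the file named in ssl.cert, and pass the SAN list from the openssl command in the docstring. The checker only counts PEM blocks; it does not verify that the second block really is the issuer of the first, so pair it with the `openssl s_client -showcerts` check against the live port.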
