SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

tls: failed to verify certificate: x509: certificate is valid for new.download.the-best-airport.com, www.new.download.the-best-airport.com, not hk1.2220c5ef-679-3419-6ed9-4800 #1935

Closed aipame closed 1 month ago

aipame commented 1 month ago

Operating system

iOS

System version

16.7.8

Installation type

sing-box for iOS Graphical Client

If you are using a graphical client, please provide the version of the client.

1.9.3

Version

No response

Description

(packet-tunnel) error: start service: Get "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db": tls: failed to verify certificate: x509: certificate is valid for new.download.the-best-airport.com, www.new.download.the-best-airport.com, not hk1.2220c5ef-679-3419-6ed9-4800 53ddff96.6df03129.the-best-

Reproduction

IMG_0326

Logs

No response

Supporter

Integrity requirements

simplerick-simplefun commented 1 month ago

The outbound.tls.server_name you provided is "hk1.2220c5.......", however the server of the IP it resolves to does not provide a certificate for that specific FQDN.

You should either modify your server to include your desired FQDN in your cert, or change your client settings to use one of the two domains included in the cert as outbound.tls.server_name.

Your last resort is to change outbound.tls.insecure to true, however it's not recommended and has security issues.
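
The hostname check behind this error, as an added example (not sing-box's own code and not part of the original thread): a Go program that builds a throwaway self-signed certificate with the two SANs from the error message and tests candidate server_name values against it. `makeCert`, `usableServerNames` and the name `hk1.node.example.com` are constructed for illustration, since the real hostname is truncated on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway self-signed certificate carrying the given DNS SANs.
func makeCert(sans []string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// usableServerNames returns the candidates that pass the certificate's hostname check.
func usableServerNames(cert *x509.Certificate, candidates []string) []string {
	var ok []string
	for _, name := range candidates {
		if cert.VerifyHostname(name) == nil {
			ok = append(ok, name)
		}
	}
	return ok
}

func main() {
	// SANs as quoted in the error above; the hk1 name is a constructed placeholder.
	sans := []string{"new.download.the-best-airport.com", "www.new.download.the-best-airport.com"}
	cert, err := makeCert(sans)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.VerifyHostname("hk1.node.example.com"))
	fmt.Println(usableServerNames(cert, append(sans, "hk1.node.example.com")))
}
```

The first line printed has the same shape as the reported error; the second lists only the names the certificate actually covers, which are the values that work as server_name without disabling verification.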