XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

Failed to start: main: failed to load config files: [/usr/local/etc/xray/config.json] > infra/conf: Failed to build TLS config. > infra/conf: failed to parse certificate > #2488

Closed nenakatu closed 4 months ago

nenakatu commented 1 year ago

Help solve the problem with certificates. I can't figure out what's wrong with them. Ways in a config are registered correctly several times checked. With certificates (from letsencrypt) everything is also in order to be opened using cat.

-- Reboot --
Aug 25 00:11:46 vm43 systemd[1]: Started Xray Service.
Aug 25 00:11:46 vm43 xray[428]: Xray 1.7.5 (Xray, Penetrates Everything.) Custom (go1.20 linux/amd64)
Aug 25 00:11:46 vm43 xray[428]: A unified platform for anti-censorship.
Aug 25 00:11:46 vm43 xray[428]: 2023/08/25 00:11:46 [Info] infra/conf/serial: Reading config: /usr/local/etc/xray/config.json
Aug 25 00:11:46 vm43 xray[428]: Failed to start: main: failed to load config files: [/usr/local/etc/xray/config.json] > infra/conf: Failed to build TLS config. > infra/conf: failed to parse certificate > ope>
Aug 25 00:11:46 vm43 systemd[1]: xray.service: Main process exited, code=exited, status=23/n/a
Aug 25 00:11:46 vm43 systemd[1]: xray.service: Failed with result 'exit-code'.

zxbiao commented 1 year ago

please show your config file code

nenakatu commented 1 year ago

{
  "log": { "loglevel": "info" },
  "routing": { "rules": [], "domainStrategy": "AsIs" },
  "inbounds": [
    {
      "port": 23,
      "tag": "ss",
      "protocol": "shadowsocks",
      "settings": {
        "method": "2022-blake3-aes-128-gcm",
        "password": "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb",
        "network": "tcp,udp"
      }
    },
    {
      "port": 443,
      "protocol": "vless",
      "tag": "vless_tls",
      "settings": {
        "clients": [
          { "id": "7957c33c-d9ca-11ed-afa1-0242ac120002", "email": "user1@myserver", "flow": "xtls-rprx-vision" }
        ],
        "decryption": "none",
        "fallbacks": [
          { "path": "/myverysecretpath", "dest": "@vless-ws" },
          { "dest": "8080" }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "alpn": [ "http/1.1", "h2" ],
          "certificates": [
            {
              "certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",
              "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"
            }
          ]
        }
      },
      "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] }
    },
    {
      "listen": "@vless-ws",
      "protocol": "vless",
      "tag": "vless_ws",
      "settings": {
        "clients": [
          { "id": "7957c33c-d9ca-11ed-afa1-0242ac120002", "email": "user2@myserver" }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": { "path": "/myverysecretpath" }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ]
}

The config is like this. Of course, I have my own paths to the privkey.pem and fullchain.pem files; here I specify others, because they contain the name of my domain (but I checked them several times, they are correct).

zxbiao commented 1 year ago

…… "certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem", "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem" ……

Are the permissions of those 2 files 755? Is xray managed by systemd? Maybe you should use the ln command to link these two files to another place (for example: /home/ssl) and grant 755 and user group permissions.

nenakatu commented 1 year ago

The permission on them is rwx; they are already symbolic links to "certificateFile": "/etc/letsencrypt/archive/example.com/fullchain.pem", "keyFile": "/etc/letsencrypt/archive/example.com/privkey.pem". Yes, systemd init system. Previously, I installed XTLS via the install script link bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install. Now I tried to do it myself and it worked; I did not change the config.

zxbiao commented 1 year ago

This situation is generally:

  1. File permission problem, the permissions of the user running xray and the SSL file are inconsistent.
  2. The content of the SSL certificate is incomplete

The one-click script of xray is adapted for the more popular Linux distributions. After all, most of them use systemd to manage the process, so the usability is relatively high.

chika0801 commented 1 year ago

https://github.com/v2fly/fhs-install-v2ray/wiki/Insufficient-permissions-when-using-certificates-zh-Hans-CN

chown -R nobody:nogroup /etc/letsencrypt/live/example.com/

"certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem", "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"

nenakatu commented 1 year ago

And another question: if you install it through the script using the link I mentioned above, is a new user created for the xtls daemon, or does it work under root? When I set it up on my own, it turns out it works under root.

chika0801 commented 1 year ago

https://github.com/XTLS/Xray-install

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root

The user is root after this installation.

If it is not installed this way and the user is nobody, it will ask for SSL certificate with permission issues.

nenakatu commented 1 year ago

And by default, which user's script hangs nobody?

chika0801 commented 1 year ago

https://github.com/XTLS/Xray-core/issues/2488#issuecomment-1693694669

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

The reasoning is that when installing with the above command, you will only need to be aware of SSL certificate permissions when using this combination VLESS-XTLS-Vision of protocols.

nenakatu commented 1 year ago

Yes, I understood it, now I'm trying to understand under which user this script launches xray? Creates a new or uses an existing "nobody"? That is, I do not want my xray to run under root, as I have it set up now, but under another user with less privileges.

chika0801 commented 1 year ago

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

After installing it this way, it is using nobody and nogroup.

https://github.com/XTLS/Xray-install

Here's the link to the install script so you can check it out.

nenakatu commented 1 year ago

Is it possible to install it myself without a script, on a clean Ubuntu 20.04 server system, using the following method? Correct me if it's not correct.

Create a new user "xrayuser" without a home directory and shell access.

# sudo adduser --shell /usr/sbin/nologin --no-create-home xrayuser

Download the archive with the program to the server.

# wget https://github.com/XTLS/Xray-core/releases/download/v1.8.0/Xray-linux-64.zip

Create a directory, unpack the archive into it, and give the xray file the rights to run.

# mkdir /opt/xray
# unzip ./Xray-linux-64.zip -d /opt/xray
# chmod +x /opt/xray/xray

Allow the process to open sockets on privileged ports without having to run the entire process as superuser (root).

# setcap cap_net_bind_service=+ep /opt/xray/xray

Create a systemd unit with the following content.

# nano /etc/systemd/system/xray.service

[Unit]
Description=Xray Service
After=network.target

[Service]
ExecStart=/opt/xray/xray run -c /opt/xray/config.json
Restart=on-failure
RestartSec=30
User=xrayuser
Type=simple

[Install]
WantedBy=multi-user.target

I transfer the certificates to another directory and give the appropriate permission according to this recommendation

https://github.com/XTLS/Xray-core/issues/2488#issuecomment-1693694669

But for some reason it does not start, and if I do everything the same (with minor exceptions) only from the root, then everything works. What am I doing wrong?

chika0801 commented 1 year ago

I'm limited, I can't help you with this one problem of yours.

us254 commented 1 year ago

The steps you tried to install Xray manually without a script seem to be correct, except for one thing: you need to change the owner and group of the /opt/xray directory and its contents to xrayuser, otherwise Xray will not be able to access them. You can do this by running the following command:

sudo chown -R xrayuser:xrayuser /opt/xray

After that, you should be able to start Xray with your systemd unit.
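The thread's two fixes (chown -R on the certificate directory, chown -R on /opt/xray) both come down to the same question: can the uid that systemd starts xray as actually open the files named in the config? As an added example, not part of this issue or of the Xray project, the script below answers that for a given file and uid/gid the way the kernel's permission check does: it resolves the symlink (letsencrypt's live/ entries point into archive/), requires the x bit on every directory of the resolved path, and then the r bit on the file itself, reporting the first component that blocks access. It assumes Linux with GNU coreutils (stat -c, readlink -f) and only considers the primary group, so ACLs and supplementary groups are not seen; a "yes" from it is reliable, a "no" is worth confirming with `sudo -u <user> cat <file>`.

```shell
#!/bin/sh
# Added example, not part of the Xray project or of this issue thread.
# Checks whether a service user (given as uid/gid) could read a certificate
# file the way xray would at startup: the symlink is resolved, every directory
# on the resolved path must grant x (traverse), and the final file must grant r.
# Assumes Linux with GNU coreutils (stat -c, readlink -f). Only the primary
# group is considered (supplementary groups and ACLs are ignored).

# bit_allows MODE FUID FGID UID GID BIT -> 0 if BIT (r or x) is granted
bit_allows() {
  mode=$1; fuid=$2; fgid=$3; uid=$4; gid=$5; bit=$6
  # Pick the owner, group or other digit of the three-digit octal mode
  if [ "$uid" = "$fuid" ]; then digit=$(printf '%s' "$mode" | cut -c1)
  elif [ "$gid" = "$fgid" ]; then digit=$(printf '%s' "$mode" | cut -c2)
  else digit=$(printf '%s' "$mode" | cut -c3)
  fi
  case $bit in
    r) [ $((digit & 4)) -ne 0 ] ;;
    x) [ $((digit & 1)) -ne 0 ] ;;
    *) return 2 ;;
  esac
}

# check_one PATH UID GID BIT -> 0 if PATH grants BIT to UID/GID, 2 if stat fails
check_one() {
  info=$(stat -c '%a %u %g' "$1" 2>/dev/null) || return 2
  # positional after this: $1=UID $2=GID $3=BIT $4=mode $5=file uid $6=file gid
  set -- "$2" "$3" "$4" $info
  # keep only the last three octal digits (drops setuid/setgid/sticky)
  mode=$(printf '%03d' "$4"); mode=${mode#"${mode%???}"}
  bit_allows "$mode" "$5" "$6" "$1" "$2" "$3"
}

# can_read FILE UID GID -> 0 if readable; otherwise prints the first blocking
# path component and returns 1 (2 if the path cannot be resolved)
can_read() {
  target=$(readlink -f "$1") || return 2
  uid=$2; gid=$3
  [ "$uid" = 0 ] && return 0            # root bypasses mode bits
  dir=$(dirname "$target")
  while :; do                           # walk up to / checking traverse
    check_one "$dir" "$uid" "$gid" x || { echo "uid $uid cannot traverse $dir"; return 1; }
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
  check_one "$target" "$uid" "$gid" r || { echo "uid $uid cannot read $target"; return 1; }
  return 0
}

# Usage: sh check_cert_access.sh /etc/letsencrypt/live/example.com/fullchain.pem nobody
# (second argument defaults to nobody, the user the install script uses)
if [ "$#" -ge 1 ]; then
  u=${2:-nobody}
  can_read "$1" "$(id -u "$u")" "$(id -g "$u")" && echo "ok: $u can read $1"
fi
```

Run it once for certificateFile and once for keyFile against the User= from the unit file. The blocking component it names is often a directory rather than the .pem file, which is why chmod on the two files alone, or a chown that does not reach the symlink targets under archive/, can leave the "failed to parse certificate" error in place.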

nenakatu commented 1 year ago

After that, you should be able to start Xray with your systemd unit.

Thank you, it really helped, the service started!