Getting Valid TLS Certificates

If you have configured a TLS-enabled inbound on your Sing-Box VPN server, it needs a valid certificate. Sing-Box's built-in ACME client can request, save, and renew certificates for you, so you do not need a separate certbot run.

The ACME challenges need the certificate authority to reach Sing-Box directly on port 80 (http-01) and port 443 (tls-alpn-01), so before the first run you may need to stop any program that is currently listening on those ports. For example, if nginx is running, stop it:

service nginx stop

Change to the Sing-Box directory:

cd /etc/sing-box

Run Sing-Box in the foreground so you can watch the certificate exchange:

sing-box run

If certificate issuance fails, Sing-Box exits with an error like this one:

FATAL[0016] start service: initialize inbound/trojan[trojan-ws]: create TLS config: trojan-ws.example.com: obtaining certificate: [trojan-ws.example.com] Obtain: [trojan-ws.example.com] solving challenge: trojan-ws.example.com: [trojan-ws.example.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge (ca=https://acme-v02.api.letsencrypt.org/directory)
  • Check that the subdomain exists and resolves to your VPS's public IP address. If the name sits behind a CDN proxy (for example Cloudflare's proxy mode), turn the proxy off for that name: a proxied name resolves to the CDN's addresses, so the CA's challenge never reaches Sing-Box.
  • Check that no firewall, on the VPS or at the hosting provider, blocks inbound TCP on ports 80 and 443.
  • Check that nginx (or anything else that listens on ports 80 or 443) is really stopped.
  • Read the error itself. In the example above the CA reports that it could not negotiate the "acme-tls/1" ALPN protocol for the tls-alpn-01 challenge on port 443. That means something other than Sing-Box answered the TLS connection, typically a web server still listening on 443 or a proxy in front of the name.

When issuance succeeds, the last lines of output look something like this:

.
.
.
1.671085205408839e+09   info    obtain  certificate obtained successfully       {"identifier": "hysteria.example.com"}
1.671085205409201e+09   info    obtain  releasing lock  {"identifier": "hysteria.example.com"}
INFO[0025] inbound/hysteria[hysteria-in]: udp server started at 127.0.0.1:52006
1.671085205482756e+09   info    obtain  acquiring lock  {"identifier": "naive.example.com"}
1.671085205485794e+09   info    obtain  lock acquired   {"identifier": "naive.example.com"}
1.6710852054862309e+09  info    obtain  obtaining certificate   {"identifier": "naive.example.com"}
1.67108520548713e+09    info    waiting on internal rate limiter        {"identifiers": ["naive.example.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "singbox@example.com"}
1.6710852054874985e+09  info    done waiting on internal rate limiter   {"identifiers": ["naive.example.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "singbox@example.com"}
1.6710852058596175e+09  info    acme_client     trying to solve challenge       {"identifier": "naive.example.com", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
1.6710852059782019e+09  info    served key authentication       {"identifier": "naive.example.com", "challenge": "http-01", "remote": "xx.xx.xx.xx:56908", "distributed": false}
1.6710852060162573e+09  info    served key authentication       {"identifier": "naive.example.com", "challenge": "http-01", "remote": "xx.xx.xx.xx:49636", "distributed": false}
1.6710852060687323e+09  info    served key authentication       {"identifier": "naive.example.com", "challenge": "http-01", "remote": "xx.xx.xx.xx:35060", "distributed": false}
1.6710852065598474e+09  info    acme_client     authorization finalized {"identifier": "naive.example.com", "authz_status": "valid"}
1.6710852065602903e+09  info    acme_client     validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/872321867/152827503507"}
1.671085207032615e+09   info    acme_client     successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/03cbdc4aa486bba0c71ea0a410aa46d2cdbb"}
1.6710852070336227e+09  info    obtain  certificate obtained successfully       {"identifier": "naive.example.com"}
1.671085207036012e+09   info    obtain  releasing lock  {"identifier": "naive.example.com"}
INFO[0026] inbound/naive[naive-in]: tcp server started at 127.0.0.1:52007
INFO[0026] sing-box started (26.955s)

All is well: each TLS inbound has obtained its certificate. Stop Sing-Box with Ctrl + C.

Now you can enable the Sing-Box service and start nginx again:

service nginx start
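As an added example (not part of this guide and not Sing-Box's own code), the script below turns the troubleshooting checklist and the success output above into checks you can run before and after "sing-box run". The pure helpers take their data from arguments or stdin so they work offline; preflight() is the live version and assumes a Linux host with ss, getent, awk and curl, and uses https://api.ipify.org to learn the public IP (an assumption; substitute your own method if you prefer). The ss listing, the success lines and the abbreviated FATAL line embedded in it are constructed samples modelled on the output shown above, not real output from any host.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the ACME failure modes listed above and a
# summary of `sing-box run` output. Not part of the original guide or of Sing-Box.

# dns_status RESOLVED PUBLIC
# RESOLVED is the newline-separated list of A records the hostname resolves to,
# PUBLIC is this VPS's public IPv4. Prints ok, mismatch or unresolved.
# A CDN-proxied name usually resolves to several addresses that are not yours,
# which shows up here as "mismatch".
dns_status() {
    local resolved=$1 public=$2
    if [ -z "$resolved" ]; then
        echo unresolved
    elif [ "$resolved" = "$public" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# busy_ports PORT...
# Reads `ss -Hltn` output on stdin and prints "PORT LOCAL_ADDRESS" for every
# requested port that already has a TCP listener. Always returns 0; callers
# test whether the output is empty.
busy_ports() {
    local state recvq sendq local_addr rest port want
    while read -r state recvq sendq local_addr rest; do
        port=${local_addr##*:}          # works for 0.0.0.0:80 and [::]:443
        for want in "$@"; do
            if [ "$port" = "$want" ]; then
                echo "$want $local_addr"
            fi
        done
    done
    return 0
}

# acme_summary
# Reads `sing-box run` output on stdin and prints "obtained NAME" for every
# identifier whose certificate was issued, and "fatal" if Sing-Box aborted.
acme_summary() {
    awk '
        /certificate obtained successfully/ {
            sub(/.*"identifier": "/, ""); sub(/".*/, ""); print "obtained " $0
        }
        /^FATAL/ { print "fatal" }
    '
}

# preflight NAME: live checks for one inbound's hostname (needs network access).
preflight() {
    local name=$1 public resolved busy
    public=$(curl -4fsS https://api.ipify.org)      # assumption: service reachable
    resolved=$(getent ahostsv4 "$name" | awk '{print $1}' | sort -u)
    echo "dns for $name: $(dns_status "$resolved" "$public")"
    echo "  resolved to: $(printf '%s' "$resolved" | tr '\n' ' ')"
    echo "  public ip:   $public"
    busy=$(ss -Hltn | busy_ports 80 443)
    if [ -n "$busy" ]; then
        echo "listeners on 80/443 (stop them before 'sing-box run'):"
        echo "$busy"
    else
        echo "ports 80 and 443 are free"
    fi
}

# Constructed samples for the offline demo (modelled on the guide's output).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'
SAMPLE_LOG='1.671085205408839e+09   info    obtain  certificate obtained successfully       {"identifier": "hysteria.example.com"}
INFO[0025] inbound/hysteria[hysteria-in]: udp server started at 127.0.0.1:52006
1.6710852070336227e+09  info    obtain  certificate obtained successfully       {"identifier": "naive.example.com"}
INFO[0026] sing-box started (26.955s)'
SAMPLE_FATAL='FATAL[0016] start service: initialize inbound/trojan[trojan-ws]: create TLS config: trojan-ws.example.com: obtaining certificate: (abbreviated)'

if [ "${1:-}" = "--live" ]; then
    preflight "${2:?usage: $0 --live hostname}"
else
    echo "busy ports in sample:";      printf '%s\n' "$SAMPLE_SS" | busy_ports 80 443
    echo "acme summary of sample:";    printf '%s\n' "$SAMPLE_LOG" | acme_summary
    echo "acme summary of failure:";   printf '%s\n' "$SAMPLE_FATAL" | acme_summary
fi
```

Run it with no arguments to see the offline demo, or as "./preflight.sh --live naive.example.com" on the VPS (a name you substitute with your own) before starting "sing-box run". A "mismatch" from the DNS check with several resolved addresses is the typical signature of a proxy still enabled at the CDN; a listener reported on 80 or 443 is the typical cause of the "Cannot negotiate ALPN protocol" error.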