[GH-ISSUE #1071] [Bug] failed to create ssh client: ssh: unknown cipher "aes256-gcm@openssh.com", only supports "aes256-ctr" or "aes256-cbc" #723

Closed
opened 2026-03-03 01:05:30 +03:00 by kerem · 1 comment
Originally created by @ZeroClover on GitHub (Nov 30, 2025).
Original GitHub issue: https://github.com/certimate-go/certimate/issues/1071

Release Version

0.4.7

Description

When trying to deploy a certificate via SSH, it cannot connect to the server.

Steps to reproduce

Deploy a certificate to a server via SSH.

Logs


[2025-11-30 05:45:01]
ready to deploy certificate ...
config:
{"certificateOutputNodeId":"JBtH6ihYOwMsXGGVMmyWS","provider":"ssh","providerAccessId":"0iznugl13ztdyge","providerConfig":{"certPath":"/path/to/pub.pem","certPathForIntermediaOnly":"/path/to/ca.pem","certPathForServerOnly":"","format":"PEM","keyPath":"/path/to/pri.pem","postCommand":"REDACTED","preCommand":"REDACTED"},"skipOnLastSucceeded":true}
[2025-11-30 05:45:01]
could not deploy certificate
[2025-11-30 05:45:01]
failed to create ssh client: ssh: unknown cipher "aes256-gcm@openssh.com", only supports "aes256-ctr" or "aes256-cbc"

Miscellaneous

sshd_config is the Debian 12 default configuration:


# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 5
ClientAliveCountMax 12
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Contribution

  • I am interested in contributing a PR for this!
kerem 2026-03-03 01:05:30 +03:00
  • closed this issue
  • added the bug label

@ZeroClover commented on GitHub (Nov 30, 2025):

After reading the code, I found that this error has nothing to do with the SSH server's algorithms; it is related to the cipher used to encrypt the SSH private key.

Go currently supports aes256-gcm@openssh.com for SSH session encryption/decryption, but does not yet support it for private key encryption/decryption.

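The diagnosis above can be confirmed without a live SSH connection: the cipher and KDF names sit unencrypted at the front of the openssh-key-v1 container, before any key material. The following is an added example (not certimate's or golang.org/x/crypto's own code) that parses that preamble with only the Go standard library and applies the same acceptance rule the error message on this page reflects: unencrypted keys, or bcrypt-KDF keys encrypted with aes256-ctr or aes256-cbc, are the only combinations golang.org/x/crypto/ssh will open. The container bytes are constructed in place with placeholder key material, so the "keys" it inspects are not usable keys; the names InspectOpenSSHKey, GoSSHCanOpen and BuildFakeContainer are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// opensshMagic is the fixed prefix of the openssh-key-v1 container (trailing NUL included).
const opensshMagic = "openssh-key-v1\x00"

// KeyHeader holds the unencrypted preamble of an OpenSSH private key file.
type KeyHeader struct {
	Cipher  string // e.g. "none", "aes256-ctr", "aes256-gcm@openssh.com"
	KDF     string // "none" or "bcrypt"
	NumKeys uint32
}

// readString reads one SSH wire-format string: uint32 big-endian length, then bytes.
func readString(r *bytes.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if uint64(n) > uint64(r.Len()) {
		return nil, errors.New("string length exceeds remaining data")
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// InspectOpenSSHKey parses the PEM wrapper and the cleartext preamble
// (cipher, KDF, KDF options, key count) and stops before any private data.
func InspectOpenSSHKey(pemData []byte) (KeyHeader, error) {
	var h KeyHeader
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "OPENSSH PRIVATE KEY" {
		return h, errors.New("not an OPENSSH PRIVATE KEY PEM block")
	}
	if !bytes.HasPrefix(block.Bytes, []byte(opensshMagic)) {
		return h, errors.New("missing openssh-key-v1 magic")
	}
	r := bytes.NewReader(block.Bytes[len(opensshMagic):])
	cipher, err := readString(r)
	if err != nil {
		return h, fmt.Errorf("cipher name: %w", err)
	}
	kdf, err := readString(r)
	if err != nil {
		return h, fmt.Errorf("kdf name: %w", err)
	}
	if _, err := readString(r); err != nil { // kdf options (salt+rounds for bcrypt), not needed here
		return h, fmt.Errorf("kdf options: %w", err)
	}
	if err := binary.Read(r, binary.BigEndian, &h.NumKeys); err != nil {
		return h, fmt.Errorf("key count: %w", err)
	}
	h.Cipher, h.KDF = string(cipher), string(kdf)
	return h, nil
}

// GoSSHCanOpen applies the rule behind the error on this page: x/crypto/ssh decrypts
// OpenSSH keys only with the bcrypt KDF and the aes256-ctr or aes256-cbc cipher.
func GoSSHCanOpen(h KeyHeader) (bool, string) {
	switch {
	case h.Cipher == "none" && h.KDF == "none":
		return true, "unencrypted key"
	case h.KDF != "bcrypt":
		return false, fmt.Sprintf("KDF %q unsupported, only bcrypt", h.KDF)
	case h.Cipher == "aes256-ctr" || h.Cipher == "aes256-cbc":
		return true, "encrypted with a supported cipher"
	default:
		return false, fmt.Sprintf("cipher %q unsupported; re-encrypt with: ssh-keygen -p -Z aes256-ctr -f <keyfile>", h.Cipher)
	}
}

// BuildFakeContainer builds a structurally valid openssh-key-v1 PEM file with
// placeholder key material. Constructed test data only: it is not a usable key.
func BuildFakeContainer(cipher, kdf string) []byte {
	var b bytes.Buffer
	b.WriteString(opensshMagic)
	put := func(s string) {
		b.Write(binary.BigEndian.AppendUint32(nil, uint32(len(s))))
		b.WriteString(s)
	}
	put(cipher)
	put(kdf)
	put("placeholder-kdf-options")
	b.Write(binary.BigEndian.AppendUint32(nil, 1)) // one key
	put("placeholder-public-key")
	put("placeholder-private-section")
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: b.Bytes()})
}

func main() {
	for _, c := range [][2]string{{"aes256-gcm@openssh.com", "bcrypt"}, {"aes256-ctr", "bcrypt"}, {"none", "none"}} {
		h, err := InspectOpenSSHKey(BuildFakeContainer(c[0], c[1]))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		ok, why := GoSSHCanOpen(h)
		fmt.Printf("cipher=%-24s kdf=%-7s go-ssh-ok=%-5v %s\n", h.Cipher, h.KDF, ok, why)
	}
}
```

Pointed at a real key file instead of the constructed containers, the same InspectOpenSSHKey call tells you whether certimate's SSH deploy step will fail before you ever configure it. The remediation is on the key, not on sshd: `ssh-keygen -p -Z aes256-ctr -f <keyfile>` re-encrypts the existing private key under a cipher the Go parser accepts (you will be prompted for the old and new passphrase), and the sshd_config pasted in the report can stay as it is.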