Refactor ACME support to certificate provider

2026-04-14 20:58:33 +10:00 · 2026-03-23 20:04:36 +08:00
parent 733361c567
commit cc2098c0da
48 changed files with 3084 additions and 173 deletions
--- a/docs/configuration/shared/certificate-provider/acme.md
+++ b/docs/configuration/shared/certificate-provider/acme.md
@@ -0,0 +1,150 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [account_key](#account_key)  
+    :material-plus: [key_type](#key_type)  
+    :material-plus: [detour](#detour)
+
+# ACME
+
+!!! quote ""
+
+    `with_acme` build tag required.
+
+### Structure
+
+```json
+{
+  "type": "acme",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "default_server_name": "",
+  "email": "",
+  "provider": "",
+  "account_key": "",
+  "disable_http_challenge": false,
+  "disable_tls_alpn_challenge": false,
+  "alternative_http_port": 0,
+  "alternative_tls_port": 0,
+  "external_account": {
+    "key_id": "",
+    "mac_key": ""
+  },
+  "dns01_challenge": {},
+  "key_type": "",
+  "detour": ""
+}
+```
+
+### Fields
+
+#### domain
+
+==Required==
+
+List of domains.
+
+#### data_directory
+
+The directory to store ACME data.
+
+`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
+
+#### default_server_name
+
+Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
+
+#### email
+
+The email address to use when creating or selecting an existing ACME server account.
+
+#### provider
+
+The ACME CA provider to use.
+
+| Value                   | Provider      |
+|-------------------------|---------------|
+| `letsencrypt (default)` | Let's Encrypt |
+| `zerossl`               | ZeroSSL       |
+| `https://...`           | Custom        |
+
+When `provider` is `zerossl`, sing-box will automatically request ZeroSSL EAB credentials if `email` is set and
+`external_account` is empty.
+
+When `provider` is `zerossl`, at least one of `external_account`, `email`, or `account_key` is required.
+
+#### account_key
+
+!!! question "Since sing-box 1.14.0"
+
+The PEM-encoded private key of an existing ACME account.
+
+#### disable_http_challenge
+
+Disable all HTTP challenges.
+
+#### disable_tls_alpn_challenge
+
+Disable all TLS-ALPN challenges
+
+#### alternative_http_port
+
+The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
+listener for the HTTP challenge.
+
+#### alternative_tls_port
+
+The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
+succeed.
+
+#### external_account
+
+EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
+by the CA.
+
+External account bindings are used to associate an ACME account with an existing account in a non-ACME system, such as
+a CA customer database.
+
+To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
+key identifier, using some mechanism outside of ACME. §7.3.4
+
+#### external_account.key_id
+
+The key identifier.
+
+#### external_account.mac_key
+
+The MAC key.
+
+#### dns01_challenge
+
+ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
+
+See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.
+
+#### key_type
+
+!!! question "Since sing-box 1.14.0"
+
+The private key type to generate for new certificates.
+
+| Value      | Type    |
+|------------|---------|
+| `ed25519`  | Ed25519 |
+| `p256`     | P-256   |
+| `p384`     | P-384   |
+| `rsa2048`  | RSA     |
+| `rsa4096`  | RSA     |
+
+#### detour
+
+!!! question "Since sing-box 1.14.0"
+
+The tag of the upstream outbound.
+
+All provider HTTP requests will use this outbound.
--- a/docs/configuration/shared/certificate-provider/acme.zh.md
+++ b/docs/configuration/shared/certificate-provider/acme.zh.md
@@ -0,0 +1,145 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [account_key](#account_key)  
+    :material-plus: [key_type](#key_type)  
+    :material-plus: [detour](#detour)
+
+# ACME
+
+!!! quote ""
+
+    需要 `with_acme` 构建标签。
+
+### 结构
+
+```json
+{
+  "type": "acme",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "default_server_name": "",
+  "email": "",
+  "provider": "",
+  "account_key": "",
+  "disable_http_challenge": false,
+  "disable_tls_alpn_challenge": false,
+  "alternative_http_port": 0,
+  "alternative_tls_port": 0,
+  "external_account": {
+    "key_id": "",
+    "mac_key": ""
+  },
+  "dns01_challenge": {},
+  "key_type": "",
+  "detour": ""
+}
+```
+
+### 字段
+
+#### domain
+
+==必填==
+
+域名列表。
+
+#### data_directory
+
+ACME 数据存储目录。
+
+如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。
+
+#### default_server_name
+
+如果 ClientHello 的 ServerName 字段为空，则选择证书时要使用的服务器名称。
+
+#### email
+
+创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。
+
+#### provider
+
+要使用的 ACME CA 提供商。
+
+| 值                  | 提供商           |
+|--------------------|---------------|
+| `letsencrypt (默认)` | Let's Encrypt |
+| `zerossl`          | ZeroSSL       |
+| `https://...`      | 自定义           |
+
+当 `provider` 为 `zerossl` 时，如果设置了 `email` 且未设置 `external_account`，
+sing-box 会自动向 ZeroSSL 请求 EAB 凭据。
+
+当 `provider` 为 `zerossl` 时，必须至少设置 `external_account`、`email` 或 `account_key` 之一。
+
+#### account_key
+
+!!! question "自 sing-box 1.14.0 起"
+
+现有 ACME 帐户的 PEM 编码私钥。
+
+#### disable_http_challenge
+
+禁用所有 HTTP 质询。
+
+#### disable_tls_alpn_challenge
+
+禁用所有 TLS-ALPN 质询。
+
+#### alternative_http_port
+
+用于 ACME HTTP 质询的备用端口；如果非空，将使用此端口而不是 80 来启动 HTTP 质询的侦听器。
+
+#### alternative_tls_port
+
+用于 ACME TLS-ALPN 质询的备用端口； 系统必须将 443 转发到此端口以使质询成功。
+
+#### external_account
+
+EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
+
+外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联，例如 CA 客户数据库。
+
+为了启用 ACME 帐户绑定，运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
+
+#### external_account.key_id
+
+密钥标识符。
+
+#### external_account.mac_key
+
+MAC 密钥。
+
+#### dns01_challenge
+
+ACME DNS01 质询字段。如果配置，将禁用其他质询方法。
+
+参阅 [DNS01 质询字段](/zh/configuration/shared/dns01_challenge/)。
+
+#### key_type
+
+!!! question "自 sing-box 1.14.0 起"
+
+为新证书生成的私钥类型。
+
+| 值         | 类型      |
+|-----------|----------|
+| `ed25519` | Ed25519 |
+| `p256`    | P-256   |
+| `p384`    | P-384   |
+| `rsa2048` | RSA     |
+| `rsa4096` | RSA     |
+
+#### detour
+
+!!! question "自 sing-box 1.14.0 起"
+
+上游出站的标签。
+
+所有提供者 HTTP 请求将使用此出站。
--- a/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md
+++ b/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md
@@ -0,0 +1,82 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Cloudflare Origin CA
+
+### Structure
+
+```json
+{
+  "type": "cloudflare-origin-ca",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "api_token": "",
+  "origin_ca_key": "",
+  "request_type": "",
+  "requested_validity": 0,
+  "detour": ""
+}
+```
+
+### Fields
+
+#### domain
+
+==Required==
+
+List of domain names or wildcard domain names to include in the certificate.
+
+#### data_directory
+
+Root directory used to store the issued certificate, private key, and metadata.
+
+If empty, sing-box uses the same default data directory as the ACME certificate provider:
+`$XDG_DATA_HOME/certmagic` or `$HOME/.local/share/certmagic`.
+
+#### api_token
+
+Cloudflare API token used to create the certificate.
+
+Get or create one in [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens).
+
+Requires the `Zone / SSL and Certificates / Edit` permission.
+
+Conflict with `origin_ca_key`.
+
+#### origin_ca_key
+
+Cloudflare Origin CA Key.
+
+Get it in [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens).
+
+Conflict with `api_token`.
+
+#### request_type
+
+The signature type to request from Cloudflare.
+
+| Value                | Type        |
+|----------------------|-------------|
+| `origin-rsa`         | RSA         |
+| `origin-ecc`         | ECDSA P-256 |
+
+`origin-rsa` is used if empty.
+
+#### requested_validity
+
+The requested certificate validity in days.
+
+Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`.
+
+`5475` days (15 years) is used if empty.
+
+#### detour
+
+The tag of the upstream outbound.
+
+All provider HTTP requests will use this outbound.
--- a/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md
+++ b/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md
@@ -0,0 +1,82 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# Cloudflare Origin CA
+
+### 结构
+
+```json
+{
+  "type": "cloudflare-origin-ca",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "api_token": "",
+  "origin_ca_key": "",
+  "request_type": "",
+  "requested_validity": 0,
+  "detour": ""
+}
+```
+
+### 字段
+
+#### domain
+
+==必填==
+
+要写入证书的域名或通配符域名列表。
+
+#### data_directory
+
+保存签发证书、私钥和元数据的根目录。
+
+如果为空，sing-box 会使用与 ACME 证书提供者相同的默认数据目录：
+`$XDG_DATA_HOME/certmagic` 或 `$HOME/.local/share/certmagic`。
+
+#### api_token
+
+用于创建证书的 Cloudflare API Token。
+
+可在 [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens) 获取或创建。
+
+需要 `Zone / SSL and Certificates / Edit` 权限。
+
+与 `origin_ca_key` 冲突。
+
+#### origin_ca_key
+
+Cloudflare Origin CA Key。
+
+可在 [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens) 获取。
+
+与 `api_token` 冲突。
+
+#### request_type
+
+向 Cloudflare 请求的签名类型。
+
+| 值                   | 类型        |
+|----------------------|-------------|
+| `origin-rsa`         | RSA         |
+| `origin-ecc`         | ECDSA P-256 |
+
+如果为空，使用 `origin-rsa`。
+
+#### requested_validity
+
+请求的证书有效期，单位为天。
+
+可用值：`7`、`30`、`90`、`365`、`730`、`1095`、`5475`。
+
+如果为空，使用 `5475` 天（15 年）。
+
+#### detour
+
+上游出站的标签。
+
+所有提供者 HTTP 请求将使用此出站。
--- a/docs/configuration/shared/certificate-provider/index.md
+++ b/docs/configuration/shared/certificate-provider/index.md
@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Certificate Provider
+
+### Structure
+
+```json
+{
+  "certificate_providers": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### Fields
+
+| Type   | Format           |
+|--------|------------------|
+| `acme` | [ACME](/configuration/shared/certificate-provider/acme)   |
+| `tailscale` | [Tailscale](/configuration/shared/certificate-provider/tailscale) |
+| `cloudflare-origin-ca` | [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca) |
+
+#### tag
+
+The tag of the certificate provider.
--- a/docs/configuration/shared/certificate-provider/index.zh.md
+++ b/docs/configuration/shared/certificate-provider/index.zh.md
@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# 证书提供者
+
+### 结构
+
+```json
+{
+  "certificate_providers": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### 字段
+
+| 类型   | 格式             |
+|--------|------------------|
+| `acme` | [ACME](/zh/configuration/shared/certificate-provider/acme)   |
+| `tailscale` | [Tailscale](/zh/configuration/shared/certificate-provider/tailscale) |
+| `cloudflare-origin-ca` | [Cloudflare Origin CA](/zh/configuration/shared/certificate-provider/cloudflare-origin-ca) |
+
+#### tag
+
+证书提供者的标签。
--- a/docs/configuration/shared/certificate-provider/tailscale.md
+++ b/docs/configuration/shared/certificate-provider/tailscale.md
@@ -0,0 +1,27 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Tailscale
+
+### Structure
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-cert",
+  "endpoint": "ts-ep"
+}
+```
+
+### Fields
+
+#### endpoint
+
+==Required==
+
+The tag of the [Tailscale endpoint](/configuration/endpoint/tailscale/) to reuse.
+
+[MagicDNS and HTTPS](https://tailscale.com/kb/1153/enabling-https) must be enabled in the Tailscale admin console.
--- a/docs/configuration/shared/certificate-provider/tailscale.zh.md
+++ b/docs/configuration/shared/certificate-provider/tailscale.zh.md
@@ -0,0 +1,27 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# Tailscale
+
+### 结构
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-cert",
+  "endpoint": "ts-ep"
+}
+```
+
+### 字段
+
+#### endpoint
+
+==必填==
+
+要复用的 [Tailscale 端点](/zh/configuration/endpoint/tailscale/) 的标签。
+
+必须在 Tailscale 管理控制台中启用 [MagicDNS 和 HTTPS](https://tailscale.com/kb/1153/enabling-https)。
--- a/docs/configuration/shared/dns01_challenge.md
+++ b/docs/configuration/shared/dns01_challenge.md
@@ -2,6 +2,14 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [ttl](#ttl)  
+    :material-plus: [propagation_delay](#propagation_delay)  
+    :material-plus: [propagation_timeout](#propagation_timeout)  
+    :material-plus: [resolvers](#resolvers)  
+    :material-plus: [override_domain](#override_domain)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [alidns.security_token](#security_token)  
@@ -12,12 +20,57 @@ icon: material/new-box

 ```json
 {
+  "ttl": "",
+  "propagation_delay": "",
+  "propagation_timeout": "",
+  "resolvers": [],
+  "override_domain": "",
  "provider": "",

  ... // Provider Fields
 }
 ```

+### Fields
+
+#### ttl
+
+!!! question "Since sing-box 1.14.0"
+
+The TTL of the temporary TXT record used for the DNS challenge.
+
+#### propagation_delay
+
+!!! question "Since sing-box 1.14.0"
+
+How long to wait after creating the challenge record before starting propagation checks.
+
+#### propagation_timeout
+
+!!! question "Since sing-box 1.14.0"
+
+The maximum time to wait for the challenge record to propagate.
+
+Set to `-1` to disable propagation checks.
+
+#### resolvers
+
+!!! question "Since sing-box 1.14.0"
+
+Preferred DNS resolvers to use for DNS propagation checks.
+
+#### override_domain
+
+!!! question "Since sing-box 1.14.0"
+
+Override the domain name used for the DNS challenge record.
+
+Useful when `_acme-challenge` is delegated to a different zone.
+
+#### provider
+
+The DNS provider. See below for provider-specific fields.
+
 ### Provider Fields

 #### Alibaba Cloud DNS
--- a/docs/configuration/shared/dns01_challenge.zh.md
+++ b/docs/configuration/shared/dns01_challenge.zh.md
@@ -2,6 +2,14 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [ttl](#ttl)  
+    :material-plus: [propagation_delay](#propagation_delay)  
+    :material-plus: [propagation_timeout](#propagation_timeout)  
+    :material-plus: [resolvers](#resolvers)  
+    :material-plus: [override_domain](#override_domain)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [alidns.security_token](#security_token)  
@@ -12,12 +20,57 @@ icon: material/new-box

 ```json
 {
+  "ttl": "",
+  "propagation_delay": "",
+  "propagation_timeout": "",
+  "resolvers": [],
+  "override_domain": "",
  "provider": "",

  ... // 提供商字段
 }
 ```

+### 字段
+
+#### ttl
+
+!!! question "自 sing-box 1.14.0 起"
+
+DNS 质询临时 TXT 记录的 TTL。
+
+#### propagation_delay
+
+!!! question "自 sing-box 1.14.0 起"
+
+创建质询记录后，在开始传播检查前要等待的时间。
+
+#### propagation_timeout
+
+!!! question "自 sing-box 1.14.0 起"
+
+等待质询记录传播完成的最长时间。
+
+设为 `-1` 可禁用传播检查。
+
+#### resolvers
+
+!!! question "自 sing-box 1.14.0 起"
+
+进行 DNS 传播检查时优先使用的 DNS 解析器。
+
+#### override_domain
+
+!!! question "自 sing-box 1.14.0 起"
+
+覆盖 DNS 质询记录使用的域名。
+
+适用于将 `_acme-challenge` 委托到其他 zone 的场景。
+
+#### provider
+
+DNS 提供商。提供商专有字段见下文。
+
 ### 提供商字段

 #### Alibaba Cloud DNS
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [certificate_provider](#certificate_provider)  
+    :material-delete-clock: [acme](#acme-fields)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [kernel_tx](#kernel_tx)  
@@ -49,6 +54,10 @@ icon: material/new-box
  "key_path": "",
  "kernel_tx": false,
  "kernel_rx": false,
+  "certificate_provider": "",
+
+  // Deprecated
+
  "acme": {
    "domain": [],
    "data_directory": "",
@@ -408,6 +417,18 @@ Enable kernel TLS transmit support.

 Enable kernel TLS receive support.

+#### certificate_provider
+
+!!! question "Since sing-box 1.14.0"
+
+==Server only==
+
+A string or an object.
+
+When string, the tag of a shared [Certificate Provider](/configuration/shared/certificate-provider/).
+
+When object, an inline certificate provider. See [Certificate Provider](/configuration/shared/certificate-provider/) for available types and fields.
+
 ## Custom TLS support

 !!! info "QUIC support"
@@ -469,7 +490,7 @@ The ECH key and configuration can be generated by `sing-box generate ech-keypair

 !!! failure "Deprecated in sing-box 1.12.0"

-    ECH support has been migrated to use stdlib in sing-box 1.12.0, which does not come with support for PQ signature schemes, so `pq_signature_schemes_enabled` has been deprecated and no longer works.
+    `pq_signature_schemes_enabled` is deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0.

 Enable support for post-quantum peer certificate signature schemes.

@@ -477,7 +498,7 @@ Enable support for post-quantum peer certificate signature schemes.

 !!! failure "Deprecated in sing-box 1.12.0"

-    `dynamic_record_sizing_disabled` has nothing to do with ECH, was added by mistake, has been deprecated and no longer works.
+    `dynamic_record_sizing_disabled` is deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0.

 Disables adaptive sizing of TLS records.

@@ -566,6 +587,10 @@ Fragment TLS handshake into multiple TLS records to bypass firewalls.

 ### ACME Fields

+!!! failure "Deprecated in sing-box 1.14.0"
+
+    Inline ACME options are deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0, check [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
+
 #### domain

 List of domain.
@@ -677,4 +702,4 @@ A hexadecimal string with zero to eight digits.

 The maximum time difference between the server and the client.

-Check disabled if empty.
+Check disabled if empty.
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [certificate_provider](#certificate_provider)  
+    :material-delete-clock: [acme](#acme-字段)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [kernel_tx](#kernel_tx)  
@@ -49,6 +54,10 @@ icon: material/new-box
  "key_path": "",
  "kernel_tx": false,
  "kernel_rx": false,
+  "certificate_provider": "",
+
+  // 废弃的
+
  "acme": {
    "domain": [],
    "data_directory": "",
@@ -407,6 +416,18 @@ echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/

 启用内核 TLS 接收支持。

+#### certificate_provider
+
+!!! question "自 sing-box 1.14.0 起"
+
+==仅服务器==
+
+字符串或对象。
+
+为字符串时，共享[证书提供者](/zh/configuration/shared/certificate-provider/)的标签。
+
+为对象时，内联的证书提供者。可用类型和字段参阅[证书提供者](/zh/configuration/shared/certificate-provider/)。
+
 ## 自定义 TLS 支持

 !!! info "QUIC 支持"
@@ -465,7 +486,7 @@ ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。

 !!! failure "已在 sing-box 1.12.0 废弃"

-    ECH 支持已在 sing-box 1.12.0 迁移至使用标准库，但标准库不支持后量子对等证书签名方案，因此 `pq_signature_schemes_enabled` 已被弃用且不再工作。
+    `pq_signature_schemes_enabled` 已在 sing-box 1.12.0 废弃且已在 sing-box 1.13.0 中被移除。

 启用对后量子对等证书签名方案的支持。

@@ -473,7 +494,7 @@ ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。

 !!! failure "已在 sing-box 1.12.0 废弃"

-    `dynamic_record_sizing_disabled` 与 ECH 无关，是错误添加的，现已弃用且不再工作。
+    `dynamic_record_sizing_disabled` 已在 sing-box 1.12.0 废弃且已在 sing-box 1.13.0 中被移除。

 禁用 TLS 记录的自适应大小调整。

@@ -561,6 +582,10 @@ ECH 配置路径，PEM 格式。

 ### ACME 字段

+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    内联 ACME 选项已在 sing-box 1.14.0 废弃且将在 sing-box 1.16.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移内联-acme-到证书提供者)。
+
 #### domain

 域名列表。