diff --git a/common/net/tls.go b/common/net/tls.go
index e51324f7c..b28655031 100644
--- a/common/net/tls.go
+++ b/common/net/tls.go
@@ -10,7 +10,11 @@ import (
 "math/big"
 )
 
-func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
+type Path interface {
+ Resolve(path string) string
+}
+
+func ParseCert(certificate, privateKey string, path Path) (tls.Certificate, error) {
 if certificate == "" && privateKey == "" {
 return newRandomTLSKeyPair()
 }
@@ -19,6 +23,8 @@ func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 return cert, nil
 }
 
+ certificate = path.Resolve(certificate)
+ privateKey = path.Resolve(privateKey)
 cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
 if loadErr != nil {
 return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
diff --git a/hub/route/server.go b/hub/route/server.go
index 3d0df95e9..aa2d03b88 100644
--- a/hub/route/server.go
+++ b/hub/route/server.go
@@ -112,7 +112,7 @@ func Start(addr string, tlsAddr string, secret string,
 
 if len(tlsAddr) > 0 {
 go func() {
- c, err := CN.ParseCert(certificat, privateKey)
+ c, err := CN.ParseCert(certificat, privateKey, C.Path)
 if err != nil {
 log.Errorln("External controller tls listen error: %s", err)
 return
diff --git a/listener/sing_hysteria2/server.go b/listener/sing_hysteria2/server.go
index 7897bd84f..bc25ec2a1 100644
--- a/listener/sing_hysteria2/server.go
+++ b/listener/sing_hysteria2/server.go
@@ -50,10 +50,7 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi
 
 sl = &Listener{false, config, nil, nil}
 
- config.Certificate = C.Path.Resolve(config.Certificate)
- config.PrivateKey = C.Path.Resolve(config.PrivateKey)
-
- cert, err := CN.ParseCert(config.Certificate, config.PrivateKey)
+ cert, err := CN.ParseCert(config.Certificate, config.PrivateKey, C.Path)
 if err != nil {
 return nil, err
 }
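Review bot: The new exported `Path` interface and the third parameter of `ParseCert` have no doc comments, so callers cannot tell what `Resolve` is expected to return or whether `path` may be nil. I would add `// Path maps a configured file name to the path that is actually opened.` above the type, and a comment on `ParseCert` saying that `path` is only used when the arguments are loaded as files. The name `Path` is also very generic for a one-method interface in package `net`; `PathResolver` would be clearer at call sites. ParseCert's body continues outside this hunk.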
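Review bot: The two added `path.Resolve` calls in ParseCert dereference `path` without a check, so a caller that passes a nil `Path` panics on the file fallback instead of getting an error; `if path != nil { certificate = path.Resolve(certificate) }` (and the same for `privateKey`) avoids that. This fallback is reached after the in-memory parse failed (judging by `painTextErr`), so a malformed inline key is now treated as a file name, and the `loadErr` text in the `fmt.Errorf` below probably embeds that name, which `hub/route/server.go` passes to `log.Errorln`. I would keep the configured strings out of the returned message when they do not look like paths. Whether `Resolve` confines the result to the configuration directory is not visible here, so that should be confirmed before relying on it for key files. ParseCert starts and ends outside this hunk.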
diff --git a/listener/tuic/server.go b/listener/tuic/server.go
index 12a6ac6d9..70cf4a015 100644
--- a/listener/tuic/server.go
+++ b/listener/tuic/server.go
@@ -44,10 +44,7 @@ func New(config LC.TuicServer, tunnel C.Tunnel, additions ...inbound.Addition) (
 Additions: additions,
 }
 
- config.Certificate = C.Path.Resolve(config.Certificate)
- config.PrivateKey = C.Path.Resolve(config.PrivateKey)
-
- cert, err := CN.ParseCert(config.Certificate, config.PrivateKey)
+ cert, err := CN.ParseCert(config.Certificate, config.PrivateKey, C.Path)
 if err != nil {
 return nil, err
 }