Posted to issues@guacamole.apache.org by "Nick Couchman (Jira)" <ji...@apache.org> on 2022/03/02 12:21:00 UTC

[jira] [Updated] (GUACAMOLE-1544) Update guacamoles docker image with updated Lets Encrypts ROOT CA

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-1544:
-------------------------------------
    Priority: Minor  (was: Major)

> Update guacamoles docker image with updated Lets Encrypts ROOT CA
> -----------------------------------------------------------------
>
>                 Key: GUACAMOLE-1544
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1544
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 1.4.0
>            Reporter: Joakim Westlund
>            Priority: Minor
>
> Existing cacerts files for the Docker version of Guacamole 1.4.0 contain expired certificates.
> I have configured Guacamole to use OIDC for authentication; my IdP is Keycloak and I use Let's Encrypt certificates. I get this error on the Guacamole pod when the token is validated:
> `INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed) while obtaining or using keys from JWKS endpoint at https://login.xxxxx.xxx/auth/realms/xxxxx/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"}->xxxxxxxxxxxxxxx]`
>  
> guacamole@guacamole-6f85dbdcfb-9cvgv:/opt/guacamole$ openssl s_client -connect login.xxxxx.xxx:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:1
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify error:num=10:certificate has expired
> notAfter=Sep 29 19:21:40 2021 GMT
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> notAfter=Sep 29 19:21:40 2021 GMT
> verify return:1
> depth=0 CN = *.xxxxx.xxx
> notAfter=May 27 01:16:38 2022 GMT
> verify return:1



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
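
Added example (not part of the Jira report or of the Guacamole project): a small parser for the `openssl s_client` verify trace quoted above that reports which chain depths are past `notAfter` at a given time, so the expired links can be told apart from the still-valid leaf. The function names are assumptions of this example; the sample trace is copied from the report.

```python
import re
from datetime import datetime, timezone

# Verify trace copied from the report above (host name already redacted there).
SAMPLE = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=10:certificate has expired
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=0 CN = *.xxxxx.xxx
notAfter=May 27 01:16:38 2022 GMT
verify return:1
"""

DEPTH = re.compile(r"^depth=(\d+) (.+)$")
ERROR = re.compile(r"^verify error:num=(\d+):")
NOT_AFTER = re.compile(r"^notAfter=(.+) GMT$")

def parse_chain(trace):
    """Map depth -> {subject, not_after, errors}; repeated depth blocks are merged."""
    chain, cur = {}, None
    for line in trace.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted traces
        if m := DEPTH.match(line):
            cur = chain.setdefault(int(m[1]), {"subject": m[2], "not_after": None, "errors": set()})
        elif cur is not None and (m := ERROR.match(line)):
            cur["errors"].add(int(m[1]))  # 10 = certificate has expired
        elif cur is not None and (m := NOT_AFTER.match(line)):
            stamp = " ".join(m[1].split())  # openssl space-pads single-digit days
            cur["not_after"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return chain

def expired(trace, now):
    """Return (depth, subject, not_after) for certificates expired at `now`, root first."""
    chain = parse_chain(trace)
    return [(d, c["subject"], c["not_after"]) for d, c in sorted(chain.items(), reverse=True)
            if c["not_after"] is not None and c["not_after"] < now]
```

Calling `expired(SAMPLE, datetime(2022, 3, 2, tzinfo=timezone.utc))` lists depths 2 and 1 and omits the leaf at depth 0.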