Posted to issues@guacamole.apache.org by "Andrin (JIRA)" <ji...@apache.org> on 2019/01/10 14:09:01 UTC

[jira] [Created] (GUACAMOLE-694) guacd docker container can't validate certificate

Andrin created GUACAMOLE-694:
--------------------------------

             Summary: guacd docker container can't validate certificate
                 Key: GUACAMOLE-694
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-694
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-docker
    Affects Versions: 1.0.0
            Reporter: Andrin


The guacd docker container marks my certificate as invalid:
{code:java}
guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
guacd[5]: INFO: Creating new client for protocol "rdp"
guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
guacd[7]: INFO: Security mode: ANY
guacd[7]: INFO: Resize method: display-update
guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
guacd[7]: INFO: Loading keymap "base"
guacd[7]: INFO: Loading keymap "en-us-qwerty"
connected to winpc.[domainname].com:3389
creating directory /root/.config/freerdp
creating directory /root/.config/freerdp/certs
creating directory /root/.config/freerdp/server
certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
guacd[7]: INFO: Certificate validation failed
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure
guacd[7]: ERROR: Error connecting to RDP server
guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
{code}

However, when connecting via the Windows and Mac clients the certificate is shown as valid. The same with a CentOS 7 installation with OpenSSL:

{code:java}
# openssl s_client -showcerts -connect winpc.[domainname].com:3389
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
[Cert Data]
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
[Cert Data]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4333 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
    Session-ID-ctx:
    Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1547126917
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

{code}

I assume that the ca-certificates package inside the container is missing:

{code:java}
root@a218bfbd187e:/# dpkg -l | grep cert
root@a218bfbd187e:/#
root@a218bfbd187e:/# ls /etc/ssl/certs/
ls: cannot access '/etc/ssl/certs/': No such file or directory
{code}




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
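The check below is an added diagnostic, not code from the Guacamole project or from the reporter. It inspects the OpenSSL trust-store directory that a Debian-based image populates via the ca-certificates package (assumed layout: /etc/ssl/certs with hashed .pem links), which is the store OpenSSL-based clients fall back to when no explicit CA file is given, and optionally probes the RDP host's TLS endpoint against that same directory with openssl s_client so the result can be compared with the reporter's CentOS output. The directory default, the exit codes and the RDP_HOST variable are choices made for this example.

```shell
#!/bin/sh
# Added diagnostic for the "certificate not trusted" failure seen in the
# guacd container. Not part of Guacamole or FreeRDP; assumes a Debian-style
# trust store under /etc/ssl/certs (created by the ca-certificates package).

# ca_store_status DIR
#   exit 0: DIR exists and holds certificate files
#   exit 1: DIR exists but is empty (store present, nothing trusted)
#   exit 2: DIR is missing entirely (package most likely not installed)
ca_store_status() {
    dir="${1:-/etc/ssl/certs}"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir does not exist (ca-certificates not installed?)"
        return 2
    fi
    # Count .pem/.crt entries; hashed symlinks created by c_rehash count too.
    n=$(ls "$dir"/*.pem "$dir"/*.crt 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "empty: $dir contains no CA certificates"
        return 1
    fi
    echo "ok: $n certificate files in $dir"
    return 0
}

# probe_rdp_tls HOST [PORT] [CAPATH]
#   Handshake with the RDP server's TLS listener using only CAPATH as trust
#   anchors and print OpenSSL's verify result. A missing or empty CAPATH
#   yields "unable to get local issuer certificate" for a public CA chain,
#   which is the same condition the container log reports.
probe_rdp_tls() {
    host="$1"; port="${2:-3389}"; capath="${3:-/etc/ssl/certs}"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not available in this environment"
        return 3
    fi
    openssl s_client -connect "$host:$port" -CApath "$capath" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Usage (only runs when RDP_HOST is set, e.g. inside the guacd container):
#   RDP_HOST=winpc.example.com sh check-ca-store.sh
if [ -n "${RDP_HOST:-}" ]; then
    ca_store_status /etc/ssl/certs || :
    probe_rdp_tls "$RDP_HOST" || :
fi
```

Run it inside the container (docker exec into guacd) and on a host where the certificate is accepted; if the container reports "missing" or "empty" while the host reports "ok" and "Verify return code: 0 (ok)", the failure is the trust store rather than the certificate.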