Posted to issues@guacamole.apache.org by "Andrin (JIRA)" <ji...@apache.org> on 2019/01/10 14:09:01 UTC
[jira] [Created] (GUACAMOLE-694) guacd docker container can't validate certificate
Andrin created GUACAMOLE-694:
--------------------------------
Summary: guacd docker container can't validate certificate
Key: GUACAMOLE-694
URL: https://issues.apache.org/jira/browse/GUACAMOLE-694
Project: Guacamole
Issue Type: Bug
Components: guacamole-docker
Affects Versions: 1.0.0
Reporter: Andrin
The guacd docker container marks my certificate as invalid:
{code}
guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
guacd[5]: INFO: Creating new client for protocol "rdp"
guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
guacd[7]: INFO: Security mode: ANY
guacd[7]: INFO: Resize method: display-update
guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
guacd[7]: INFO: Loading keymap "base"
guacd[7]: INFO: Loading keymap "en-us-qwerty"
connected to winpc.[domainname].com:3389
creating directory /root/.config/freerdp
creating directory /root/.config/freerdp/certs
creating directory /root/.config/freerdp/server
certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
guacd[7]: INFO: Certificate validation failed
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure
guacd[7]: ERROR: Error connecting to RDP server
guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
{code}
However, when connecting via the Windows and Mac clients the certificate is shown as valid. The same with a CentOS 7 installation with OpenSSL:
{code}
# openssl s_client -showcerts -connect winpc.[domainname].com:3389
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
[Cert Data]
-----END CERTIFICATE-----
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
[Cert Data]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4333 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
Session-ID-ctx:
Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1547126917
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
{code}
I assume that the ca-certificates package inside the container is missing:
{code}
root@a218bfbd187e:/# dpkg -l | grep cert
root@a218bfbd187e:/#
root@a218bfbd187e:/# ls /etc/ssl/certs/
ls: cannot access '/etc/ssl/certs/': No such file or directory
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
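The following is an added example, not code from the Guacamole project or from this ticket. It reproduces the reporter's situation offline: a server certificate that is perfectly valid fails chain validation when the process has no CA trust store (an image without ca-certificates has no /etc/ssl/certs at all), and passes once a trust directory is populated the way ca-certificates populates it. It assumes `openssl` is on PATH, uses a constructed throwaway CA, and uses the made-up hostname winpc.example.com in place of the reporter's winpc.[domainname].com.

```shell
#!/bin/sh
# Added example, not part of the Guacamole project or this ticket: reproduce
# "certificate not trusted" by verifying a valid server certificate against an
# empty trust store (what an image without ca-certificates has), then against a
# populated one. Everything is generated locally; the CA, the hostname and the
# paths below are assumptions, not the reporter's real data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=winpc.example.com           # assumed stand-in for winpc.[domainname].com
CA_CERT=$WORK/ca.pem
SERVER_CERT=$WORK/server.pem

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Constructed test PKI: a throwaway root CA and a server certificate it signs,
# with the hostname in subjectAltName as a public DV certificate would carry it.
make_test_pki() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Test Root CA" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$CA_CERT" >/dev/null 2>&1
  openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=$HOST" \
    -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$CA_CERT" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
    -out "$SERVER_CERT" >/dev/null 2>&1
}

# verify_with_store DIR: chain-validate the server cert with DIR as the explicit
# trust directory, the role /etc/ssl/certs plays for OpenSSL inside the container.
# Prints "trusted" or "untrusted". The output is grepped rather than trusting the
# exit status because openssl 1.0.x returned 0 even when verification failed.
verify_with_store() {
  if openssl verify -CApath "$1" "$SERVER_CERT" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# verify_hostname NAME: same chain, plus the hostname check an RDP client also
# performs; a trusted chain for the wrong name is still a failed validation.
verify_hostname() {
  if openssl verify -CAfile "$CA_CERT" -verify_hostname "$1" "$SERVER_CERT" \
      2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

make_test_pki

# An image without ca-certificates: the trust directory is empty (or absent).
EMPTY_STORE=$WORK/empty-certs
mkdir "$EMPTY_STORE"

# What ca-certificates installs: each CA linked under its subject hash as
# <hash>.0, which is how OpenSSL's -CApath (X509_LOOKUP_hash_dir) finds it.
GOOD_STORE=$WORK/etc-ssl-certs
mkdir "$GOOD_STORE"
cp "$CA_CERT" "$GOOD_STORE/$(openssl x509 -noout -hash -in "$CA_CERT").0"

echo "empty store:  $(verify_with_store "$EMPTY_STORE")"    # untrusted
echo "CA installed: $(verify_with_store "$GOOD_STORE")"     # trusted
echo "right name:   $(verify_hostname "$HOST")"             # trusted
echo "wrong name:   $(verify_hostname other.example.com)"   # untrusted
```

Inside the guacd container the equivalent check is `openssl verify -CApath /etc/ssl/certs <server-cert.pem>` (or `openssl s_client -connect host:3389 -CApath /etc/ssl/certs`): with the directory missing, as in the `ls` output above, every publicly issued certificate is "not trusted" regardless of how it looks from a Windows, Mac or CentOS client that has its own CA bundle. The script only covers chain and hostname validation; the `certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing` line in the log is a separate problem with FreeRDP's per-host trust file and would not be fixed by installing CA certificates.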