Posted to user@guacamole.apache.org by Tom Lawson <to...@tomlawson.io.INVALID> on 2022/04/06 19:08:27 UTC

SSL Handshake to Guacd randomly failing

Hi all,

I've been using Guacamole/Guacd almost daily for months and months now with zero issues, but today the containers have started failing to connect to each other and I can't figure out why. I've changed quite literally nothing as the setup has been working great. As the containers weren't working today, I stopped and removed them, then re-ran the docker-compose (settings untouched) to recreate the containers. I've since tried both 'latest' and specifying 1.4.0 images and neither seem to work. I've verified the VM I'm trying to connect to is both alive and accessible remotely via RDP directly.

I've also tried removing SSL and it still seems to fail:

 
[http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

guacd[7]: ERROR:        Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?

73a23c9d9382   guacamole/guacamole:1.4.0                     "/opt/guacamole/bin/…"   8 minutes ago    Up 8 minutes                    0.0.0.0:9120->8080/tcp, :::9120->8080/tcp                    guacamole
0bd0484d1acd   guacamole/guacd:1.4.0                         "/bin/sh -c '/usr/lo…"   13 minutes ago   Up 13 minutes (healthy)         4822/tcp



Any help greatly appreciated!

Re: SSL Handshake to Guacd randomly failing

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 8, 2022 at 2:10 AM Tom Lawson <to...@tomlawson.io.invalid> wrote:

> Thanks Ivanmarcus, I’ll take a look.
>
> Regards auto-updates, nothing is able to automatically update itself
> already.
>
> The containers run in a Debian 11 minimal VM and are launched via a
> docker-compose file. Config for both guacamole and guacd are bind mounted
> to the containers so that the configs are stored externally to the
> container, and an external MySQL database stores the data, with
> authentication being done externally with an IDP using OIDC extension.
>
> The odd part is that even turning SSL off doesn’t work, and rolling back
> to known working versions makes no difference.


The errors that you're seeing almost look like something is causing
problems in the conversation between the end client and guacd, somewhere
along the way. The fact that guacd is reporting protocol issues indicates
that something is disrupting the protocol stream - could be security
software of some sort or just a very unreliable network connection. The
message from Tomcat about the SSL error isn't necessarily about Tomcat <->
guacd communication, it could be browser -> Tomcat. Might just take a look
at the entire end-to-end connection and make sure there's no indication of
lost/missing/mangled packets along the way.

Keep in mind that, while Tomcat does help with some of the setup and
redirection of the tunnel to guacd, ultimately the tunnel is between the
web application running in the user's web browser and guacd.

-Nick
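
Added example, not part of the original thread or of the Guacamole code base: a small Python check that classifies the first bytes one peer sends as a TLS handshake record or a plain-text Guacamole instruction, which helps tell a TLS/plain-text mismatch apart from a corrupted stream when reading a packet capture of the guacd port. The function names and the sample byte strings are constructed for illustration.

```python
import re

# One Guacamole instruction element is "LENGTH.VALUE", LENGTH in characters.
_LENGTH_PREFIX = re.compile(r"(\d+)\.")

# Constructed samples (not captured from the poster's system).
PLAIN_SELECT = b"6.select,3.rdp;"                       # plain-text handshake start
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("1603010200010001fc0303")

def parse_instruction(text):
    """Parse one instruction 'LEN.VALUE,LEN.VALUE;'.
    Returns (elements, remaining_text); raises ValueError on a violation."""
    elements, pos = [], 0
    while True:
        m = _LENGTH_PREFIX.match(text, pos)
        if not m:
            raise ValueError(f"expected length prefix at offset {pos}")
        start = m.end()
        end = start + int(m.group(1))
        if end >= len(text):
            raise ValueError("element runs past end of data")
        elements.append(text[start:end])
        if text[end] == ";":              # end of instruction
            return elements, text[end + 1:]
        if text[end] != ",":              # anything else is malformed
            raise ValueError(f"expected ',' or ';' at offset {end}")
        pos = end + 1

def is_protocol_violation(data):
    """True if the bytes do not start with a well-formed instruction."""
    try:
        parse_instruction(data.decode("utf-8"))
        return False
    except (UnicodeDecodeError, ValueError):
        return True

def classify_first_bytes(data):
    """Return 'tls', 'guacamole' or 'unknown' for the start of a stream."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown" if is_protocol_violation(data) else "guacamole"

if __name__ == "__main__":
    for sample in (PLAIN_SELECT, TLS_CLIENT_HELLO_PREFIX, b"GET / HTTP/1.1\r\n"):
        print(sample[:16], "->", classify_first_bytes(sample))
```

A TLS record fed to the instruction parser is always a violation, so seeing `tls` on a port where the other side expects plain text points to a configuration mismatch rather than packet loss.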

Re: SSL Handshake to Guacd randomly failing

Posted by Tom Lawson <to...@tomlawson.io.INVALID>.
Thanks Ivanmarcus, I’ll take a look. 

Regards auto-updates, nothing is able to automatically update itself already. 

The containers run in a Debian 11 minimal VM and are launched via a docker-compose file. Config for both guacamole and guacd are bind mounted to the containers so that the configs are stored externally to the container, and an external MySQL database stores the data, with authentication being done externally with an IDP using OIDC extension. 

The odd part is that even turning SSL off doesn’t work, and rolling back to known working versions makes no difference. 

I can’t see networking being an issue because both containers are running on the same VM and communicate internally via a docker network. Guacamole container can successfully ping the guacd one, and the problem only pertains to communication between those two containers. Every other container on the VM functions normally. 

Cheers,
Tom

> On 7 Apr 2022, at 22:41, Ivanmarcus <iv...@yahoo.com.invalid> wrote:
> 
> Tom,
> 
> You've not given a lot of detail about your environment, however it's possible that one or more system/container auto-updated something that has resulted in what you see here.
> 
> If it were me I'd have a look to see what updates have occurred between the time when the system was working, 'till it wasn't. This might assist you to focus on relevant areas.
> 
> Other than that, this thread might add further insight:
> 
> https://www.mail-archive.com/user@guacamole.apache.org/msg09388.html
> 
> FWIW I turn off auto-updates. Too many times I've had something magically break overnight...
> 
>> On 7/04/22 7:08 am, Tom Lawson wrote:
>> Hi all,
>> I've been using Guacamole/Guacd almost daily for months and months now with zero issues, but today the containers have started failing to connect to each other and I can't figure out why. I've changed quite literally nothing as the setup has been working great. As the containers weren't working today, I stopped and removed them, then re-ran the docker-compose (settings untouched) to recreate the containers. I've since tried both 'latest' and specifying 1.4.0 images and neither seem to work. I've verified the VM I'm trying to connect to is both alive and accessible remotely via RDP directly.
>> I've also tried removing SSL and it still seems to fail:
>>    [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    guacd[7]: ERROR:        Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?
>>    73a23c9d9382   guacamole/guacamole:1.4.0                     "/opt/guacamole/bin/…"   8 minutes ago    Up 8 minutes                    0.0.0.0:9120->8080/tcp, :::9120->8080/tcp                    guacamole
>>    0bd0484d1acd   guacamole/guacd:1.4.0                         "/bin/sh -c '/usr/lo…"   13 minutes ago   Up 13 minutes (healthy)         4822/tcp
>> Any help greatly appreciated!
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
>> For additional commands, e-mail: user-help@guacamole.apache.org
> 


Re: SSL Handshake to Guacd randomly failing

Posted by Ivanmarcus <iv...@yahoo.com.INVALID>.
Tom,

You've not given a lot of detail about your environment, however it's 
possible that one or more system/container auto-updated something that 
has resulted in what you see here.

If it were me I'd have a look to see what updates have occurred between 
the time when the system was working, 'till it wasn't. This might assist 
you to focus on relevant areas.

Other than that, this thread might add further insight:

https://www.mail-archive.com/user@guacamole.apache.org/msg09388.html

FWIW I turn off auto-updates. Too many times I've had something 
magically break overnight...

On 7/04/22 7:08 am, Tom Lawson wrote:
> Hi all,
> 
> I've been using Guacamole/Guacd almost daily for months and months now 
> with zero issues, but today the containers have started failing to 
> connect to each other and I can't figure out why. I've changed quite 
> literally nothing as the setup has been working great. As the containers 
> weren't working today, I stopped and removed them, then re-ran the 
> docker-compose (settings untouched) to recreate the containers. I've 
> since tried both 'latest' and specifying 1.4.0 images and neither seem 
> to work. I've verified the VM I'm trying to connect to is both alive and 
> accessible remotely via RDP directly.
> 
> I've also tried removing SSL and it still seems to fail:
> 
>     [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
> 
>     guacd[7]: ERROR:        Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?
> 
>     73a23c9d9382   guacamole/guacamole:1.4.0                     "/opt/guacamole/bin/…"   8 minutes ago    Up 8 minutes                    0.0.0.0:9120->8080/tcp, :::9120->8080/tcp                    guacamole
>     0bd0484d1acd   guacamole/guacd:1.4.0                         "/bin/sh -c '/usr/lo…"   13 minutes ago   Up 13 minutes (healthy)         4822/tcp
> 
> 
> 
> 
> Any help greatly appreciated!
> 
> 
> 