Posted to user@guacamole.apache.org by Carter Sema <CS...@acschools.org> on 2017/10/12 16:52:40 UTC

Guacamole Dropping Connections

Installed fresh Guacamole 0.9.13, using MySQL database backend for user and Let's Encrypt for SSL with Apache2 for a reverse proxy. Guacamole won't allow sessions to connect. Checked my catalina.out log and I'm seeing the following error:

12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:07:00.277 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
12:07:30.391 [http-nio-8080-exec-5] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
12:12:19.578 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: java.net.ConnectException: Connection refused (Connection refused)

Checked my /var/log/syslog and nothing from guacd that I can see.

Any ideas?

Thanks!
Carter Sema
Network Support Specialist
CSema@acschools.org<ma...@acschools.org>


Re: Guacamole Dropping Connections

Posted by Carter Sema <CS...@acschools.org>.
Turns out, my DNS wasn't set on my eth0 adapter. Since I use DNS names to connect, it couldn't resolve. Thanks for your help!

________________________________
From: Carter Sema <CS...@acschools.org>
Sent: Thursday, October 12, 2017 3:16:20 PM
To: user@guacamole.incubator.apache.org
Subject: RE: Guacamole Dropping Connections

Check /var/log/messages or journalctl = see screenshot attached. This is all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other locations where those guacd logs might live?


Carter Sema
Network Support Specialist
CSema@acschools.org<ma...@acschools.org>

From: Nick Couchman [mailto:nick.e.couchman@gmail.com]
Sent: Thursday, October 12, 2017 2:40 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Guacamole Dropping Connections



On Thu, Oct 12, 2017 at 2:33 PM, Carter Sema <CS...@acschools.org> wrote:
OK! That seemed to work… But now there's another error.
When trying to connect to a machine it says “
The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs.”

And catalina.out says-
“Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

I don’t think the SQL error is causing the problem, but I might be wrong..


Check /var/log/messages or journalctl, depending on your Linux distro, to see what the error is from guacd.  The catalina.out file will tell you the errors for the guacamole-client stuff, but the error you're getting seems to be coming from the guacamole-server side, when it tries to make the connection via RDP.

One thing I've noticed in my experience with Guacamole + RDP - if you're using Windows 8 or newer or Windows 2012 or newer, NLA is required by default.  If you've saved your username/password in Guacamole and have turned on NLA, this will work - otherwise, if you have not saved your credentials, and/or not enabled NLA, you might receive that error message.  You'll either need to relax Windows' restrictions on RDP connections such that you can connect with older RDP clients, or you'll need to save your credentials in the connection info.  The other option is to log in to Guacamole with the same credentials you'd use to connect to Windows (enable LDAP authentication module, or set your username/password the same) and then use the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens to pass the authentication information through.  Hopefully at some point we'll get parameter prompting into the Guacamole Client, which will allow for the preferred combination: Use NLA, don't save credentials, but allow user to enter credentials at connection time.  Again, not sure if that's what you're running into, but it could be.

-Nick

RE: Guacamole Dropping Connections

Posted by Carter Sema <CS...@acschools.org>.
Everything looked good when I ran “journalctl -f”; below is the output, but the connections still died. I have another guac that uses version 0.9.10 and I can connect to Windows 2012 R2 just fine, which is all I need. Once I'm in, I can hit 2016 from internal RDP. Log output:
Oct 12 15:21:20 guacamoletesting guacd[4122]: User "@90858207-e718-4093-aabb-f590f3626ba8" disconnected (0 users remain)
Oct 12 15:21:20 guacamoletesting guacd[4122]: Last user of connection "$fbf98964-ddbf-46b6-8e91-6369ea2f56ed" disconnected
Oct 12 15:21:20 guacamoletesting guacd[1303]: Connection "$fbf98964-ddbf-46b6-8e91-6369ea2f56ed" removed.
Oct 12 15:22:35 guacamoletesting guacd[1303]: Creating new client for protocol "rdp"
Oct 12 15:22:35 guacamoletesting guacd[1303]: Connection ID is "$be415e4d-16c8-44b6-8caf-5d70fb488911"
Oct 12 15:22:35 guacamoletesting guacd[4130]: Security mode: RDP
Oct 12 15:22:35 guacamoletesting guacd[4130]: Resize method: none
Oct 12 15:22:35 guacamoletesting guacd[4130]: User "@9b86d96b-1e53-4b95-bedb-ea4c4391edc9" joined connection "$be415e4d-16c8-44
Oct 12 15:22:35 guacamoletesting guacd[4130]: Loading keymap "base"
Oct 12 15:22:35 guacamoletesting guacd[4130]: Loading keymap "en-us-qwerty"
Oct 12 15:22:35 guacamoletesting guacd[4130]: Error connecting to RDP server
Oct 12 15:22:35 guacamoletesting guacd[4130]: User "@9b86d96b-1e53-4b95-bedb-ea4c4391edc9" disconnected (0 users remain)
Oct 12 15:22:35 guacamoletesting guacd[4130]: Last user of connection "$be415e4d-16c8-44b6-8caf-5d70fb488911" disconnected
Oct 12 15:22:35 guacamoletesting guacd[1303]: Connection "$be415e4d-16c8-44b6-8caf-5d70fb488911" removed.

I tried ssh to a known good source and it just hangs. Could a ufw firewall be causing some problems? Do I need to configure anything with the Guacamole Proxy Parameters (GUACD), or the Remote Desktop Gateway or Preconnection PDU / Hyper-V?
Just trying to understand what's going on and why it doesn’t work!

Carter Sema
Network Support Specialist
CSema@acschools.org<ma...@acschools.org>

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Thursday, October 12, 2017 3:20 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Guacamole Dropping Connections



On Thu, Oct 12, 2017 at 3:16 PM, Carter Sema <CS...@acschools.org> wrote:
Check /var/log/messages or journalctl = see screenshot attached. This is all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other locations where those guacd logs might live?


You can check /var/log/syslog.  journalctl is a command, not a file - so you'd just run "journalctl" at the command line, or "journalctl -f" if you want to tail the file.  I'm not sure if Ubuntu uses that or not.  The /var/log/syslog file might have information for you.

Alternatively you can start guacd in the foreground with debug:
/path/to/sbin/guacd -L debug -f

(after first stopping/killing any running guacd instances).  That will print out all of the guacd output to the terminal - then retry your connection and see what errors you get.

-Nick

Re: Guacamole Dropping Connections

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Oct 12, 2017 at 3:16 PM, Carter Sema <CS...@acschools.org> wrote:

> Check /var/log/messages or journalctl = see screenshot attached. This is
> all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other
> locations where those guacd logs might live?
>
>
>

You can check /var/log/syslog.  journalctl is a command, not a file - so
you'd just run "journalctl" at the command line, or "journalctl -f" if you
want to tail the file.  I'm not sure if Ubuntu uses that or not.  The
/var/log/syslog file might have information for you.

Alternatively you can start guacd in the foreground with debug:
/path/to/sbin/guacd -L debug -f

(after first stopping/killing any running guacd instances).  That will
print out all of the guacd output to the terminal - then retry your
connection and see what errors you get.

-Nick

RE: Guacamole Dropping Connections

Posted by Carter Sema <CS...@acschools.org>.
Check /var/log/messages or journalctl = see screenshot attached. This is all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other locations where those guacd logs might live?


Carter Sema
Network Support Specialist
CSema@acschools.org<ma...@acschools.org>

From: Nick Couchman [mailto:nick.e.couchman@gmail.com]
Sent: Thursday, October 12, 2017 2:40 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Guacamole Dropping Connections



On Thu, Oct 12, 2017 at 2:33 PM, Carter Sema <CS...@acschools.org> wrote:
OK! That seemed to work… But now there's another error.
When trying to connect to a machine it says “
The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs.”

And catalina.out says-
“Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

I don’t think the SQL error is causing the problem, but I might be wrong..


Check /var/log/messages or journalctl, depending on your Linux distro, to see what the error is from guacd.  The catalina.out file will tell you the errors for the guacamole-client stuff, but the error you're getting seems to be coming from the guacamole-server side, when it tries to make the connection via RDP.

One thing I've noticed in my experience with Guacamole + RDP - if you're using Windows 8 or newer or Windows 2012 or newer, NLA is required by default.  If you've saved your username/password in Guacamole and have turned on NLA, this will work - otherwise, if you have not saved your credentials, and/or not enabled NLA, you might receive that error message.  You'll either need to relax Windows' restrictions on RDP connections such that you can connect with older RDP clients, or you'll need to save your credentials in the connection info.  The other option is to log in to Guacamole with the same credentials you'd use to connect to Windows (enable LDAP authentication module, or set your username/password the same) and then use the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens to pass the authentication information through.  Hopefully at some point we'll get parameter prompting into the Guacamole Client, which will allow for the preferred combination: Use NLA, don't save credentials, but allow user to enter credentials at connection time.  Again, not sure if that's what you're running into, but it could be.

-Nick

Re: Guacamole Dropping Connections

Posted by Nick Couchman <ni...@gmail.com>.
On Thu, Oct 12, 2017 at 2:33 PM, Carter Sema <CS...@acschools.org> wrote:

> OK! That seemed to work… But now there's another error.
>
> When trying to connect to a machine it says “
>
> The remote desktop server is currently unreachable. If the problem
> persists, please notify your system administrator, or check your system
> logs.”
>
>
>
> And catalina.out says-
>
> “Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without
> server's identity verification is not recommended. According to MySQL
> 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
> by default if explicit option isn't set. For compliance with existing
> applications not using SSL the verifyServerCertificate property is set to
> 'false'. You need either to explicitly disable SSL by setting useSSL=false,
> or set useSSL=true and provide truststore for server certificate
> verification.
>
>
>
> I don’t think the SQL error is causing the problem, but I might be wrong..
>
>
>

Check /var/log/messages or journalctl, depending on your Linux distro, to
see what the error is from guacd.  The catalina.out file will tell you the
errors for the guacamole-client stuff, but the error you're getting seems
to be coming from the guacamole-server side, when it tries to make the
connection via RDP.

One thing I've noticed in my experience with Guacamole + RDP - if you're
using Windows 8 or newer or Windows 2012 or newer, NLA is required by
default.  If you've saved your username/password in Guacamole and have
turned on NLA, this will work - otherwise, if you have not saved your
credentials, and/or not enabled NLA, you might receive that error message.
You'll either need to relax Windows' restrictions on RDP connections such
that you can connect with older RDP clients, or you'll need to save your
credentials in the connection info.  The other option is to log in to
Guacamole with the same credentials you'd use to connect to Windows (enable
LDAP authentication module, or set your username/password the same) and
then use the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens to pass the
authentication information through.  Hopefully at some point we'll get
parameter prompting into the Guacamole Client, which will allow for the
preferred combination: Use NLA, don't save credentials, but allow user to
enter credentials at connection time.  Again, not sure if that's what
you're running into, but it could be.

-Nick

RE: Guacamole Dropping Connections

Posted by Carter Sema <CS...@acschools.org>.
OK! That seemed to work… But now there's another error.
When trying to connect to a machine it says “
The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs.”

And catalina.out says-
“Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

I don’t think the SQL error is causing the problem, but I might be wrong..

Thanks!

Carter Sema
Network Support Specialist
CSema@acschools.org<ma...@acschools.org>

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Thursday, October 12, 2017 12:57 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Guacamole Dropping Connections



On Thu, Oct 12, 2017 at 12:52 PM, Carter Sema <CS...@acschools.org> wrote:
Installed fresh Guacamole 0.9.13, using MySQL database backend for user and Let's Encrypt for SSL with Apache2 for a reverse proxy. Guacamole won’t allow sessions to connect. Checked my catalina.out log and I’m seeing the following error:

12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


 This seems to indicate that Java does not trust whatever certificate you're using.  You might need to import either the server certificate or the root certificate for that server cert into the Java keystore.  This will vary based on what type/version of Java you're using - in the Sun/Oracle versions of Java, if you look in the JRE base directory, under lib/security, you'll find a cacerts file that contains known CA certificates.  You can use the keytool binary to import your certificate(s) into that file, then restart Tomcat.  OpenJDK maintains a file somewhere else, and that depends on what Linux distribution you're using.

-Nick


Re: Guacamole Dropping Connections

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Oct 12, 2017 at 12:52 PM, Carter Sema <CS...@acschools.org> wrote:

> Installed fresh Guacamole 0.9.13, using MySQL database backend for user
> and Let's Encrypt for SSL with Apache2 for a reverse proxy. Guacamole won’t
> allow sessions to connect. Checked my catalina.out log and I’m seeing the
> following error
>
>
>
> 12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> 12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
>
>
 This seems to indicate that Java does not trust whatever certificate
you're using.  You might need to import either the server certificate or
the root certificate for that server cert into the Java keystore.  This
will vary based on what type/version of Java you're using - in the
Sun/Oracle versions of Java, if you look in the JRE base directory, under
lib/security, you'll find a cacerts file that contains known CA
certificates.  You can use the keytool binary to import your certificate(s)
into that file, then restart Tomcat.  OpenJDK maintains a file somewhere
else, and that depends on what Linux distribution you're using.

-Nick
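
Added example, not part of the thread: a shell triage of the GuacamoleHTTPTunnelServlet errors in catalina.out, grouping them by failure class so the certificate-trust failure discussed above is separated from the guacd timeout and connection-refused errors. The class names, function names and suggested checks are this example's own labels; the sample input is the five log lines quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Class and function names are hypothetical.

# Sample input: the five catalina.out lines quoted in the first post.
sample_catalina_log() {
  cat <<'EOF'
12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:07:00.277 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
12:07:30.391 [http-nio-8080-exec-5] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
12:12:19.578 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: java.net.ConnectException: Connection refused (Connection refused)
EOF
}

# Reads catalina.out on stdin and prints, per failure class seen:
#   <class> count=<n> first=<timestamp of first occurrence>
triage_tunnel_errors() {
  awk '
    /GuacamoleHTTPTunnelServlet/ && /HTTP tunnel request failed/ {
      if ($0 ~ /PKIX path building failed/)                 c = "tls-trust"
      else if ($0 ~ /Connection to guacd timed out/)        c = "guacd-timeout"
      else if ($0 ~ /ConnectException: Connection refused/) c = "refused"
      else                                                  c = "other"
      n[c]++
      if (!(c in first)) first[c] = $1
    }
    END {
      k = split("tls-trust guacd-timeout refused other", order, " ")
      for (i = 1; i <= k; i++)
        if (order[i] in n)
          printf "%s count=%d first=%s\n", order[i], n[order[i]], first[order[i]]
    }'
}

# Maps a class to a next check, drawn from the advice given in the thread.
next_check() {
  case "$1" in
    tls-trust)
      echo "import the server or root certificate into the JVM cacerts with keytool, then restart Tomcat" ;;
    guacd-timeout|refused)
      echo "stop guacd and run it in the foreground (guacd -L debug -f), then retry the connection" ;;
    *)
      echo "read the full error in catalina.out" ;;
  esac
}

# Stand-alone run: triage the file given as $1, or the sample when none is given.
report() {
  if [ -n "${1:-}" ]; then triage_tunnel_errors < "$1"; else sample_catalina_log | triage_tunnel_errors; fi |
    while read -r class rest; do
      printf '%s %s -> %s\n' "$class" "$rest" "$(next_check "$class")"
    done
}
report "$@"
```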
