Joakim Westlund created GUACAMOLE-1544:
------------------------------------------
Summary: Update guacamole's docker image with updated Let's Encrypt's ROOT CA
Key: GUACAMOLE-1544
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1544
Project: Guacamole
Issue Type: Bug
Components: guacamole
Affects Versions: 1.4.0
Reporter: Joakim Westlund
The existing cacerts file for the docker version of guacamole 1.4.0 contains
expired certificates.
I have configured guacamole to use OIDC for authentication; my IDP is Keycloak
and I use Let's Encrypt certificates. I get this error on the guacamole pod when
the token is validated:
```text
INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT
processing failed. Additional details: [[17] Unable to process JOSE object
(cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" :
"WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"} due to an unexpected exception
(javax.net.ssl.SSLHandshakeException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: validity check failed) while
obtaining or using keys from JWKS endpoint at
https://login.xxxxx.xxx/auth/realms/xxxxx/protocol/openid-connect/certs):
JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
"WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"}->xxxxxxxxxxxxxxx]
```
guacamole@guacamole-6f85dbdcfb-9cvgv:/opt/guacamole$ openssl s_client -connect
login.xxxxx.xxx:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=10:certificate has expired
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=0 CN = *.xxxxx.xxx
notAfter=May 27 01:16:38 2022 GMT
verify return:1
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
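Added example, not part of the issue and not Guacamole project code: the Go program below reproduces the failure mode the report describes with a constructed sample PKI (placeholder names "Legacy Root CA", "Current Root CA", "R3" and "login.example.test", not Let's Encrypt's real certificates). An intermediate with one key is cross-signed by an expired legacy root and by a current root, like the R3/DST Root CA X3 situation in the openssl output above. `verifyChain` plays the role of the JVM's PKIX validator when it fetches the JWKS endpoint: the same leaf is rejected when the trust store holds only the expired root and accepted once the store and the served chain are updated. `expiredInBundle` is the pre-deployment check for a container image's trust store; it assumes the store has already been exported to a PEM bundle (the JVM's cacerts is a keystore, so it needs exporting first).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// samplePKI is a constructed stand-in for the chain in the report: a legacy root
// that has expired, an intermediate "R3" cross-signed by that legacy root (expired)
// and by a current root (valid), and a still-valid leaf issued with the R3 key.
type samplePKI struct {
	legacyRoot, currentRoot *x509.Certificate
	legacyR3, currentR3     *x509.Certificate
	leaf                    *x509.Certificate
}

var nextSerial int64 = 1000

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub. With issuer == nil the certificate is
// self-signed and signer must be the subject's own key.
func issue(cn string, pub *ecdsa.PublicKey, issuer *x509.Certificate, signer *ecdsa.PrivateKey,
	isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	parent := tmpl
	if issuer != nil {
		parent = issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildSamplePKI generates the constructed chains relative to now (assumption: dates
// are chosen so the legacy root and its R3 cross-sign are already expired).
func buildSamplePKI(now time.Time) samplePKI {
	legacyKey, currentKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	expiredFrom, expiredTo := now.AddDate(-6, 0, 0), now.AddDate(-1, 0, 0)
	validFrom, validTo := now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0)

	legacyRoot := issue("Legacy Root CA", &legacyKey.PublicKey, nil, legacyKey, true, expiredFrom, expiredTo)
	currentRoot := issue("Current Root CA", &currentKey.PublicKey, nil, currentKey, true, validFrom, validTo)
	// Same subject and key under two issuers, like a cross-signed intermediate.
	legacyR3 := issue("R3", &r3Key.PublicKey, legacyRoot, legacyKey, true, expiredFrom, expiredTo)
	currentR3 := issue("R3", &r3Key.PublicKey, currentRoot, currentKey, true, validFrom, validTo)
	leaf := issue("login.example.test", &leafKey.PublicKey, currentR3, r3Key, false, validFrom, now.AddDate(0, 3, 0))
	return samplePKI{legacyRoot, currentRoot, legacyR3, currentR3, leaf}
}

// toPEM serialises certificates into a PEM trust bundle.
func toPEM(certs ...*x509.Certificate) []byte {
	var buf bytes.Buffer
	for _, c := range certs {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return buf.Bytes()
}

// expiredInBundle returns the CommonNames of bundle entries already past NotAfter.
// Run it over an image's exported trust store before shipping the image.
func expiredInBundle(bundle []byte, now time.Time) []string {
	var expired []string
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue
		}
		if now.After(cert.NotAfter) {
			expired = append(expired, cert.Subject.CommonName)
		}
	}
	return expired
}

// verifyChain does what a TLS client does at the JWKS fetch: chain the served leaf
// and intermediate to a root in the trust store, checking every validity period.
func verifyChain(leaf, intermediate, trustedRoot *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	p := buildSamplePKI(now)
	fmt.Println("expired entries in old trust store:", expiredInBundle(toPEM(p.legacyRoot), now))
	fmt.Println("old store, legacy chain:", verifyChain(p.leaf, p.legacyR3, p.legacyRoot, now))
	fmt.Println("updated store, current chain:", verifyChain(p.leaf, p.currentR3, p.currentRoot, now))
}
```

The rejected case reports the expired intermediate or root as the reason no trusted path exists, which is the Go counterpart of the "PKIX path validation failed ... validity check failed" line in the report. Note that both sides matter: replacing the root in the image's trust store fixes nothing if the server still serves the intermediate cross-signed by the expired root, and vice versa.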