[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500100#comment-17500100
 ] 

Nick Couchman commented on GUACAMOLE-1544:
------------------------------------------

What tag are you using? If you use the "latest" tag (instead of 1.4.0), you 
will probably get these updates, as the image is rebuilt on a nightly basis in 
order to pull in updates associated with the underlying container packages. I 
would imagine such updates would include things like CA Certificates.

> Update Guacamole's Docker image with updated Let's Encrypt's ROOT CA
> --------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1544
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1544
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 1.4.0
>            Reporter: Joakim Westlund
>            Priority: Major
>
> Existing cacerts files for the Docker version of Guacamole 1.4.0 contain 
> expired certificates.
> I have configured Guacamole to use OIDC for authentication; my IDP is 
> Keycloak and I use Let's Encrypt certificates. I get this error on the 
> Guacamole pod when the token is validated:
> `INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: 
> JWT processing failed. Additional details: [[17] Unable to process JOSE 
> object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a 
> suitable verification key for JWS w/ header {"alg":"RS256","typ" : 
> "JWT","kid" : "WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"} due to an 
> unexpected exception (javax.net.ssl.SSLHandshakeException: PKIX path 
> validation failed: java.security.cert.CertPathValidatorException: validity 
> check failed) while obtaining or using keys from JWKS endpoint at 
> https://login.xxxxx.xxx/auth/realms/xxxxx/protocol/openid-connect/certs): 
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : 
> "WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"}->xxxxxxxxxxxxxxx]`
>
> guacamole@guacamole-6f85dbdcfb-9cvgv:/opt/guacamole$ openssl s_client 
> -connect login.xxxxx.xxx:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:1
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify error:num=10:certificate has expired
> notAfter=Sep 29 19:21:40 2021 GMT
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> notAfter=Sep 29 19:21:40 2021 GMT
> verify return:1
> depth=0 CN = *.xxxxx.xxx
> notAfter=May 27 01:16:38 2022 GMT
> verify return:1
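As an added example (not code from the Guacamole project or from the reporter), the following Python script parses the `openssl s_client` verification output quoted above and reports which chain entries had already expired at the time of the check. The sample session is constructed from the report's output, and the check date is an assumption chosen so the result is deterministic.

```python
"""Report expired certificates in the chain that `openssl s_client` printed.

Added example, not code from the Guacamole project or the issue reporter.
It parses the depth/verify/notAfter lines quoted in the report and flags
every chain entry whose notAfter has passed at the (constructed) check time.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the s_client session quoted in the issue, hostname
# redacted exactly as the reporter left it.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=10:certificate has expired
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=0 CN = *.xxxxx.xxx
verify return:1
notAfter=May 27 01:16:38 2022 GMT
"""

# Constructed check time (assumption): after the two CA expiries but before
# the leaf's, so the expected findings are fixed.
CHECK_TIME = datetime(2022, 3, 1, tzinfo=timezone.utc)

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.*)$")


def parse_not_after(value):
    """openssl prints notAfter as e.g. 'Sep 30 14:01:15 2021 GMT'; single-digit
    days are space-padded, which strptime tolerates."""
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def parse_chain(text):
    """Return chain entries in order of first appearance, one dict per
    (depth, subject). s_client repeats a depth when it retries verification,
    so repeats are merged and their error lines accumulated."""
    entries, order, current = {}, [], None
    for line in text.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            key = (int(m.group(1)), m.group(2).strip())
            if key not in entries:
                entries[key] = {"depth": key[0], "subject": key[1],
                                "not_after": None, "errors": []}
                order.append(key)
            current = entries[key]
            continue
        if current is None:
            continue  # banner lines such as CONNECTED(...) before any depth
        m = ERROR_RE.match(line)
        if m:
            current["errors"].append(m.group(2).strip())
            continue
        m = NOTAFTER_RE.match(line)
        if m:
            current["not_after"] = parse_not_after(m.group(1))
    return [entries[k] for k in order]


def expired_subjects(text, now=CHECK_TIME):
    """Subjects of every chain entry whose notAfter is before `now`."""
    return [e["subject"] for e in parse_chain(text)
            if e["not_after"] is not None and e["not_after"] < now]


def findings(text, now=CHECK_TIME):
    """Human-readable lines saying which certificate in the chain expired.
    Depth 0 is the server's own certificate; a higher depth is an issuer, so
    either the served chain or the client's trust store must change before
    PKIX validation can succeed."""
    out = []
    for e in parse_chain(text):
        if e["not_after"] is None or e["not_after"] >= now:
            continue
        who = ("server certificate" if e["depth"] == 0
               else "issuer at depth %d" % e["depth"])
        out.append("%s expired %s: %s" % (
            who, e["not_after"].date().isoformat(), e["subject"]))
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_OUTPUT):
        print(line)
```

Run against a live host by piping `openssl s_client -connect host:443 </dev/null 2>&1` into `parse_chain`; the same parser then tells you whether the expiry sits in the served chain or in the trust anchor the client picked.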
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
