[ https://issues.apache.org/jira/browse/GUACAMOLE-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500100#comment-17500100 ]
Nick Couchman commented on GUACAMOLE-1544:
------------------------------------------

What tag are you using? If you use the "latest" tag (instead of 1.4.0), you will probably get these updates, as the image is rebuilt on a nightly basis in order to pull in updates associated with the underlying container packages. I would imagine such updates would include things like CA Certificates.

> Update Guacamole's docker image with updated Let's Encrypt's ROOT CA
> -------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1544
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1544
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 1.4.0
>            Reporter: Joakim Westlund
>            Priority: Major
>
> Existing cacerts files for the docker version of guacamole 1.4.0 contain
> expired certificates.
> I have configured guacamole to use OIDC for authentication, my IDP is
> Keycloak and I use Let's Encrypt certificates. I get this error on the
> guacamole pod when the token is validated:
> `INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token:
> JWT processing failed. Additional details: [[17] Unable to process JOSE
> object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a
> suitable verification key for JWS w/ header {"alg":"RS256","typ" :
> "JWT","kid" : "WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"} due to an
> unexpected exception (javax.net.ssl.SSLHandshakeException: PKIX path
> validation failed: java.security.cert.CertPathValidatorException: validity
> check failed) while obtaining or using keys from JWKS endpoint at
> https://login.xxxxx.xxx/auth/realms/xxxxx/protocol/openid-connect/certs):
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
> "WM-ogAal55OPBtmtP5AuXZH5MKKGhORIJ-Vboiqe2bk"}->xxxxxxxxxxxxxxx]
> `
>
> guacamole@guacamole-6f85dbdcfb-9cvgv:/opt/guacamole$ openssl s_client
> -connect login.xxxxx.xxx:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:1
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify error:num=10:certificate has expired
> notAfter=Sep 29 19:21:40 2021 GMT
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> notAfter=Sep 29 19:21:40 2021 GMT
> verify return:1
> depth=0 CN = *.xxxxx.xxx
> notAfter=May 27 01:16:38 2022 GMT
> verify return:1

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
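As an added example (not from the issue or the Guacamole project), the script below parses the openssl s_client verification output quoted above and reports which chain elements had expired as of a given date, so the same check can be run in a script against a container image's TLS trust; the sample text is constructed from the output in the issue.

```python
import re
from datetime import datetime, timezone
# Constructed from the openssl s_client output quoted in the issue (repeated depth lines collapsed).
SAMPLE = """CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=10:certificate has expired
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=0 CN = *.xxxxx.xxx
notAfter=May 27 01:16:38 2022 GMT
verify return:1
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.*) GMT$")

def parse_chain(output):
    """Map depth -> subject, verify errors and notAfter (UTC) parsed from s_client output."""
    chain, cur = {}, None
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            cur = chain.setdefault(int(m.group(1)), {"subject": m.group(2), "errors": [], "not_after": None})
        elif cur is None:
            continue  # ignore everything before the first depth= line
        elif m := ERR_RE.match(line):
            cur["errors"].append((int(m.group(1)), m.group(2)))
        elif m := NOTAFTER_RE.match(line):
            cur["not_after"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return chain

def expired_depths(output, now):
    """Depths openssl flagged with error 10 (certificate has expired) or whose notAfter is before now."""
    return sorted(d for d, c in parse_chain(output).items()
                  if any(num == 10 for num, _ in c["errors"])
                  or (c["not_after"] is not None and c["not_after"] < now))

def summarize(output, now):
    """One-line verdict naming the expired elements; flags when the top of the chain (the anchor) is one."""
    chain, bad = parse_chain(output), expired_depths(output, now)
    if not bad:
        return "chain valid"
    names = ", ".join(f"depth {d} ({chain[d]['subject']})" for d in bad)
    anchor = " (includes the top of the chain as openssl built it, i.e. the root in use)" if max(chain) in bad else ""
    return "expired: " + names + anchor
```

Feed it `openssl s_client -connect host:443 </dev/null 2>&1` from inside the container to see whether the root at the top of the chain, rather than only the server's own certificate, is what has expired.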