[ https://issues.apache.org/jira/browse/GUACAMOLE-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman resolved GUACAMOLE-694.
-------------------------------------
    Resolution: Fixed

The ca-certificates package has been added to the build.

> guacd docker container can't validate RDP certificate
> -----------------------------------------------------
>
>                 Key: GUACAMOLE-694
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-694
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-docker
>    Affects Versions: 1.0.0
>            Reporter: Andrin
>            Assignee: Nick Couchman
>            Priority: Minor
>             Fix For: 1.1.0
>
>
> The guacd docker container marks my certificate as invalid:
> {code:java}
> guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
> guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
> guacd[5]: INFO: Creating new client for protocol "rdp"
> guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
> guacd[7]: INFO: Security mode: ANY
> guacd[7]: INFO: Resize method: display-update
> guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
> guacd[7]: INFO: Loading keymap "base"
> guacd[7]: INFO: Loading keymap "en-us-qwerty"
> connected to winpc.[domainname].com:3389
> creating directory /root/.config/freerdp
> creating directory /root/.config/freerdp/certs
> creating directory /root/.config/freerdp/server
> certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
> guacd[7]: INFO: Certificate validation failed
> tls_connect: certificate not trusted, aborting.
> Error: protocol security negotiation or connection failure
> guacd[7]: ERROR:        Error connecting to RDP server
> guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
> guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
> {code}
> However, when connected via Windows & Mac clients, the certificate is shown as valid. The same with a CentOS 7 installation with OpenSSL:
> {code:java}
> # openssl s_client -showcerts -connect winpc.[domainname].com:3389
> CONNECTED(00000003)
> depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
> verify return:1
> ---
> Certificate chain
>  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> -----BEGIN CERTIFICATE-----
> [Cert Data]
> -----END CERTIFICATE-----
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
> -----BEGIN CERTIFICATE-----
> [Cert Data]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-384, 384 bits
> ---
> SSL handshake has read 4333 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
>     Session-ID-ctx:
>     Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1547126917
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> {code}
> I assume that the ca-certificates package inside the container is missing:
> {code:java}
> root@a218bfbd187e:/# dpkg -l | grep cert
> root@a218bfbd187e:/#
> root@a218bfbd187e:/# ls /etc/ssl/certs/
> ls: cannot access '/etc/ssl/certs/': No such file or directory
> {code}
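The reporter's last check (`dpkg -l | grep cert` and `ls /etc/ssl/certs/`), generalized into a reusable POSIX sh check as an added example that is not code from the report or from the Guacamole project. It inspects a root filesystem (a running container's `/`, or an exported image tree) for the CA trust store that FreeRDP/OpenSSL need before they can validate the RDP server's chain, and can optionally require a named root CA; the `/etc/ssl/certs/<name>.pem` symlink naming is assumed to follow Debian's `update-ca-certificates` layout.

```shell
#!/bin/sh
# check_trust_store ROOT [ROOT_CA_NAME]
#   ROOT          filesystem root to inspect ("/" inside the container, or an
#                 exported image tree on the host)
#   ROOT_CA_NAME  optional Debian-style symlink name to require in
#                 /etc/ssl/certs, e.g. COMODO_RSA_Certification_Authority
#                 (the root CA at depth=2 in the reporter's openssl output)
# Returns 0 when a non-empty bundle (and the named root, if given) is present,
# 1 otherwise, printing a one-line reason matching the failure observed in
# the guacd container ("ls: cannot access '/etc/ssl/certs/'").
check_trust_store() {
    root=${1%/}
    want=$2
    certdir="$root/etc/ssl/certs"
    bundle="$certdir/ca-certificates.crt"   # Debian ca-certificates bundle path

    if [ ! -d "$certdir" ]; then
        echo "missing: $certdir (ca-certificates package not installed?)"
        return 1
    fi
    if [ ! -s "$bundle" ]; then
        echo "missing or empty: $bundle"
        return 1
    fi
    # Count PEM blocks; '|| true' keeps grep's exit 1 on zero matches from
    # aborting callers running under 'set -e'.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificates in $bundle"
        return 1
    fi
    if [ -n "$want" ] && [ ! -e "$certdir/$want.pem" ]; then
        echo "root CA '$want' not present in $certdir"
        return 1
    fi
    echo "ok: $n CA certificates in $bundle"
    return 0
}
```

Inside a built image the call is simply `check_trust_store /`; a zero result means TLS validation can at least find a trust store, so a remaining "certificate not trusted" points at the chain or hostname rather than at the package.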

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)