RE: FW: Java Keystore

[Devine, Harry (FAA)]

The file system had gotten corrupted and they fixed that.  Once the VM came 
back online, we were unable to get the web interface to come up.  We are using 
Apache with a RapidSSL certificate, and we proxy the requests to the guacamole 
backend as non ssl (i.e ProxyPass http://localhost:8080/guacamole).

Here’s what Red Hat had found in the logs that made them point me towards the 
keystore, even though I know that the SSL certificate was working before the 
disk corruption:

And you have some SEVERE logs in Tomcat:

~~~
INFO: Deploying web application archive /var/lib/tomcat/webapps/guacamole.war
Dec 26, 2019 10:48:10 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug 
logging for this logger for a complete list of JARs that were scanned but no 
TLDs were found in them. Skipping u
nneeded JARs during scanning can improve startup time and JSP compilation time.
Dec 26, 2019 10:48:10 AM org.apache.catalina.startup.HostConfig deployWARs
SEVERE: Error waiting for multi-thread deployment of WAR files to complete
java.util.concurrent.ExecutionException: java.lang.InternalError: internal 
error: SHA-1 not available.
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at 
org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:832)
        at 
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:495)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1713)
        at 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:337)
        at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at 
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388)
        at 
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:333)
        at 
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1136)
        at 
org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:819)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at 
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1571)
        at 
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1561)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.InternalError: internal error: SHA-1 not available.
        (...)
Caused by: java.security.NoSuchAlgorithmException: SHA MessageDigest not 
available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.security.Security.getImpl(Security.java:695)
        at java.security.MessageDigest.getInstance(MessageDigest.java:167)
        at sun.security.provider.SecureRandom.init(SecureRandom.java:106)
        ... 34 more
~~~

It seems that you tried to set up an SSL configuration, but your certificate 
and keystore are incomplete. This is causing an error while deploying all 
artifacts of Tomcat including the ROOT, manager and guacamole applications.

Thanks,
Harry

From: Mike Jumper <mike.jum...@glyptodon.com>
Sent: Monday, December 30, 2019 4:53 PM
To: user@guacamole.apache.org
Subject: Re: FW: Java Keystore

What was the nature of the issue that RedHat resolved and what changes did they 
make between when things worked and when things stopped working?

Is Tomcat configured for SSL, or are you using a proxy to provide SSL 
termination with internal communication between that proxy and Tomcat using 
unencrypted HTTP?

- Mike

On Mon, Dec 30, 2019, 13:27 Devine, Harry (FAA) 
<harry.dev...@faa.gov.invalid<mailto:harry.dev...@faa.gov.invalid>> wrote:
Anyone have any insights on this?  Our production server using Guacamole is 
down until I get this piece resolved.

Thanks,
Harry

From: Devine, Harry (FAA) 
<harry.dev...@faa.gov.INVALID<mailto:harry.dev...@faa.gov.INVALID>>
Sent: Friday, December 27, 2019 9:32 AM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Java Keystore

We had an issue with one of our servers that Red Hat helped us fix.  It had a 
package corruption.  Now, even though HTTP and guac are started, I can’t get 
the guacamole interface to show up.  We have our own SSL certificate and we 
forward requests to the guacamole backend.  Red Hat is telling us that we need 
to update the keystore to reflect our SSL certificate but we can’t find it.  I 
looked in /etc/tomcat/server.xml but nothing was shown.

We are on RHEL 7.7 and Guacamole 0.9.13-incubating.  The system has 2 java 1.7 
packages and 2 1.8 packages installed, but I’m not sure which is being used by 
guacamole.

Thanks for any help,
Harry

Harry Devine
DOT/FAA/AJM-2431
Terminal Server (NASDAC) Adminstrator
Red Hat Certfied System Adminstrator (RHCSA)
harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>
(609)485-4218
Building 300, 3rd Floor, Column L20 (3L20)