Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-694

guacd docker container can't validate RDP certificate

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0.0
    • Fix Version/s: 1.1.0
    • Component/s: guacamole-docker
    • Labels:
      None

      Description

      The guacd docker container marks my certificate as invalid:

      guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
      guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
      guacd[5]: INFO: Creating new client for protocol "rdp"
      guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
      guacd[7]: INFO: Security mode: ANY
      guacd[7]: INFO: Resize method: display-update
      guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
      guacd[7]: INFO: Loading keymap "base"
      guacd[7]: INFO: Loading keymap "en-us-qwerty"
      connected to winpc.[domainname].com:3389
      creating directory /root/.config/freerdp
      creating directory /root/.config/freerdp/certs
      creating directory /root/.config/freerdp/server
      certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
      guacd[7]: INFO: Certificate validation failed
      tls_connect: certificate not trusted, aborting.
      Error: protocol security negotiation or connection failure
      guacd[7]: ERROR:        Error connecting to RDP server
      guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
      guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
      

      However when connected via Windows & Mac client the certificate is shown as valid. The same with an Centos 7 installation with OpenSSL:

      # openssl s_client -showcerts -connect winpc.[domainname].com:3389
      CONNECTED(00000003)
      depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
      verify return:1
      depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
      verify return:1
      depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
      verify return:1
      ---
      Certificate chain
       0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
      -----BEGIN CERTIFICATE-----
      [Cert Data]
      -----END CERTIFICATE-----
       1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
      -----BEGIN CERTIFICATE-----
      [Cert Data]
      -----END CERTIFICATE-----
      ---
      Server certificate
      subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
      issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
      ---
      No client certificate CA names sent
      Peer signing digest: SHA256
      Server Temp Key: ECDH, P-384, 384 bits
      ---
      SSL handshake has read 4333 bytes and written 447 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES256-GCM-SHA384
          Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
          Session-ID-ctx:
          Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1547126917
          Timeout   : 300 (sec)
          Verify return code: 0 (ok)
      ---
      
      

      I assume that the ca-certificates package inside the container is missing:

      root@a218bfbd187e:/# dpkg -l | grep cert
      root@a218bfbd187e:/#
      root@a218bfbd187e:/# ls /etc/ssl/certs/
      ls: cannot access '/etc/ssl/certs/': No such file or directory
      

        Attachments

          Activity

            People

            • Assignee:
              vnick Nick Couchman
              Reporter:
              andrin Andrin
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: