[ https://issues.apache.org/jira/browse/GUACAMOLE-694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16739710#comment-16739710 ]
Michael Jumper commented on GUACAMOLE-694:
------------------------------------------

Darn, that's irksome. Thanks for investigating. The container should probably include that package.

> guacd docker container can't validate RDP certificate
> -----------------------------------------------------
>
>                 Key: GUACAMOLE-694
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-694
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-docker
>    Affects Versions: 1.0.0
>            Reporter: Andrin
>            Priority: Minor
>
> The guacd docker container marks my certificate as invalid:
> {code:java}
> guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
> guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
> guacd[5]: INFO: Creating new client for protocol "rdp"
> guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
> guacd[7]: INFO: Security mode: ANY
> guacd[7]: INFO: Resize method: display-update
> guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
> guacd[7]: INFO: Loading keymap "base"
> guacd[7]: INFO: Loading keymap "en-us-qwerty"
> connected to winpc.[domainname].com:3389
> creating directory /root/.config/freerdp
> creating directory /root/.config/freerdp/certs
> creating directory /root/.config/freerdp/server
> certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
> guacd[7]: INFO: Certificate validation failed
> tls_connect: certificate not trusted, aborting.
> Error: protocol security negotiation or connection failure
> guacd[7]: ERROR: Error connecting to RDP server
> guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
> guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
> {code}
> However when connected via Windows & Mac client the certificate is shown as valid.
>
> The same with a CentOS 7 installation with OpenSSL:
> {code:java}
> # openssl s_client -showcerts -connect winpc.[domainname].com:3389
> CONNECTED(00000003)
> depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
> verify return:1
> ---
> Certificate chain
>  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> -----BEGIN CERTIFICATE-----
> [Cert Data]
> -----END CERTIFICATE-----
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
> -----BEGIN CERTIFICATE-----
> [Cert Data]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-384, 384 bits
> ---
> SSL handshake has read 4333 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
>     Session-ID-ctx:
>     Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1547126917
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> {code}
> I assume that the ca-certificates package inside the container is missing:
> {code:java}
> root@a218bfbd187e:/# dpkg -l | grep cert
> root@a218bfbd187e:/#
> root@a218bfbd187e:/# ls /etc/ssl/certs/
> ls: cannot access '/etc/ssl/certs/': No such file or directory
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
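The following diagnostic script is an added example and is not code from the Guacamole project or from the issue reporter. It turns the two observations in the report into a repeatable check: first, whether the image has a CA trust store at all (the `ls /etc/ssl/certs/` failure in the container), and second, when a store exists, whether the RDP listener's certificate chain verifies against it, which is what the reporter's `openssl s_client` run on CentOS showed with `Verify return code: 0 (ok)`. It assumes the Debian-style bundle path `/etc/ssl/certs/ca-certificates.crt` (the file the `ca-certificates` package installs) and an `openssl` CLI for the live check; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added diagnostic (not Guacamole project code): does this host or container
# have a CA trust store, and does a TLS server's chain verify against it?
# Assumptions: Debian-style bundle at /etc/ssl/certs/ca-certificates.crt and an
# openssl CLI for the live check; a constructed bundle is used for the demo.

# Print the number of PEM certificates in a bundle file (0 if it is absent);
# exit status is non-zero when the bundle is missing or holds no certificate.
count_ca_certs() {
    bundle="$1"
    if [ ! -f "$bundle" ]; then
        echo 0
        return 1
    fi
    grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle"
}

# Succeed only when DIR/ca-certificates.crt exists and contains at least one
# certificate; this is exactly the condition that fails inside the guacd image
# ("ls: cannot access '/etc/ssl/certs/': No such file or directory").
trust_store_present() {
    dir="${1:-/etc/ssl/certs}"
    [ -d "$dir" ] || return 1
    n=$(count_ca_certs "$dir/ca-certificates.crt") || return 1
    [ "$n" -gt 0 ]
}

# Pull the numeric "Verify return code" out of an s_client transcript on stdin;
# the report shows "Verify return code: 0 (ok)" from a host that has a CA store.
verify_code_from_transcript() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Live check against HOST:PORT (3389 for the RDP listener in the report).
# -verify_return_error makes s_client abort on an untrusted chain, so anything
# other than "Verify return code: 0" in the transcript means validation failed.
verify_tls_server() {
    host="$1"
    port="${2:-3389}"
    bundle="${3:-/etc/ssl/certs/ca-certificates.crt}"
    count_ca_certs "$bundle" >/dev/null || { echo "no usable CA bundle at $bundle" >&2; return 2; }
    code=$(openssl s_client -connect "$host:$port" -servername "$host" \
               -CAfile "$bundle" -verify_return_error </dev/null 2>/dev/null \
           | verify_code_from_transcript)
    [ "${code:-1}" -eq 0 ]
}

# Demo on a constructed one-entry bundle (a real store holds over a hundred).
demo=$(mktemp -d)
mkdir "$demo/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder-not-a-real-cert' \
    '-----END CERTIFICATE-----' > "$demo/certs/ca-certificates.crt"
trust_store_present "$demo/certs" && echo "constructed store: present"
trust_store_present "$demo/missing" || echo "$demo/missing: no trust store (the container's state)"
if trust_store_present /etc/ssl/certs; then
    echo "/etc/ssl/certs: present on this host"
else
    echo "/etc/ssl/certs: missing on this host"
fi
rm -rf "$demo"
```

Run `verify_tls_server winpc.example.com 3389` from inside the guacd container after installing `ca-certificates`; a return code of 2 means the bundle is still absent, 1 means the store exists but the server chain did not verify against it, and 0 reproduces the CentOS result from the report.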