Nicolas Köhl created GUACAMOLE-1375:
---------------------------------------
Summary: GUACD Docker Image - Can not run update-ca-certificates successfully
Key: GUACAMOLE-1375
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1375
Project: Guacamole
Issue Type: Improvement
Components: guacd-docker
Affects Versions: 1.3.0
Environment: Docker
Reporter: Nicolas Köhl

When running the GUACD-Docker image, in order to inject private CA certificates
into the certificate store, one is supposed to run update-ca-certificates in
order to rebuild the ca_certificates.crt file in the /etc/ssl/certs folder to
include the additional CAs. I was able to place the 3 root certificates via a
bind mount into /usr/local/share/ca-certificates. When I run
update-ca-certificates as a command in the docker container at entrypoint,
it fails due to a permissions limitation.

The error message shown is that the command does not have permission to create
the symbolic link in the folder /etc/ssl/certs and the docker image will fail
to deploy.

    ln: failed to create symbolic link '/etc/ssl/certs/xxxxxxxx.pem': Permission denied

The guacd-docker image runs under user guacd and not root, so even if I
exec into the container I can't run it manually either. I realize this is a
good security measure but I'm wondering how to do this properly?

I'm hoping that guacd reads /etc/ssl/certs/ca_certificates.crt to authenticate
RDP connections, but I won't be able to RDP and verify any certificate
based off my private PKI infrastructure until I can add trusted roots to that
store.
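
One way to get private roots into the store while the container still runs as guacd, shown as an added example that is not part of the original report or the Guacamole project's own Dockerfile: a derived image that is root only for the build step that runs update-ca-certificates. The image name guacamole/guacd, the 1.3.0 tag (taken from "Affects Versions") and the private-ca/ directory are assumptions, and the check assumes bare PEM files with no text preamble.

```dockerfile
# Added example; image name, tag and the private-ca/ directory are assumptions.
FROM guacamole/guacd:1.3.0

# The report states the image runs as user guacd, which cannot write to
# /etc/ssl/certs. Become root for the build steps only.
USER root

# update-ca-certificates only picks up PEM files whose names end in .crt.
COPY private-ca/*.crt /usr/local/share/ca-certificates/

# Rebuild the bundle, then fail the build if a private root is not PEM or
# did not end up in the rebuilt bundle.
RUN set -eu; \
    update-ca-certificates; \
    for f in /usr/local/share/ca-certificates/*.crt; do \
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
            || { echo "not PEM: $f" >&2; exit 1; }; \
        body=$(grep -v -- '-----' "$f" | head -n 1); \
        grep -qF -- "$body" /etc/ssl/certs/ca-certificates.crt \
            || { echo "missing from bundle: $f" >&2; exit 1; }; \
    done

# Drop privileges again so the running container still executes as guacd.
USER guacd
```

With the roots added at build time, the bind mount and the entrypoint call to update-ca-certificates are no longer needed.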