Re: guacd with SSL

2020-07-06 Thread Henri Alves de Godoy
Hi Nick.

It worked, it was that detail that was missing in Java certs.

There are so many details, :-)  I'll have to write down all the steps here
or set up an updated tutorial.

I believe I am safe now, with SSL certified in the three phases of
connection:

- Tomcat Web User with proxy SSL
- Tomcat with guacd SSL
- Guacd with AD LDAP SSL

Thank you all for your help.

Henri.


On Mon, Jul 6, 2020 at 09:30, Nick Couchman
wrote:

> On Sun, Jul 5, 2020 at 7:28 PM Henri Alves de Godoy
>  wrote:
>
>> Hi Mike, thanks for your reply.
>>
>> Communication between the web user on tomcat is already done. I was able
>> to configure the reverse proxy in apache without any problems.
>>
>> Now I want to do the configuration even between Tomcat and guacd.
>>
>> I put the option in properties:
>>
>> guacd-ssl: true
>>
>> I restarted tomcat
>>
>> I started guacd with the line:
>>
>>  /usr/local/sbin/guacd -f -C /etc/httpd/certs/remoto-final.pem -K
>> /etc/pki/tls/certs/remoto-key.pem -L debug &
>>
>> Log error
>>
>>  guacd[14818]: Unable to set up SSL/TLS: SSL accept failed
>>
>> The certificates that I am specifying in guacd are the same ones that I
>> used for the tomcat ssl web
>>
>> What could I be doing wrong?
>>
>>
> Is the certificate issuer in the Java trusted certificates store (cacerts)
> for the Java version running Tomcat?
>
> -Nick
>
>>

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


Re: guacd with SSL

2020-07-06 Thread Nick Couchman
On Sun, Jul 5, 2020 at 7:28 PM Henri Alves de Godoy
 wrote:

> Hi Mike, thanks for your reply.
>
> Communication between the web user on tomcat is already done. I was able
> to configure the reverse proxy in apache without any problems.
>
> Now I want to do the configuration even between Tomcat and guacd.
>
> I put the option in properties:
>
> guacd-ssl: true
>
> I restarted tomcat
>
> I started guacd with the line:
>
>  /usr/local/sbin/guacd -f -C /etc/httpd/certs/remoto-final.pem -K
> /etc/pki/tls/certs/remoto-key.pem -L debug &
>
> Log error
>
>  guacd[14818]: Unable to set up SSL/TLS: SSL accept failed
>
> The certificates that I am specifying in guacd are the same ones that I
> used for the tomcat ssl web
>
> What could I be doing wrong?
>
>
Is the certificate issuer in the Java trusted certificates store (cacerts)
for the Java version running Tomcat?

-Nick

>
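
The check Nick asks about, as an added shell example that is not part of the original thread: it confirms that the certificate passed to guacd with -C chains to a given issuer certificate, and that this issuer is an entry in the cacerts store of the JVM. The issuer file path, the alias guacd-issuer and the stock store password changeit are assumptions; run it with the keytool of the Java installation that runs Tomcat.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenSSL and a JDK 9+ keytool
# (the -cacerts option); use the keytool of the JVM that runs Tomcat.

# Print the SHA-256 fingerprint of a PEM certificate (AA:BB:... form).
sha256_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if certificate $1 verifies against the CA certificate(s) in $2.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed if certificate $1 is an entry in the JVM's cacerts store.
# "changeit" is the stock cacerts password (assumption); override with STOREPASS.
in_java_truststore() {
    local fp
    fp=$(sha256_fp "$1" 2>/dev/null)
    [ -n "$fp" ] || return 1   # unreadable cert: never report it as trusted
    keytool -list -cacerts -storepass "${STOREPASS:-changeit}" 2>/dev/null |
        grep -qiF "$fp"
}

# check_guacd_trust GUACD_CERT ISSUER_CERT
# Returns 0 when the JVM trusts the issuer of guacd's certificate,
# 1 when ISSUER_CERT did not issue GUACD_CERT, 2 when it is not in cacerts.
check_guacd_trust() {
    local cert="$1" issuer="$2"
    if ! chains_to "$cert" "$issuer"; then
        echo "FAIL: $cert was not issued by $issuer" >&2
        return 1
    fi
    if ! in_java_truststore "$issuer"; then
        echo "FAIL: issuer is not in cacerts; import it, then restart Tomcat:" >&2
        echo "  keytool -importcert -cacerts -alias guacd-issuer -file $issuer" >&2
        return 2
    fi
    echo "OK: issuer of $cert is trusted by this JVM"
}

# Usage: ./check.sh /etc/httpd/certs/remoto-final.pem /path/to/issuer-ca.pem
# (the second path is a placeholder for the CA certificate file)
if [ "$#" -eq 2 ]; then
    check_guacd_trust "$1" "$2"
fi
```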


Re: guacd with SSL

2020-07-05 Thread Henri Alves de Godoy
Hi Mike, thanks for your reply.

Communication between the web user on tomcat is already done. I was able to
configure the reverse proxy in apache without any problems.

Now I want to do the configuration even between Tomcat and guacd.

I put the option in properties:

guacd-ssl: true

I restarted tomcat

I started guacd with the line:

 /usr/local/sbin/guacd -f -C /etc/httpd/certs/remoto-final.pem -K
/etc/pki/tls/certs/remoto-key.pem -L debug &

Log error

 guacd[14818]: Unable to set up SSL/TLS: SSL accept failed

The certificates that I am specifying in guacd are the same ones that I used
for the tomcat ssl web

What could I be doing wrong?

Thanks
Henri


On Sun, Jul 5, 2020 at 20:13, Mike Jumper
wrote:

> First, if you are trying to set up SSL/TLS in front of the web
> application, this is not the way. This affects only the (internal)
> communication between Tomcat and guacd.
>
> Assuming this is indeed what you're looking for (you are trying to encrypt
> the internal, non-user-facing communication between Tomcat and guacd), did
> you set the corresponding properties in guacamole.properties? When
> encrypting communication between Tomcat and guacd, both ends need to be
> configured for this:
>
>
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup
>
> If you are just looking to encrypt the user-facing side of things, you
> don't need to do any of this. You should instead look to set up Apache or
> Nginx as a reverse proxy to provide SSL termination in front of Tomcat:
>
> https://guacamole.apache.org/doc/gug/proxying-guacamole.html
>
> - Mike
>
> On Sun, Jul 5, 2020, 16:07 Henri Alves de Godoy
>  wrote:
>
>> I promise it's my last question for today ;-)
>>
>> When I put the certificate settings in guacd, I have in the log:
>>
>> Jul  5 20:00:34 guacd[14248]: Guacamole proxy daemon (guacd) version
>> 1.2.0 started
>> Jul  5 20:00:34 guacd[14248]: Communication will require SSL/TLS.
>> Jul  5 20:00:34 guacd[14248]: Using PEM keyfile
>> /etc/pki/tls/certs/cert-key.pem
>> Jul  5 20:00:34 guacd[14248]: Using certificate file
>> /etc/httpd/certs/cert-final.pem
>> Jul  5 20:00:34 guacd[14248]: Listening on host 127.0.0.1, port 4822
>>
>> However, when establishing a connection to Windows via RDP, I can't, and
>> this appears in the log:
>>
>> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>>
>> Any tips on what might be happening?
>>
>> Thank you
>>
>> --
>> Henri Alves Godoy
>> Tecnologia da Informação e Comunicação
>> Faculdade de Ciências Aplicadas - FCA
>> Universidade Estadual de Campinas - UNICAMP
>> Fone: (19) 3701-6682
>>
>

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


Re: guacd with SSL

2020-07-05 Thread Mike Jumper
First, if you are trying to set up SSL/TLS in front of the web application,
this is not the way. This affects only the (internal) communication between
Tomcat and guacd.

Assuming this is indeed what you're looking for (you are trying to encrypt
the internal, non-user-facing communication between Tomcat and guacd), did
you set the corresponding properties in guacamole.properties? When
encrypting communication between Tomcat and guacd, both ends need to be
configured for this:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

If you are just looking to encrypt the user-facing side of things, you
don't need to do any of this. You should instead look to set up Apache or
Nginx as a reverse proxy to provide SSL termination in front of Tomcat:

https://guacamole.apache.org/doc/gug/proxying-guacamole.html

- Mike

On Sun, Jul 5, 2020, 16:07 Henri Alves de Godoy
 wrote:

> I promise it's my last question for today ;-)
>
> When I put the certificate settings in guacd, I have in the log:
>
> Jul  5 20:00:34 guacd[14248]: Guacamole proxy daemon (guacd) version 1.2.0
> started
> Jul  5 20:00:34 guacd[14248]: Communication will require SSL/TLS.
> Jul  5 20:00:34 guacd[14248]: Using PEM keyfile
> /etc/pki/tls/certs/cert-key.pem
> Jul  5 20:00:34 guacd[14248]: Using certificate file
> /etc/httpd/certs/cert-final.pem
> Jul  5 20:00:34 guacd[14248]: Listening on host 127.0.0.1, port 4822
>
> However, when establishing a connection to Windows via RDP, I can't, and
> this appears in the log:
>
> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>
> Any tips on what might be happening?
>
> Thank you
>
> --
> Henri Alves Godoy
> Tecnologia da Informação e Comunicação
> Faculdade de Ciências Aplicadas - FCA
> Universidade Estadual de Campinas - UNICAMP
> Fone: (19) 3701-6682
>