On Thu, Oct 12, 2017 at 12:52 PM, Carter Sema <cs...@acschools.org> wrote:
> Installed Fresh Guacamole 0.9.13, using mysql database backend for user
> and LetsEncrypt! For SSL with Apache2 for a reverse proxy. Guacamole won’t
> allow sessions to connect. Checked my catalina.out log and I’m seeing the
> following error
>
> 12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> 12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>

This seems to indicate that Java does not trust whatever certificate you're using. You might need to import either the server certificate or the root certificate for that server cert into the Java keystore.

This will vary based on what type/version of Java you're using - in the Sun/Oracle versions of Java, if you look in the JRE base directory, under lib/security, you'll find a cacerts file that contains known CA certificates. You can use the keytool binary to import your certificate(s) into that file, then restart Tomcat. OpenJDK maintains a file somewhere else, and that depends on what Linux distribution you're using.

-Nick
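The import described in the reply above, as an added example that is not part of the original thread: it finds the cacerts file for a given Java home (following the symlink that distribution OpenJDK packages commonly use), backs it up, imports a certificate with keytool and lists the new entry. The function names `find_cacerts` and `import_ca` are hypothetical, the store password is assumed to be the stock `changeit`, and `readlink -f` is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example: locate the trust store a Java home uses and import a CA into it.

# Print the resolved path of the cacerts file for Java home $1, or return 1.
find_cacerts() {
    local java_home candidate
    java_home=$1
    # lib/security/cacerts      : JRE layout and Java 9+
    # jre/lib/security/cacerts  : Java 8 JDK layout
    for candidate in "$java_home/lib/security/cacerts" \
                     "$java_home/jre/lib/security/cacerts"; do
        if [ -e "$candidate" ]; then
            # Distribution packages often make this a symlink to a system-wide
            # store; resolve it so the real file is the one that gets edited.
            readlink -f "$candidate"
            return 0
        fi
    done
    return 1
}

# Import PEM certificate $2 under alias $3 into the store of Java home $1.
import_ca() {
    local store
    store=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; return 1; }
    [ -r "$2" ] || { echo "cannot read certificate $2" >&2; return 1; }
    cp -p "$store" "$store.bak" || return 1   # keep a copy to roll back to
    # "changeit" is the stock cacerts password (assumption: it was not changed).
    keytool -importcert -trustcacerts -noprompt -alias "$3" -file "$2" \
            -keystore "$store" -storepass "${STOREPASS:-changeit}" || return 1
    # Confirm the entry is present before restarting Tomcat.
    keytool -list -alias "$3" -keystore "$store" -storepass "${STOREPASS:-changeit}"
}

# Usage, with placeholder path and alias:
#   import_ca "$JAVA_HOME" /path/to/ca.pem my-ca-alias
```

Pass the Java home that the Tomcat process actually runs with; importing into a different installation's store leaves the error unchanged.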