Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- 1.0.0
- None
Description
The guacd docker container marks my certificate as invalid:
guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
guacd[5]: INFO: Creating new client for protocol "rdp"
guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
guacd[7]: INFO: Security mode: ANY
guacd[7]: INFO: Resize method: display-update
guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
guacd[7]: INFO: Loading keymap "base"
guacd[7]: INFO: Loading keymap "en-us-qwerty"
connected to winpc.[domainname].com:3389
creating directory /root/.config/freerdp
creating directory /root/.config/freerdp/certs
creating directory /root/.config/freerdp/server
certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
guacd[7]: INFO: Certificate validation failed
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure
guacd[7]: ERROR: Error connecting to RDP server
guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
However, when connected via the Windows and Mac clients, the certificate is shown as valid. The same with a CentOS 7 installation with OpenSSL:
# openssl s_client -showcerts -connect winpc.[domainname].com:3389
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
[Cert Data]
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
[Cert Data]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4333 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
    Session-ID-ctx:
    Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1547126917
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
I assume that the ca-certificates package inside the container is missing:
root@a218bfbd187e:/# dpkg -l | grep cert
root@a218bfbd187e:/#
root@a218bfbd187e:/# ls /etc/ssl/certs/
ls: cannot access '/etc/ssl/certs/': No such file or directory