Guacamole Dropping Connections

Guacamole Dropping Connections

Carter Sema

Installed fresh Guacamole 0.9.13, using MySQL database backend for user and Let's Encrypt for SSL with Apache2 for a reverse proxy. Guacamole won’t allow sessions to connect. Checked my catalina.out log and I’m seeing the following error:

 

12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

12:07:00.277 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.

12:07:30.391 [http-nio-8080-exec-5] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.

12:12:19.578 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: java.net.ConnectException: Connection refused (Connection refused)

 

Checked my /var/log/syslog and nothing from guacd that I can see.

 

Any ideas?

 

Thanks!

Carter Sema

Network Support Specialist

[hidden email]


Re: Guacamole Dropping Connections

vnick


On Thu, Oct 12, 2017 at 12:52 PM, Carter Sema <[hidden email]> wrote:

Installed Fresh Guacamole 0.9.13, using mysql database backend for user and LetsEncrypt! For SSL with Apache2 for a reverse proxy. Guacamole won’t allow sessions to connect. Checked my catalina.out log and I’m seeing the following error

 

12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



 This seems to indicate that Java does not trust whatever certificate you're using.  You might need to import either the server certificate or the root certificate for that server cert into the Java keystore.  This will vary based on what type/version of Java you're using - in the Sun/Oracle versions of Java, if you look in the JRE base directory, under lib/security, you'll find a cacerts file that contains known CA certificates.  You can use the keytool binary to import your certificate(s) into that file, then restart Tomcat.  OpenJDK maintains a file somewhere else, and that depends on what Linux distribution you're using.

-Nick 
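Added example (not part of the reply above and not Guacamole project code): one way to carry out the keytool import it describes. The alias, the PEM path and the stock "changeit" store password are assumptions; importing the issuing CA rather than the server's own certificate keeps the trust entry valid when the server certificate is renewed.

```bash
#!/usr/bin/env bash
# Added example: import a CA certificate into the trust store of the JVM
# that runs Tomcat. Alias, PEM path and the "changeit" password are assumptions.

# find_cacerts JAVA_HOME
#   Prints the real path of the cacerts file under a Java home.
#   Sun/Oracle JREs keep it in lib/security; JDK layouts nest it under jre/.
#   Debian/Ubuntu OpenJDK ships it as a symlink, so the link is resolved
#   to find the file that actually has to be modified and backed up.
find_cacerts() {
    local java_home="$1" candidate
    for candidate in "$java_home/lib/security/cacerts" \
                     "$java_home/jre/lib/security/cacerts"; do
        if [ -e "$candidate" ]; then
            readlink -f "$candidate"
            return 0
        fi
    done
    return 1
}

# import_ca STORE ALIAS PEM [STOREPASS]
#   Imports one PEM certificate under ALIAS unless that alias already exists.
import_ca() {
    local store="$1" alias="$2" pem="$3" pass="${4:-changeit}"
    if keytool -list -keystore "$store" -storepass "$pass" \
               -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $store"
        return 0
    fi
    cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$pem" \
        -keystore "$store" -storepass "$pass"
}

# Hypothetical usage (as root, against the JVM Tomcat really uses, then restart Tomcat):
#   store=$(find_cacerts "$JAVA_HOME") && import_ca "$store" my-issuing-ca /path/to/ca.pem
```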



RE: Guacamole Dropping Connections

Carter Sema

OK! That seemed to work… But now there's another error.

When trying to connect to a machine it says “The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs.”

And catalina.out says:

Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

 

I don’t think the SQL error is causing the problem, but I might be wrong..

 

Thanks!

 

Carter Sema

Network Support Specialist

[hidden email]


From: Nick Couchman [mailto:[hidden email]]
Sent: Thursday, October 12, 2017 12:57 PM
To: [hidden email]
Subject: Re: Guacamole Dropping Connections

 

 

 


Re: Guacamole Dropping Connections

Nick Couchman


On Thu, Oct 12, 2017 at 2:33 PM, Carter Sema <[hidden email]> wrote:

OK! That seemed to work… But now there another error.

When trying to connect to a machine it says “

The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs.”

 

And catalina.out says-

Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

 

I don’t think the SQL error is causing the problem, but I might be wrong..

 


Check /var/log/messages or journalctl, depending on your Linux distro, to see what the error is from guacd.  The catalina.out file will tell you the errors for the guacamole-client stuff, but the error you're getting seems to be coming from the guacamole-server side, when it tries to make the connection via RDP.

One thing I've noticed in my experience with Guacamole + RDP - if you're using Windows 8 or newer or Windows 2012 or newer, NLA is required by default.  If you've saved your username/password in Guacamole and have turned on NLA, this will work - otherwise, if you have not saved your credentials, and/or not enabled NLA, you might receive that error message.  You'll either need to relax Windows' restrictions on RDP connections such that you can connect with older RDP clients, or you'll need to save your credentials in the connection info.  The other option is to log in to Guacamole with the same credentials you'd use to connect to Windows (enable LDAP authentication module, or set your username/password the same) and then use the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens to pass the authentication information through.  Hopefully at some point we'll get parameter prompting into the Guacamole Client, which will allow for the preferred combination: Use NLA, don't save credentials, but allow user to enter credentials at connection time.  Again, not sure if that's what you're running into, but it could be.

-Nick

RE: Guacamole Dropping Connections

Carter Sema

Check /var/log/messages or journalctl = see screenshot attached. This is all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other locations where those guacd logs might live?

 

 

Carter Sema

Network Support Specialist

[hidden email]


From: Nick Couchman [mailto:[hidden email]]
Sent: Thursday, October 12, 2017 2:40 PM
To: [hidden email]
Subject: Re: Guacamole Dropping Connections

 

 

 



Ubuntu16.04.PNG (13K) Download Attachment

Re: Guacamole Dropping Connections

vnick


On Thu, Oct 12, 2017 at 3:16 PM, Carter Sema <[hidden email]> wrote:

Check /var/log/messages or journalctl = see screenshot attached. This is all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other locations where those guacd logs might live?

 


You can check /var/log/syslog.  journalctl is a command, not a file - so you'd just run "journalctl" at the command line, or "journalctl -f" if you want to tail the file.  I'm not sure if Ubuntu uses that or not.  The /var/log/syslog file might have information for you.

Alternatively you can start guacd in the foreground with debug:
/path/to/sbin/guacd -L debug -f

(after first stopping/killing any running guacd instances).  That will print out all of the guacd output to the terminal - then retry your connection and see what errors you get.

-Nick

RE: Guacamole Dropping Connections

Carter Sema

Everything looked good when I ran “journalctl -f”; below is the output, but the connections still died. I have another guac that uses version 0.9.10 and I can connect to windows2012r2 just fine which is all I need. Once I'm in, I can hit 2016 from internal RDP. Log Output=

Oct 12 15:21:20 guacamoletesting guacd[4122]: User "@90858207-e718-4093-aabb-f590f3626ba8" disconnected (0 users remain)

Oct 12 15:21:20 guacamoletesting guacd[4122]: Last user of connection "$fbf98964-ddbf-46b6-8e91-6369ea2f56ed" disconnected

Oct 12 15:21:20 guacamoletesting guacd[1303]: Connection "$fbf98964-ddbf-46b6-8e91-6369ea2f56ed" removed.

Oct 12 15:22:35 guacamoletesting guacd[1303]: Creating new client for protocol "rdp"

Oct 12 15:22:35 guacamoletesting guacd[1303]: Connection ID is "$be415e4d-16c8-44b6-8caf-5d70fb488911"

Oct 12 15:22:35 guacamoletesting guacd[4130]: Security mode: RDP

Oct 12 15:22:35 guacamoletesting guacd[4130]: Resize method: none

Oct 12 15:22:35 guacamoletesting guacd[4130]: User "@9b86d96b-1e53-4b95-bedb-ea4c4391edc9" joined connection "$be415e4d-16c8-44

Oct 12 15:22:35 guacamoletesting guacd[4130]: Loading keymap "base"

Oct 12 15:22:35 guacamoletesting guacd[4130]: Loading keymap "en-us-qwerty"

Oct 12 15:22:35 guacamoletesting guacd[4130]: Error connecting to RDP server

Oct 12 15:22:35 guacamoletesting guacd[4130]: User "@9b86d96b-1e53-4b95-bedb-ea4c4391edc9" disconnected (0 users remain)

Oct 12 15:22:35 guacamoletesting guacd[4130]: Last user of connection "$be415e4d-16c8-44b6-8caf-5d70fb488911" disconnected

Oct 12 15:22:35 guacamoletesting guacd[1303]: Connection "$be415e4d-16c8-44b6-8caf-5d70fb488911" removed.

 

I tried ssh to a known good source and it just hangs. Could a ufw firewall be causing some problems? Do I need to configure anything with the Guacamole Proxy Parameters (GUACD), or the Remote Desktop Gateway, or Preconnection PDU / Hyper-V?

Just trying to understand what's going on and why it doesn’t work!

 

Carter Sema

Network Support Specialist

[hidden email]


From: Nick Couchman [mailto:[hidden email]]
Sent: Thursday, October 12, 2017 3:20 PM
To: [hidden email]
Subject: Re: Guacamole Dropping Connections

 

 

 


Re: Guacamole Dropping Connections

Carter Sema
Turns out, my DNS wasn't set on my eth0 adapter. Since I use DNS names to connect, it couldn't resolve. Thanks for your help!
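
Added example (not part of the thread and not Guacamole project code): a preflight check for the failure found here, to be run on the guacd host. guacd logged only "Error connecting to RDP server", which does not separate a name-resolution failure from a blocked port or an NLA problem; the host names in the usage comment are hypothetical, and 4822 and 3389 are the default guacd and RDP ports.

```bash
#!/usr/bin/env bash
# Added example: run this on the host where guacd runs, because guacd
# (not the browser or Tomcat) opens the connection to the remote desktop.

# check_target HOST PORT
#   prints "dns-fail", "tcp-fail ADDR" or "tcp-ok ADDR"
#   returns 1, 2 or 0 respectively
check_target() {
    local host="$1" port="$2" addr
    # getent ahosts resolves through getaddrinfo(), so it follows
    # /etc/nsswitch.conf (/etc/hosts, then DNS) like any other local program.
    # The timeout bounds the wait when no resolver answers at all.
    addr=$(timeout 5 getent ahosts "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        echo "dns-fail"
        return 1
    fi
    # Address and port are passed as arguments to the inner shell,
    # never spliced into the command string.
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$addr" "$port" 2>/dev/null; then
        echo "tcp-ok $addr"
        return 0
    fi
    echo "tcp-fail $addr"
    return 2
}

# Hypothetical usage: the Tomcat-to-guacd leg first, then the guacd-to-target leg.
#   check_target localhost 4822
#   check_target rdp-host.example.internal 3389
# "dns-fail" points at resolver configuration on this host; "tcp-fail" points
# at a firewall or a stopped service; only "tcp-ok" makes NLA, security mode
# or credentials the next thing to examine.
```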

