guacd with SSL


guacd with SSL

Henri Alves de Godoy
I promise it's my last question for today ;-)

When I put the certificate settings in guacd, I have in the log:

Jul  5 20:00:34 guacd[14248]: Guacamole proxy daemon (guacd) version 1.2.0 started
Jul  5 20:00:34 guacd[14248]: Communication will require SSL/TLS.
Jul  5 20:00:34 guacd[14248]: Using PEM keyfile /etc/pki/tls/certs/cert-key.pem
Jul  5 20:00:34 guacd[14248]: Using certificate file /etc/httpd/certs/cert-final.pem
Jul  5 20:00:34 guacd[14248]: Listening on host 127.0.0.1, port 4822

However, when establishing a connection to Windows via RDP, I can't, and this appears in the log:

guacd[14248]: ERROR:    Unable to set up SSL/TLS: SSL accept failed
guacd[14248]: ERROR:    Unable to set up SSL/TLS: SSL accept failed
guacd[14248]: ERROR:    Unable to set up SSL/TLS: SSL accept failed

Any tips on what might be happening?

Thank you

-- 
Henri Alves Godoy
Information and Communication Technology
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Phone: (19) 3701-6682

Re: guacd with SSL

mjumper
Administrator
First, if you are trying to set up SSL/TLS in front of the web application, this is not the way. This affects only the (internal) communication between Tomcat and guacd.

Assuming this is indeed what you're looking for (you are trying to encrypt the internal, non-user-facing communication between Tomcat and guacd), did you set the corresponding properties in guacamole.properties? When encrypting communication between Tomcat and guacd, both ends need to be configured for this:


If you are just looking to encrypt the user-facing side of things, you don't need to do any of this. You should instead look to set up Apache or Nginx as a reverse proxy to provide SSL termination in front of Tomcat:


- Mike


Re: guacd with SSL

Henri Alves de Godoy
Hi Mike, thanks for your reply.

Communication between the web user and Tomcat is already done. I was able to configure the reverse proxy in Apache without any problems.

Now I want to do the configuration between Tomcat and guacd as well.

I put the option in properties:

guacd-ssl: true

I restarted tomcat

I started guacd with the line:

/usr/local/sbin/guacd -f -C /etc/httpd/certs/remoto-final.pem -K /etc/pki/tls/certs/remoto-key.pem -L debug &

Log error

 guacd[14818]: Unable to set up SSL/TLS: SSL accept failed

The certificates that I am specifying in guacd are the same ones that I used for the Tomcat web SSL.

What could I be doing wrong?

Thanks
Henri




-- 
Henri Alves Godoy
Information and Communication Technology
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Phone: (19) 3701-6682

Re: guacd with SSL

vnick

Is the certificate issuer in the Java trusted certificates store (cacerts) for the Java version running Tomcat?

-Nick
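The failure Nick points at is decided on the client side: Tomcat, as the TLS client, rejects guacd's certificate because it cannot chain it to anything in the JVM's trust store, and guacd itself only ever sees a failed accept. The Go program below, added here as an illustration and not code from Guacamole or from anyone in this thread, reproduces that on localhost with a constructed private CA. Go's crypto/tls stands in for both guacd's OpenSSL listener and Tomcat's JVM client; the names issue, tryConnect, IsUnknownIssuer and RunDemo are the example's own, and the two x509.CertPool values model a cacerts with and without the issuer imported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue fills in serial and validity, signs t under parent with parentKey
// (self-signs when parent is nil), and returns the parsed cert with its new key.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(now.UnixNano()), now.Add(-time.Hour), now.Add(24*time.Hour)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Probe records what each side of one TLS handshake observed.
type Probe struct{ ClientErr, ServerErr error } // connecting side (Tomcat's role), listener (guacd's role)

// tryConnect starts a one-shot TLS listener presenting srvCert, then has a
// client whose trust store is roots connect to it, and reports both views.
func tryConnect(srvCert tls.Certificate, roots *x509.CertPool) (Probe, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Probe{}, err
	}
	defer ln.Close()
	tlsLn := tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{srvCert}})
	srvErr := make(chan error, 1)
	go func() {
		c, err := tlsLn.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake() // the server's "SSL accept" step
		}
		srvErr <- err
	}()
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots})
	if cerr == nil {
		conn.Close()
	}
	return Probe{ClientErr: cerr, ServerErr: <-srvErr}, nil
}

// IsUnknownIssuer reports whether a client error is "issuer not in my trust store".
func IsUnknownIssuer(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// RunDemo builds a constructed private CA and a server cert signed by it, then runs one
// handshake from a client that trusts the CA (good) and one whose trust store lacks it (bad).
func RunDemo() (good, bad Probe, err error) {
	ca, caKey, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Internal CA (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return
	}
	srv, srvKey, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "guacd (constructed)"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}, ca, caKey) // the client dials 127.0.0.1
	if err != nil {
		return
	}
	srvCert := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	trusted := x509.NewCertPool() // models a trust store with the issuer imported
	trusted.AddCert(ca)
	if good, err = tryConnect(srvCert, trusted); err != nil {
		return
	}
	bad, err = tryConnect(srvCert, x509.NewCertPool()) // models one without the issuer
	return
}

func main() {
	good, bad, err := RunDemo()
	fmt.Println("issuer trusted:", good, "\nissuer untrusted:", bad, "\nsetup error:", err)
}
```

Running it shows the asymmetry the thread ran into: with the issuer trusted both sides report nil, while with an empty trust store the client reports an unknown-authority error and the server only sees the handshake aborted by the peer, which is all "SSL accept failed" in guacd's log tells you. On the JVM side the equivalent fix is importing the issuing CA (not the server certificate) into the cacerts used by the Java running Tomcat, for example with keytool -importcert -trustcacerts, and then restarting Tomcat.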

Re: guacd with SSL

Henri Alves de Godoy
Hi Nick.

It worked; it was that detail that was missing in the Java certs.

There are so many details :-) I'll have to write down all the steps or put together an updated tutorial.

I believe I am safe now, with SSL in all three phases of the connection:

- Tomcat Web User with proxy SSL
- Tomcat with guacd SSL
- Guacd with AD LDAP SSL

Thank you all for your help.

Henri.




-- 
Henri Alves Godoy
Information and Communication Technology
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Phone: (19) 3701-6682