[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695319#comment-17695319
 ] 

Michael Magill edited comment on GUACAMOLE-1738 at 3/2/23 2:06 AM:
-------------------------------------------------------------------

Thanks [~phreakocious] !  ssl=0 did not work for me, but it did change the 
error to something about private key requests not permitted.  After fooling 
around with it for a while, and being very confused when a non-docker fresh 
install worked just fine, I think I finally nailed down the culprit.  Or in 
this case, combination of culprits.

The docker container uses the MySQL Connector/J JDBC driver 
mysql-connector-java-5.1.46.jar.  In my bare metal install I followed the 
link in the docs to the MySQL site for download, and it offered me version 
8.0.32.  If I swap my bare metal install to the 5.1.46 version instead, it 
breaks.

Adding this to the guacamole/guacamole section of my docker-compose stack works 
around the issue:
    volumes:
      - /etc/guacamole/lib/mysql-connector-j-8.0.32.jar:/opt/guacamole/mysql/mysql-connector-java-5.1.46.jar

That replaces the 5.1.46 version in the container with the 8.0.32 version I 
downloaded and saved to /etc/guacamole/lib, which has no problem connecting to 
MySQL, even without the ssl=0 command.

As for what is actually going on - the MySQL auth provider 
(https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java)
changed how the connection is built.  In earlier versions when building the 
connection it would check MYSQL_SSL_MODE and if it was disabled, it would set 
useSSL to false, otherwise it wouldn't set useSSL _at all_.  In Guacamole 
1.5.0, lines 93 & 94 were added so if MYSQL_SSL_MODE isn't disabled, it sets 
useSSL to true.

I believe that matters because the older version of the MySQL connector library 
seems to require a valid SSL cert/truststore config when useSSL is set.  The 
new version will use SSL if available, but not verify the certificate unless 
MYSQL_SSL_MODE is set to either verify-ca or verify-identity.  If I am wrong 
about that, maybe it has to do with allowed SSL/TLS versions or something.  
Either way the new version works.

The real fix for this is for the docker container to pull the newer version of 
the connector library.   I just created a PR to do it: 
https://github.com/apache/guacamole-client/pull/802


was (Author: kelderek):
Thanks [~phreakocious] !  ssl=0 did not work for me, but it did change the 
error to something about private key requests not permitted.  After fooling 
around with it for a while, and being very confused when a non-docker fresh 
install worked just fine, I think I finally nailed down the culprit.  Or in 
this case, combination of culprits.

The docker container uses the MySQL Connector/J JDBC driver 
mysql-connector-java-5.1.46.jar.  In my bare metal install I followed the 
link in the docs to the MySQL site for download, and it offered me version 
8.0.32.  If I swap my bare metal install to the 5.1.46 version instead, it 
breaks.

Adding this to the guacamole/guacamole section of my docker-compose stack works 
around the issue:
    volumes:
      - /etc/guacamole/lib/mysql-connector-j-8.0.32.jar:/opt/guacamole/mysql/mysql-connector-java-5.1.46.jar

That replaces the 5.1.46 version in the container with the 8.0.32 version I 
downloaded and saved to /etc/guacamole/lib, which has no problem connecting to 
MySQL, even without the ssl=0 command.

As for what is actually going on - the MySQL auth provider 
(https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java)
changed how the connection is built.  In earlier versions when building the 
connection it would check MYSQL_SSL_MODE and if it was disabled, it would set 
useSSL to false, otherwise it wouldn't set useSSL _at all_.  In Guacamole 
1.5.0, lines 93 & 94 were added so if MYSQL_SSL_MODE isn't disabled, it sets 
useSSL to true.

I believe that matters because the older version of the MySQL connector library 
seems to require a valid SSL cert/truststore config when useSSL is set.  The 
new version will use SSL if available, but not verify the certificate unless 
MYSQL_SSL_MODE is set to either verify-ca or verify-identity.  If I am wrong 
about that, maybe it has to do with allowed SSL/TLS versions or something.  
Either way the new version works.

The real fix for this is for the docker container to pull the newer version of 
the connector library.   I just created a PR to do it: 
[https://github.com/apache/guacamole-client/pull/802|https://github.com/apache/guacamole-client/pull/801]

 

> Docker Guacamole 1.5.0 Mysql Connection Error
> ---------------------------------------------
>
>                 Key: GUACAMOLE-1738
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1738
>             Project: Guacamole
>          Issue Type: Bug
>    Affects Versions: 1.5.0
>            Reporter: Jonathan Kwan
>            Priority: Major
>
> Ever since I upgraded my docker instance of Guacamole from 1.4.0 to 1.5.0, 
> Guacamole is unable to connect to my mysql instance. Previously on 1.4.0 it 
> was working flawlessly without issue.
>  
> I've ensured the following are up to date at the moment:
> nginx - 1.22.1
> mysql - 8.0.32
> docker engine - 23.0.1 (I was previously on 20.x, and it was causing weird 
> issues with the Java components in Docker to indicate "out of memory" which 
> wasn't the case)
>  
> Based on the error messages my hunch is it might be to do with 
> guacamole-auth-jdbc-mysql-1.5.0.jar.
>  
> Below is the error message from Guacamole:
>  
> 04:05:17.030 [localhost-startStop-1] INFO  
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is 
> "/home/guacamole/.guacamole".
> 04:05:17.117 [localhost-startStop-1] INFO  
> o.a.g.GuacamoleServletContextListener - Read configuration parameters from 
> "/home/guacamole/.guacamole/guacamole.properties".
> 04:05:17.118 [localhost-startStop-1] INFO  
> o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes 
> of inactivity.
> 04:05:17.505 [localhost-startStop-1] INFO  
> o.a.g.extension.ExtensionModule - Multiple extensions are installed and will 
> be loaded in order of decreasing priority:
> 04:05:17.506 [localhost-startStop-1] INFO  
> o.a.g.extension.ExtensionModule -  - [duo] "Duo TFA Authentication Backend" 
> (/home/guacamole/.guacamole/extensions/guacamole-auth-duo-1.5.0.jar)
> 04:05:17.506 [localhost-startStop-1] INFO  
> o.a.g.extension.ExtensionModule -  - [mysql] "MySQL Authentication" 
> (/home/guacamole/.guacamole/extensions/guacamole-auth-jdbc-mysql-1.5.0.jar)
> 04:05:17.506 [localhost-startStop-1] INFO  
> o.a.g.extension.ExtensionModule - To change this order, set the 
> "extension-priority" property or rename the extension files. The default 
> priority of extensions is dictated by the sort order of their filenames.
> 04:05:17.783 [localhost-startStop-1] INFO  
> o.a.g.extension.ExtensionModule - Extension "Duo TFA Authentication Backend" 
> (duo) loaded.
> 04:05:17.797 [localhost-startStop-1] INFO  
> o.a.g.a.mysql.conf.MySQLEnvironment - Installed JDBC driver for MySQL/MariaDB 
> detected as "MySQL Connector/J".
> 04:05:18.558 [localhost-startStop-1] INFO  
> o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" (mysql) 
> loaded.
> 04:05:18.644 [localhost-startStop-1] INFO  
> o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
> 22-Feb-2023 04:05:19.453 INFO [localhost-startStop-1] 
> org.apache.catalina.startup.HostConfig.deployWAR Deployment of web 
> application archive [/home/guacamole/tomcat/webapps/guacamole.war] has 
> finished in [3,996] ms
> 22-Feb-2023 04:05:19.454 INFO [main] 
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["http-nio-8080"]
> 22-Feb-2023 04:05:19.464 INFO [main] 
> org.apache.catalina.startup.Catalina.start Server startup in 4047 ms
> 04:05:44.963 [http-nio-8080-exec-4] WARN  
> o.a.g.e.AuthenticationProviderFacade - The "mysql" authentication provider 
> has encountered an internal error which will halt the authentication process. 
> If this is unexpected or you are the developer of this authentication 
> provider, you may wish to enable debug-level logging. If this is expected and 
> you wish to ignore such failures in the future, please set 
> "skip-if-unavailable: mysql" within your guacamole.properties.
> 04:05:44.967 [http-nio-8080-exec-4] ERROR o.a.g.rest.RESTExceptionMapper 
> - Unexpected internal error: 
> ### Error querying database.  Cause: 
> com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link 
> failure
>
> The last packet successfully received from the server was 111 
> milliseconds ago.  The last packet sent successfully to the server was 105 
> milliseconds ago.
> ### The error may exist in 
> org/apache/guacamole/auth/jdbc/user/UserMapper.xml
> ### The error may involve 
> org.apache.guacamole.auth.jdbc.user.UserMapper.selectOne
> ### The error occurred while executing a query
> ### Cause: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: 
> Communications link failure
>
> The last packet successfully received from the server was 111 
> milliseconds ago.  The last packet sent successfully to the server was 105 
> milliseconds ago.
> 04:05:54.434 [http-nio-8080-exec-1] WARN  
> o.a.g.e.AuthenticationProviderFacade - The "mysql" authentication provider 
> has encountered an internal error which will halt the authentication process. 
> If this is unexpected or you are the developer of this authentication 
> provider, you may wish to enable debug-level logging. If this is expected and 
> you wish to ignore such failures in the future, please set 
> "skip-if-unavailable: mysql" within your guacamole.properties.
> 04:05:54.434 [http-nio-8080-exec-1] ERROR o.a.g.rest.RESTExceptionMapper 
> - Unexpected internal error: 
> ### Error querying database.  Cause: 
> com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link 
> failure
>
> The last packet successfully received from the server was 5 milliseconds 
> ago.  The last packet sent successfully to the server was 5 milliseconds ago.
> ### The error may exist in 
> org/apache/guacamole/auth/jdbc/user/UserMapper.xml
> ### The error may involve 
> org.apache.guacamole.auth.jdbc.user.UserMapper.selectOne
> ### The error occurred while executing a query
> ### Cause: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: 
> Communications link failure
>
> The last packet successfully received from the server was 5 milliseconds 
> ago.  The last packet sent successfully to the server was 5 milliseconds ago.
> 04:10:34.913 [http-nio-8080-exec-1] WARN  
> o.a.g.e.AuthenticationProviderFacade - The "mysql" authentication provider 
> has encountered an internal error which will halt the authentication process. 
> If this is unexpected or you are the developer of this authentication 
> provider, you may wish to enable debug-level logging. If this is expected and 
> you wish to ignore such failures in the future, please set 
> "skip-if-unavailable: mysql" within your guacamole.properties.
>  
> Any assistance on this issue would be greatly appreciated, thanks!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
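
The bind mount in the workaround above places the 8.0.32 driver at a path still named mysql-connector-java-5.1.46.jar, so any inventory or scanner that keys on the file name will report the wrong driver. The following is an added example, not from the original comment or the Guacamole project, that reads the version from the jar manifest instead; it assumes the manifest carries an Implementation-Version attribute, and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of the previous value
            attrs[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key] = value.strip()
    return attrs

def filename_version(name):
    """Version implied by the file name, e.g. mysql-connector-java-5.1.46.jar."""
    m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", name)
    return m.group(1) if m else None

def audit_jar(name, jar_file):
    """Compare the file-name version with the manifest's Implementation-Version."""
    with zipfile.ZipFile(jar_file) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    actual = parse_manifest(manifest).get("Implementation-Version")
    claimed = filename_version(name)
    return {"claimed": claimed, "actual": actual,
            "mismatch": None not in (claimed, actual) and claimed != actual}

def make_sample_jar(version):
    """Constructed sample: an in-memory jar that holds only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n"
                     "Implementation-Title: MySQL Connector/J\r\n"
                     f"Implementation-Version: {version}\r\n\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Container path from the comment: the name says 5.1.46, the content is 8.0.32.
    path = "/opt/guacamole/mysql/mysql-connector-java-5.1.46.jar"
    print(audit_jar(path, make_sample_jar("8.0.32")))
    print(audit_jar(path, make_sample_jar("5.1.46")))
```

On a real host, pass the path of the mounted jar as both arguments to `audit_jar`.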
