winapps-org/winapps

Fail to launch apps when rdp certificate is renewed

Open

#396 created on January 28, 2025

Labels: freerdp, good first issue

Description

How to reproduce:

  • Install and run winapps for 3 months.
  • At some point the RDP certificate will be renewed by Windows.
  • After that, when launching a winapps app, you won't get any feedback because freerdp wants you to confirm you accept the new cert.

We need some way either for freerdp to always accept the new cert or to detect it and import it on the Linux side.

```
flatpak run --command=xfreerdp com.freerdp.FreeRDP /d: /u:Docker /p:Docker /scale:100 +auto-reconnect +clipboard +home-drive /audio-mode:1 -wallpaper +dynamic-resolution +span '/wm-class:Microsoft Word' '/app:program:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,icon:/home/michel/.local/share/winapps/apps/word-o365/icon.svg,name:Microsoft Word' /v:127.0.0.1
[13:50:44:787] [2:00000003] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[13:50:44:787] [2:00000003] [WARN][com.freerdp.crypto] - [verify_cb]: CN = DOCKERW-J03S567
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: New host key for 127.0.0.1:3389
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: @    WARNING: NEW HOST IDENTIFICATION!     @
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: The fingerprint for the host key sent by the remote host is 15:71:75:c8:42:18:21:bd:55:f5:a5:63:a3:e4:7d:83:0e:bd:61:85:5e:46:36:f6:b7:85:1b:e7:11:b2:c2:95
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: Please contact your system administrator.
[13:50:44:788] [2:00000003] [ERROR][com.freerdp.crypto] - [tls_print_certificate_error]: Add correct host key in /home/michel/.var/app/com.freerdp.FreeRDP/config/freerdp/server/127.0.0.1_3389.pem to get rid of this message.
!!!Certificate for 127.0.0.1:3389 (RDP-Server) has changed!!!

New Certificate details:
	Common Name: DOCKERW-J03S567
	Subject:     CN = DOCKERW-J03S567
	Issuer:      CN = DOCKERW-J03S567
	Valid from:  Jan 15 05:18:53 2025 GMT
	Valid to:    Jul 17 05:18:53 2025 GMT
	Thumbprint:  15:71:75:c8:42:18:21:bd:55:f5:a5:63:a3:e4:7d:83:0e:bd:61:85:5e:46:36:f6:b7:85:1b:e7:11:b2:c2:95

Old Certificate details:
	Subject:     CN = DOCKERW-J03S567
	Issuer:      CN = DOCKERW-J03S567
	Valid from:  Aug 15 15:18:37 2024 GMT
	Valid to:    Feb 14 15:18:37 2025 GMT
	Thumbprint:  4e:d4:b3:89:e9:70:90:bb:dc:01:c5:09:05:eb:c3:8e:2c:34:c9:5e:44:fa:d0:53:29:f0:a6:54:8c:2a:1d:e8

The above X.509 certificate does not match the certificate used for previous connections.
This may indicate that the certificate has been tampered with.
Please contact the administrator of the RDP server and clarify.
Do you trust the above certificate? (Y/T/N) Y
```
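The "detect it" option from the issue, as an added example that is not part of the issue or of winapps: it parses the certificate-change prompt captured from xfreerdp and lists the reasons, if any, why the change does not look like a routine renewal. The function names and the 45-day expiry window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the prompt from the log above, reduced to the lines parsed here.
SAMPLE = """!!!Certificate for 127.0.0.1:3389 (RDP-Server) has changed!!!
New Certificate details:
    Subject:     CN = DOCKERW-J03S567
    Issuer:      CN = DOCKERW-J03S567
    Valid from:  Jan 15 05:18:53 2025 GMT
    Valid to:    Jul 17 05:18:53 2025 GMT
    Thumbprint:  15:71:75:c8:42:18:21:bd:55:f5:a5:63:a3:e4:7d:83:0e:bd:61:85:5e:46:36:f6:b7:85:1b:e7:11:b2:c2:95
Old Certificate details:
    Subject:     CN = DOCKERW-J03S567
    Issuer:      CN = DOCKERW-J03S567
    Valid from:  Aug 15 15:18:37 2024 GMT
    Valid to:    Feb 14 15:18:37 2025 GMT
    Thumbprint:  4e:d4:b3:89:e9:70:90:bb:dc:01:c5:09:05:eb:c3:8e:2c:34:c9:5e:44:fa:d0:53:29:f0:a6:54:8c:2a:1d:e8
"""
FIELD = re.compile(r"^\s*(Subject|Issuer|Valid from|Valid to|Thumbprint):\s+(.*\S)\s*$")

def parse_cert_change(text):
    """Return {'new': {...}, 'old': {...}} from a certificate-change prompt, else None."""
    if "has changed!!!" not in text:
        return None
    certs, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"(New|Old) Certificate details", line):
            current = certs.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    # Both blocks must be present with all five fields, or the prompt is not usable.
    return certs if len(certs) == 2 and all(len(c) == 5 for c in certs.values()) else None

def _ts(value):
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")

def renewal_check(certs, now, window=timedelta(days=45)):
    """Reasons the change is NOT consistent with renewal (heuristic assumed by this example)."""
    new, old = certs["new"], certs["old"]
    reasons = []
    if (new["Subject"], new["Issuer"]) != (old["Subject"], old["Issuer"]):
        reasons.append("subject or issuer differs")
    if not _ts(old["Valid from"]) < _ts(new["Valid from"]) <= now <= _ts(new["Valid to"]):
        reasons.append("new certificate is not a later, currently valid one")
    if _ts(old["Valid to"]) - now > window:
        reasons.append("old certificate was not close to expiry")
    return reasons  # empty list: consistent with routine renewal

if __name__ == "__main__":
    print(renewal_check(parse_cert_change(SAMPLE), datetime(2025, 1, 28, 13, 50)))
```

An empty list only says the change looks like a renewal; the subject and dates of a self-signed certificate prove nothing about the host, so compare the new thumbprint with the certificate on the Windows guest before replacing the stored `.pem` file.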
