Background

  • Apache guacamole running under docker using the default guacamole images.
  • External Microsoft Azure-managed MySQL database.
  • Azure by default requires SSL connections to the managed db service.
  • This can be disabled but that is not an option for this environment.

Settings

Docker-compose.yml has the following section:

environment:
  - "GUACD_HOSTNAME=127.0.0.1"
  - "GUACD_PORT=4822"
  - "MYSQL_PORT=3306"
  - "MYSQL_DATABASE=guacamole"
  - "GUACAMOLE_HOME=/data"
  - "MYSQL_USER=******************"
  - "MYSQL_PASSWORD=******************"
  - "MYSQL_HOSTNAME=******************"

Issue

With it enabled in Azure I get the following:

guacamole    | 09:34:53.998 [http-nio-8080-exec-5] WARN  o.a.g.e.AuthenticationProviderFacade - The "mysql" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: mysql" within your guacamole.properties.
guacamole    | 09:34:53.999 [http-nio-8080-exec-5] ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
guacamole    | ### Error querying database.  Cause: java.sql.SQLException: SSL connection is required. Please specify SSL options and retry.
guacamole    | ### The error may exist in org/apache/guacamole/auth/jdbc/user/UserMapper.xml
guacamole    | ### The error may involve org.apache.guacamole.auth.jdbc.user.UserMapper.selectOne
guacamole    | ### The error occurred while executing a query
guacamole    | ### Cause: java.sql.SQLException: SSL connection is required. Please specify SSL options and retry.

I know that (outside of Docker) if I do a mysql client command-line connection I can use the option --ssl and then everything connects OK.

But as I'm very new to Docker, I'm stumped as to how to set that option in my docker-compose file.

And my Google-fu has failed me and is taking me down rabbit holes about TLS access to the Docker containers or setting HTTPS for websites.

How do I enable the mysql connection to use ssl in my docker-compose.yml?

Marcus Adams

1 Answer

Make a Java keystore with the relevant certs in it:

keytool -import -alias mySQLServerCACert -file /path/to/server-ca.pem -keystore /path/to/jks/truststore.jks

Add that as a volume mount:

volumes:
  - /path/to/jks:/etc/jks

Pass the MySQL Configuration Parameters appended to the database name:

MYSQL_DATABASE=guacamole-db?verifyServerCertificate=true&useSSL=true&requireSSL=true&trustCertificateKeyStoreUrl=file:/etc/jks/truststore.jks&trustCertificateKeyStorePassword=password
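
A pre-deployment check for the settings in this answer, added here as an example; it is not part of the original answer or of the Guacamole project. It parses a MYSQL_DATABASE value and reports any Connector/J TLS flag that is not enabled, and whether the truststore path lies under the container side of a volume mount. The function name `check_mysql_tls` is hypothetical, and it assumes the truststore reaches the container through a volume mount as described above.

```python
from urllib.parse import parse_qs, urlsplit

# Connector/J flags used in the answer. All three must be "true": useSSL alone
# encrypts the link but does not verify which server is on the other end.
REQUIRED_TRUE = ("useSSL", "requireSSL", "verifyServerCertificate")


def check_mysql_tls(database_value, volumes):
    """Return a list of problems in a MYSQL_DATABASE value (hypothetical helper).

    database_value: "name?key=value&..." in the form shown in the answer.
    volumes: compose volume strings, "host_path:container_path[:mode]".
    """
    name, _, query = database_value.partition("?")
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    problems = []
    if not name:
        problems.append("database name is empty")
    for flag in REQUIRED_TRUE:
        if params.get(flag, "").lower() != "true":
            problems.append(f"{flag} is not true")
    store_url = params.get("trustCertificateKeyStoreUrl", "")
    if not store_url.startswith("file:"):
        problems.append("trustCertificateKeyStoreUrl is not a file: URL")
    else:
        # The path is resolved inside the container, so it has to sit under
        # the container side of one of the volume mounts.
        store_path = urlsplit(store_url).path
        mounts = [v.split(":")[1].rstrip("/") for v in volumes if ":" in v]
        if not any(store_path.startswith(m + "/") for m in mounts):
            problems.append(f"{store_path} is not under a mounted container path")
    if not params.get("trustCertificateKeyStorePassword"):
        problems.append("trustCertificateKeyStorePassword is missing")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the answer's value, then one with verification off.
    good = ("guacamole-db?verifyServerCertificate=true&useSSL=true&requireSSL=true"
            "&trustCertificateKeyStoreUrl=file:/etc/jks/truststore.jks"
            "&trustCertificateKeyStorePassword=password")
    weak = "guacamole-db?useSSL=true&verifyServerCertificate=false"
    for value in (good, weak):
        print(check_mysql_tls(value, ["/path/to/jks:/etc/jks"]) or "ok")
```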