Guacamole, Tomcat and LetsEncrypt, for VPN-less CCIE Lab Access

So you just built your CCIE lab but you can't access it from work because VPNs are restricted?  No problem!  Guacamole solves this issue, below is a quick dirty method of implementing it properly.

I highly recommend that you use the most current Guacamole release always (not Git).  Once you have compiled Guacamole from source (binaries generally do not work as well and I run my portal on a 7watt ARM dev board).  You can simply follow the guide off the Guacamole site: you may have unmet dependencies prior to doing this. For Ubuntu, the following is done:

add-apt-repository ppa:webupd8team/java
apt -y update
apt -y upgrade
apt -y dist-upgrade
apt -y install libcairo2-dev libjpeg-turbo8-dev libpng12-dev libossp-uuid-dev \

libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev \
libpulse-dev libssl-dev libvorbis-dev libwebp-dev git build-essential autoconf \
libtool oracle-java8-installer tomcat8 tomcat8-admin tomcat8-common tomcat8-docs \
tomcat8-user maven mysql-server mysql-client mysql-common mysql-utilities \
libpulse-dev libvorbis-dev freerdp ghostscript wget

Once this is complete you should be good.  Next, you will need to get Letsencrypt:

git clone ~/letsencrypt
cd ~/letsencrypt
./letsencrypt-auto certonly --expand --webroot --webroot-path \

/<CATALINA_HOME>/webapps/ROOT/ -d <YOURDOMAIN> --staging

Ensure you are using staging until successful, once successful, drop the --staging and rerun.  At this point we now have our certificate issued by LetsEncrypt.  For Tomcat, it's easiest to convert it into a .jks  Once you get the success, cd into the proper directory where your certs are stored.
Then do the following:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 \
-name tomcat -CAfile chain.pem -caname root

fullchain.pem should be the host and the intermediate certificate in a single file, or else you will only present a single certificate, which is a security risk.

Convert the pkcs12 into a jks now:

keytool -importkeystore -deststorepass <changeit> -destkeypass <changeit> \
-destkeystore myKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype \
PKCS12 -srcstorepass <PasswordUsedAbove> -alias tomcat

Now edit your /<CATALINA_HOME>/server.xml with the following connector options:

scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"

keystorePass="<changeit>" keyAlias="tomcat" keyPass="<changeit>"

Next, lets forward port 443 to 8443 since tomcat doesn't always run on 443 and it's much quicker to do it this way:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

Test your connection from an outside source and done!
I recommend using

If you want to install Tomcat 8 from source, use this guide:

And if you need an init.d script, here's mine:
export CATALINA_HOME=/opt/tomcat
export PATH=$JAVA_HOME/bin:$PATH

start() {
 echo "Starting Tomcat 8..."
stop() {
 echo "Stopping Tomcat 8..."
case $1 in
  start|stop) $1;;
  restart) stop; start;;
  *) echo "Usage : $0 <start|stop|restart>"; exit 1;;

exit 0


Popular posts from this blog

Policy Based Routing on a Nexus

Adding 2 Factor Authentication to Guacamole through Duo and Yubikey