xfreerdp thinks the gateway certificate has changed #1583

Closed
@shazarlx

I think xfreerdp is saving the gateway's fingerprint and then gets the fingerprint of the actual server I am connecting to through the gateway. It then thinks that the gateway's certificate has changed. Using /ignore-cert is a workaround.

xfreerdp /g:remote.example.com /v:srv1 /u:srvadmin /p:password
connected to remote.example.com:443
connected to remote.example.com:443
Certificate details:
Subject: O = remote.example.com, OU = Domain Control Validated, CN = remote.example.com
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 12345678
Thumbprint: 26:b7:22:e9:04:12:f8:43:29:e4:25:05:9d:74:f6:9f:af:e5:62:d6
The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
Do you trust the above certificate? (Y/N) y
TS Gateway Connection Success
The host key for remote.example.com has changed
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the host key sent by the remote host is
d3:da:b5:ab:03:4d:d9:11:4c:b5:e9:70:3f:fa:4e:a5:88:c1:e3:e8
Please contact your system administrator.
Add correct host key in /home/william/.config/freerdp/known_hosts to get rid of this message.
Host key for remote.example.com has changed and you have requested strict checking.
Host key verification failed.
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure
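
The collision the reporter suspects, modelled as an added example (not FreeRDP code and not part of the original issue): a trust-on-first-use store is asked to verify the tunnelled server's certificate under the gateway's name. The class, function and parameter names are hypothetical; the host names and fingerprints are the ones in the log above, and port 3389 for the target is an assumption.

```python
# Added illustration: models the behaviour the reporter suspects.
# This is not FreeRDP's code; all names here are hypothetical.

# Fingerprints copied from the log in the report.
GATEWAY_FP = "26:b7:22:e9:04:12:f8:43:29:e4:25:05:9d:74:f6:9f:af:e5:62:d6"
SERVER_FP = "d3:da:b5:ab:03:4d:d9:11:4c:b5:e9:70:3f:fa:4e:a5:88:c1:e3:e8"


class KnownHosts:
    """In-memory trust-on-first-use store keyed by (host, port)."""

    def __init__(self):
        self.entries = {}

    def verify(self, host, port, fingerprint):
        """Return 'new', 'match' or 'changed' for the presented fingerprint."""
        key = (host, port)
        stored = self.entries.get(key)
        if stored is None:
            self.entries[key] = fingerprint  # first contact: pin it
            return "new"
        return "match" if stored == fingerprint else "changed"


def connect_via_gateway(store, gateway, target, check_inner_as_gateway):
    """Simulate the two TLS handshakes of one gateway session.

    check_inner_as_gateway=True is the suspected defect: the tunnelled
    server's certificate is looked up under the gateway's identity.
    """
    outer = store.verify(gateway, 443, GATEWAY_FP)
    if check_inner_as_gateway:
        inner = store.verify(gateway, 443, SERVER_FP)
    else:
        inner = store.verify(target, 3389, SERVER_FP)  # port assumed
    return outer, inner


if __name__ == "__main__":
    gw, target = "remote.example.com", "srv1"
    # Suspected behaviour: false "changed" alarm on the very first session.
    print(connect_via_gateway(KnownHosts(), gw, target, True))
    # Each endpoint pinned under its own identity: no alarm, later match.
    store = KnownHosts()
    print(connect_via_gateway(store, gw, target, False))
    print(connect_via_gateway(store, gw, target, False))
    # A different certificate on the gateway endpoint is still flagged.
    print(store.verify(gw, 443, SERVER_FP))
```

With each endpoint pinned under its own identity, the store still reports a genuine change of the gateway certificate, a check that `/ignore-cert` turns off entirely.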
