Upgrade broke xrdp

phillhs · May 23, 2026, 6:54pm

Hi all,

Yesterday I did an update of one of my tumbleweed systems (zypper dup), everything seemed to go as it should with no error messages. I rebooted as required and since then I have been unable to connect to the machine using remmina using xrdp, it was working before the upgrade.

Remmina just gives the error that it can’t connect to the target machine. and I get the following errors in the target machine’s /var/log/xrdp.log

[20260523-19:48:49] [ERROR] Cannot read certificate file /etc/xrdp/cert.pem: No such file or directory
[20260523-19:48:49] [ERROR] Cannot read private key file /etc/xrdp/key.pem: No such file or directory
[20260523-19:48:50] [ERROR] MAC checksum error for non-FIPS PDU
[20260523-19:48:50] [ERROR] xrdp_rdp_recv: xrdp_sec_recv failed
[20260523-19:48:50] [ERROR] libxrdp_process_data: xrdp_rdp_recv failed
[20260523-19:48:50] [ERROR] xrdp_process_data_in: xrdp_process_loop failed

I’m not sure if X is up and running, as the machine is at another location.

Any idea what might have broken?

Cheers.

Phill.

deano_ferrari · May 23, 2026, 10:17pm

The first two errors are the crux of the issue. Speculating that the upgrade has either removed (or replaced) the XRDP TLS certificate symlinks, or perhaps changed permissions such that xrdp can no longer access them?

Anyway, check ls -l /etc/xrdp/ first, and see if the expected symlinks are present.

I assume you can still reach the machine via SSH?

phillhs · May 23, 2026, 10:45pm

Humm, I’ve never had those certificate files, and have another machine that also has that error but I can connect to, though it has not had the latest update on it.

Yes I can still reach the misbehaving machine via ssh without problems, so it is alive.

Cheers.

Phill.

deano_ferrari · May 23, 2026, 11:36pm

Well my initial comments were based on the errors in the log file snippet you shared. I can only refer you to
https://manpages.opensuse.org/Tumbleweed/xrdp/xrdp.ini.5.en.html
and

github.com/neutrinolabs/xrdp

Unable to make xRDP connection using TLS certificate

opened 01:03AM - 29 Jun 22 UTC

closed 02:50PM - 11 Aug 22 UTC

greped

I'm a novice to much of this, so I decided to use this github guide suggested to… me by a nice person on this subreddit: https://github.com/neutrinolabs/xrdp/wiki/TLS-security-layer I followed the github instructions as described, but I'm now no longer able to xRDP in with or without an SSH tunnel. To provide some perspective, I'm using an Ubuntu 20.04.4 client to access a Debian 11 remote server. Both machines are updated and placed on the same VLAN. Here were the exact steps I took in my Debian server as root: 1. Security changes made to xrdp.ini and xRDP was restarted >tls_cipher=high >security_layer=tls >The system was restarted, there were no issues yet 2. Generate a private key and self-signed certificate $ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650 3. Move key.pem (private key) and cert.pem (self-signed certificate) to /etc/xrdp/ 4. The path to the key.pem and cert.pem was specified in xrdp.ini (global) >certificate=/etc/xrdp/cert.pem >key_file=/etc/xrdp/key.pem 5. Users were added to ssl-cert group 6. xRDP service was restarted, server was restarted 7. Was not able to log into xRDP, but SSH worked just fine For reference, here is my xrdp.ini file: https://pastebin.com/Su2igSwn Here were the outputs I received when I switched security_layer from rdp to tls: https://imgur.com/a/cgRqL7D I was able to temporarily fix the issue by going into xrdp.ini (global) and changing security_layer from tls to rdp. When I did that, xRDP worked again. Any suggestions?

deano_ferrari · May 23, 2026, 11:42pm

Further thoughts…since SSH still works, I would probably next check whether xrdp is actually running and listening after the update…

systemctl status xrdp xrdp-sesman
sudo ss -ltnp | grep 3389
sudo journalctl  -b | grep "xrdp"

…and compare the output against the still-working TW machine.

phillhs · May 24, 2026, 7:29am

Ok, on a whim I tried connecting from a Windows 11 machine, using it’s built in RDP client, and that connected and let me login without problems, so looks like the problem might be with remmina. Will do some updates and see if that fixes it.

Cheers.

Phill.

phillhs · May 24, 2026, 3:11pm

Ok, on a whim I tried connecting from a Windows 11 machine, using it’s built in RDP client, and that connected and let me login without problems, so looks like the problem might be with remmina. Will do some updates and see if that fixes it.

On investigating on windows I get the graphical Xrdp login dialog. From here I can login with either an Xvnc or Xrdp connection.

So the problem may be in remmina.

Cheers.

Phill.

lively.factsheet · May 27, 2026, 10:45pm

Chiming in as I’ve encountered the same thing, and can add some data points:

I’m usually using xfreerdp2 as the client, which is throwing an error for me on connect since yesterday upgrading the instance running xrdp (I think Remmina uses the same backend).
Testing connecting from a Windows mstsc client is fine.
Looking at /var/log/xrdp.log*, I have previously alway had the “Cannot read certificate/private key” errors, and have connected OK.
What is new in the logs since the most recent update is the MAC checksum error for non-FIPS PDU
If I boot the remote instance running xrdp to a read-only snapshot zypper/pre, the problem vanishes.

Taking these in I feel safe in concluding the problem is a change in the xrdp server (per item 4), not an issue with the xfreerdp2 client.

lively.factsheet · May 27, 2026, 11:06pm

Hey deano
As with the OP xrdp is definitely running after the update and I can connect with windows client, the error that is new for me (see my other post) is the MAC checksum error for non-FIPS PDU.
This is way over my head - is there a switch to tell the client backend (xfreerdp for me, Remmina for the OP) to do whatever the Windows client does?

deano_ferrari · May 28, 2026, 1:11am

I can only offer basic advice here (I don’t use it), and it may well be the Remmina needs to be updated as well. AFAIU it uses the FreeRDP backend?

For diagnostic purposes, it may be worth trying
xfreerdp /v:host /u:user /sec:tls
Do xfreerdp2 /help for more security negotiation options.

Forcing different /sec or --sec negotiation modes may help narrow down where compatibility broke.

lively.factsheet · May 28, 2026, 1:39am

Thanks! I’d actually had a spin through the available xfreerdp options during the 20 minutes between my two earlier posts, in case I could find something constructive to add!
My findings were the ability to trigger slightly different error logs at the server side, but none of the listed options (see bottom for everything attempted) helped. The +fipsmode gave the most interesting errors…

It may be relevant that the server logs when connecting from the windows mstsc.exe log only the missing cert/key, and nothing subsequent - and I do dismiss a Windows warning about “The identity of the remote computer cannot be verified”.
I suspect that saying ‘connect anyway’ is triggering a relatively insecure fallback that xrdp would previously have negotiated with Remmina/xfreerdp.

/encryption-methods:FIPS
/encryption-methods:128
/encryption-methods:40
/sec:rdp
/sec:tls
/sec:ext
/sec:nla
+sec-ext
+fipsmode

deano_ferrari · May 28, 2026, 1:48am

Bug report time ^^

malcolmlewis · May 28, 2026, 2:10am

@deano_ferrari There is already a discussion on the Mailing List https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/EP3K6LLBJWGXD66K7GEJGJKA333KQXEF/

lively.factsheet · May 28, 2026, 2:15am

Awesome, I like it when smarter people than me know how to report bugs properly!!

malcolmlewis · May 28, 2026, 2:20am

The update has been pushed https://build.opensuse.org/package/show/openSUSE:Factory/xrdp next snapshot should have it…

deano_ferrari · May 28, 2026, 2:54am

Thanks Malcolm. As I’d hoped would be the case.

lively.factsheet · June 1, 2026, 10:34pm

SOLVED: Confirming after update Tumbleweed 20260531 on one of my victims is all back to normal.