CTX203362
{{tooltipText}}
Article
|
How To / General Question
Security Vulnerability
|
{{likeCount}} found this helpful
|
Created:
{{articleFormattedCreatedDate}}
|
Modified:
{{articleFormattedModifiedDate}}
Symptoms or Error
This article is intended for Citrix administrators and technical teams only.Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information
Receiver for Linux displays the following error when launching published desktops/applications:
You have not chosen to trust «Certificate Authority», the issuer of the server’s security certificate (SSL error 61).
Solution
Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.
Update to the Latest Receiver Version
- Upgrade to the latest version of Receiver to verify if this resolves the issue.
- If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 — Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.
If this does not resolve the issue then proceed to the next section.
For information on Receiver feature updates refer to — Citrix Receiver Feature Matrix.
Missing Root/Intermediate Certificate
This error message suggests that the client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the server certificate.
Use a root certificate
If you need to authenticate a server certificate that was issued by a certificate authority and is not yet trusted by the user device, follow these instructions before adding a StoreFront store.
- Obtain the root certificate in PEM format.
Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file. - As the user who installed the package (usually root):
- Copy the file to $ICAROOT/keystore/cacerts.
- Run the following command:
$ICAROOT/util/ctx_rehash
Use an intermediate certificate
If your StoreFront server is not able to provide the intermediate certificates that match the certificate it is using, or you need to install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store.
- Obtain the intermediate certificate(s) separately in PEM format.
Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file. - As the user who installed the package (usually root):
- Copy the file(s) to $ICAROOT/keystore/intcerts.
- Run the following command as the user who installed the package:
$ICAROOT/util/ctx_rehash
Additional Resources
I admit, the title is quite specific and will certainly appeal to only a small readership. But anyone who is facing the problem will be, like me, grateful for a solution.
In particular, the problem is about the SSL error 61 in the Citrix (Web) receiver under Linux and how to fix it. Since I have been running almost exclusively under Kubuntu for several months, the Citrix Reiceiver also moved into the new Linux box. Unfortunately, no connection to systems could be established, since the receiver disconnected with the following error message.
SSL Error 61: You have not chosen to trust “Go Daddy Root Certificate Authority – G2”, the issuer to the server’s security certificate.
What does that tell us? The web receiver wants to check the certificate of the server while connecting, but fails because it does not know the root certificate or better said it does not trust it. Accordingly, you can actually use an arbitrary root authority in the error message, since the error message would raise up with every missing authority certificate.
Now there are two solutions. Either you get the missing certificates and insert them into the following directory:
/opt/Citrix/ICAClient/keystore/cacerts
Or you have Firefox installed… How does Firefox help us? Because the root certificates of Firefox can be shared with the Citrix receiver with only one command via symbolic links. The whole works as follows:
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
In this case, a symbolic link for each root certificate that the Firefox knows is created in the Citrix directory, so that it can participate. Now your SSL error 61 should be gone.
If, for whatever reason, you want to undo the changes, you can run the following two commands:
cd /opt/Citrix/ICAClient/keystore/cacerts sudo find -type l -delete
- Forum
- The Ubuntu Forum Community
- Ubuntu Official Flavours Support
- Networking & Wireless
- [SOLVED] Citrix and SSL Error 61
-
Citrix and SSL Error 61
I’m using Ubuntu 12.04 LTS (32bit) and the latest Linux version of Citrix Receiver. Whenever I try to connect to my work network through Citrix I get the error message below. As far as I can see it’s not true, I *am* trusting the issuer of the server’s security certificate. This error message, (with different issuers) is frequently mentioned on the net but I cannot get any of the many many solutions to work in my case. Any advice would be gratefully received.
SSL error : Contact your help desk with the following information: You have not chosen to trust «/C=US/ST=/L=/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority/CN=», the issuer of the server’s security certificate (SSL error 61).
-
Re: Citrix and SSL Error 61
Originally Posted by halfhearted
I’m using Ubuntu 12.04 LTS (32bit) and the latest Linux version of Citrix Receiver. Whenever I try to connect to my work network through Citrix I get the error message below. As far as I can see it’s not true, I *am* trusting the issuer of the server’s security certificate. This error message, (with different issuers) is frequently mentioned on the net but I cannot get any of the many many solutions to work in my case. Any advice would be gratefully received.
SSL error : Contact your help desk with the following information: You have not chosen to trust «/C=US/ST=/L=/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority/CN=», the issuer of the server’s security certificate (SSL error 61).
This is actually straight from Ubuntu’s Citrix help page:
To prevent the following error when accessing remote sessions:
Citrix Receiver
SSL error
Contact your help desk with the following information:
You have not chosen to trust»/C=US/ST=/L=/O=Equifax/OU=Equifax Secure Certificate Authority/CN=», the issuer of the server’s security certificate ((SSL error 61).Make Firefox’s certificates accessible to Citrix, e.g.,
Code:
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
It worked perfectly for me.
-
Re: Citrix and SSL Error 61
Thanks very much damage84. It worked but I don’t understand why. What does «ln -s» mean? Thanks for your help.
-
Re: Citrix and SSL Error 61
Originally Posted by halfhearted
Thanks very much damage84. It worked but I don’t understand why. What does «ln -s» mean? Thanks for your help.
No problem, it works because the root problem is Citrix doesn’t have access to the SSL certificate required to make a secure connection. Since it has no way of guranteeing the connection it rejects / doesn’t connect. What that command does is create a link to Mozilla’s SSL certificates in Citrix’s certificate folder. That’s what ln -s does, it creates a link, like a Windows shortcut so that when Citrix looks in it’s own certicate folder, it sees Mozilla’s certificates so instead of seeing a folder that lacks the right certificate, it sees a folder that has the right certificate so it can verify and make the connection securely.
-
Re: Citrix and SSL Error 61
Hi damaged84.
I’ve tried the solution you gave but got an error :
ln: target `/opt/Citrix/ICAClient/keystore/cacerts’ is not a directoryWhat am I doing wrong?
Thanks!
-
Re: Citrix and SSL Error 61
Well fbrites (if you are still looking) it could be that Citrix hasn’t installed properly and created the folder. See if the other folders in the pathname exist in /opt.
-
Re: Citrix and SSL Error 61
ln -s of certificates from mozilla to citrix is not enough some times.
i had to install the Go Daddy root certificate and the Intermediate certificate, copy them in citrix cacerts dir and it finally works
-
Re: Citrix and SSL Error 61
Originally Posted by rigobertomanchu
ln -s of certificates from mozilla to citrix is not enough some times.
i had to install the Go Daddy root certificate and the Intermediate certificate, copy them in citrix cacerts dir and it finally works
How did you do this?
-
Re: Citrix and SSL Error 61
This Error 61 has been a recurring problem for me. On Windows it seems to come and go in association with Firefox updates.
I haven’t been able to resolve the issue in Ubuntu. I tried the ln -s command above but the problem persists. I checked the contents of
/opt/Citrix/ICAClient/keystore/cacerts
and all the links are there that appear in the Mozilla certificate directory.The specific error I get now includes that I have chosen not to trust «Entrust Certification Authority — L1C», but there are three Entrust certificates in the cacerts directory:
Entrust.net_Premium_2048_Secure_Server_CA.crt
Entrust.net_Secure_Server_CA.crt
Entrust_Root_Certification_Authority.crtAny help would be appreciated. Thanks.
Last edited by pdowty; December 18th, 2012 at 10:07 PM.
-
Re: Citrix and SSL Error 61
Resolved my Error 61 after finding a post that suggested finding a working Windows Citrix Receiver and exporting the problem certificate from the Windows browser and placing in the Ubuntu directory. It worked. Whew! What a pain.
Bookmarks
Bookmarks
Posting Permissions
In your browser goto the site where you launch your citrix session from and click on the padlock widget on far left part of the url
-> click on «Connection is secure»
______ on chrome browser ______
-> click on «Certificate is valid»
this will open a popup window
-> on chrome click on tab «Details»
-> look at the field «Certificate Hierarchy»
-> click on the bottom most line which is the name of your cert
-> hit Export (which will download the cert file)
______ on firefox ______
-> click on «More information»
this will open a popup window get into its «Security» tab
-> click on «View Certificate»
-> this will open a page click on the «DigiCert High Assurance EV Root CA» tab
-> look at «Miscellaneous» -> Download
-> click on «PEM (cert)» and it will download the cert file
we are done with the browser
rename the cert file you just downloaded so it ends with .pem … my freshly downloaded file lives at ~/Downloads/foo.bar.pem
in a terminal issue following commands
cd /opt/Citrix/ICAClient/keystore/
sudo mv cacerts cacerts~~ignore
sudo ln -s /etc/ssl/certs cacerts
sudo cp ~/Downloads/foo.bar.pem /opt/Citrix/ICAClient/keystore/cacerts
if your box does not have dir /opt/Citrix/ICAClient/keystore/cacerts then you can identify your correct path by issuing
dpkg -L icaclient | grep cacerts
finally issue
# this engages above new .pem file
/opt/Citrix/ICAClient/util/ctx_rehash
PS … if Citrix is reading this please slurp this up and post on your Citrix workspace install site to help folks like me who had to struggle for hours first time as nowhere is this documented
The following Error occures when trying to use Citrix (access SAP Training via Citrix) on Ubuntu 15.10:
Citrix Receiver
SSL error
Contact your helpdesk with th following inofrmation:
You have not chosen to trust «Symantec Class 3 Secure Server CA / G4», the issuer of ther server’s security certificate (SSL error 61).
I installed Citrix according the Tutorial How to install Citrix Receiver icaclient in Ubuntu 14.04 LTS 64-bit The installation completed without any errors.
I also made sure that the certificates are there according to the CitrixXenAppPlugin — configure certificates:
Additionally I checked in Firefox if the certificates are known and even checked all marks (which where not checked before) (Under Settings -> Advanced -> Certificates):
What am I missing?
asked Mar 15, 2016 at 15:17
Thorsten NiehuesThorsten Niehues
1,1875 gold badges15 silver badges31 bronze badges
1
Solution 1
OK thx to the hints from @sletarte here the solution:
- Place certificate to be trusted in
/usr/local/share/ca-certificates - Execute
sudo update-ca-certificates
You should see something line this:
1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d.... Adding debian:SymantecClass3SecureServerCA-G4.pem - Use Google Chrome instead of Firefox
Solution 2
Follow the steps from Citrix Workspace App for Linux: How to trust a CA certificate?
answered Mar 21, 2016 at 8:55
Thorsten NiehuesThorsten Niehues
1,1875 gold badges15 silver badges31 bronze badges
I’m using Ubuntu 16.04.1, Firefox 50 and Citrix Receiver 13.4.
@thorsten-niehues solution didn’t work for me unfortunately.
To solve the problem, I had to copy the .crt file to /opt/Citrix/ICAClient/keystore/cacerts
I was then able to connect to Citrix with Firefox and with Chrome without any problem.
d a i s y
5,4019 gold badges41 silver badges59 bronze badges
answered Jan 27, 2017 at 10:40
Not sure what scripts are run in your Citrix install, but I believe you may still need to tell Ubuntu to trust the root CA — you can do that by running sudo dpkg-reconfigure ca-certificates from the directory where you have the .crt files for Citrix. mozilla has its own directory (/usr/share/ca-certificates/mozilla) and that may be where it is looking to show the list of trusted certs that you see in Firefox.
answered Mar 15, 2016 at 15:34
2