
The certificate is not trusted

Started by Brian Cross , 13 August 2009 - 04:14 AM
40 replies to this topic

Brian Cross Members

Brian Cross
  • 67 posts

Posted 13 August 2009 - 04:14 AM

Secure Gateway 3
Citrix Dazzle (new client)

Getting this error when trying to connect:

The Certificate is Not Trusted.

I don't get this error when connecting to my internal PNAgent, just through the Secure Gateway from the inside.

I can connect inside, just not outside.

This works with the Citrix Receiver for iPhone, and with WI, just not with this.



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 13 August 2009 - 01:22 PM

Brian, what kind of certificate is in use?

Are you getting this error when retrieving the list of published resources or when trying to launch an application?



Oliver Wolf Members

Oliver Wolf
  • 17 posts

Posted 13 August 2009 - 02:10 PM

Hey Folks,

got the same error when trying to connect to our Access Gateway 4.5.8 via Dazzle from Mac OS 10.5.8:
issuer here is "TC Trustcenter SSL CA 1" - where can I trust this one? /keystore/cacerts does not exist anymore...

Regards,
Oliver Wolf



Brian Cross Members

Brian Cross
  • 67 posts

Posted 13 August 2009 - 03:13 PM

I get the error when I'm trying to retrieve the list. It keeps asking me to add it to my keychain, which I went ahead and added all 3.

The certificate is the same that I used to get the Citrix Receiver for iPhone working (evidently with Go Daddy, they updated their cert with a new secure CA root cert, which is how I fixed the Receiver issue with the iPhone).



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 13 August 2009 - 06:02 PM

Are you entering the address by the FQDN on the certificate? Are you using Secure Gateway or just a standard HTTPS protected IIS site?



Brian Cross Members

Brian Cross
  • 67 posts

Posted 13 August 2009 - 06:06 PM

Yes, I'm entering the FQDN and yes on the outside I'm using Secure Gateway.

On the inside I'm using secure HTTP IIS site.



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 13 August 2009 - 06:11 PM

Brian, can you private message me with your site's address so I can see if I can reproduce this?



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 13 August 2009 - 06:21 PM

Brian, I'm still testing this in my lab. In your environment, is WI behind a CSG server or does the external facing WI site have its own certificate?



Brian Cross Members

Brian Cross
  • 67 posts

Posted 13 August 2009 - 06:24 PM

WI is behind CSG



Andy Stadtlander Members
  • #10

Andy Stadtlander
  • 145 posts

Posted 13 August 2009 - 09:04 PM

Scott, I'm having a similar situation.

When I try to connect via Dazzle to our CAG, I'm getting an error "an error has occurred, BadConfigurationFile". I'm using the FQDN of the server on the cert. It worked fine when I had the old Mac client installed.

If I try to access it via the CAG/WI login on the internet, I get a "Launching Application" box and then an error "SSL Error 61: You have not chosen to trust the Go Daddy Certification Authority". When this came up with the old client, I did directions similar to this post to get it to work - http://forums.citrix.com/thread.jspa?threadID=249720&tstart=0. However, I don't see that "/Applications/Citrix ICA Client" folder in the new Mac Plugin.



David David Members
  • #11

David David
  • 2 posts

Posted 14 August 2009 - 02:06 AM

Ditto Andy's error.

I got the same thing with the Citrix 11.x plug-in for the Mac.

I added the GoDaddy CA Root and Intermediate to both my login and system keychains with "Always Trusted" however that made no change.

Still getting the "SSL Error 61". I ended up having to roll the client back to the last 10.x client to get my system back on.



Scott McDonald Citrix Employees
  • #12

Scott McDonald
  • 1,837 posts

Posted 14 August 2009 - 03:52 PM

Andy, are you using Access Gateway Standard Edition?
Is authentication being done on the CAG?

If the CAG requires authentication Dazzle will not be able to access the PNAgent site through the CAG, it does not have a method to authenticate to the Access Gateway. The Win32 PNAgent client also has the same limitation.

Currently the only client that can access a PNAgent site through Access Gateway (standard and Enterprise) that requires authentication is the Receiver for iPhone.



Scott McDonald Citrix Employees
  • #13

Scott McDonald
  • 1,837 posts

Posted 14 August 2009 - 03:53 PM

David, are you using Access Gateway Standard or the software Secure Gateway?



David David Members
  • #14

David David
  • 2 posts

Posted 14 August 2009 - 05:00 PM

Since this is a test environment I am using the software CSG 3.0

I tried adding the intermediate and root CA's to the actual CSG CA store (in the hopes it might push the cert as it sometimes does for the test PC's) but no dice.



Andy Stadtlander Members
  • #15

Andy Stadtlander
  • 145 posts

Posted 14 August 2009 - 05:48 PM

CAG w/ AAC & using the CAG login page for auth.

I guess I thought you could use this new Mac Client with Dazzle outside the network, guess I missed that part of the documentation.

So which client am I supposed to use externally then, the new v11 client & just disregard Dazzle? If that's the case, why doesn't it have an option to choose which plugins to install (so I can choose not to install Dazzle) - like v11 does with the Windows client.

How do you address this Cert error with the new Mac Client since the directory structure is not the same as it was in the previous client?



Arne Johannesen Members
  • #16

Arne Johannesen
  • 1 posts

Posted 15 August 2009 - 03:49 AM

Am getting the same. Inside the network it runs fine, server "http://....". Outside, server "https://....." I get the error "An error has occurred. BadConfigurationFile".



TYRONE THOMAS Members
  • #17

TYRONE THOMAS
  • 1 posts

Posted 17 August 2009 - 09:54 AM

Also have this issue - downloaded and installed new client w/Dazzle - attempted to use outside of my network.

SSL Error 61.

Have had to roll back to 10.x client.

Just like others - I re-added all of the certs pertaining to CAG and even recreated Applications/Citrix ICA Client/Keystore/cacerts and re-added all the certs into there like with 10.x - no joy.

Logged into my machine as root and made sure certs were properly applied in keychain.

Using verisign EV certs

Edited by: Tyrone Thomas on Aug 17, 2009 5:55 AM



Scott McDonald Citrix Employees
  • #18

Scott McDonald
  • 1,837 posts

Posted 19 August 2009 - 01:23 PM

Andy, you can use Dazzle externally, it sounds like the Intermediate certificate is not installed on the CAG itself. To install the intermediate on the CAG requires us to modify the config.restore - I'll PM you about this.



Tim Weatherford Members
  • #19

Tim Weatherford
  • 7 posts

Posted 19 August 2009 - 04:11 PM

First, I'd like to thank whatever braintrust thought deleting an existing WORKING solution from the Mac would be smart. The work you've created for our Mac support team will keep us employed for a few more weeks so we are indebted to you. Not only did you delete my users' working Citrix ICA Client folder from Applications, but also my Keystore/cacerts directory that contained the certificates necessary to get logged in, you also forced the OS to try to open Dazzle instead of Citrix ICA Client app when a launch.ica file hits the Downloads folder. Reinstalling 10.00.603 doesn't help the situation as we have to then walk the user through deleting the plugin from /Library/Application Support/Citrix, find a launch.ica file to then have the user reassociate with the old client. Couldn't think of more ways to make this any worse...
We've been able to send an e-mail to existing users who have not updated on their own to NOT do so. Our internal Mac users can't update on their machines but our external users use personally owned Macs so we have no control over them but we ARE expected to try and fix any connectivity issues they may have.

The Dazzle installer needs to be changed post haste to eliminate the removal of the old apps or allow the user to choose to do so.



Scott McDonald Citrix Employees
  • #20

Scott McDonald
  • 1,837 posts

Posted 19 August 2009 - 04:34 PM

Tim, I will pass these concerns to Product Management.

Dazzle should use the certificates stored in the Macintosh keystore. In the case of Intermediate certificates these need to be installed on the SSL server you are connecting to.

A workaround is to create the folders keystore/cacerts under /Library/Application Support/keystore/cacerts and put the certs in there. You may need to do this from the terminal window with the sudo command.
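
The split described in the post above (root CA trusted in the client's store, intermediate supplied by the SSL server) can be reproduced offline with the OpenSSL command line. This is an added example, not from the thread or from Citrix; the throwaway CA, its names and the `make_demo_pki`, `verify_chain` and `demo` helpers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All names below are constructed; nothing here is Citrix tooling.

# Build root CA -> intermediate CA -> gateway leaf in directory $1.
make_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  new_csr() {  # $1 = file prefix, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" 2>/dev/null
  }
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  new_csr int "Demo Intermediate CA" &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null &&
  new_csr leaf "gateway.example.test" &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 \
    -days 2 -out leaf.pem 2>/dev/null
)

# Verify leaf $2 against trusted root $1. Optional $3 holds the extra
# certificates the server sent in its handshake; they are passed as
# -untrusted because they only help build the path and are not trust anchors.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  d=$(mktemp -d) && make_demo_pki "$d" || return 1
  verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem" &&
    echo "server sends intermediate: chain verifies"
  verify_chain "$d/root.pem" "$d/leaf.pem" ||
    echo "server omits intermediate: not trusted, although the root is"
  rm -rf "$d"
}
demo
```

Against a live gateway, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is among them.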


