SSL/TLS Error: The certificate validation failed.

Started by Ralph Herold, 02 February 2011 - 01:43 PM
15 replies to this topic

Ralph Herold Members

Ralph Herold
  • 35 posts

Posted 02 February 2011 - 01:43 PM

Hi,

We have a frustrating problem with our Android 2.1 (Update 1) phones (Samsung Galaxy S) and Receiver 2.0.1043.

Users get a lot of 'SSL/TLS Error: The certificate validation failed' errors. About 1 in 5 attempts to start an application works, the other attempts get said error.

We use XenApp 5 FP3 on Windows Server 2008 Enterprise x86 SP2. We have a CAG Standard Edition 4.6.3 Build 08.00 and WI 5.3.0.34.

As stated in the Citrix eDocs I made a separate XenApp Services Site for mobile devices. It uses Gateway Direct access method. Also I've checked the 'Use SSL/TLS for communication between plug-ins and the site' option (under Server Settings). With this option unchecked we've got the same errors and only 1 in 5 attempts to start an application works.

On the Android receiver side the config is as follows:

Address: https://FQDN/Citrix/Mobile/config.xml
Username: AD Username
Password: AD password
Domain: AD domain

Use Citrix Access Gateway checked
Gateway type: Standard Edition
Gateway Authentication: No Authentication

We have a Globalsign SSL certificate for our FQDN on the CAG.

Our web users can connect fine without any errors. It seems that this issue manifests itself only on Android Receivers. On Android the receiver connects and lists all available applications on the XenApp farm, but only 1 in 5 attempts to start an application are successful. The other attempts get the 'SSL/TLS....' error.

Any help would be appreciated.

Edited by: Ralph Herold on Feb 2, 2011 8:44 AM



Isaac Goldfarb Members

Isaac Goldfarb
  • 55 posts

Posted 04 February 2011 - 01:06 AM

You are not alone,
I have the same problem with Samsung Galaxy

ssl/tls error you have not chosen samsung to trust the issuer of the server security certificate
my SSL Cert. is from "Go to DADDY"
Any Ideas Citrix???



Philip Healy Citrix Employees

Philip Healy
  • 177 posts

Posted 06 February 2011 - 10:04 AM

Try installing the root cert on the Android.



Ralph Herold Members

Ralph Herold
  • 35 posts

Posted 17 February 2011 - 03:57 PM

Found it.

After reviewing the server list for STAs on the Citrix Access Gateway Standard, I noticed 1 server was missing.
After adding that server everything works fine.



Adi Nugraha Members

Adi Nugraha
  • 3 posts

Posted 18 February 2011 - 10:02 AM

Hi, I have a similar problem, but only when I'm trying it through Gingerbread. If I revert back to Froyo I can use the Citrix Receiver just fine, but after I upgrade to Gingerbread all I get when trying to open the application is "Certificate validation error".

I've tried it with an Access Gateway 4.6.3 and WebInterface 5.3, and an Access Gateway 5.0 with WebInterface 5.4; both give out the same error.

I can use a direct connection to the web interface from within the internal LAN.
Any possible fix for this?



Dan Murray Members

Dan Murray
  • 147 posts

Posted 23 February 2011 - 07:08 PM

I finally found a solution to my Android issue on another forum. Depending on the certificate you are using (in my case, one from GeoTrust) you need to install a "cross root CA" cert and bind it as the CA to your site certificate.



Lamont Chestnut Members

Lamont Chestnut
  • 1 posts

Posted 09 March 2011 - 06:48 PM

Dan... I have your specific issue. Can you explain in detail how you resolved it? Thanks in advance.



Dan Ryan Members

Dan Ryan
  • 6 posts

Posted 17 May 2011 - 03:00 PM

I am also having this issue. Can you explain how you did this?

Thanks



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 17 May 2011 - 04:31 PM

Try this article on the Geo Trust forum:
http://www.geocerts.com/support/cross_root



Leon Platt Members
  • #10

Leon Platt
  • 14 posts

Posted 19 May 2011 - 02:45 PM

Scott,

Is there any similar help for people with Go Daddy certs? I would love to be able to use this bridge fix on our setup. As is right now, 25+% of our android users are unable to access apps because of the cert issue.

Thanks,

Chris



Scott McDonald Citrix Employees
  • #11

Scott McDonald
  • 1,837 posts

Posted 19 May 2011 - 04:39 PM

Leon - I'm not sure - you'd have to check with GoDaddy.

Quick question though - if you go in with the Android web browser to your site via HTTPS do you get a cert error there as well? If not it could be an intermediate certificate problem that can be resolved on the server.



BEN TUSA Members
  • #12

BEN TUSA
  • 106 posts

Posted 29 May 2011 - 01:42 AM

We use verisign certs. No errors browsing the website from any Android device.

On my Android 2.3.3 tablet the Citrix receiver works fine but the labs receiver gives the SSL validation error. On my Android 2.2 phone both work fine.



Jon Escombe Members
  • #13

Jon Escombe
  • 4 posts

Posted 26 August 2011 - 05:41 PM

Seem to have the same problem as Ben above..

Having recently refreshed our Verisign certs, the labs receiver now gives an SSL error on Android 2.3.4 but the regular receiver works ok.



Owen Brotherwood Members
  • #14

Owen Brotherwood
  • 14 posts

Posted 29 November 2011 - 06:59 PM

Same problem here on Android until I linked the certificates on the Netscaler.

In the SSL area, look for the show link, link and unlink.
Make sure you have the Verisign root, intermediate and server certs showing.
Link the server to the intermediate.
Link the intermediate to root.

Any talk about installing intermediate certs on Android is a waste of time.
The problem is the cert presented by the server not containing a chain of certs to a cert that is trusted by the Android.
As the Verisign root, almost by definition, is not changed a lot, the Verisign root is the "root" of trust.

mvh Owen Brotherwood

Edited by: obrothe781 on Nov 29, 2011 2:01 PM
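
Added example (not part of the thread or any poster's code): the chain-linking point in the post above, reproduced offline with a throwaway three-level PKI and `openssl verify`. The CA names, `gateway.example.test` and the helper functions `issue` and `client_accepts` are assumptions made for this illustration; a client that trusts only the root rejects the server certificate sent alone and accepts it once the intermediate is sent with it.

```shell
#!/bin/sh
# Constructed lab PKI: every name, key and certificate here is a throwaway
# value generated on the spot (assumption: the openssl CLI is installed).
d=$(mktemp -d) && cd "$d" || exit 1

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# issue NAME CN SIGNER [ca]: make NAME.key and NAME.pem, signed by SIGNER
# ("self" for the root); the optional "ca" flag marks the cert as a CA.
issue() {
  ext=""
  if [ "$4" = ca ]; then ext="-extfile ca.cnf -extensions v3_ca"; fi
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" $ext -days 2 \
      -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
      -CAcreateserial $ext -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# client_accepts LEAF [EXTRA...]: the client trusts only root.pem; EXTRA are
# the additional certificates the server sends along with its own.
client_accepts() {
  leaf=$1; shift
  if [ $# -eq 0 ]; then
    openssl verify -CAfile root.pem "$leaf" >/dev/null 2>&1
  else
    cat "$@" > extra.pem
    openssl verify -CAfile root.pem -untrusted extra.pem "$leaf" >/dev/null 2>&1
  fi
}

issue root "Lab Root CA" self ca
issue int "Lab Intermediate CA" root ca
issue leaf "gateway.example.test" int

for presented in "leaf.pem" "leaf.pem int.pem"; do
  if client_accepts $presented; then result=accepted; else result=rejected; fi
  echo "server presents [$presented]: $result"
done
```

Against a live gateway, the equivalent check is to count the certificates printed by `openssl s_client -connect HOST:443 -showcerts` (HOST being a placeholder for your own FQDN) and confirm the intermediate is among them.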



Nicandro Saucedo Members
  • #15

Nicandro Saucedo
  • 4 posts

Posted 20 August 2012 - 07:35 PM

Hi, what about when the certificate is issued by an internal CA and doesn't have an intermediate? The only one is the root certificate of the CA, which was already installed on the device with a CRT file and with a P12 file, but I get the same error that the certificate is not trusted :(.

Can someone help me? Thanks



Rob Nicholson Members
  • #16

Rob Nicholson
  • 440 posts

Posted 29 August 2012 - 08:42 AM

Don't think earlier versions of Citrix Receiver played nicely with SAN certificates - multiple domain ones. We had to register a single site certificate and then all was well.

Not sure if this is connected.

Rob.