Shane Smith1709161035 Posted June 9, 2019 Share Posted June 9, 2019 An upgrade of OS from Mojave to Catalina as resulted in an error when using the Workspace app or url to launch Citrix Workspace applications the error is : You have not chosen to trust "GlobalSign Root CA", the issuer of the server's security certificate. When looking in the keychain the cert is trusted. Link to comment
4 Miguel Resende1709151399 Posted August 26, 2019 Share Posted August 26, 2019 Citrix Workspace app Technology Preview for macOS - https://www.citrix.com/downloads/workspace-app/betas-and-tech-previews-000/workspace-app-tp-for-mac.html for feedback or reporting any other issues found with this EAR\TP release please use this link: https://podio.com/webforms/22969502/1632225 4 Link to comment
3 Richard Bukovansky Posted June 10, 2019 Share Posted June 10, 2019 Hi @Tejus Adiga M, it's OK to not support beta versions, but at least somebody could take a look on this issue I'm experiencing too and release an unsupported beta version of CWA for Mac, right? Please? Pretty please! Thank you. 3 Link to comment
3 JIM WILSON1709157784 Posted June 11, 2019 Share Posted June 11, 2019 I also am having this issue. My point as well is how does Citrix find out about these issues if we don't tell you. A beta version of the CWA might be a good idea. 3 Link to comment
3 Chris Lewis1709161061 Posted July 10, 2019 Share Posted July 10, 2019 So to summarise the issues: TejusAdigaM incorrectly believes that the issue is not related to the Citrix workspace app for Mac, despite the fact that the issue is not present on the equivalent apps on iOS and Google Chrome Citrix appears to have a general policy of not providing beta versions of their app in order to facilitate user testing on beta versions of operating systems, which kind of defeats the purpose of OS vendors releasing beta versions: so that developers can get their apps working in time for the official OS release The most recent update (1906, released July 8th 2019) has not been notarised by Citrix, which prevents the app from bypassing Gatekeeper checks on all versions of macOS since 10.14.5 The release notes on the 1906 update page aren't actually release notes for version 1906, they point to a piece of PR last updated in April 2019 All that aside, it's going really well. 3 Link to comment
3 Sacha81 Posted August 28, 2019 Share Posted August 28, 2019 5 hours ago, Gregory Bastug said: Doesn't work for me with .ica files from Morgan Stanley... same error, different trust certificate - USERTrust Try this as Workaround, set the Cryptomodule from FIPS to Standard: I have the same problem, but not yet found out what the problem is. 3 Link to comment
2 Shane Smith1709161035 Posted June 11, 2019 Author Share Posted June 11, 2019 20 hours ago, Tejus Adiga M said: Hi pacmanNL, Citrix does not support Beta versions of macOS. However, when macOS Catalina is released, we will be having a compatible version of CWA mac that supports macOS Catalina. Tejus Thanks for you response but I wasn't asking for support I get the nature of Beta's but this is a discussion forum where I am free to post an issue maybe someone else has had and there is a known workaround. But it is a known issue I have and its reproducible. On the other Beta iOS13 and iPadOS versions I am not having the issue its unique to Catalina 2 Link to comment
2 Mark Lajer Posted June 20, 2019 Share Posted June 20, 2019 9 hours ago, Jeff Schaffer said: I am also having this same problem. And I use my Macbook Pro to connect to my work. It is critical usage. Hospital and patient care. So your response that we do not support beta software is pretty callous and basically blows off your clientele. If Apple has a beta version, then I am sure they expect their 3rd party's to follow suit. Jschaff - if you have Chrome browser you can use the Citrix Workspace extension - it worked for me (a little laggy though)https://chrome.google.com/webstore/detail/citrix-workspace/haiffjcadagjlijoggckpgfnoeiflnem Hope to see a new release/beta release of Citrix Workspace soon with Catalina support. 2 Link to comment
2 Evgeny Matohin Posted July 17, 2019 Share Posted July 17, 2019 Well, it's 2 months till release and no update here. Pretty disappointing. It affects certificates that 100% comply with Apple rules. All browsers are able to verify the certificate chain and Workspace still doesn't work. Kind of defeats the purpose of beta testing. Service providers building their solutions on top of Citrix products must have some time for testing before release and we start running out of time pretty soon. 2 Link to comment
2 Paul Kirvan Posted August 13, 2019 Share Posted August 13, 2019 58 minutes ago, Arvind SankaraSubramanian said: We will continue to do the same by releasing a new version Citrix Workspace app for Mac that supports macOS Catalina that will coincide with release date of macOS Catalina. Having a beta is a great step forward, however I'm concerned that you still don't get it. Using proper security certificates is not a feature of Catalina- it works on all operating systems and there is no reason why users should be deprived of modern security simply to wait for an arbitrary release date. You should be shipping proper security as soon as you are able without regard to Apple's schedule. 2 Link to comment
2 Mark Lajer Posted August 21, 2019 Share Posted August 21, 2019 Need an explanation from Citrix why some got this and other doesn't.. we have a lot of customers waiting for this...... 2 Link to comment
2 George Culainn Posted August 21, 2019 Share Posted August 21, 2019 Right, let's flip this on its head. Here's your (Citrix's) GA feature availability matrix for Receiver / Workspace (including Mac): https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf?_ga=2.18168633.103060667.1566411595-1920900594.1564131053 Let me draw your attention to the section where it says: 'Mac 1906 - Supported OS version: 10.11 and above'. Now unless you want to go full legal on us and claim that under Mac you are referring to PowerPC, there's really no two ways about it: any release that comes out should support 10.11 and ABOVE. Why is it not supporting the latest? You may say you don't develop for betas, but we didn't ask you to. We simply want a version that works on X and above. Are you saying that even though you claim in your supported versions that it works, you won't future-proof your in-house developed applications? Why say above? You obviously did not test it on above, hence the thread. See, that problem is that you expect paying users to be patient, but you're running an enterprise. No one has to be patient. Everyone already paid up. And what's even worse that everyone WAS actually patient. People waited months before even politely suggesting that maybe you should start work on a newer version. I think that's food for thought. On a different note, however, I investigated more and I can say with almost complete certainty that it won't be the SHA1 issue. G2 signs for SHA256, so it should not be a SHA1 problem (https://knowledge.digicert.com/generalinformation/digicert-root-compatibility.html). Interestingly, DigiCert is running a test site for each of their certs, so I opened this in Safari as that's using the MacOS trust store (and not its own like Chrome) and it does show up as trusted since I've imported the G2 and the old Root CA. So that confused me, as that should mean that apps should be trusting it too. However researching the error more I found this old article: https://support.citrix.com/article/CTX224709. I followed it and it does seem to be accurate for our problems. I have problems with DigiCert, others get messages from other CAs, meaning it's not the Citrix built-in trust and cert, but each organisation's NetScaler enterprise gateway in front of the Citrix cluster. The article says to compare each cert down the chain, starting from the root, going intermediary and then the actual client cert. I did that, but I can't make sense of it as it trusts them all in both Chrome and Safari, based on the imported G2, however the app is still saying I chose not to trust it. To be completely blunt, I don't see how this wouldn't be the app's fault. Everything else is trusting it (like they should) and it's still popping with a trust issue. We also have the backing evidence of this still working on the previous MacOS, so it can't be that everyone's NetScaler certs suddenly became invalid simultaneously. I have a feeling though, that the NetScaler may be doing something dodgy for everyone when it comes to the handshakes and Catalina's new requirements (e.g. downgrading or using an older cipher suite), so potentially a network dump may be required. I'll come back around when I find out more. Oh yeah, to answer your question: 1 hour ago, Christopher Orlandella said: Anyone else receive the email ? Really looking to get back to working correctly and not on the chrome light version. Marco......... No, I don't think anyone got it, and I think I know why: https://docs.citrix.com/en-us/citrix-workspace-app/release-timelines.html Target release Mac Workspace app - Aug 16-31. So nevermind the EAR, they have 10 days left to release a new GA version... I'm calling it now, the EAR form is just their attempt to stall this. 2 Link to comment
2 Nathan Shaw Posted August 24, 2019 Share Posted August 24, 2019 4 hours ago, George Culainn said: Alright, so I think we need to steer this back to the real topic - why this particular version isn't working with Catalina. I concur on the NetScaler cert issue, but keep in mind we followed the documentation (details in my previous post) that's Citrix's old way of fixing this issue to get the certs trusted. Everything else (browsers, etc.) actually trust them too after that in Catalina. Except for CX Workspace/Receiver. The warning only comes up in the app, nothing else says it's not trusted. Then you need to compare to Mojave / Sierra, where the 1906 release is still working fine with the SAME netscaler certs. And then you also need to compare with some people's feedback in this thread that the Catalina EAR fixed the issue for them. So I think there's sufficient evidence that the issue is coming from the app code and not from the OS functionality changes. To rephrase the complaint, I'd say Citrix hard-defined trusts in the app code as nothing we do on the OS level affects how the app sees the cert (potentially hard-linking to the built-in trust store, disregarding user imported CAs). SHA1 isn't an issue from what I can see (at least not to the company I work with) as the DigiCert CA signed with SHA256. I'd propose to ask a different question: why don't we have the EAR links? Why are only some people getting it when it's affecting everyone? Is it too much to ask after 3 months to get a workaround for this? Agreed, the app-specific cert trust model has always seemed a bit odd. However, macOS 10.14 works fine. I don't see how some people's vitriol helps, when they have chosen to run an Apple beta. Glad they're not looking after my production environment. Betas are for finding issues, we've all found an issue. BAU. 2 Link to comment
2 Paul Kirvan Posted August 24, 2019 Share Posted August 24, 2019 1 minute ago, Nathan Shaw said: Don’t forget whose beta this is. Apple’s. It is Apple’s beta that has triggered this issue. Citrix Workspace continues to work on all my production Apple systems. No, Apple's beta did not trigger this issue. That's nonsense. The Citrix app has been flawed for years. Apple simply changed the failure behavior from opening in an insecure state (which you gleefully accept) to not opening which is entirely reasonable. It's Citrix's job, not Apple's, to write their own code that conforms to modern standards. If they had done so, their app would run fine in Catalina just like 99% of the software out there. 2 Link to comment
1 Gus Galeano Posted June 25, 2019 Share Posted June 25, 2019 From a very non technical perspective it looks like the solution would be fairly simple. Citrix needs to issue an updated Root Certificate that complies with the newest security protocols required by Mac OS Catalina. This same thing happened before and the solution was the same one. 1 Link to comment
1 Joseph Soldner Posted June 27, 2019 Share Posted June 27, 2019 On 6/20/2019 at 2:43 AM, Mark Lajer said: Jschaff - if you have Chrome browser you can use the Citrix Workspace extension - it worked for me (a little laggy though)https://chrome.google.com/webstore/detail/citrix-workspace/haiffjcadagjlijoggckpgfnoeiflnem Hope to see a new release/beta release of Citrix Workspace soon with Catalina support. I was able to use the web version of Workspace using Safari. 1 Link to comment
1 Tejus Adiga M Posted July 3, 2019 Share Posted July 3, 2019 In Catalina Apple has tightened its rules to trust the certificates. All the certificates which do not comply with new Apple Cert guidelines will be revoked in Catalina. Administrators have to generate new CA certificates as per Apple guidelines and distribute it to their clients. https://support.apple.com/en-in/HT210176 1 Link to comment
1 Tejus Adiga M Posted July 10, 2019 Share Posted July 10, 2019 Hi, The certificate issue on Catalina has nothing to do with Citrix Workspace app for macOS. Citrix does not issue these certificates. To resolve the issue kindly ask your Administrator to get the new set of Certificates from your respective Certificate provider. These newly generated certificates must follow Apple guidelines as mentioned in https://support.apple.com/en-in/HT210176. 1 Link to comment
1 Mark Lajer Posted July 10, 2019 Share Posted July 10, 2019 New update released - but still doesn't work with Catalina. https://www.citrix.com/downloads/workspace-app/mac/workspace-app-for-mac-latest.html They don't even notarizing there apps (requirement from macOS 10.14.5) - so Citrix Workspace is from an unverified developer and doesn't pass gatekeeper without bypass. Holy sX!*t Citrix is old school.... in the bad way. 1 Link to comment
1 George Culainn Posted July 30, 2019 Share Posted July 30, 2019 On 10/07/2019 at 6:49 AM, Tejus Adiga M said: Hi, The certificate issue on Catalina has nothing to do with Citrix Workspace app for macOS. Citrix does not issue these certificates. To resolve the issue kindly ask your Administrator to get the new set of Certificates from your respective Certificate provider. These newly generated certificates must follow Apple guidelines as mentioned in https://support.apple.com/en-in/HT210176. This is incorrect on multiple levels: 1. The issue only has to do with the workspace app, as many other apps operate fine regardless of the upgrade, it's this specific app that's affected 2. Citrix doesn't issue the certificates, but no one said they do? Citrix, however, is requesting the certificates so it's their responsibility to ensure that the CA that signs for their cert is trusted by the OS. They should regularly check whether a CA is being deprecated or expiring in MacOS. 3. Obtaining 'new set of certificates' solves nothing (disregarding the fact that the G2 Citrix is using to sign the app is superseded by the G3). Even when manually importing the G2 signing CAs, the app is still flagging them to be untrusted. Please read the issue descriptions before coming back with a proposition. 4. Why tell people what guidelines define how certs should be generated? Do you think the people reporting this issue can generate a new cert for the Citrix app? There is no control people outside Citrix have on which certs are used in the app and how. In all likelihood the issue stems from Apple's choice to deprecate SHA1 (https://www.macrumors.com/2019/06/06/apple-deprecates-sha1-macos-catalina-ios-13/) and the Citrix app certs being SHA1. The app certs will need to be recreated using a SHA2 signing method *by Citrix*. Consumers have no way to fix this for Citrix. The only workaround for now is to use OS-es and devices that still support TLS over SHA1 cyphers. Take a look at this to understand why: https://en.wikipedia.org/wiki/SHA-1#Attacks I recommend to make the feedback constructive next time as this type of communication just makes the company appear amateurish. 1 Link to comment
1 Paul Kirvan Posted August 1, 2019 Share Posted August 1, 2019 4 hours ago, Mark Lajer said: Status: Citrix won't release new versions for macOS betas. They only start working on a new release once the new version is GM. Which is most likely 1-2 weeks before release.. Will NOT recommend using Citrix for any of our customers in future.. You're too kind. This isn't about releasing versions for the betas, its about releasing versions for the actual release. It's not like this is some bug in the beta that we want them to work around for us that Apple might fix in a later beta. This is a conscious decision by Apple to require decent security in the Catalina release version. Why would Citrix want to postpone using modern security certificates? If they cared about security as much as they tell their customers they do they'd already be using the latest and this would never have happened. Instead, they are going to wait until Catalina ships and it starts causing problems for end users... 1 Link to comment
1 Arvind SankaraSubramanian Posted August 13, 2019 Share Posted August 13, 2019 Hi Everyone, Citrix has been traditionally supporting new macOS versions with Citrix Receiver/Citrix Workspace app from day zero of macOS' general availability. We will continue to do the same by releasing a new version Citrix Workspace app for Mac that supports macOS Catalina that will coincide with release date of macOS Catalina. However, Citrix is aware of the issues and has been working actively on the recent changes in macOS Catalina with respect to new Apple Policies. In this regard, Citrix is targeting an Early Access Release (EAR)(beta) that will install & function on macOS Catalina Beta for customers to verify and provide us feedback. You can sign up for EAR program at https://podio.com/webforms/15680558/1051209, You will be added to the email list for EAR notifications. Note: You should trust/Mark as Known Sender the following email address - Citrix_Systems@mail.vresp.com. We will update this forum as soon as we have an update on the Early Access Release. Thanks 1 Link to comment
1 Gus Galeano Posted August 19, 2019 Share Posted August 19, 2019 On 8/12/2019 at 11:42 PM, Arvind SankaraSubramanian said: Hi Everyone, Citrix has been traditionally supporting new macOS versions with Citrix Receiver/Citrix Workspace app from day zero of macOS' general availability. We will continue to do the same by releasing a new version Citrix Workspace app for Mac that supports macOS Catalina that will coincide with release date of macOS Catalina. However, Citrix is aware of the issues and has been working actively on the recent changes in macOS Catalina with respect to new Apple Policies. In this regard, Citrix is targeting an Early Access Release (EAR)(beta) that will install & function on macOS Catalina Beta for customers to verify and provide us feedback. You can sign up for EAR program at https://podio.com/webforms/15680558/1051209, You will be added to the email list for EAR notifications. Note: You should trust/Mark as Known Sender the following email address - Citrix_Systems@mail.vresp.com. We will update this forum as soon as we have an update on the Early Access Release. Thanks So when is this happening? I have not received any information on how to participate or activate a beta. Thanks in advance. 1 Link to comment
1 Paul Kirvan Posted August 19, 2019 Share Posted August 19, 2019 1 hour ago, Gus Galeano said: So when is this happening? I have not received any information on how to participate or activate a beta. Thanks in advance. You can sign up but I haven’t actually gotten any software. I would suggest not thanking them in advance. Doing so suggests that it can be taken for granted that they will help their customers and keep their software working. The fact that they need Apple to tell them to use the proper certificates says otherwise. 1 Link to comment
1 Paul Kirvan Posted August 20, 2019 Share Posted August 20, 2019 6 hours ago, Sacha Thomet1709152826 said: please be a bit patient, I can say from a very secure source that they are near to release a first working EAR for this. I'm not allowed to explain more. But wait is over very soon... ;-) Patience would be totally appropriate if this was just a bug or whatever. But the fact is, Citrix has been using obsolete, insecure certificates for years and would gleefully be doing it forever if it weren't for Apple. That's right, users have to rely on Apple to sort Citrix out because Citrix it self couldn't care less about security. That's unfortunate. And its been going on for years. So patience isn't warranted. 1 Link to comment
1 Paul Kirvan Posted August 21, 2019 Share Posted August 21, 2019 51 minutes ago, Sacha Thomet1709152826 said: This thread is about the Problem that CWA is not working on Catalina Beta. I'm not working for Citrix. I don't know why you quote my post and attack Citrix in it. In my case, the Cert which was mentioned in the Error message that the Cert is "not trusted" was not issued or placed by Citrix. The message that the Cert is not ok was not correct, that was the Bug imho. I don't agree that Citrix couldn't care less about security. This forum is to help each other, and my post from yesterday should be an info that there is light at the end of the tunnel... I'm happy to hear that you believe Citrix will fix this soon. That's good news. However, anyone who has the option should move away from Citrix. We want software providers who care about security enough to proactively use the latest standards. Citrix should not have been sitting around waiting for Apple to school them. They also should not be saving this fix up for when Catalina releases- it's not like we're talking about Dark Mode support or some other Catalina specific feature. Using obsolete security is a risk on all versions of macOS and should be dealt with ASAP. 1 Link to comment
Question
Shane Smith1709161035
An upgrade of OS from Mojave to Catalina as resulted in an error when using the Workspace app or url to launch Citrix Workspace applications
the error is :
You have not chosen to trust "GlobalSign Root CA", the issuer of the server's security certificate.
When looking in the keychain the cert is trusted.
Link to comment
Top Posters For This Question
17
9
5
5
Popular Days
Oct 9
26
Oct 8
19
Aug 21
16
Aug 24
10
Top Posters For This Question
Paul Kirvan 17 posts
Mark Lajer 9 posts
Shane Smith1709161035 5 posts
Gus Galeano 5 posts
Popular Days
Oct 9 2019
26 posts
Oct 8 2019
19 posts
Aug 21 2019
16 posts
Aug 24 2019
10 posts
Posted Images
156 answers to this question
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now