Citrix Workspace Linux 22.9.0.21 SSL Error


Miguel Francis

Question

I am getting the dreaded SSL error when trying to use the current version of Citrix Workspace on Ubuntu 22.04.1 LTS. When I try to launch one of our applications from our Citrix portal, I get this error:

 

"Contact your help desk with the following information: You have not chosen to trust 'AAA Certificate Services', the issuer of the server's security certificate (SSL error 61)"

 

I checked Mozilla's directory and the most current cert was there so I tried the method mentioned on other posts:

  •      sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
  •      /opt/Citrix/ICAClient/util/ctx_rehash

 

Doesn't fix the issue and still get the same error message.

 

6 answers to this question

I was actually able to get this to work. I noticed:

  • all the symbolic link names in /opt/Citrix/ICAClient/keystore/cacerts generated by the command above ended in .crt, but most of the existing files in there were .pem
  • and all the symbolic link names in /etc/ssl/certs ended in .pem

I know very little about certs (obviously) but I figured the file had the right content but maybe needed the .pem extension. So I:

  • Deleted the symbolic link /opt/Citrix/ICAClient/keystore/cacerts/Comodo_AAA_Services_root.crt (which pointed to the Mozilla .crt)
  • Copied the Comodo_AAA_Services_root.crt from Mozilla directory to the Citrix directory but renamed it to .pem (like the symbolic link I saw in /etc/ssl/certs)
  • Reran /opt/Citrix/ICAClient/util/ctx_rehash
  • Tried to open a Citrix application and it now opened successfully.

Citrix receiver SSL Error 61: You have not chosen to trust “add Trust External CA Root”, the issuer of the server’s security certificate (SSL error 61) on Receiver for Linux

A thorough search on official and unofficial channels and forums revealed that this error has been here for years. Citrix error 61, possibly since 2014

 

·       https://support.citrix.com/article/CTX101990/error-ssl-error-61-you-have-not-chosen-to-trust-certificate-authority-on-receiver-for-windows

·       https://support.citrix.com/article/CTX203362/error-ssl-error-61-you-have-not-chosen-to-trust-certificate-authority-on-receiver-for-linux

 

It is a security error that occurs when the client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority that issued the server certificate. This error can be caused by a number of factors, including:

·       A missing or expired root certificate

·       A misconfigured certificate authority

·       A problem with the client device's security settings

Citrix Workspace App for Linux often encounters SSL Error 61 when it cannot verify the identity of the server it is trying to connect to. Various reasons may cause this, including expired, revoked, or untrusted server certificates. The solution to this problem is to add the certificates of the provider or the relevant ones in the SSL folder (/etc/ssl) or app certificate (Firefox cacerts/Comodo) to the list of trusted certificates on your device in order to resolve it. This means that if you encounter problems running the workspace on Firefox, you will need to add the Firefox certificates to this directory. If you encounter problems with other apps or the workspace itself, you will need to add a symbolic link or add the appropriate certificates to this folder: "/opt/Citrix/ICAClient/keystore/".

 

Scenario/Case/Solution No.1 (symbolic link etc/ssl):

·       cd /opt/Citrix/ICAClient/keystore/

·       ln -s /etc/ssl/certs cacerts

Then run:

·       /opt/Citrix/ICAClient/util/ctx_rehash

·       $ICAROOT/util/ctx_rehash

 

Scenario/Case/Solution No.2; Deleting the cacerts; etc/ssl and symbolic links

Log in as root:

·       rm -rfv /opt/Citrix/ICAClient/keystore/cacerts

then:

·       cd /opt/Citrix/ICAClient/keystore/

·       ln -s /etc/ssl/certs cacerts

Then run:

·       /opt/Citrix/ICAClient/util/ctx_rehash

·       $ICAROOT/util/ctx_rehash

 

Scenario/Case/Solution No.3 (Citrix App certificates)

Make sure you are logged in as root, or use sudo.

Download CA certificates in “pem” format from “/opt/Citrix/ICAClient/keystore/cacerts/” directory of another machine/provider or from a VM from an image/backup that contains the Citrix Workspace.

Save the certificate with a .crt file extension.

Copy the .crt CA certificate file to the /opt/Citrix/ICAClient/keystore/cacerts/ folder of the new machine.

Then run:

·       /opt/Citrix/ICAClient/util/ctx_rehash

·       $ICAROOT/util/ctx_rehash

 

Scenario/Case/Solution No.4; App (Mozilla certificates)

4.1 copy

In this process, you should have the Comodo certificate in “crt” not “pem”.

In the event that the symbolic link was previously created, it should be deleted since it may have pointed to the Mozilla .crt

·       file /opt/Citrix/ICAClient/keystore/cacerts/Comodo_AAA_Services_root.crt

Copy the Comodo_AAA_Services_root.crt from the Mozilla directory to the Citrix directory and rename it to .pem

Then run:

·       /opt/Citrix/ICAClient/util/ctx_rehash

·       $ICAROOT/util/ctx_rehash

 

4.2 Symbolic link

·       sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

Then run:

·       /opt/Citrix/ICAClient/util/ctx_rehash

·       $ICAROOT/util/ctx_rehash

 

Scenario/Case/Solution No.4; Fix the revoked, and expired certificates.

Make sure that the server certificate is valid and has not expired. Verify that the certificate has not been revoked on the server certificate revocation list (CRL).

 

Scenario/Case/Solution No.5; fix dependencies, and investigate the logs.

In the event that you have encountered this error following an update to Citrix, please check the dependencies and upgrade to the latest version. To collect the logs, run the following command and look for missing dependencies in the logs.

·       workspacecheck.sh

·       hdxcheck.sh

In the installation directory, type “util/lurdump” to obtain diagnostic information about the Citrix Workspace app. This modification should be done while the session is open and, if possible, while the issue is occurring. The diagnostic information file includes version details, the contents of the Citrix Workspace app's configuration files, and the values of various system variables.

 

Notes:

Directories to consider

·       /etc/ssl/certs

·       /opt/Citrix/ICAClient/util/ctx_rehash

·       /usr/share/ca-certificates/mozilla

Citrix Workspace App for Linux should be updated to the most recent version.

·       Depending on the distribution and location of where you would be installing Citrix Workspace App for Linux, the location of /opt/Citrix/ICAClient/keystore/cacerts/ and /opt/Citrix/ICAClient/util/ctx_rehash may differ. /opt/Citrix/ICAClient/ is the default installation directory for Debian Distributions

·       In one case, the issue with one endpoint could only be resolved by adding both the /etc/ssl/certs and app certificates.

 

Thank you,

Kourosh Maheri
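
An added example (not part of either answer and not Citrix's code): a shell audit of the keystore directory, run before ctx_rehash, that flags entries unlikely to work as a trusted CA file: dangling symlinks, non-PEM content, and PEM files not named .pem (the case the first answer hit). It assumes, from the first answer's observation only, that .pem is the name the client picks up, and that rehash links use OpenSSL-style `<hash>.N` names; `audit_keystore` and `describe_cert` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit a Citrix Workspace CA keystore directory.
# Assumption (from the first answer, not from Citrix documentation):
# CA files must be PEM-encoded and named *.pem to be picked up.

audit_keystore() {
    dir=$1
    for entry in "$dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that case.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # Skip <hash>.N links (assumed to be what a rehash generates).
        case $name in *.[0-9]) continue ;; esac
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "DANGLING $name"          # symlink whose target is missing
        elif [ -d "$entry" ]; then
            echo "DIRECTORY $name"
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$entry" 2>/dev/null; then
            echo "NOT_PEM $name"           # DER or unrelated content
        else
            case $name in
                *.pem) echo "OK $name" ;;
                *)     echo "WRONG_EXT $name" ;;   # e.g. Mozilla's *.crt names
            esac
        fi
    done
}

# Print subject, expiry and SHA-256 fingerprint of one CA file, to compare
# against the value the CA publishes before trusting a copied certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Stand-alone use: sh audit.sh /opt/Citrix/ICAClient/keystore/cacerts
if [ $# -gt 0 ]; then
    audit_keystore "$1"
fi
```

Anything not reported as OK is worth resolving before rerunning ctx_rehash, and `describe_cert` is most useful for Solution No.3, where the file comes from another machine.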
