25

I am getting this error when attempting to load a Desktop module up within Citrix Receiver:

What I don't understand is I can see this particular certificate is set to "Trust.." under any/all circumstances that I can find. This only happens in Ubuntu, and I did not install any certificates (manually) on either partition when trying to correct the issue. The browser also appears to be irrelevant (Chrome/Firefox both generate the same error). Forgive my ignorance on certificates, but this seems to be beyond my expertise.

There are a few places I've looked through various search engines, and I found other users who have had similar issues with certificates in the Linux Citrix Receiver, but I'm not sure what's wrong with this certificate, as none of the other suggestions I've tried have worked so far, and they're too numerous to go into detail... so I'd like to take it from here and see what you all can offer up.

gravity

6 Answers

55

To prevent the SSL error 61 when accessing remote sessions:

Make Firefox's certificates accessible to Citrix:

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
sudo /opt/Citrix/ICAClient/util/ctx_rehash

Source: Citrix help page

sebisnow
Mitch
  • Worked like a charm. Don't know how I missed this on Citrix's own site, I guess I was looking too much at user-centric help/forums. – gravity May 31 '13 at 13:03
  • 3
    Works on Linux Mint 18 based on Ubuntu 16.04 – blvdeer Jan 27 '17 at 15:25
  • 2
    I did a copy instead of symbolic link. Works good. I copied only the certificate it complained about --> sudo cp /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem /opt/Citrix/ICAClient/keystore/cacerts/ --- Using Citrix Receiver Full 13.6 on Ubuntu 16.04.3 – RuntimeException Sep 14 '17 at 07:53
  • 3
    Note @marlon 's comment: After copying/linking you must run sudo /opt/Citrix/ICAClient/util/ctx_rehash – kidmose Dec 22 '17 at 11:45
  • 1
    Works on Linux Mint 19 (Ubuntu 18.04) (I had to both link the files and run ctx_rehash) and then it worked perfectly – Rocologo Jul 15 '18 at 08:54
  • 1
    Still relevant and working for Ubuntu 19.10 – Andreas J Jan 16 '20 at 20:52
  • 1
    This fixed "0.0.0.2 No such file or directory" error for me. Ubuntu 20.04 – Muposat Oct 14 '20 at 21:02
  • You might need to run sudo /opt/Citrix/ICAClient/util/ctx_rehash for the latest version of the workspace app. – Merlijn Sebrechts May 20 '21 at 22:27
  • 1
    Another year, another change to the citrix app. Now you also need to run sudo ln -s /etc/ssl/certs/* /opt/Citrix/ICAClient/keystore/cacerts, because it wants the certificates in pem format instead. After this, run the rehash function again. – Merlijn Sebrechts Feb 01 '23 at 10:13
8

Newer versions of the receiver require you to convert the CRT file to PEM, place the crt in a specific directory, and run a citrix utility.

If your installation is in /opt/Citrix/ICAClient and assuming the signing root certificate or CA is an existing one in ca-certificates:

  1. Get to the certificates directory:

cd /usr/share/ca-certificates/mozilla/

  2. Convert the desired CRT to PEM:

sudo openssl x509 -outform pem -in [SIGNING_CERTIFICATE_YOU_ID_FROM_COMPANY_WEBSITE.crt] -out [NEW_CERT_PICK_YOUR_NAME.pem]

  3. Link it to the Citrix directory and rehash:

# Use the absolute path: a relative link target is resolved inside cacerts/ and would not resolve
sudo ln -s /usr/share/ca-certificates/mozilla/NEW_CERT /opt/Citrix/ICAClient/keystore/cacerts/
cd /opt/Citrix/ICAClient/util
sudo ./ctx_rehash

If the CA is not a known and trusted one present in the /usr/share/ca-certificates/mozilla directory mentioned above:

  1. Download it using your browser's security info on the site

  2. Convert it to PEM Move it, and rehash: Step 3 above.

Left the crossed out text for anyone needing those instructions for whatever reason but I recently tested just moving the CRT to the directory and the rehash utility will convert as needed.

Marlon
  • 1
    The sudo /opt/Citrix/ICAClient/util/ctx_rehash bit did it for me (Skipped the conversion with sudo openssl ..., though my export appears to be a pem) – kidmose Dec 22 '17 at 11:44
  • For me, the pem trick worked once (thanks). But not after the reboot. I tried again the same steps, no more luck. I reverted to icaclient 13.4 and it just works. Looks like versions >13.4 are broken. – Thomas Mar 04 '18 at 21:15
  • Not broken but rather they changed the way they worked to be more secure. If that didn't work the second time then something else is the cause? I use the client daily and it works just fine. As long as your company won't require a specific version higher than 13.4 you can keep it. – Marlon Mar 17 '18 at 16:23
4

Some users (like me) might find that even after linking Firefox to the cacerts folder the error persists.

That appears to be because Citrix does not supply all of the latest certificates.

The solution appears to be to note the certificate said to be "not trusted" (e.g. "Verisign Class 3 Public Primary Certification Authority - G5") then export it from Firefox (under the Preferences menu then Certificates) to */ICAClient/keystore/cacerts.

Worked for me. Hope this helps.

Greenant
2

A bit late to the discussion, but found the below to work for version 23.3.0.32. Got this from Peter Smith's answer here. I was having a difficult time with .crt vs .pem certificate extensions and this resolved my issue.

sudo rm -rfv /opt/Citrix/ICAClient/keystore/cacerts
cd /opt/Citrix/ICAClient/keystore/
sudo ln -s /etc/ssl/certs cacerts
/opt/Citrix/ICAClient/util/ctx_rehash

jellz77
  • That did it for me! Lifesaver, as my company is moving an important part of work from remote desktop to citrix – IIVQ May 06 '23 at 10:45
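
To check the result of the linking or copying steps in the answers above, this added example (not code from any answer or from Citrix) classifies each keystore entry by its content rather than its .crt/.pem extension and flags symlinks that do not resolve, which is what a relative `ln -s` target produces. The function names are hypothetical; the default path is the one used in the answers.

```bash
#!/usr/bin/env bash
# Added example: audit the Citrix keystore after linking or copying CA files.
# Function names are hypothetical; the default path is the one used above.

# Classify one entry by its content, not its extension.
# Prints: dangling | pem | der-or-other
classify_entry() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo "dangling"        # symlink whose target cannot be resolved
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo "pem"
    else
        echo "der-or-other"    # binary DER, or not a certificate at all
    fi
}

# Print "<class> <name>" for every file in the keystore; for PEM entries also
# print subject and expiry when openssl is installed, so each trusted CA can
# be reviewed.
audit_keystore() {
    local dir entry class
    dir="${1:-/opt/Citrix/ICAClient/keystore/cacerts}"
    for entry in "$dir"/*; do
        if [ -d "$entry" ]; then continue; fi
        if [ ! -e "$entry" ] && [ ! -L "$entry" ]; then continue; fi  # empty dir
        class=$(classify_entry "$entry")
        echo "$class $(basename "$entry")"
        if [ "$class" = "pem" ] && command -v openssl >/dev/null 2>&1; then
            openssl x509 -in "$entry" -noout -subject -enddate 2>/dev/null \
                | sed 's/^/    /' || true
        fi
    done
}

# Number of entries of one class, e.g.: count_class DIR dangling
count_class() {
    audit_keystore "$1" | grep -c "^$2 " || true
}

audit_keystore "$@"
```

Run it with no argument to inspect the default keystore, or pass another directory as the first argument.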
0

I have the same error, but with certificates trusted by my Firefox. After copying the root CA certificates and converting them to CRT files, the ICA client runs without problems. Hope this info will be useful.

Pablo
0

I had the same issue and solved it this way:

  1. Place certificate to be trusted in /usr/local/share/ca-certificates
  2. Execute sudo update-ca-certificates
    You should see something like this:
    1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d.... Adding debian:SymantecClass3SecureServerCA-G4.pem
  3. Use Google Chrome instead of Firefox
Thorsten Niehues