Certificate error when using Citrix Receiver
Solution 1
To prevent the SSL error 61 when accessing remote sessions:
Make Firefox's certificates accessible to Citrix,
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
sudo /opt/Citrix/ICAClient/util/ctx_rehash
Source: Citrix help page
Solution 2
Newer versions of the receiver require you to convert the , place the crt in a specific directory, and run a citrix utility.CRT
file to PEM
If your installation is in /opt/Citrix/ICAClient
and assuming the signing root certificate or CA is an existing one in ca-certificates:
- Get to the certificates directory:
cd /usr/share/ca-certificates/mozilla/
2. Convert the desired CRT
to PEM
:
sudo openssl x509 -outform pem -in [SIGNING_CERTIFICATE_YOU_ID_FROM_COMPANY_WEBSITE.crt] -out [NEW_CERT_PICK_YOUR_NAME.pem]
3. Link it to the Citrix directory and rehash:
sudo ln -s NEW_CERT /opt/Citrix/ICAClient/keystore/cacerts/
cd /opt/Citrix/ICAClient/util
sudo ./ctx_rehash
If the CA is not a known and trusted one present in the /usr/share/ca-certificates/mozilla
directory mentioned above:
Download it using your browser's security info on the site
Convert it toMove it, and rehash: Step 3 above.PEM
Left the crossed out text for anyone needing those instructions for whatever reason but I recently tested just moving the CRT to the directory and the rehash utility will convert as needed.
Solution 3
some users (like me) might find that even after linking Firefox to the cacerts folder the error persists.
That appears to be because Citrix does not supply all of the latest certificates.
The solution appears to be to note the certificate said to be "not trusted" (eg "Verisign Class 3 Public Primary Certification Authority - G5") then export it from Firefox (under the Preferences menu then Certificates) to */ICAClient/keystore/cacerts.
Worked for me. Hope this helps.
Related videos on Youtube
Comments
-
gravity over 1 year
I am getting this error when attempting to load a Desktop module up within Citrix Receiver:
What I don't understand is I can see this particular certificate is set to "Trust.." under any/all circumstances that I can find. This only happens in Ubuntu, and I did not installed any certificates (manually) on either partition when trying to correct the issue. The browser also appears to be irrelevant (Chrome/Firefox both generate the same error). Forgive my ignorance on certificates, but this seems to be beyond my expertise.
There are a few places I've looked through various search engines, and I found other users who have had similar issues with certificates in the Linux Citrix Receiver, but I'm not sure what's wrong with this certificate, as none of the other suggestions I've tried have worked so far, and they're too numerous to go into detail... so I'd like to take it from here and see what you all can offer up.
-
gravity almost 11 yearsWorked like a charm. Don't know how I missed this on Citrix's own site, I guess I was looking too much at user-centric help/forums.
-
LRE almost 10 yearsso close yet so far! No joy for me I'm afraid
-
blvdeer over 7 yearsWorks on Linux Mint 18 based on Ubuntu 16.04
-
RuntimeException over 6 yearsI did a copy instead of symbolic link. Works good. I copied only the certificate it complained about -->
sudo cp /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem /opt/Citrix/ICAClient/keystore/cacerts/
--- Using Citrix Receiver Full 13.6 on Ubuntu 16.04.3 -
kidmose over 6 yearsThe
sudo /opt/Citrix/ICAClient/util/ctx_rehash
bit did it for me (Skipped the conversion withsudo openssl ...
, though my export appears to be a pem) -
kidmose over 6 yearsNote @marlon 's comment: After copying/linking you must run
sudo /opt/Citrix/ICAClient/util/ctx_rehash
-
Marlon over 6 yearsif the certificate is in PEM this works, if not look at my answer.
-
Thomas about 6 yearsFor me, the pem trick worked once (thanks). But not after the reboot. I tried again the same steps, no more luck. I reverted to icaclient 13.4 and it just works. Looks like verions >13.4 are broken.
-
Marlon about 6 yearsNot broken but rather they changed they way they worked to be more secure. If that didn't work the second time then something else is the cause? I use the client daily and it works just fine. As long as your company wont require a specific version higher than 13.4 you can keep it.
-
Rocologo almost 6 yearsWorks on Linux Mint 19 (Ubuntu 18.04) (I had to both link the files and run ctx_rehash) and then it worked perfectly
-
Andreas J over 4 yearsStill relevant and working for Ubuntu 19.10
-
Muposat over 3 yearsThis fixed "0.0.0.2 No such file or directory" error for me. Ubuntu 20.04
-
Merlijn Sebrechts almost 3 yearsYou might need to run
sudo /opt/Citrix/ICAClient/util/ctx_rehash
for the latest version of the workspace app.