3

Citrix workspace app fails to launch after downloading the .ica file. The error says:

SSL Error Contact your help desk with the following information: You have not chosen to trust "DigiCert High Assurance EV Root CA", the issuer of the server's security certificate (SSL error 61).

I was able to easily fix it on Ubuntu (20.04) by linking the certificates:

 sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

But on Fedora v34 (derived from Red Hat) that fix doesn't work. /usr/share/ca-certificates/mozilla does not exist.

I have also tried linking the files in /etc/ssl/certs to the ICAClient path as well as:

sudo ln -s /etc/pki/ca-trust/extracted/pem/* /opt/Citrix/ICAClient/keystore/cacerts
Scott Stensland
yitzchak24
  • You can download the certificate here: https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt.pem and then please have a look at the following: https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/ – Valentin Bajrami Sep 07 '21 at 20:46

3 Answers

7

In your browser, go to the site where you launch your Citrix session from and click on the padlock widget at the far left of the URL

-> click on "Connection is secure"

______ on Chrome browser ______

-> click on "Certificate is valid"

this will open a popup window

-> on Chrome click on tab "Details"

-> look at the field "Certificate Hierarchy"

-> click on the bottom most line which is the name of your cert

-> hit Export (which will download the cert file)

______ on Firefox ______

-> click on "More information"

this will open a popup window; go to its "Security" tab

-> click on "View Certificate"

-> this will open a page; click on the "DigiCert High Assurance EV Root CA" tab

-> look at "Miscellaneous" -> Download

-> click on "PEM (cert)" and it will download the cert file


we are done with the browser

rename the cert file you just downloaded so it ends with .pem ... my freshly downloaded file lives at ~/Downloads/foo.bar.pem

in a terminal issue the following commands

cd /opt/Citrix/ICAClient/keystore/
sudo mv cacerts  cacerts~~ignore
sudo ln -s /etc/ssl/certs cacerts
sudo cp ~/Downloads/foo.bar.pem  /opt/Citrix/ICAClient/keystore/cacerts

if your box does not have dir /opt/Citrix/ICAClient/keystore/cacerts then you can identify your correct path by issuing

dpkg -L  icaclient | grep cacerts

finally issue

# this engages above new .pem file
/opt/Citrix/ICAClient/util/ctx_rehash

PS ... if Citrix is reading this please slurp this up and post on your Citrix workspace install site to help folks like me who had to struggle for hours first time as nowhere is this documented

MrKumar
Scott Stensland
  • 1
    Man, thank you _so much_! It's a shame Citrix provides an rpm package and doesn't bother detailing that procedure (or at least nowhere easy to be found). – Nicolas Seiller Apr 29 '22 at 20:35
  • 2
    On Chrome it doesn't work for me if I export the bottom certificate - I have to export the top one. I'm guessing the server is not the same in my case, but the certificate authority being used is the same. – Robin Green Sep 13 '22 at 14:14
0

Based on the comment, downloading the cert itself and copying to /opt/Citrix/ICAClient/keystore/cacerts worked. (Made sure to do chmod 444 on the cert).

Though there should be a more elegant solution, since /etc/ssl/certs/ca-bundle.trust.crt has the correct DigiCert already downloaded, and so does /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

Vojtech Trefny
yitzchak24
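
Added example (not from the answers here and not Citrix's own tooling): a shell sketch of the route the answer above asks for, pulling only the named self-signed root out of the system bundle into its own file, so that one file can be copied into /opt/Citrix/ICAClient/keystore/cacerts and picked up by ctx_rehash. It assumes the `openssl` CLI is installed and that the keystore wants one certificate per file; the function names and the output path in the usage comment are made up for illustration.

```shell
#!/bin/sh
# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/NNNN.pem
# and print how many were found. Text between certificates is dropped.
split_bundle() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { if (f != "") close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# extract_root BUNDLE "Common Name" OUTFILE: copy the certificate whose
# subject CN matches AND whose subject equals its issuer (a self-signed
# root) to OUTFILE with mode 444, then print its SHA-256 fingerprint.
# Returns non-zero if no such certificate is in the bundle.
extract_root() (
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  split_bundle "$1" "$tmp" >/dev/null || exit 1
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null) || continue
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 2>/dev/null) || continue
    subj=${subj#subject=}; subj=${subj# }
    iss=${iss#issuer=};    iss=${iss# }
    case ",$subj," in *",CN=$2,"*) ;; *) continue ;; esac
    [ "$subj" = "$iss" ] || continue
    cp -f "$f" "$3" && chmod 444 "$3" || exit 1
    openssl x509 -in "$3" -noout -fingerprint -sha256
    exit 0
  done
  exit 1
)

# Usage (output path is an example):
#   sh extract_root.sh /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
#      "DigiCert High Assurance EV Root CA" /tmp/DigiCertHighAssuranceEVRootCA.pem
if [ "$#" -ge 3 ]; then extract_root "$@"; fi
```

Compare the printed fingerprint with the one the CA publishes before copying the file into the keystore and running ctx_rehash.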
0

In three easy steps

$ cd /opt/Citrix/ICAClient/keystore/cacerts

$ sudo ln -s /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

$ /opt/Citrix/ICAClient/util/ctx_rehash
Serge Stroobandt