Updated October 12th, 2011.
Everytime I install the Linux Citrix Client it seems like I run into problems with SSL-Certificates. The message usually sounds like this:
You have not chosen to trust “Thawte Server CA”, the issuer of the server’s security cerfiticate (SSL error 61).
You might have another company listet as issuer on your server.
Anyway, let’s fix it.
Run the following command as a superuser, also known as root:
cp /usr/share/ca-certificates/mozilla/* /usr/lib/ICAClient/keystore/cacerts/
That’s it!
Updated: The new client, version 12.0, also called Citrix Receiver, is by default installed under /opt/Citrix/ICAClient/. So then the command will be:
sudo /user/share/ca-certificates/mozilla/* /opt/Client/ICAClient/keystore/cacerts/
This assumes that the ICA Client is installed in the default directory. Also you need to have Mozilla Firefox a package called ca-certificates installed since we are using its certificats.
If you have installed the client as a normal user, the keystore will most likely be placed under $HOME/ICAClient/linuxx86/keystore/cacerts/, note that the double x in linuxx86 is not a typo.
Please leave a comment if you found this useful.
I have done all of the above, but when I click on the icon for the Citrix Application I get:
Client Error: The SOCKS 5 handshake failed (SSL error 29).
Any suggestions?
Im using debian 2.6.24-1-amd64, installed the ca-certificates and copied the line, but same error message still.
I assume the ca-certificates are missing something, any idee
David: Strange, never seen that one. But I have only testet this on Ubuntu though. What distribution did you use?
Thanks for the great tip…. after a day search on the internet to get my Citrix ICA working, I have put in the command as discribed and gues what… it works!!!!
You have not chosen to trust “equifax secure global ebusiness ac-1” ssl error 61.
This is what I had all the time and without any luck I added certificates (entrust_ssl_ac.cer) but didn’t work eather… very frustrating but luckely found your website….
Thanks again for a this….great job !!!!!
Richard
(Linux mint 4.0)
Firefox 2.0.0.13
I have been dealing with this same issue for about a month. I got to the point of giving up, but this article fixed my problem completely. I can now use Citrix on Ubuntu 8.04. Thanks.
Just wanted to say – I’ve been looking for a simple solution to this problem a while – thanks!
I tried your tip here on a Ubuntu 8.04, but did not work, I received a message:
“You have not chosen to trust “UTN-USERFirst-Hardware”, the issuer of the server’s security certificate (SSL error 61)”
More tips anyone?
I have also followed the instructions on this site about installing the certificates etc. This has fixed my initial problem but now I get the SOCKS 5 handshake failed (SSL error 29) problem described by David Wright.
Does anyone else anywhere on the internet get this issue ????
I am running Ubuntu 7.04 and trying to connect to Citrix Presentation Server 4.5 via Secure Gateway using the Linux ICA client.
@Andy:
This is probably because UTN-USERFirst-Hardware isn’t a big and trusted supplier of certificates. However you can visit this site http://www.usertrust.com/cacerts/ and download the appropriate certificate file and save it in the directory mentioned earlier. No guarantee though :)
Got same error in Windows 7 and did same steps has told by Andy its working fine.Thanks.
Thank you torh!
I downloaded the crt-file and saved it into the ICAClient/linuxx86/keystore/cacerts/ folder, now everything works! Thank you!
@Andy: Glad to hear that it worked.
+1 for orignal post working… Ubuntu Hardy.
Thanks!!!
Yes!!!! Your suggestion fixed my ssl error 61 problem!!! Thank you so much!!!
Thank you very much, I finally have Citrix working!
Thanks for great issue.
A strange thing is that couple months ago everything was working without magic cp string. I had successfully connected to my company server from Ubuntu 8.04 and PCLOS, but today on new Ubuntu installation the problem appeared.
It’s OK now.
Hi
I am facing a problem while copying any text from Ubuntu(Linux Debian Flavour)application like open-office or any other text displaying or writing application to citrix client application, text formatting gone away like if i copy two different paragraphs to citrix it just concatenate the two paragraphs or remove all the blank lines from the text. If anybody having the solution plz help me.
Thanks a lot …. It worked the first time (after many searches) .
I have xubuntu, xfce, mozilla.
Thanx Thanx Thanx!!!!
I’ve had lot’s of problem getting this to work. I’ve googled myself through half of the web and I’ve found many different and complicated sollutions, wich never helped me. But this post solved the problem for me once and for all. So easy! thanx again
Still doesn’t work for me. :(
@Agneta: Hmm.. what does your error message say?
Works just fine, thanks. One question though: when Citrix runs in seamless mode, I can’t find how to switch back and forth between Citrix window and local PC (Ubuntu 8.04). Any idea? Is there, like VirtualBox, a special key to use before using CTRL right/left arrow?
Hi Tor,
Wondering if you can help me as well. I am trying to connect to my office remotely using a mac os x v10.4 via citrix ICA and get the following error message every time:
ssl error 29: the socks 5 handshake failed. Error number: 183
I have tried using both firefox v2.0 and safari v3.1 and the citrix blog is full of questions but short on solutions.
Thanks!
Thanks a lot! This seems to be the only place on the web where you find this solution although I would imagine that the problem is common! I’m running Ubuntu 8.04.
I consider myself pretty proficient at systems, but this had me stumped!!!!
Thanks for the post. Saw a lot of errors when I ran the command, but it works!!!!!!!!!!!!!
Bloody Marvelous –
As a company we have had no success it getting this to work – and I know of 3 people who have spent a lot of time following the copying of certificates etc etc
We are not worthy ……..
Thanks a lot
@torh
Had the same problem as Andy, used same solution, got same result: worked.
on bended knee with tears of joy … I proclaim my gratitude!
I don’t have a dir /ca-certificates/mozilla/*
I do have:
jss@suse11:/usr/lib/ICAClient/keystore/cacerts> ls
BTCTRoot.crt Class4PCA_G2_v2.crt Pcs3ss_v4.crt
Class3PCA_G2_v2.crt GTECTGlobalRoot.crt SecureServer.crt
When I connect via Citrix nothing happens when I launch an app. It asks to save the ica file then nothing.
Thoughts?
Jeff:
If you get a question about saving the .ica file, the Citrix application is most likely not installed correctly.
Which web browser are you using?
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7)
Thanks a lot, good tip !!
THANKS AGAIN !!.
JP
Thank you a lot. You fixed my issue. Everywhere else gave me a bum steer. You rock!
Now I am running Jaunty Jackalope, and ver 11 of the ICA client, but I still get:
Client Error: The SOCKS 5 handshake failed (SSL error 29)
I don’t think this is a problem in the ICA client, as I can connect to one site, L, while I am unable to connect to another site, G, where I receive the SOCKS 5 handshake error. I am using Citrix client version 11.0-1 in openSUSE 11.1
To make matters worse, I only receive the error when connecting over Internet, not when I am on-site and connect over their LAN. I am able to connect to L from the wireless network on-site in G’s offices, but not able to connect to G over the same connection.
I reported the problem to the IT service desk of the company responsible for the solution. After a while I was called back, and they don’t have a solution. So far what he had found out was that this could be related to the server-side, where it seems this problem occurs only for the more recent version of the software.
What I currently do is connect to L and then connect from there (Windows environment) to G – awkward, but it got me connected!
I used the solution from
http://support.citrix.com/article/CTX122965
I.e. I opened port 1495 on my router/firewall. and Bingo!
Thanks! This was very much to the point and did the job for me at once.
Thank you, thank you, thank you.
After fighting with this for a a couple of day this was the solution that worked for me!
Thanks again.
Thank you. I can now get past error 61. However, I now get error 70 (expired certificate). Yes, the certificate has expired, but how can I tell the Linux client to go ahead and connect anyway? The Windows client gives a warning, but allows you to connect if you want.
Same problem for me… My government employer seems reluctant to update their certificate for one of the systems they make us use. Fortunately my main role does not see me needing to access it much, so I can use Windows computers when I need to… But it’s still annoying.
I have not found a way to bypass expired server certificates when using the Linux client.
You star! I’ve been fiddling around for a couple of days now trying to get Citrix to work on Ubuntu. Now it does! :-)
Thanks Tor. That was bugging me for a while. Downloading the certs for Equifax Secure Global from geotrust.com worked for 32 bit systems but it didn’t work on my amd64 system. This however solved the problem nicely thank you very much.
Ken.
Another vote of thanks. This worked in seconds after a couple of hours w other “tips”…
Ubuntu 9.10
Firefox 3.5.5
Citrix Receiver for Linux
You rock, I installed and configured Citrix and was able to log into my companies portal but when I lunched an app I’d get a Equifax cert error. I did all kinds of searches and could fins a solution until I came across this site.I did what you suggested about and coping everything to the ICA folder no Citrix works like a charm. Thanks so much
Ubuntu 9.10
Firefox 3.5.5
Works for me too! Thanks a lot!!!
Ubuntu 9.10
Firefox 3.5.8
Incredible. I too had spent at least a day trawling the net and reading many confusing and sometimes confused suggestions of how to resolve this.
Thanks a million
perfect, it works!!
Many thanks
Thank you so much Tor – ‘t works like charm!
Only wish I’d found your post earlier :-)
Engelbert
Same as some others — I wish I’d have found this first. This fixed the exact issue with certificates I have been having.
Specifically: I’m running Ubuntu 10.04.1 LTS which I installed from the Minimal CD. I’ve added Firefox, openmotif & the Citrix Receiver from Linux. I had been receiving the “you have chosen not to trust blah blah .. ” error. This took care of it.
THANK YOU.
-R
I was copying into $HOME/ICAClient/keystore/cacert since thats where I installed the client, But was still getting the error.
Unknown to me there was already an installation in the /usr directory and it worked once I copied the certificates there.
Thanks,
parakram
Hi,
I was searching for solution of this problem for quite a long time and after following this blog i could actually fix this.
Thanks and keep it up.
Thank you very much. I have been at it for the past 2 hours and have installed everything as indicated on the following page:
http://support.citrix.com/article/CTX118280
But your one line of code made it all fall into place, and worked without errors.
BTW I used Ubuntu 10.10 with firefox.
I have a CA Cert unique to my company. It’s in DER format, and looks very similar to the other .crt files in keystore/cacerts/ when opened with a hex editor. But regardless, I still get Error 61 – ICAClient just won’t acknowledge my certificate. File permissions are ok. Any idea if there are
Worked like a charm for me, thanks!
simple was that? Thanks a bunch!
Just thanks! :-)
Thx, it worked like a magic ….. thanks a ton :)
Worked… but the new version install in /opt/Citrix/ICAClient … not /usr/lib/ICAClient
and for now a was able to start in root mode.
Thanks,
I haven’t used the Citrix client on Linux for years. Maybe I should just do a test and update the guide. It still gets quite a few hits each month.
Thanks so much for updating your post to match the latest citrix changes. The instructions are perfect. Cheers!
You’re welcome. :-)
Thanks much for your guidance. In Linux Mint 12, I had to slightly modify your command:
sudo cp /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/
Note change to “usr” and “Citrix.” Again many thanks!
Worked Great, Thank you!
Excellent, worked like a charm. Thank you very much
In Fedora 17 the CA-certificates package puts files in /etc/pki/tls/certs/ so you probably need to copy from there.
However, that didn’t help me. The certificate issuer I “have not chosen to trust” is not one of the big CAs. I have been given a file with the certificate – a binary file xxx.cer – but copying it into the ICAClient certificates directory doesn’t fix the problem. Is there a way to just turn off certificate checking?
P.S. this site gives an example of using openssl tools to check the format of a certificate file and convert between formats: http://hintshop.ludvig.co.nz/show/citrix-certificate/
The certificate file I am using is indeed DER format, the same as the existing files in /opt/Citrix/ICAClient/keystore/cacerts/, but copying it into that directory does not help. Just before the ‘you have not chosen to trust…’ message, the ICA client pops up some other message box with a long hex string (key signature?) but it disappears too fast to read it.
What is the name of your CA? Have you tried searching for the root certificate from the CAs website?
The organization name in the certificate is “CE NIs” and I believe it is a self-signed certificate. I did get it working with an earlier version of the Citrix client on Linux just by copying the certificate file into the right directory.
sudo cp /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/