Problems with Citrix Client on Linux?

Updated October 12th, 2011.

Everytime I install the Linux Citrix Client it seems like I run into problems with SSL-Certificates. The message usually sounds like this:

You have not chosen to trust “Thawte Server CA”, the issuer of the server’s security cerfiticate (SSL error 61).

You might have another company listet as issuer on your server.
Anyway, let’s fix it.

Run the following command as a superuser, also known as root:

cp /usr/share/ca-certificates/mozilla/* /usr/lib/ICAClient/keystore/cacerts/

That’s it!

Updated: The new client, version 12.0, also called Citrix Receiver, is by default installed under /opt/Citrix/ICAClient/. So then the command will be:

sudo /user/share/ca-certificates/mozilla/* /opt/Client/ICAClient/keystore/cacerts/

This assumes that the ICA Client is installed in the default directory. Also you need to have Mozilla Firefox a package called ca-certificates installed since we are using its certificats.

If you have installed the client as a normal user, the keystore will most likely be placed under $HOME/ICAClient/linuxx86/keystore/cacerts/, note that the double x in linuxx86 is not a typo.

Please leave a comment if you found this useful.

71 thoughts on “Problems with Citrix Client on Linux?

  1. I have done all of the above, but when I click on the icon for the Citrix Application I get:
    Client Error: The SOCKS 5 handshake failed (SSL error 29).
    Any suggestions?

  2. Im using debian 2.6.24-1-amd64, installed the ca-certificates and copied the line, but same error message still.

    I assume the ca-certificates are missing something, any idee

  3. David: Strange, never seen that one. But I have only testet this on Ubuntu though. What distribution did you use?

  4. Thanks for the great tip…. after a day search on the internet to get my Citrix ICA working, I have put in the command as discribed and gues what… it works!!!!

    You have not chosen to trust “equifax secure global ebusiness ac-1” ssl error 61.
    This is what I had all the time and without any luck I added certificates (entrust_ssl_ac.cer) but didn’t work eather… very frustrating but luckely found your website….

    Thanks again for a this….great job !!!!!

    Richard

    (Linux mint 4.0)
    Firefox 2.0.0.13

  5. I have been dealing with this same issue for about a month. I got to the point of giving up, but this article fixed my problem completely. I can now use Citrix on Ubuntu 8.04. Thanks.

  6. Just wanted to say – I’ve been looking for a simple solution to this problem a while – thanks!

  7. I tried your tip here on a Ubuntu 8.04, but did not work, I received a message:
    “You have not chosen to trust “UTN-USERFirst-Hardware”, the issuer of the server’s security certificate (SSL error 61)”

    More tips anyone?

  8. I have also followed the instructions on this site about installing the certificates etc. This has fixed my initial problem but now I get the SOCKS 5 handshake failed (SSL error 29) problem described by David Wright.

    Does anyone else anywhere on the internet get this issue ????

    I am running Ubuntu 7.04 and trying to connect to Citrix Presentation Server 4.5 via Secure Gateway using the Linux ICA client.

  9. @Andy:
    This is probably because UTN-USERFirst-Hardware isn’t a big and trusted supplier of certificates. However you can visit this site http://www.usertrust.com/cacerts/ and download the appropriate certificate file and save it in the directory mentioned earlier. No guarantee though :)

  10. Thank you torh!
    I downloaded the crt-file and saved it into the ICAClient/linuxx86/keystore/cacerts/ folder, now everything works! Thank you!

  11. Thanks for great issue.
    A strange thing is that couple months ago everything was working without magic cp string. I had successfully connected to my company server from Ubuntu 8.04 and PCLOS, but today on new Ubuntu installation the problem appeared.
    It’s OK now.

  12. Hi

    I am facing a problem while copying any text from Ubuntu(Linux Debian Flavour)application like open-office or any other text displaying or writing application to citrix client application, text formatting gone away like if i copy two different paragraphs to citrix it just concatenate the two paragraphs or remove all the blank lines from the text. If anybody having the solution plz help me.

  13. Thanx Thanx Thanx!!!!

    I’ve had lot’s of problem getting this to work. I’ve googled myself through half of the web and I’ve found many different and complicated sollutions, wich never helped me. But this post solved the problem for me once and for all. So easy! thanx again

  14. Works just fine, thanks. One question though: when Citrix runs in seamless mode, I can’t find how to switch back and forth between Citrix window and local PC (Ubuntu 8.04). Any idea? Is there, like VirtualBox, a special key to use before using CTRL right/left arrow?

  15. Hi Tor,
    Wondering if you can help me as well. I am trying to connect to my office remotely using a mac os x v10.4 via citrix ICA and get the following error message every time:

    ssl error 29: the socks 5 handshake failed. Error number: 183

    I have tried using both firefox v2.0 and safari v3.1 and the citrix blog is full of questions but short on solutions.
    Thanks!

  16. Thanks a lot! This seems to be the only place on the web where you find this solution although I would imagine that the problem is common! I’m running Ubuntu 8.04.

  17. I consider myself pretty proficient at systems, but this had me stumped!!!!

    Thanks for the post. Saw a lot of errors when I ran the command, but it works!!!!!!!!!!!!!

  18. Bloody Marvelous –

    As a company we have had no success it getting this to work – and I know of 3 people who have spent a lot of time following the copying of certificates etc etc

    We are not worthy ……..

    Thanks a lot

  19. @torh

    Had the same problem as Andy, used same solution, got same result: worked.

    on bended knee with tears of joy … I proclaim my gratitude!

  20. I don’t have a dir /ca-certificates/mozilla/*
    I do have:

    jss@suse11:/usr/lib/ICAClient/keystore/cacerts> ls
    BTCTRoot.crt Class4PCA_G2_v2.crt Pcs3ss_v4.crt
    Class3PCA_G2_v2.crt GTECTGlobalRoot.crt SecureServer.crt

    When I connect via Citrix nothing happens when I launch an app. It asks to save the ica file then nothing.

    Thoughts?

  21. Now I am running Jaunty Jackalope, and ver 11 of the ICA client, but I still get:

    Client Error: The SOCKS 5 handshake failed (SSL error 29)

    1. I don’t think this is a problem in the ICA client, as I can connect to one site, L, while I am unable to connect to another site, G, where I receive the SOCKS 5 handshake error. I am using Citrix client version 11.0-1 in openSUSE 11.1

      To make matters worse, I only receive the error when connecting over Internet, not when I am on-site and connect over their LAN. I am able to connect to L from the wireless network on-site in G’s offices, but not able to connect to G over the same connection.

      I reported the problem to the IT service desk of the company responsible for the solution. After a while I was called back, and they don’t have a solution. So far what he had found out was that this could be related to the server-side, where it seems this problem occurs only for the more recent version of the software.

      What I currently do is connect to L and then connect from there (Windows environment) to G – awkward, but it got me connected!

  22. Thank you. I can now get past error 61. However, I now get error 70 (expired certificate). Yes, the certificate has expired, but how can I tell the Linux client to go ahead and connect anyway? The Windows client gives a warning, but allows you to connect if you want.

    1. Same problem for me… My government employer seems reluctant to update their certificate for one of the systems they make us use. Fortunately my main role does not see me needing to access it much, so I can use Windows computers when I need to… But it’s still annoying.

      I have not found a way to bypass expired server certificates when using the Linux client.

  23. You star! I’ve been fiddling around for a couple of days now trying to get Citrix to work on Ubuntu. Now it does! :-)

  24. Thanks Tor. That was bugging me for a while. Downloading the certs for Equifax Secure Global from geotrust.com worked for 32 bit systems but it didn’t work on my amd64 system. This however solved the problem nicely thank you very much.

    Ken.

  25. Another vote of thanks. This worked in seconds after a couple of hours w other “tips”…
    Ubuntu 9.10
    Firefox 3.5.5
    Citrix Receiver for Linux

  26. You rock, I installed and configured Citrix and was able to log into my companies portal but when I lunched an app I’d get a Equifax cert error. I did all kinds of searches and could fins a solution until I came across this site.I did what you suggested about and coping everything to the ICA folder no Citrix works like a charm. Thanks so much

    Ubuntu 9.10
    Firefox 3.5.5

  27. Incredible. I too had spent at least a day trawling the net and reading many confusing and sometimes confused suggestions of how to resolve this.

    Thanks a million

  28. Thank you so much Tor – ‘t works like charm!
    Only wish I’d found your post earlier :-)
    Engelbert

  29. Same as some others — I wish I’d have found this first. This fixed the exact issue with certificates I have been having.

    Specifically: I’m running Ubuntu 10.04.1 LTS which I installed from the Minimal CD. I’ve added Firefox, openmotif & the Citrix Receiver from Linux. I had been receiving the “you have chosen not to trust blah blah .. ” error. This took care of it.

    THANK YOU.

    -R

  30. I was copying into $HOME/ICAClient/keystore/cacert since thats where I installed the client, But was still getting the error.
    Unknown to me there was already an installation in the /usr directory and it worked once I copied the certificates there.

    Thanks,
    parakram

  31. Hi,
    I was searching for solution of this problem for quite a long time and after following this blog i could actually fix this.
    Thanks and keep it up.

  32. I have a CA Cert unique to my company. It’s in DER format, and looks very similar to the other .crt files in keystore/cacerts/ when opened with a hex editor. But regardless, I still get Error 61 – ICAClient just won’t acknowledge my certificate. File permissions are ok. Any idea if there are

  33. Thanks so much for updating your post to match the latest citrix changes. The instructions are perfect. Cheers!

  34. Thanks much for your guidance. In Linux Mint 12, I had to slightly modify your command:

    sudo cp /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

    Note change to “usr” and “Citrix.” Again many thanks!

  35. In Fedora 17 the CA-certificates package puts files in /etc/pki/tls/certs/ so you probably need to copy from there.

    However, that didn’t help me. The certificate issuer I “have not chosen to trust” is not one of the big CAs. I have been given a file with the certificate – a binary file xxx.cer – but copying it into the ICAClient certificates directory doesn’t fix the problem. Is there a way to just turn off certificate checking?

    1. P.S. this site gives an example of using openssl tools to check the format of a certificate file and convert between formats: http://hintshop.ludvig.co.nz/show/citrix-certificate/

      The certificate file I am using is indeed DER format, the same as the existing files in /opt/Citrix/ICAClient/keystore/cacerts/, but copying it into that directory does not help. Just before the ‘you have not chosen to trust…’ message, the ICA client pops up some other message box with a long hex string (key signature?) but it disappears too fast to read it.

        1. The organization name in the certificate is “CE NIs” and I believe it is a self-signed certificate. I did get it working with an earlier version of the Citrix client on Linux just by copying the certificate file into the right directory.

Leave a Reply