Computing, Cycling, horticulture, other stuff

Linux citrix client ssl error 61 on Ubuntu 8.10 Intrepid Ibex

UPDATE 09/02/2010:
If you have mozilla installed on your system, then you already have all the CA certs you need.

The trick is to tell ICA Client where they are. It looks for the certs in:
/usr/lib/ICAClient/keystore/cacert

On my Ubuntu 9.10 system, the mozilla certs are in:
/usr/share/ca-certificates/mozilla/

My quick solution (making a backup of whatever you change first) was to simply point the ICA certs dir at the mozilla one and my citrix client started working immediately:

mv /usr/lib/ICAClient/keystore/cacert /usr/lib/ICAClient/keystore/cacert_old
cp /usr/lib/ICAClient/keystore/cacert_old/* /usr/share/ca-certificates/mozilla/
ln -s /usr/share/ca-certificates/mozilla /usr/lib/ICAClient/keystore/cacert

UPDATE 22/05/2009: Version 0.2 of my script is now up (see below), Thawte changed the subdirectory structure of their certificate zip file, the script now handles this and the documentation below has been updated to reflect the root certifictae zip file changes. I can also confirm that this fix works on Ubuntu 9.04 Jaunty Jackalope. :)

This issue has bugged me for a while. I use citrix to access my employer’s corporate network as part of my job. As a Ubuntu Linux user, it’s not currently easy to get citrix working out of the box, even with the new Ubuntu 8.10 release – Intrepid Ibex.

My main problem is the package provided by Citrix requires extra steps to get it working, specifically adding a root certificate to a certain directory so that you can avoid this error:

You have chosen not to trust "Thawte Premium Server CA", 
the issuer of the server's security certificate (SSL error 61).

linux citrix client ssl error 61 certificate

So getting the client software and installing it is fairly simple. But many people have run into this SSL error 61. The fix for this is to get the certificate file and put it in the right directory for the citrix client to find when you log onto citrix and run your citrix apps.

I’ve created a very simple bash script to perform this task. You can download it here:

http://geekpete.com/blog/code/fix_citrix_cert_v0.2.sh

Otherwise, these are the steps you can perform manually that I’ve found this to work with Ubuntu 8.10.

  1. Download https://www.verisign.com/support/thawte-roots.zip
  2. Extract ThawtePremiumServerCA.cer from the “Thawte SSLWeb Server Roots” directory inside the zip.
  3. Copy the cert file to /usr/lib/ICAClient/keystore/cacerts and make sure you rename it to .crt

Note: If you install the citrix client as your local user (rather than installing as root) then your certs directory will be /home/yourusername/ICAClient/linuxx86/keystore/cacerts so your ThawtePremiumServerCA.crt should go there instead.

What the linux community needs is the ability to package and redistribute the client themselves, such as Ubuntu packaging up a .deb (including build in install script to fetch the CA root cert from Thawte during install, or just including the cert in the package). There doesn’t appear to be any documentation on restrictions of redistributing the citrix client on the citrix site, but I did find this:

http://forums.citrix.com/thread.jspa?threadID=92623&tstart=0

Efforts to get the citrix client into the Ubuntu repositories:

https://blueprints.launchpad.net/ubuntu/+spec/citrix-client-multiverse

And here’s a pretty good install guide for citrix clien on Ubuntut:

http://ubuntuguide.org/wiki/Ubuntu:Feisty/CommercialApplications#How_to_Install_Citrix_ICAClient_10

Anyway, I hope my script has helped someone out there to get citrix working, let me know if it helped you. :)

-Pete.

Can you Digg it?:
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Sphinn
  • Pownce
  • Mixx
  • Reddit
  • Technorati
  • Slashdot
  • TwitThis
  • Furl
  • Live
  • Ma.gnolia
  • NewsVine
  • ThisNext
  • YahooMyWeb
  • BlogMemes
  • Fark
  • Yahoo! Buzz