
SSL Error 61 using Citrix ICA Client on Linux

You have chosen not to trust “Thawte Premium Server CA”, the issuer of the server’s security certificate (SSL error 61).

If you hit this infuriating error, which seems to be common, it means that your particular Citrix endpoint (what you’re connecting to with the Citrix client) is using a certificate that the client doesn’t trust. The client doesn’t trust it probably because Citrix didn’t bundle a new or full enough set of root certificates with the client.

The fix is to get the client using an existing set of root certificates, and I found that the easiest way to achieve this is to symlink to the Mozilla Firefox certificates. This way, if those certs are updated, the Citrix client will continue pointing to them.

NOTE: This guide is a re-post from many years ago, so details most probably have changed and need updating. I’ve posted this up again as there are so many links to this guide that are still receiving active traffic, so the problem must still be bugging many people. The guide was originally written and tested on Ubuntu 8.10.

My quick solution (making a backup of whatever you change first) was to simply point the ICA certs dir at the Mozilla one, and my Citrix client started working immediately:

sudo mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts_old
sudo cp /opt/Citrix/ICAClient/keystore/cacerts_old/* /usr/share/ca-certificates/mozilla/
sudo ln -s /usr/share/ca-certificates/mozilla /opt/Citrix/ICAClient/keystore/cacerts

One caveat: the install location of the Citrix client, and with it the cacerts location, may differ depending on the distro and version of Linux and the version of the Citrix installer.

ICA Client might install to one of these locations depending on install method and version:

/opt/ICAClient/
/usr/lib/ICAClient/
/home/XXX/ICAClient/linuxx86/ - (where XXX is your user home)

and so your Citrix client’s cacerts dir would be located in keystore/cacerts/ inside whichever of the above locations your Citrix client installed to.

Mozilla CACerts should be located at the following location but may differ per distro:

/usr/share/ca-certificates/mozilla/
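
The following shell script is an added example, not part of the original post. It looks for keystore/cacerts under the install locations listed above and flags files in it that are not world-readable or lack a PEM header; the function names and the two checks are this example's own assumptions about what to look for.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.

# Print the first existing <root>/keystore/cacerts among the given roots.
find_cacerts() {
    local root
    for root in "$@"; do
        if [ -d "$root/keystore/cacerts" ]; then
            printf '%s\n' "$root/keystore/cacerts"
            return 0
        fi
    done
    return 1
}

# Print "<reason>: <file>" for each file in DIR the client is unlikely to load.
audit_cacerts() {
    local dir f
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # No read bit for "other": a client run by a normal user cannot open it.
        if [ -z "$(find -L "$f" -perm -004)" ]; then
            printf 'not-world-readable: %s\n' "$f"
        fi
        # No PEM header: probably DER-encoded and needs converting first.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            printf 'not-pem: %s\n' "$f"
        fi
    done
    return 0
}

# Install roots named in the post; adjust for your distro and installer.
if cacerts=$(find_cacerts /opt/Citrix/ICAClient /opt/ICAClient \
        /usr/lib/ICAClient "$HOME/ICAClient/linuxx86"); then
    if [ -L "$cacerts" ]; then
        printf 'cacerts is a symlink to %s\n' "$(readlink "$cacerts")"
    fi
    audit_cacerts "$cacerts"
else
    echo 'no ICAClient keystore found in the listed locations' >&2
fi
```
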

I’m still investigating the following error codes if anyone wants to help out:

SSL Error 26
SSL Error 47

 


22 Comments

  1. I have also solved the SSL error 61 problem like you, but now when I got SSL error 26 it turns out the directory /usr/share/ca-certificates/mozilla doesn’t exist.

    In openSUSE 13.1 the location has changed to /usr/share/pki/trust

    Fixing that brought me back to SSL error 61 (You have not chosen to trust “AddTrust External CA Root”…) Here we go again…

    • You could add the root CA certificate that your citrix endpoint’s ssl certificate is signed by to the /usr/share/pki/trust/whatever root ca certificate. Have you tried that?

  2. Sorry about not coming back to you on this sooner, I probably didn’t turn on notifications for comments. I can’t recall now how I solved that issue, but I recently got the issue back – and you seem to be the definitive authority on this issue since I always come back here via Google 🙂

    I have updated to Citrix Receiver 13.0 – but I am not sure if that is why I got the issue. I believe not. Anyway, I updated to Receiver 13.1 (on openSUSE 13.1) using the tar.gz download for 64-bit installations as recommended by Citrix. It all worked fine, although I had to install one 32-bit library.

    I then downloaded the AddTrust External CA Root certificate from Comodo – and that revealed that the one I had copied from /usr/share/pki/trust was not the correct one. The name of the one I had copied was AddTrust_External_Root.pem while the new file is addtrustexternalcaroot.crt – and I converted it to PEM format using a single command:
    openssl x509 -in addtrustexternalcaroot.crt -out AddTrust_External_CA_Root.pem -outform PEM

    Credit goes to http://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem for the above one-liner.

    • Hi everyone

      OpenSuse 13.1, Citrix Receiver 13.1

      Actually, what worked for me was a mixed solution + something 🙂
      I had “SSL error 61” with certificate “DigiCert_High_Assurance_EV_Root_CA”.
      What I’ve done is the following:
      1 – Applying the quick solution of Pete (with the correct file locations, for me /usr/share/pki/trust for Mozilla)
      2 – Converted the *.pem certificate (already present in the folder /usr/share/pki/trust) with the command suggested from Kjetil, but from a *.pem (not a *.crt) file to another *.pem file (I thought the result should be just a copy of the file, but it is not)
      3 – run the command “ctx_rehash” under the folder “util” of “ICAclient”. In a terminal one should see that the result should be the creation of 2 new files with extension *.0

      Thanks for the help, now I can work from home!! 🙂 ….. 🙁 oh no…now I think it’d have been better not to have found the solution….

  3. A similar issue has come up now, except now it is because the client does not support SHA2.
    The error is more or less the same, but if you google that error you will not find the correct solution.
    The solution is to install the latest icaclient, 13.1
    I post this here so others can spend a little less time googling for the correct solution than I did.

    • Hi Steini,

      That sha256 is certainly a gotcha, thanks for the info, I’ll try to get my post updated to reflect this info soon.

      SHA256 certs will become much more of a problem for older software within the next year or so when Google start showing SHA-1 certs as insecure with no lock.

  4. Works with 15.04. Great indeed. Thanks.
    As has been said, take out those erroneous spaces:
    before /cacerts_old
    and before /mozilla/
    and you’re done.

  5. A.W.E.S.O.M.E…..thank you so much. I can’t tell you how many times I attempted the Citrix solution, including importing the root cert. Yours did the trick.

  6. I previously tried to install Citrix Receiver on my Linux Mint computer. And it worked. Now they changed something at the office and I had to install a new version. It seemed that I was successful………but no I wasn’t. 🙁
    Now, when I try to login I got the message:
    “Enter your work email or server address provided by your IT department” So what is the problem?

    • Hey Nol,

      Not sure on this one, I haven’t actually tried any of the latest citrix clients for linux.

      Maybe I should test again, I do need a remote citrix server to test against though.

  7. Using everyone’s advice I found another solution that may be a little ‘cleaner’:
    Following are steps on CentOS 7 (Fedora and RedHat):

    If you start in your /home/[user name]/Downloads/
    sudo ln -s /usr/share/pki/* /opt/Citrix/ICAClient/keystore/cacerts/
    (on the newest ver. of FireFox)

    wget http://www.symantec.com/content/en/us/enterprise/verisign/roots/roots.zip

    unzip roots.zip
    #Unzip it right to my current directory

    cd VeriSign\ Root\ Certificates/
    pwd
    Verify you are where you should be

    sudo mv /home/{user_name}/Downloads/VeriSign\ Root\ Certificates/* /usr/share/pki/*

    If you started in your home directory and the download section, you shouldn’t have to change much but this immediately got me going. Now if I have future certificate problems, I can just drop them into /usr/share/pki/*

  8. I had this error, downloaded the certificate using my browser, moved it into the certs directory and ran c_rehash, and it still didn’t work. Then I tried the steps above (copying the certificates into /etc/ssl/certs and running c_rehash there, renaming the cacerts directory and linking it to /etc/ssl/certs) and it still didn’t work. Finally I realised that the certificate files (saved by the browser) had restrictive permissions and ordinary applications couldn’t read them. After I chmodded them to world-readable (chmod a+r) I was able to connect fine with Citrix Receiver for the first time from Linux!

    • Thanks for your comment Chris, I’m sure many others will benefit from your hard work finding this little gotcha!

      -Pete

  9. For me the key was the ctx_rehash. I copied and copied and copied files to the /opt/Citrix/ICAClient/keystore/cacerts folder. None of what I did seemed to make any difference in the behavior of Citrix. It still would give me certificate warnings. Eventually I googled onto a post talking about the utility ctx_rehash. Running the utility ctx_rehash as root (sudo) prompted the creation of what appears to be randomly named .0 files. After this I reopened the Citrix Receiver application and received no certificate errors.