Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

I am getting SSL Error 61 ("You have not chosen to trust … ") when running applications on my company’s Citrix server using Firefox on OpenSUSE 13.1, with two different computers. In one, the Citrix client application is in /usr/lib/ICAClient/. In the other, it is in /opt/Citrix/ICAClient/, but with a symbolic link from /usr/lib/ICAClient/. Details and checks done are below.

  • The certificates are in /usr/share/pki/trust/, to which I have created a symbolic link from /usr/share/ca-certificates/mozilla/. These include the one that the error message claims not to be trusted (Verisign Class 3 G5)
  • In Edit → Preferences → Advanced → Certificates → View Certificates, the one I want is listed, and looks correct. All three “Trust settings” are ticked.
  • The directory …/ICAClient/keystore/cacerts/ contains symbolic links to all the certificates in /usr/share/ca-certificates/mozilla/.
  • The server validates according to http://www.sslshopper.com/ssl-checker.html.
  • The applications run under Windows.
  • They used to run under OpenSUSE 12.3. They did not initially, but did after I ensured there were links to the certificates in the correct places. The same procedure did not work under OpenSUSE 13.1.

So is there anything else I need to check and correct to make it work? Or is it a problem with the server? If so, then what do I need to tell my company’s IT service desk to do (I have no admin access to the server)?

Thanks

Alex

Could you please post the complete error?

If you are getting a certificate related error then you need to download that certificate and copy that to cacerts directory in /opt/Citrix/ICAClient/keystore/cacerts and run update-ca-certificates and reboot.

Here it is:

SSL Error

Contact your help desk with the following information:
You have not chosen to trust “Verisign Class 3 Public Primary Certification Authority - G5”, the issuer of the server’s security certificate (SSL error 61).

There is VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem in /opt/Citrix/ICAClient/keystore/cacerts, so the certificate is definitely there. I have run update-ca-certificates and rebooted, still getting the same error.
I don’t know how relevant this is, but I got the following error message when running update-ca-certificates:

alex@tosh:~> sudo /usr/sbin/update-ca-certificates 
root's password:
p11-kit: invalid basic constraints certificate extension
p11-kit: 'node != NULL' not true at lookup_extension
×4

A while ago I had a similar error, maybe the same, can’t remember. I had to convert from one type (.pem certs) of certs to the other (.crt certs) and used this code to convert (place yourself in the right folder, /usr/share/ca-certificates/mozilla/). My Citrix is 12.1.0

for file in *.pem ; do openssl x509 -outform der -in "$file" -out "${file%.pem}.crt" ; done

That solved it for me that time.

Thanks, that worked for me as well, although I also had to symlink them from the /opt/Citrix/ICAClient/keystore/cacerts directory

cd /opt/Citrix/ICAClient/keystore/cacerts
for a in /usr/share/ca-certificates/mozilla/*.crt; do ln -s "$a" ; done
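
An added example, not written by any poster in this thread: a read-only shell check of a certificate directory such as the /opt/Citrix/ICAClient/keystore/cacerts path mentioned above, reporting dangling symlinks and whether each file is actually PEM or DER. The function names are hypothetical, and treating .pem as PEM and .crt as DER is an assumption taken from the naming used in the thread, not documented Citrix behaviour.

```sh
#!/bin/sh
# Added example: audit a certificate directory without modifying it.

# classify_cert FILE -> prints one of: dangling, pem, der, unknown
classify_cert() {
    f=$1
    # A symlink whose target is missing still shows up in a directory listing.
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo dangling; return
    fi
    # PEM is base64 text wrapped in BEGIN/END CERTIFICATE markers.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem; return
    fi
    # A DER certificate starts with an ASN.1 SEQUENCE tag, byte 0x30.
    first=$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$first" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# audit_keystore DIR -> one line per entry: "<kind> <name>[ (note)]"
audit_keystore() {
    dir=$1
    for f in "$dir"/*; do
        # Keep dangling symlinks in the report; skip an unmatched glob.
        [ -e "$f" ] || [ -L "$f" ] || continue
        kind=$(classify_cert "$f")
        name=${f##*/}
        note=
        # Assumption: .pem names hold PEM and .crt names hold DER, as in the thread.
        case "$kind:$name" in
            pem:*.crt) note=' (PEM content under .crt name)' ;;
            der:*.pem) note=' (DER content under .pem name)' ;;
        esac
        printf '%s %s%s\n' "$kind" "$name" "$note"
    done
}

# Usage: sh audit.sh /opt/Citrix/ICAClient/keystore/cacerts
if [ $# -gt 0 ]; then
    audit_keystore "$1"
fi
```
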