Results 1 to 5 of 5

Thread: Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

  1. #1

    Post Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

    I am getting SSL Error 61 ("You have not chosen to trust … ") when running appications on my company's Citrix server using Firefox on OpenSUSE 13.1, with two different computers. In one, the Citrix client application is in /usr/lib/ICAClient/. In the other, it is in /opt/Citrix/ICAClient/, but with a symbolic link from /usr/lib/ICAClient/. Details and checks done are below.

    • The certificates are in /usr/share/pki/trust/, to which I have created a symbolic link from /usr/share/ca-certificates/mozilla/. These include the one that the error message claims not to be trusted (Verisign Class 3 G5)
    • In Edit → Preferences → Advanced → Certificates → View Certificates, the one I want is listed, and looks correct. All three "Trust settings" are ticked.
    • The directory …/ICAClient/keystore/cacerts/ contains symbolic links to all the certificates in /usr/share/ca-certificates/mozilla/.
    • The server validates according to http://www.sslshopper.com/ssl-checker.html.
    • The applications run under Windows.
    • They used to run under OpenSUSE 12.3. They did not initially, but did after I ensured there were links to the certificates in the correct places. The same procedure did not work under OpenSUSE 13.1.

    So is there anything else I need to check and correct to make it work? Or is it a problem with the server? If so, then what do I need to tell my company's IT servicedesk to do (I have no admin access to the server)?

    Thanks

    Alex

  2. #2
    Join Date
    Oct 2012
    Location
    India
    Posts
    332

    Default Re: Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

    Could you please post the complete error.

    If you are getting a certificate related error then you need to download that certificate and copy that to cacerts directory in /opt/Citrix/ICAClient/keystore/cacerts and run update-ca-certificates and reboot.

  3. #3

    Arrow Re: Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

    Quote Originally Posted by nishanth9042 View Post
    Could you please post the complete error.
    Here it is:
    SSL Error

    Contact your help desk with the following information:
    You have not chosen to trust "Verisign Class 3 Public Primary Certification Authority - G5", the issuer of the server's security certificate (SSL error 61).
    Quote Originally Posted by nishanth9042 View Post
    If you are getting a certificate related error then you need to download that certificate and copy that to cacerts directory in /opt/Citrix/ICAClient/keystore/cacerts and run update-ca-certificates and reboot.
    There is VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem in /opt/Citrix/ICAClient/keystore/cacerts, so the certificate is definitely there. I have run update-ca-certificates and rebooted, still getting the same error.
    I don't know how relevant this is, but I got the following error message when running update-ca-certificates:
    Code:
    alex@tosh:~> sudo /usr/sbin/update-ca-certificates 
    root's password:
    p11-kit: invalid basic constraints certificate extension
    p11-kit: 'node != NULL' not true at lookup_extension
    ×4

  4. #4
    Join Date
    Jul 2008
    Location
    Sweden
    Posts
    170

    Default Re: Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

    A while ago I hade a similar error, maby the same, can't remember. I had to convert from one type (.pem certs) of certs to the other (.crt certs) and used this code to convert (place yourself in right folder (/usr/share/ca-certificates/mozilla/). My Citrix is 12.1.0

    Code:
    for file in *.pem ; do openssl x509 -outform der -in "$file" -out "$(echo "$file" | sed 's/\.pem/\.crt/')" ; done
    That solved it for me that time.

  5. #5

    Thumbs up Re: Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

    Quote Originally Posted by quinness View Post
    A while ago I hade a similar error, maby the same, can't remember. I had to convert from one type (.pem certs) of certs to the other (.crt certs) and used this code to convert (place yourself in right folder (/usr/share/ca-certificates/mozilla/). My Citrix is 12.1.0

    Code:
    for file in *.pem ; do openssl x509 -outform der -in "$file" -out "$(echo "$file" | sed 's/\.pem/\.crt/')" ; done
    That solved it for me that time.
    Thanks, that worked for me as well, although I also had to symlink them from the /opt/Citrix/ICAClient/keystore/cacerts directory

    Code:
    cd /opt/Citrix/ICAClient/keystore/cacerts
    for a in `ls /usr/share/ca-certificates/mozilla/*.crt`; do ln -s $a ; done

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •