Can't get Citrix Workspace on Linux to work with Ubuntu 20.04

Hi, yesterday I downloaded Citrix Workspace (latest version) for Linux on my Ubuntu 20.04 desktop. I tried .deb then .rpm then finally .tar. I connected yesterday then it suddenly cut out and work had a message saying in December Citrix was updated. So I updated mine.

However, as soon as I downloaded it, when I tried to connect to “dreams” and Citrix came up, I got this message:

“SSL error - contact your help desk with the following information - You have not chosen to trust “Digicert High Assurance EV Root CA”, the issuer of the server’s security certificate (SSL error 61)”

I then called my work’s IT help desk and they could not help me saying that this is a Citrix and Linux issue, beyond their capability. I tried contacting Citrix help desk and they said to contact my work help desk.

Troubleshooting steps:

  1. I rebooted my machine

  2. I tried installing Citrix Workspace for Linux debian version, rpm version then tarballs version, which seems to at least get me to a login. Debian and rpm versions did not work at all.

  3. I tried going to my Ubuntu Terminal and typing the command: “sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts” but this resulted in at least a hundred error messages in terminal saying:
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_ECC_Certification_Authority.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.crt’: File exists

  4. I tried using different browsers, i.e. Mozilla Firefox, Chrome, then Brave. But Mozilla and Chrome showed the same SSL error 61 message and Brave only downloaded a certificate into a word-type document. Not sure what that means.

  5. I tried deleting the latest Citrix Workspace 2112 for Linux and downloading Citrix Receiver in tar format, but that only gave me an error message: “Cannot connect to 0.0.0.2 - Windows 10”. So I reverted back to Citrix Workspace for Linux.

  6. I tried downloading some of your certificates, but I still get SSL error 61 message blocking me.

Hi Jubileevdsl,

Welcome to our forums.

I am by no means a Citrix Workspace expert, but let’s see what we can find out. Please run the following in your Ubuntu terminal:

$ sudo ls -al /opt/Citrix/ICAClient/keystore/cacerts/

And share the results with us. This step should show us what Certificate Authorities your client is configured to trust (or at least their filenames), and where they are in your filesystem.

Hi

sudo ls -al /opt/Citrix/ICAClient/keystore/cacerts/

This is what I got back:

lrwxrwxrwx 1 root root 58 Jan 15 12:39 TWCA_Global_Root_CA.crt → /usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
lrwxrwxrwx 1 root root 72 Jan 15 12:39 TWCA_Root_Certification_Authority.crt → /usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root 67 Jan 15 12:39 UCA_Extended_Validation_Root.crt → /usr/share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt
lrwxrwxrwx 1 root root 57 Jan 15 12:39 UCA_Global_G2_Root.crt → /usr/share/ca-certificates/mozilla/UCA_Global_G2_Root.crt
lrwxrwxrwx 1 root root 76 Jan 15 12:39 USERTrust_ECC_Certification_Authority.crt → /usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root 76 Jan 15 12:39 USERTrust_RSA_Certification_Authority.crt → /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root 86 Jan 15 12:39 VeriSign_Universal_Root_Certification_Authority.crt → /usr/share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root 59 Jan 15 12:39 XRamp_Global_CA_Root.crt → /usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt

I typed this also:

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

I get the following messages in Terminal:
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/T-TeleSec_GlobalRoot_Class_2.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/T-TeleSec_GlobalRoot_Class_3.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TWCA_Global_Root_CA.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TWCA_Root_Certification_Authority.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/UCA_Extended_Validation_Root.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/UCA_Global_G2_Root.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_ECC_Certification_Authority.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/VeriSign_Universal_Root_Certification_Authority.crt’: File exists
ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/XRamp_Global_CA_Root.crt’: File exists

On 20/1/22 01:21, sandmann via Linux Config Forum wrote:

This may be a permission issue. Can you read the certificates as the normal user you run the Workspace with? You can check this by running something like:

$ cat /usr/share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt

If you can read it, you would get some base64 encoded certificate (in that case, don’t paste it here). If there is an issue, you would get an error message, “permission denied” most likely. The default permissions would let you read these, but let’s just move this possibility out of the way.

Ok I inputted that command and it came back with a long series of letters and numbers - no permission denied message.

Those are great results. My next tip may be a bit tricky, but could work out of the box.

First, download the latest Workspace app for Linux in tarball format. Extract it to some temporary directory where it does not affect anything, or just use a GUI app to browse the contents. What you’ll need is the contents of the subdirectory linuxx64/linux64.cor/keystore/cacerts within the archive.

Now create a backup from your /opt/Citrix/ICAClient/keystore/cacerts directory, before making any changes on it. Close the Workspace app beforehand if it is running.

Copy the certificate files obtained from the archive into the /opt/Citrix/ICAClient/keystore/cacerts/ directory (only the files, no directory). Since the archive contains .pem files and you have .crt files linked, there should be nothing overwritten, only added.

Now it is time to test your application and see if it can read the certificates added and is thus able to create a secure connection to the server.

Hi
Thanks for the above instructions. I checked /opt/Citrix/ICAClient/keystore/cacerts and it has all the certs from the latest download in linuxx64/linux64.cor/keystore/cacerts. I tried testing the application and I still get the same error message. SSL error 61. I can't connect.

@jubileevdsl

According to this page, the administrator of your service provider has to upgrade the certificates that are installed on the server, otherwise your upgraded client will try to match the newer certificates installed on your machine with the older certificates on the server and this will return that aforementioned SSL error 61.

If you uninstall Citrix Workspace 2112, then go to the Citrix Workspace App download page, download and install the older-but-functional version that you were previously using (e.g. version 2109, 2108, 2106…), and then your Citrix Workspace client app works again, then you have the confirmation that the administrator of your service provider definitely has to upgrade the certificates that are installed on the server.

The whole reason I upgraded my Citrix to Workspace 2112 is because the previous version stopped working. It just cut out on me - no error message. The message on my work help desk was that I needed to upgrade my “dreams” connection, i.e. Citrix, which I then did, but then started getting SSL error messages and Citrix not connecting.

@jubileevdsl

Either your work’s IT help desk (if they’re the ones responsible for keeping the Citrix server/receiver up and running) or the Citrix help desk is mistaken. Based on the previously mentioned article, your work’s IT help desk is the one to blame, here. Maybe they (for whatever reason) are unable to update the server certificate (or they may have changed some certificate files to client-unmatching versions, since you mentioned that your former client install stopped working) and, therefore, told you that this issue is beyond their capability, even though it’s up to them to be capable of solving this issue and they (not you – i.e. assuming that you’re an end-user) are the ones that must go through the hassle of contacting the Citrix help desk and working this out with the Citrix staff.

I’m under the impression that changing your local files and configurations won’t solve this because this isn’t client-related but server-related.

@jubileevdsl

Assuming that I might be wrong about my previous statement, I’m going to suppose here that there’s something actually wrong involving the certificates in your local install, so if it’s fixed then it accesses the remote Citrix service.

There’s a missing / character at the end of the cacerts string. The command that should work is this:

sudo ln -sf /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

Also, run the command below to make sure that all certificates under /usr/share/ca-certificates/ are trusted by Ubuntu:

sudo dpkg-reconfigure ca-certificates

The command above will take you to a window where you will be asked to either trust all found certificates, do not trust them, or let the utility ask you one by one. I recommend selecting the “ask me” option and then marking (i.e. trusting) all certificates under mozilla/.

On Firefox, you may access the about:preferences#privacy address, then click on View Certificates... → Authorities → Digicert High Assurance EV Root CA → Edit Trust... and mark/select all boxes, click OK and then on OK again.

I also downloaded the tarball package available for version 2112 and extracted its content. There’s a file there (linuxx64.psf) whose contents have some config lines pointing to keystore/cacerts/DigiCert*.pem i.e. several certificate public key (e.g. .pem) files under /opt/Citrix/ICAClient/keystore/cacerts/.

Hence, I’m under the impression that your client Citrix install may be expecting the .pem files in /etc/ssl/certs/ to be found under /opt/Citrix/ICAClient/keystore/cacerts/, thus I think it might be useful to symbolically link them to that same folder, i.e.:

sudo ln -sf /etc/ssl/certs/* /opt/Citrix/ICAClient/keystore/cacerts/

That same .psf file indicates that it expects those certificates under /opt/Citrix/ICAClient/keystore/cacerts/ to belong to the sys group, so it doesn’t hurt to change their group to sys:

sudo chgrp -R sys /opt/Citrix/ICAClient/keystore/cacerts/*

If you perform all the above steps, restart your computer, but the same issue remains, then it’s even less likely that your client install is the problem and even more likely that it’s indeed a server-related issue.
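
A read-only check of the keystore directory this thread keeps editing, given here as an added example (not posted by anyone in the thread and not Citrix tooling): for each entry it reports whether a symlink is dangling, whether the file is readable, and whether it is PEM, and it shows the certificate subject when the openssl CLI is installed. The function names and the constructed sample directory are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of a CA keystore directory.
# One tab-separated line per entry: STATUS, file name, subject (or "-").
#   PEM        readable and contains a PEM certificate header
#   NOT_PEM    readable but no PEM header (DER file, saved web page, ...)
#   UNREADABLE present, but the current user cannot read it
#   DANGLING   symlink whose target no longer exists
audit_keystore() {
    local dir="${1:-/opt/Citrix/ICAClient/keystore/cacerts}"
    local f name status subject
    for f in "$dir"/*; do
        name=${f##*/}; subject=-
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            status=DANGLING
        elif [ ! -f "$f" ]; then
            continue    # unmatched glob or subdirectory
        elif [ ! -r "$f" ]; then
            status=UNREADABLE
        elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            status=PEM
            if command -v openssl >/dev/null 2>&1; then
                subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || subject=-
            fi
        else
            status=NOT_PEM
        fi
        printf '%s\t%s\t%s\n' "$status" "$name" "${subject:--}"
    done
}

# issuer_present DIR PATTERN: succeeds when a usable (PEM) entry's file name
# or subject matches PATTERN, case-insensitively.
issuer_present() {
    audit_keystore "$1" | grep -i -- "$2" | grep -q '^PEM'
}

# Constructed sample keystore for trying the functions offline.
# The file contents are placeholders, not real certificates.
make_sample_keystore() {
    local d; d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$d/DigiCert_High_Assurance_EV_Root_CA.pem"
    printf 'saved web page, not a certificate\n' > "$d/downloaded_cert.crt"
    ln -s "$d/missing_target.crt" "$d/Removed_Root.crt"
    printf '%s\n' "$d"
}
# Usage: audit_keystore; issuer_present /opt/Citrix/ICAClient/keystore/cacerts 'digicert.high.assurance'
```

Run it as the same user that launches Workspace, so that UNREADABLE reflects that user's permissions rather than root's.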