An SSL connection to the server couldn't be established error in Citrix Workspace App for Linux

Case

In the Citrix Workspace App for Linux client (previously named Citrix Receiver), you receive the following error when you try to connect to the Citrix Storefront or Citrix Gateway server: "Your account cannot be added using this server address. Make sure you entered it correctly. An SSL connection to the server couldn't be established because the server's certificate was not trusted."

A similar error may be encountered in local clients other than the Citrix Workspace App.

Solution

The most likely cause of this error is that your Citrix Storefront or Citrix Gateway server is using a self-signed certificate, or a public CA certificate whose root CA certificate is not trusted by your local endpoint. To establish trust in the root CA of the server's SSL certificate, you need to ensure that the full certificate chain is imported into your client. The SSL certificate chain includes the intermediate and root certificates, which must be present in the local endpoint's SSL certificate store (computer/user). One common example of this issue arises with Let's Encrypt certificates. The Let's Encrypt root and intermediate CA certificates are in some cases not imported by default in the client operating system, for example on various Linux distributions or Mac OS X machines.

Local clients other than Citrix Workspace App for Linux

To resolve the error, first retrieve all the root and intermediate CA SSL certificates and then import them into your Linux client's certificate store. In the case of Let's Encrypt, these certificates can be found at: https://letsencrypt.org/certificates/. Download the root and intermediate certificates (choose Active certificates), which must be in .pem format for a Linux import.

Run the following commands on Debian-based Linux distributions to import the .pem certificates into the SSL certificate store under /usr/local. This folder is the equivalent of the SSL certificate user store of Windows.

sudo apt-get install -y ca-certificates
sudo cp myPEMCAcert.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

In the following example three (3) Let's Encrypt certificates are added:

It is imperative that all imported certificates are in PEM format but with the .crt file extension.

If you have a .der certificate, you can run the command below to convert it to .pem format (with the .crt extension):

sudo openssl x509 -inform der -outform pem -in mycert.der -out mycert.crt

Citrix Workspace App for Linux client

If you receive the SSL error in the Citrix Workspace App for Linux client, follow the procedure below.

  • Download the full Let's Encrypt or other public CA certificate chain as explained above and save every certificate with the .crt file extension.
  • Switch to the root user and copy the .crt CA certificate file to the /opt/Citrix/ICAClient/keystore/cacerts/ folder. This folder is the equivalent of the SSL certificate computer store in Windows. Run the following commands:
  • Make sure the CA certificate file is owned by the root user and group, and that it has -rw-r--r-- (644) file permissions.
  • Run /opt/Citrix/ICAClient/util/ctx_rehash

Please note that the location of /opt/Citrix/ICAClient/keystore/cacerts/ and /opt/Citrix/ICAClient/util/ctx_rehash may vary depending on the distribution and on where you installed Citrix Workspace App for Linux. The above commands and locations assume an Ubuntu Linux distribution with the Citrix Workspace App directory being /opt/Citrix/ICAClient/.

For further troubleshooting of Citrix Workspace App client for Linux issues, refer to the Sources section below. You can also refer to my "Citrix Virtual Apps and Desktops Troubleshooting" e-book.
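
The keystore procedure above as a single shell function (an added example, not part of the original article and not Citrix code): it rejects files that lack the .crt extension or are not PEM, copies the rest into the keystore with 644 permissions, and runs ctx_rehash. The function name install_citrix_ca is hypothetical, and the ICAROOT variable defaulting to /opt/Citrix/ICAClient is an assumption based on the paths used in this article.

```shell
# Added example: import CA certificates into the Citrix Workspace App keystore.
# ICAROOT defaults to the install directory this article assumes (assumption:
# override it if your distribution installs the client elsewhere).
ICAROOT="${ICAROOT:-/opt/Citrix/ICAClient}"

# install_citrix_ca FILE...   (hypothetical helper name)
# Copies each PEM-encoded .crt file into $ICAROOT/keystore/cacerts with mode
# 644, owned by root when run as root, then runs ctx_rehash if it is present.
# Returns non-zero if the keystore is missing or any file was rejected.
install_citrix_ca() {
    keystore="$ICAROOT/keystore/cacerts"
    rehash="$ICAROOT/util/ctx_rehash"
    rc=0

    [ -d "$keystore" ] || { echo "keystore not found: $keystore" >&2; return 2; }

    for f in "$@"; do
        case "$f" in
            *.crt) ;;
            *) echo "skip $f: needs the .crt extension" >&2; rc=1; continue ;;
        esac
        # A PEM certificate is text carrying this armor line; DER is raw binary.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "skip $f: not a readable PEM file (convert DER first)" >&2
            rc=1; continue
        fi
        dest="$keystore/$(basename "$f")"
        # install sets the permission bits regardless of the source file's mode.
        install -m 644 "$f" "$dest" || { rc=1; continue; }
        if [ "$(id -u)" -eq 0 ]; then
            chown root:root "$dest" || rc=1
        fi
    done

    # Re-run ctx_rehash so the client picks up the new CA files.
    if [ -x "$rehash" ]; then
        "$rehash" || rc=1
    fi
    return "$rc"
}

# Usage (as root): install_citrix_ca ./my-root-ca.crt ./my-intermediate-ca.crt
```

A non-zero return code means at least one file was skipped or could not be copied; the reason for each is printed to stderr.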

Sources

https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/troubleshooting.html

https://letsencrypt.org/certificates/

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

https://community.letsencrypt.org/t/production-chain-changes/150739

https://support.citrix.com/article/CTX231524
