You have not chosen to trust "GeoTrust TLS RSA CA G1" when Mac users try to launch Published App in Citrix.

jnordeng
We are running Netscaler MPX9700 FIPS devices (11.1.57) with StoreFront to access our XenApp 6.5 and new XenApp 7.15 environments.  I have found recently that our Mac users are getting the following message "You have not chosen to trust "GeoTrust TLS RSA CA G1", the issuer of the server's security certificate" when trying to launch a published app.  PC users are not having this issue with Chrome, Internet Explorer or Firefox.  Mac users, on the other hand, see this issue if using Chrome.  They are using version 1912 of Citrix Workspace.

The Mac users are able to get around this message by installing the certificates in their browser.  From reading, this is something I need to address on the Netscaler rather than users having to address something on their side.  I believe our PC users will receive the same message when they move to a newer Workspace client.  We are currently using Receiver 14.12 on the PC side.

I'm looking for more information as the Certs on the Netscaler are not showing a missing path and can't determine what is missing.

Thanks for any help to point us in the right direction.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Maybe one of the intermediate certificates is missing (or not linked) on the ADC.
Go to https://www.digicert.com/help/ and enter your FQDN. It will check the certificate chain to see if it's complete.
You can also check for SSL vulnerabilities at the same time (e.g. did you disable SSLv3?).

Author

Commented:
Aw, good call.  It showed me this: "The server is not sending the required intermediate certificate.
In most cases, solving this problem in Apache is as simple as adding "SSLCertificateChainFile /path/to/DigiCertCA.crt" to your apache configuration file after/near your SSLCertificateFile line.

You can find the missing intermediate in the zip file containing your certificate, or download it from your customer account area.

Follow the directions on our certificate installation guide to install the missing intermediate.

If you have any problems correcting this issue, please contact our helpful support team and we would be happy to assist."

Thanks, I'll try that.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
You should upload the intermediate certificates into the CA Certificates section of the ADC.
You then need to link your server certificate to the intermediate certificate.
If you uploaded the correct intermediate cert, it should come up automatically when you select your server certificate and click Link...
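To make the two points above concrete (the chain check the DigiCert tool performs, and why linking the intermediate on the ADC fixes it), here is an added example that is not from the thread, from Citrix or from DigiCert. It builds a throwaway root / intermediate / leaf chain with openssl and verifies the leaf the way a client does: first with only the leaf presented (the unlinked case the checker flagged) and then with the intermediate presented alongside it (what linking achieves on the ADC). The CA names, gateway.example.com and the file names are made up, and nothing here touches a real ADC.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain and show that a client which trusts only the root fails to verify the leaf
# when the server omits the intermediate, and passes once the intermediate is sent.
# All names are invented; the temp directory is left behind for inspection.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

gen_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# 1. Root CA, self-signed: this is what lives in the client's trust store.
gen_key root.key
openssl req -x509 -new -key root.key -days 30 -subj "/CN=Example Test Root" -out root.crt

# 2. Intermediate CA, signed by the root: the analogue of "GeoTrust TLS RSA CA G1".
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
gen_key inter.key
openssl req -new -key inter.key -subj "/CN=Example Test Intermediate" -out inter.csr
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.crt

# 3. Leaf (server) certificate, signed by the intermediate: the gateway certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gateway.example.com\n' > leaf.ext
gen_key leaf.key
openssl req -new -key leaf.key -subj "/CN=gateway.example.com" -out leaf.csr
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.crt

# Validate the leaf the way a client does: trust only the root, and take any extra
# certificates from what the server presents. $1 = leaf, $2.. = certificates sent
# alongside it (none when the intermediate is not linked on the server).
verify_served_chain() {
  leaf=$1; shift
  if [ $# -eq 0 ]; then
    openssl verify -CAfile root.crt "$leaf" >/dev/null 2>&1
  else
    cat "$@" > served_extra.pem
    openssl verify -CAfile root.crt -untrusted served_extra.pem "$leaf" >/dev/null 2>&1
  fi
}

# Is certificate $2 the direct issuer of $1? (its subject equals $1's issuer)
# This is the match that tells you which uploaded CA certificate to link to.
issued_by() {
  iss=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[^=]*=//')
  sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^[^=]*=//')
  [ "$iss" = "$sub" ]
}

# Server sends only the leaf: the client cannot build a path to its trusted root.
if verify_served_chain leaf.crt; then
  echo "unlinked: verify OK (unexpected)"
else
  echo "unlinked: verify fails (client has no path from leaf to root)"
fi
# Server sends leaf plus the linked intermediate: the path is complete.
if verify_served_chain leaf.crt inter.crt; then echo "linked: verify OK"; fi

issued_by leaf.crt inter.crt && echo "inter.crt is the intermediate to link to leaf.crt"
issued_by leaf.crt root.crt  || echo "root.crt is not the leaf's direct issuer"

# Against a live gateway the equivalent check is (not run here, it needs the network):
#   openssl s_client -connect gateway.example.com:443 -servername gateway.example.com \
#     -showcerts </dev/null
# The intermediate must appear in the "Certificate chain" it prints; "unable to get
# local issuer certificate" (verify error 20) is the command-line form of the
# message the Mac clients showed.
```

On the ADC itself, the GUI Link action described above corresponds to `link ssl certKey <server-cert-name> <intermediate-name>`, and `show ssl certlink` lists the existing links; the intermediate that belongs in that link is the one whose subject equals the server certificate's issuer, which is exactly what `issued_by` checks. Note that the root is deliberately not served: as the thread says later, the client is expected to already have it.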

Author

Commented:
Well, still looking.  I found the intermediate, and when in Netscaler it says it's already installed.  So back to the drawing board.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Did you link the web server certificate to the intermediate?

Author

Commented:
Yes, I have verified that I had originally put the intermediate here, in the CA Certificates section of the ADC.  So this one that it is complaining about is present.  As far as the linking... can you please explain?  I don't know what you mean.
[attachment: CACerts.png]
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
Commented:
You need to right-click your server certificate and select Link ...

[attachment: NetScaler---Link-Certificate.jpg]

Author

Commented:
Aw, thanks.  Just did that and then reran https://www.digicert.com/help/, so it looks good here.  I'll check with a Mac client and see if this resolves this.

Thanks a mil, must have missed that in the documentation during the original setup.

Author

Commented:
One more question, where do you look to see what is 'linked'?  Just wondering for troubleshooting in the future when certs are updated.

Thanks

Author

Commented:
Thank you for your quick responses and explanation, always appreciated.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
If you are looking to see to what objects the certificates are bound (linked), in the same right-click context menu, select Show Bindings.

[attachment: NetScaler--Certificate-Bindings.jpg]
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
BTW, the certificate chain expects the root certificate to be on the client's machine.
The root certificate store is updated every time there is an operating system update.
If you have a machine with an old OS (or one that hasn't been updated in a few years), it's quite possible that it may not have the right root certificate on it. That's when you might need to download and install a root certificate on the client machine. Otherwise, you should not have to.
Top Expert 2016

Commented:
Are you using the Citrix Workspace app for Chrome?
https://docs.citrix.com/en-us/citrix-workspace-app-for-chrome.html

Author

Commented:
David, I am going to be testing Workspace (1909 and 1911) shortly but our Windows users are currently using Receiver 14.12.0.18020.

Thanks

Author

Commented:
Having a hard time with my testing, I can't find the executable or where the Receiver/Workspace client lives on my workstation.  I tried to install Citrix Workspace 1909 and 1911, they both give me the same messages to 'uninstall' the workspace client first.  

How is this not visible in Add/remove programs, program list or in the file structure?  I don't understand how my Windows 10 client is actually able to execute published apps in Citrix right now.  In the systray I see the Receiver client option, but nothing works.  Tried the Receiver Cleanup utility and it is sitting on uninstalling msi products.  Though I can actually still launch a published app.

Thoughts on how to clear my workstation so I can test these versions of Workspace properly?

Thanks in Advance.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:

Author

Commented:
Thanks Sam, I tried that, rebooted, tried again, the utility says it's complete.  Is there some light-web web client that I ended up with accidentally?  It's great that my client is working to launch published apps, but not great that I have no way to test the other workspace versions. :(
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
The "light" client is the HTML5 client, which opens up in a browser window.
Is that what's happening?

Author

Commented:
Hmm... the app still launches in a separate window, so I don't think so... but perhaps, since I don't see it in the control panel add/remove programs.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Separate window is the native client … not HTML5.
Maybe try installing the version that you currently have...it might give you a Repair option.
After running that, you might be able to uninstall it.

Author

Commented:
Ok, thanks I'll try that.

Author

Commented:
No repair option, it's trying to install... this is so much fun.  I've actually never had an issue with Citrix clients in the past, so this is weird for me...

Author

Commented:
Alas, after monkeying around I can now see Citrix Receiver 4.12 in my add/remove programs.  The fact it was a wall has me a bit concerned.  After it reappeared, I tried to perform an upgrade to Workspace and got the same message.  So I removed the 4.12 client and then it brought me to the installation wizard when I went to install 1909.  Testing 1909 and then will try 1911.

Though I finally got this workspace wizard and was able to install, I have great concerns asking our user base (which is global) to upgrade off of 4.12 with these issues.  I'm hoping just my workstation, but wondering if anyone else has seen this flakiness?

Author

Commented:
I know this is a side topic, but wanted to share a response in my testing for others out there.  Though I finally got Citrix Workspace 1909 working, and it works like a charm with my XenApp 7.15 farm, it produces the following error in the XenApp 6.5 farm:

"Unable to connect to the server.  Contact your system administrator with the following error:  SSL Error 47: The server sent an SSL alert:  sslv3 alert handshake failure (alert number unavailable)."  

The difference here is that the XenApp environment currently runs through Secure Gateway.  This will work for those users when they are forced through the Netscaler/Storefront front-end to the XenApp 6.5 or XenApp 7.15 farm.

We are shutting down Secure Gateway end of this month, so we should be good to go with Workspace 1909.  I'll test 1911 which I suspect will have the same result but will post here.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
I went from Receiver to Workspace 1810 without issue, so I don't know if I would have had similar issues going straight to 19xx.

Author

Commented:
Aw, good to know Sam.  Thanks
