
Cannot validate SSL certificate on one client

J.R. van Doornik


Using Citrix Receiver on Windows 8.1. Connecting to a server on the network. All machines on the network work without a problem; this one machine does not. As a result I surmise the problem is with the machine and not with the servers or the farm.


User receives a notice when accessing the app-part of the application:


Your apps are not available at this time. Please try again in a few minutes or contact your helpdesk with this information: Cannot Contact Appstore.


Removed the Citrix Receiver from the system, ran the Citrix Receiver Removal utility (multiple times), wiped all references to Citrix in the registry, and reinstalled the Citrix Receiver through the command line:


citrixreceiver.exe /IncludeSSON /ALLOWSAVEPWD=A ENABLE_SSON=Yes STORE0="AppStore;https://receiver.domain.nl/Citrix/XenApp/discovery;on;Store Apps on XenApp"


Tried the 'discovery' URL in IE on my system and got a request to add "XenApp" provided by "*.domain.nl". Did the same on the system of the affected user, and was presented with:


Cannot process provisioning file


To resolve this issue, contact your help desk with this information.

Cannot validate SSL certificate.


Found this document: http://support.citrix.com/article/CTX132169 and tried solution 3. This did not resolve the issue.


Checked the event log, and found a 5061 event ID that stated that upon opening the key a result code of 0x80090016 was generated.


I tried reimporting the required Trusted Root Certificate holders, tried the solution found on http://discussions.citrix.com/topic/347776-cannot-validate-ssl-certificate-with-storefront-21-receiver-41/ which points at http://support.citrix.com/article/CTX134341 but still no change in behavior.


I'm pretty sure the certificate can't be authenticated by either Receiver or IE and as such any and all contact to the Citrix environment through the app is disallowed.


If I open the internal portal-webpage for the farm, I'm able to start programs, so there is that. But where does the issue come from regarding the certificate? Since this 'suddenly' started happening on one individual system. Any and all thoughts are appreciated.

Link to comment

6 answers to this question

  • 2
We've got this same issue here. 


In my scenario, the root and intermediate certs were installed on the StoreFront server and the client machine. In the Receiver AuthManager logs we saw "The HTTPS response does not have a server certificate set on it"; when trying to configure Receiver manually, "Cannot validate SSL certificate" was displayed on my screen. Our browser configuration has no proxy configured.


We've solved this issue using NETSH to remove proxy from system configuration.


"netsh winhttp reset proxy"


I hope that it'll work for you all.
  • Like 2
Link to comment
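
A diagnostic for the situation the answer above describes, added here as an example and not part of the original thread or of Citrix tooling: it compares the machine-wide WinHTTP proxy with the per-user browser proxy, then builds the certificate chain for the store host against the local certificate store. The function names are hypothetical, and the host name receiver.domain.nl is taken from the store URL in the question.

```powershell
# Added example: compare WinHTTP and browser proxy settings, then validate the
# certificate chain the store host presents. Function names are hypothetical.
function Get-ProxyState {
    # Machine-wide WinHTTP proxy, as reported by "netsh winhttp show proxy".
    # The 'Direct access' match assumes English output; check WinHttpRaw otherwise.
    $winhttp = (& netsh winhttp show proxy) -join "`n"
    # Per-user proxy used by IE and other WinINET clients.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        WinHttpDirect  = $winhttp -match 'Direct access'
        WinHttpRaw     = $winhttp.Trim()
        BrowserEnabled = [bool]$inet.ProxyEnable
        BrowserProxy   = $inet.ProxyServer
    }
}

function Test-ServerCertChain {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented so it can be inspected;
        # no application data is sent over this connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok = $chain.Build($cert)   # validates against this machine's trust store
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            ChainOk  = $ok
            Problems = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    } finally { $tcp.Close() }
}

$proxy = Get-ProxyState
$proxy | Format-List
if (-not $proxy.WinHttpDirect -and -not $proxy.BrowserEnabled) {
    Write-Warning 'WinHTTP has a proxy set but the browser does not (the mismatch described in the answer).'
}
# The socket connects directly, so this result reflects the local trust store only.
Test-ServerCertChain -HostName 'receiver.domain.nl' | Format-List
```

If ChainOk is True here while Receiver still reports "Cannot validate SSL certificate", the local trust store is reading the chain correctly and the proxy settings are the next thing to compare with a working machine.
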
  • 0

The certificate is issued by a trusted root certificate holder that is known on the machine. It's known on my machine (which works) as well, and I ran an export and import just to make sure. I can see the trusted root certification holder (Starfield) in the list of Trusted Root Certificates.


If I decline the check for the CRS (in other words the client does NOT check for the revocation of the certificate), it also doesn't work. So the CRS servers aren't the ones to blame.


From what I can verify on my machine, our *.domain.nl certificate is received and verified against a Starfield root-certificate holder. I specifically get asked if I want to add "XenApp" provided by "*.domain.nl".


It is further stated:


You should only proceed if you trust *.domain.nl. *.domain.nl was verified by Starfield Technologies, Inc.


As a result, the certificate is apparently issued, the CRS are not to blame, and the link to the root certificate is solid. It works for my machine, and a heap of others in the Enterprise.


On the one machine that doesn't work, it just tosses the notice:


Cannot validate SSL certificate.


At this point I'm suspecting that in the local certificate-store on the device something is going wrong, causing the affected device to have trouble reading and/or validating certificates, and thus causing issues for Citrix.

Link to comment
  • 0

Exported the *.domain.nl certificate from the server that provides the service. Left the private key.


Imported on the workstation that had issues, then started IE and tried opening the URL. Same error cropped up. The certificate is available locally, and yet it's not being validated.


I've got half a mind to spend a day on this, and reinstall the thing from scratch, tho I'd much rather have a quicker and less invasive means of solving this.

Link to comment
