Icaclient error SSL 61

[Gian Luca Rocchi]

Hi all,

I'm not able to connect my laptop to the office network. I'm running icaclient 22.12.0.12 on a Debian 11 system.

I'm getting the famous SSL error 61. I already tried with the solutions proposed in this forum to make symlinks from Firefox's certificates to /opt/Citrix/ICAClient/keystore/cacerts/ but it did not solve.

Below the cmd line:

:~$ /opt/Citrix/ICAClient/wfica.sh Scrivania/Q29udHJvbGxlci5Db25uZXNzaW9uZSBEZXNrdC00.ica

and the resulting log to the terminal:

[W]==> CSDKInitialise:96> (C)2021 Citrix CryptoSDK v14.2.2.0 (OpenSSL 1.1.1n  15 Mar 2022 (Citrix FIPS-capable)) built on Mar 24 2022 14:07:08
[W]==> initialiseSSLSDKWithParameter:168> (C)2021 Citrix CryptoKit v14.2.2.0 (OpenSSL 1.1.1n  15 Mar 2022 (Citrix FIPS-capable)) built on Mar 24 2022 14:07:13
[W]==> initialiseSSLSDKWithParameter:199> SSLSDK initialized WITHOUT smartcard support. Compliance Mode is OPEN
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> verifyPeerIdentityCallback:88> status: 61.
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> verifyPeerIdentityCallback:88> status: 61.

and the popup window which appears reporting the error which says more or less to contact the helpdesk with the following info: you chose not to trust the certification authority  "CA Sogei", the certification authority which supplied the server certificate.

 

any suggestion is welcome..

Thanks

 

[Jeff Riechers]

Looks like the intermediate and root certificates expired on your machine.  

[Gian Luca Rocchi]

18 hours ago, Jeff Riechers1709152667 said:

Looks like the intermediate and root certificates expired on your machine.  

Hi Jeff, thank you for your reply. Would you please suggest me a path to follow to be able to connect?

The certificate I installed even in /opt/Citrix/ICAClient/keystore/cacerts is the one whose informations are displayed from firefox here below.

It appears that the expiry date will be 23 June 2023.

 

[Jeff Riechers]

The intermediate and root certificates don't seem to be linked on the NetScaler you are connecting to.  I did a scan on the common name on https://www.ssllabs.com/ssltest/ and it shows the chain is not correct.

 

Linux machines are very very particular about certificate chains existing on the local device, and on the remote connection.  Windows machines tend to ignore the server side if the client is good.