Jump to content
Welcome to our new Citrix community!
  • 0

Icaclient error SSL 61


Gian Luca Rocchi

Question

Hi all,

I'm not able to connect my laptop to the office network. I'm running icaclient 22.12.0.12 on a Debian 11 system.

I'm getting the famous SSL error 61. I already tried with the solutions proposed in this forum to make symlinks from Firefox's certificates to /opt/Citrix/ICAClient/keystore/cacerts/ but it did not solve.

Below the cmd line:

:~$ /opt/Citrix/ICAClient/wfica.sh Scrivania/Q29udHJvbGxlci5Db25uZXNzaW9uZSBEZXNrdC00.ica

and the resulting log to the terminal:

[W]==> CSDKInitialise:96> (C)2021 Citrix CryptoSDK v14.2.2.0 (OpenSSL 1.1.1n  15 Mar 2022 (Citrix FIPS-capable)) built on Mar 24 2022 14:07:08
[W]==> initialiseSSLSDKWithParameter:168> (C)2021 Citrix CryptoKit v14.2.2.0 (OpenSSL 1.1.1n  15 Mar 2022 (Citrix FIPS-capable)) built on Mar 24 2022 14:07:13
[W]==> initialiseSSLSDKWithParameter:199> SSLSDK initialized WITHOUT smartcard support. Compliance Mode is OPEN
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> verifyPeerIdentityCallback:88> status: 61.
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Sonera Class2 CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (DST Root CA X3) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (GlobalSign) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Staat der Nederlanden EV Root CA) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (Cybertrust Global Root) is already expired!
[E]==> certCheckValidityPeriod:668> Certificate (QuoVadis Root Certification Authority) is already expired!
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> checkCertificateRootTrust:1616> Can't find trusted cert
[E]==> validateChain:1718> Can't find trusted root
[E]==> verifyPeerIdentityCallback:88> status: 61.

and the popup window which appears reporting the error which says more or less to contact the helpdesk with the following info: you chose not to trust the certification authority  "CA Sogei", the certification authority which supplied the server certificate.

1981333590_Schermataa2023-01-2215-51-10.thumb.png.26d8fba255b6ee7931ae182cbac7bfab.png

 

any suggestion is welcome..

Thanks

 

Link to comment

3 answers to this question

Recommended Posts

  • 0
18 hours ago, Jeff Riechers1709152667 said:

Looks like the intermediate and root certificates expired on your machine.  

Hi Jeff, thank you for your reply. Would you please suggest me a path to follow to be able to connect?

The certificate I installed even in /opt/Citrix/ICAClient/keystore/cacerts is the one whose informations are displayed from firefox here below.

It appears that the expiry date will be 23 June 2023.

 

cert_mozilla.thumb.PNG.2f00650281ec37c5b349d6e4f99a1906.PNG

Link to comment
  • 0

The intermediate and root certificates don't seem to be linked on the NetScaler you are connecting to.  I did a scan on the common name on https://www.ssllabs.com/ssltest/ and it shows the chain is not correct.

 

Linux machines are very very particular about certificate chains existing on the local device, and on the remote connection.  Windows machines tend to ignore the server side if the client is good.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...