How to fix SSL error 61 in Citrix Web Receiver on Linux

How to fix SSL error 61 in Citrix on LinuxI admit, the title is quite specific and will certainly appeal to only a small readership. But anyone who is facing the problem will be, like me, grateful for a solution.

In particular, the problem is about the SSL error 61 in the Citrix (Web) receiver under Linux and how to fix it. Since I have been running almost exclusively under Kubuntu for several months, the Citrix Reiceiver also moved into the new Linux box. Unfortunately, no connection to systems could be established, since the receiver disconnected with the following error message.

SSL Error 61: You have not chosen to trust “Go Daddy Root Certificate Authority – G2”, the issuer to the server’s security certificate.

Citrix-SSL-Fehler-61What does that tell us? The web receiver wants to check the certificate of the server while connecting, but fails because it does not know the root certificate or better said it does not trust it. Accordingly, you can actually use an arbitrary root authority in the error message, since the error message would raise up with every missing authority certificate.

Now there are two solutions. Either you get the missing certificates and insert them into the following directory:

/opt/Citrix/ICAClient/keystore/cacerts

Or you have Firefox installed… How does Firefox help us? Because the root certificates of Firefox can be shared with the Citrix receiver with only one command via symbolic links. The whole works as follows:

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

In this case, a symbolic link for each root certificate that the Firefox knows is created in the Citrix directory, so that it can participate. Now your SSL error 61 should be gone.

If, for whatever reason, you want to undo the changes, you can run the following two commands:

cd /opt/Citrix/ICAClient/keystore/cacerts
sudo find -type l -delete 

32 Comments

  1. Lukasays:

    running ubuntu 22.10, this one worked for me
    sudo ln -s /etc/ssl/certs/* /opt/Citrix/ICAClient/keystore/cacerts

    thanks for pointing me in the right direction!

  2. Calum MacKinnonsays:

    If anyone having the same issue still after this fix. Might want to check your keystore/cacerts isn’t stored elsewhere depending on where you installed the citrix client.

    i.e. /home/user/ICAClient/* rather than /opt/citrix

    need to link to the keystore that’s in use.

  3. Abhinav Shuklasays:

    Hi,
    Thank you for posting this, Saved my day.

  4. John Rosssays:

    I am still getting SSL error 61 message on my Ubuntu 20.04 desktop. WHen I type I get these error messages (see below). ANy ideas?

    sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

    I get the following messages in Terminal:
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/T-TeleSec_GlobalRoot_Class_2.crt’: File exists

    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/T-TeleSec_GlobalRoot_Class_3.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TWCA_Global_Root_CA.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TWCA_Root_Certification_Authority.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/UCA_Extended_Validation_Root.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/UCA_Global_G2_Root.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_ECC_Certification_Authority.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/VeriSign_Universal_Root_Certification_Authority.crt’: File exists
    ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/XRamp_Global_CA_Root.crt’: File exists

  5. Sriramsays:

    Thanks a ton. It was of a lot of help.

  6. Vincentsays:

    Thank you! It works perfectly now

  7. Thomas Ulrichsays:

    Thanks a lot – you saved me a lot of time!

  8. Thanks so much – this fixed me up on Ubuntu 20.x

  9. Wooow, thanks man. I was struggling to get this working on my linux laptop.

  10. Bubens Van Lykasays:

    I must have read this article at least three times by now. Such a simple and elegant solution, but I keep forgetting until the next time I get stuck on this really very stupid bug. Thanks so much!

  11. Lucasays:

    Bravissimo mi hai salvato il culo

  12. Lucasays:

    Bravissimo mi hai salvato il culo!

  13. Net Ssays:

    Thanks. You saved my day. Been scratching my head

  14. twistedsays:

    Even on Raspberry Pi with Pi OS out of the box the ln … statement works

  15. Juliansays:

    Same here, working now, thanks for sharing.

  16. Bobsays:

    Thanks buddy! Its working !

  17. You saved my day, thanks a lot.

  18. Thomas Schwabsays:

    Hi guys, I fixed it on my Linux Mint , but I’m not able to fix this certificate issue on SuSe Leap 15.1. May be threre is a SuSe expert out there who can give me a hint.
    Thanks & Regards
    Thomas

  19. Muhammad Muzammilsays:

    I have done same steps but i am still getting SSL error 61
    I ran
    sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

    Please help me solving this, i have ubuntu 16.04

    • John Rosssays:

      I still have the same problem -ssl error 61 – on my ubuntu 20.04.

      These are my terminal replies to the command you put to enter:
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/TWCA_Root_Certification_Authority.crt’: File exists
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/UCA_Extended_Validation_Root.crt’: File exists
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/UCA_Global_G2_Root.crt’: File exists
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_ECC_Certification_Authority.crt’: File exists
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.crt’: File exists
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/VeriSign_Universal_Root_Certification_Authority.crt’: File exists
      ln: failed to create symbolic link ‘/opt/Citrix/ICAClient/keystore/cacerts/XRamp_Global_CA_Root.crt’: File exists

      • Gusisays:

        Had the same problem today after a receiver upgrade. Deleting and recreating the symlinks helped.
        sudo find -type l -delete
        sudo ln -s /etc/ssl/certs/* /opt/Citrix/ICAClient/keystore/cacerts

  20. Jasonsays:

    Months of on and off searches, including the Citrix sites, and the fix was this simple. Give this man a raise.

  21. Noice.
    Thank you for your time.

  22. Barry D McCarter - IASsays:

    Thank you, great post. Very helpful.

  23. Harry Collinssays:

    Thank you so much – I was completely stuck on this

Leave a comment

Please be polite. We appreciate that. Your email address will not be published and required fields are marked