Troubleshooting
Problem
User authenticates to the Citrix storefront website, powered by IBM Cloud. User clicks on the Controller icon. An error appears.
Symptom
The exact error will vary depending on environment, but it will look similar to:
Windows PC:
Cannot connect to the Citrix XenApp server
SSL Error 61: You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate.
Mac:
You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate.
Contact your help desk for assistance.
Cause
There are several different possible causes:
- Scenario #1 (most likely) - User's client device needs their Citrix client upgraded (or re-installed)
- For example, perhaps they are using an old (unsupported) Citrix client.
- For more details, see separate IBM Technote #1700416.
- Scenario #2 - (rare) User's client device does not trust the relevant SSL certificate.
- In one real-life customer case, the client MAC device did not trust the 'intermediate' certificate.
Resolving The Problem
Scenario #1 (likely)
Upgrade client device to the latest Citrix client (currently called 'Citrix Workspace', but previously known as 'Citrix Receiver' and 'Citrix ICA client').
- At the time of writing, this is Citrix Workspace version 1909
- The latest version of Citrix workspace client can always be downloaded from this third party (non-IBM) site: https://www.citrix.com/en-gb/downloads/workspace-app/
Scenario #2 (rare)
Install relevant SSL certificate on your client device.
Steps:
In one real-life example, where the client device was based on MacOS, the following steps solved the problem:
1. Check which certificate needs to be installed
- TIP: This can be checked by opening the wild certificate ("*.controller.ibmcloud.com") from the IBM cloud website:
2. Select the 'details' drop-down:
3. At the bottom of the certificate, find the location of where digicert holds its intermediate cert.
- In the above example, the link is: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
4. Click on that link to download the required certificate
5. Add this CRT file to your client device's keystore:
6. Test.
Related Information
Was this topic helpful?
Document Information
Modified date:
12 October 2021
UID
ibm10738725