** Troubleshooting ** "You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate" errors launching Controller on Cloud

Troubleshooting

Problem

User authenticates to the Citrix storefront website, powered by IBM Cloud. User clicks on the Controller icon. An error appears.

Symptom

The exact error will vary depending on environment, but it will look similar to:

Windows PC:

image-20190905160957-1
Cannot connect to the Citrix XenApp server
SSL Error 61: You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate.

Mac:
image-20190905161003-2
You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate.
Contact your help desk for assistance.

Cause

There are several different possible causes:

Scenario #1 (most likely) - User's client device needs their Citrix client upgraded (or re-installed)
- For example, perhaps they are using an old (unsupported) Citrix client.
- For more details, see separate IBM Technote #1700416.

Scenario #2 - (rare) User's client device does not trust the relevant SSL certificate.
- In one real-life customer case, the client MAC device did not trust the 'intermediate' certificate.

Resolving The Problem

Scenario #1 (likely)

Upgrade client device to the latest Citrix client (currently called 'Citrix Workspace', but previously known as 'Citrix Receiver' and 'Citrix ICA client').

Steps:

1. Uninstall the current version of Citrix client (for example Citrix Receiver) on the client device

2. Download the latest version of Citrix client

At the time of writing, this is Citrix Workspace version 1909
The latest version of Citrix workspace client can always be downloaded from this third party (non-IBM) site: https://www.citrix.com/en-gb/downloads/workspace-app/

[For more details, see separate IBM Technote #1700416].

Scenario #2 (rare)

Install relevant SSL certificate on your client device.

Steps:

In one real-life example, where the client device was based on MacOS, the following steps solved the problem:

1. Check which certificate needs to be installed

TIP: This can be checked by opening the wild certificate ("*.controller.ibmcloud.com") from the IBM cloud website:

image-20181105190512-1

2. Select the 'details' drop-down:

image-20181105190718-3

3. At the bottom of the certificate, find the location of where digicert holds its intermediate cert.

In the above example, the link is: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

4. Click on that link to download the required certificate

5. Add this CRT file to your client device's keystore:

image-20181105190941-1

6. Test.

Related Information

1700416 - "SSL Error 61: You have not chosen to trust "DigiCert ..."" when laun…

Third Party (Citrix) - Download latest (English) Citrix Workspace App

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMRTZ","label":"IBM Cognos Controller on Cloud"},"Component":"","Platform":[{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"}],"Version":"10.3.1;10.4.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Tips

Troubleshooting "You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate" errors launching Controller on Cloud