It’s been a while since I’ve covered Citrix, so let’s cover Citrix Workspace app 2009 for Linux today.
There is good support for Linux as now they seem to be selling Raspberry Pis with custom versions of Citrix as thin clients.
I normally install the “Citrix Web Workspace app”, which appears to require a browser to work. So this time I decided to try out the “Citrix Workspace app” which is a stand alone application.
The install is easy enough on the Rasbian and Fedora installs I tried.
On Fedora this was
dnf install ./ICAClient-rhel-20.9.0.15-0.x86_64.rpm
For Raspberry Pi OS (Rasbian)
apt install ./icaclient_19.10.0.15_armhf.deb
To run it you run /opt/Citrix/ICAClient/selfservice and you get a popup asking you to add account. I entered the normal url that was supplied by our IT department.
But of course life would not be complete without our Good Old SSL error. This time it takes the form of the message. “Your account cannot be added using this server address. Make sure you entered it correctly. An SSL connection to the server couldn’t be established because the server’s certificate was not trusted.”
We have seen this before and on Rasbian the solution remains the same. The certs are provided as individual files on Debian based distributions through the package ca-certificates.
# ls -al /etc/ssl/certs/ | head
total 580
drwxr-xr-x 3 root root 12288 Aug 20 12:45 .
drwxr-xr-x 4 root root 4096 Aug 20 12:32 ..
lrwxrwxrwx 1 root root 45 Aug 20 12:32 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root 36 Aug 20 12:32 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root 27 Aug 20 12:32 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
....
On Fedora they are also provided by the package ca-certificates but they are all bundled into one file. Which openssl has a problem with, and so will citrix.
# ls -al /etc/ssl/certs/
total 12
drwxr-xr-x. 2 root root 4096 Sep 18 20:15 .
drwxr-xr-x. 5 root root 4096 Apr 23 14:10 ..
lrwxrwxrwx. 1 root root 49 Jun 17 01:00 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jun 17 01:00 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r-----. 1 root root 1189 Dec 18 2018 nlwsu86237.crt
And the cert that I require is in the bundle:
# grep -A 3 "# GlobalSign Root CA - R3" /etc/ssl/certs/ca-bundle.crt
/etc/ssl/certs/ca-bundle.crt:# GlobalSign Root CA - R3
/etc/ssl/certs/ca-bundle.crt------BEGIN CERTIFICATE-----
/etc/ssl/certs/ca-bundle.crt-MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
/etc/ssl/certs/ca-bundle.crt-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
Thankfully the the Citrix Page on the Arch Wiki has an explanation of what’s going on, and they also provide a solution. A slightly modified version for Fedora is provided:
cd /opt/Citrix/ICAClient/keystore/cacerts/
cp -v /etc/ssl/certs/ca-bundle.crt /opt/Citrix/ICAClient/keystore/cacerts/
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < /etc/ssl/certs/ca-bundle.crt
openssl rehash /opt/Citrix/ICAClient/keystore/cacerts/*.pem
After that you should be able to login as normal and work productively.