I’m managing a handful of Linux installations for a client in Belgium. His main workstation is currently running OpenSUSE Tumbleweed, and I’d like to move it to my personal blend of Rocky Linux 8 and KDE. So far I’ve found viable solutions for all the applications he needs. I’m having one last issue with the Citrix Workspace App. He needs this one to connect online to his accountant’s server.
I’ve documented the installation procedure for Citrix Workspace on OpenSUSE here. It’s in French, but the Linux bits are universal:
In a nutshell, the Citrix website offers the application as an RPM package to download. After installing it using rpm -ivh, everything is in /opt/Citrix.
One tweak I had to perform under OpenSUSE to avoid an SSL connection error was to replace the shipped certificates with those already present in the system:
On a vanilla Rocky Linux 8 installation I got the same SSL error in the default setup of Citrix Workspace, so I tried to tweak it as I had done previously on OpenSUSE:
Only this time I still got the same SSL error. One thing that worked though was to take all the content of /etc/ssl/certs from an OpenSUSE installation and move it to /opt/Citrix/ICAClient/keystore/cacerts on my Rocky Linux installation. But this is a bit of an ugly hack.
Since I’m curious and I like to know why things work or don’t work, I thought I’d post this here.
I vaguely know these files are certificates, but what exactly does the stuff in /etc/ssl/certs (OpenSUSE) or /etc/pki/tls/certs do ? Where do all these files come from ?
What would be an orthodox way to make my Rocky Linux installation behave like OpenSUSE (as described above) ?
I’m not a lamer for RTFM, so feel free to send me a curt link to the relevant documentation.
great to see that the Citrix Workspace app also works on Rocky 8, we are running it on Rocky 9, so good to know
And so, this is basically the shared certificate store in the whole Fedora / EL world, I don’t really understand why everyone (Ubuntu, Debian, Alpine, OpenSuSE, …) put them where ever they think is the best place and not all of them at the same one. But here is basically the documentation from Fedora about this topic:
Copy certificate authority to trusted ca path: ‘/etc/pki/ca-trust/source/anchors/’
Run ‘update-ca-trust’
That adds your CA certs to the list of CAs that we do trust. The distro applications
do use that list. There seem to be just the “Ca bundle” in /etc/pki/tls/certs:
Assumedly the Citrix config points to CA (chain/bundle), key, and the public part of its certificate.
The CA bundle includes the CA that did sign the services certificate (key&public).
Does the config of Citrix use the correct names of the files?
Are (all) the certificates where they are expected to be?
I know, and this is how I found out about /etc/pki/tls/certs in the first place. But the contents of these respective directories is quite different under OpenSUSE and Rocky Linux. And I wonder how I could make Rocky Linux behave without copying the whole load of files over from OpenSUSE.
Not sure of how it looks in OpenSUSE or the included cacerts in the package, but I know on Debian the /etc/ssl/certs directory has all the files with pem extensions. In Rocky these have .crt extensions. So I’m unsure if that would make a difference or not, if for example Citrix Workspace is looking for .pem files. You could always try symlinking all the .crt files in Rocky to the same name but with a pem extension and see if that helps? In Debian everything in /etc/ssl/certs are pem symlinks to crt files in /usr/share/ca-certificates.
Looks like we’re coming closer. I gave it another spin in a fresh VM. Installed the latest Citrix Receiver, initiated a connection to a Windows server, and got the following SSL error:
The “Go Daddy” is one vendor that sells certificates, isn’t it?
On another system certificates were bought from “GEANT” (or smh).
Certificates created by vendor X are verified by comparing with (public part of) CA of X.
We have the bundle of CAs so that we can verify certificates originating from those “trusted vendors”.
Both Go Daddy Class 2 CA and Go Daddy Root Certificate Authority - G2 CAs are probably included in the ca-bundle of Rocky. If they are, it is issue with Citrix that it does not use the ca-bundle.
Furthermore, within the server certificate there are identifiers and if the service that we try to access does not have those same names, then we don’t trust it. For example, the certificate of this Forum appears to be issued by vendor “Let’s Encrypt” and is valid for accessing HTTPS server that has DNS name forums.rockylinux.org.
Red Hat probably assumes that each site procures their own valid certificates. For example, the Apache package includes only a “self-signed certificate” {localhost.key, localhost.crt}. (Browser does note about it that its CA is not in the bundle.)
Since you don’t seem to have such server-specific certificates, the Citrix does not use them like Apache does?