You are not logged in.

#26 2014-12-15 10:10:21

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

did anyone got it working so far?
how do would you know if the above steps worked for you?

basically what my problem right now is, that the Citrix Receiver (icaclient) has a problem with the VeriSign certificates and therefore isn't working properly/at all ... sad

Offline

#27 2014-12-15 10:15:58

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: Handling changes to ca-certificates correctly

micsnare wrote:

I basically followed the steps mentioned in the Arch News.....

The news applies only 'If you have added any locally trusted certificates': is this your case?
If not, I suggest that you undo all you have done, and re-install the ca-certificates* packages.

Offline

#28 2014-12-15 10:23:47

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

berbae wrote:
micsnare wrote:

I basically followed the steps mentioned in the Arch News.....

The news applies only 'If you have added any locally trusted certificates': is this your case?
If not, I suggest that you undo all you have done, and re-install the ca-certificates* packages.


Yes, I have had a few *.pem files in /etc/ssl/certs/
I renamed them to *.crt and then moved them to /etc/ca-certificates/trust-source/anchors/
after that I ran "sudo trust extract-compat"

shall I still undo this?
many thanks for your help in advance,
theresa

Offline

#29 2014-12-15 10:43:06

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

if it helps i'm receiving the following error since the ca-certification updates

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

I'm not sure, but it might be something to do with the p11-kit messages that I'm seeing....
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt

and so on......

Offline

#30 2014-12-15 10:44:42

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: Handling changes to ca-certificates correctly

Were these '*.pem files in /etc/ssl/certs/' added by you apart from the ones from the ca-certificates-* packages?

Offline

#31 2014-12-15 10:47:02

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

berbae wrote:

Were these '*.pem files in /etc/ssl/certs/' added by you apart from the ones from the ca-certificates-* packages?

Not that I can *actively* remember.....could this be that the browser or the Citrix plugin added them there?

Offline

#32 2014-12-15 11:15:15

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: Handling changes to ca-certificates correctly

I think that in your case you had not to do anything after the ca-certificates update:
the Verisign certificates are already included.
So I suggest that you remove the files you moved to 'etc/ca-certificates/trust-source/anchors/',
and re-install the ca-certificates-* packages: this will create files (mainly .pem files and links) in the '/etc/ssl/certs' directory.

After that you need to cope with 'the Citrix Receiver (icaclient) has a problem with the VeriSign certificates': what exactly is the error?

Last edited by berbae (2014-12-15 11:17:24)

Offline

#33 2014-12-15 11:21:25

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

berbae wrote:

I think that in your case you had not to do anything after the ca-certificates update:
the Verisign certificates are already included.
So I suggest that you remove the files you moved to 'etc/ca-certificates/trust-source/anchors/',
and re-install the ca-certificates-* packages: this will create files (mainly .pem files and links) in the '/etc/ssl/certs' directory.

After that you need to cope with 'the Citrix Receiver (icaclient) has a problem with the VeriSign certificates': what exactly is the error?


ok, thank you for your help. I just did that...
the Citrix Error that I'm receiving is the following:

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

it also happens with the G5 certificate...


Edit: the Citrix Receiver (icaclient) used to work fine till friday.....after I ran the arch update (ca-certificates) it stopped working...

Last edited by micsnare (2014-12-15 11:30:54)

Offline

#34 2014-12-15 12:22:32

vicharas
Member
Registered: 2014-12-15
Posts: 1

Re: Handling changes to ca-certificates correctly

micsnare wrote:

ok, thank you for your help. I just did that...
the Citrix Error that I'm receiving is the following:

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

it also happens with the G5 certificate...


Edit: the Citrix Receiver (icaclient) used to work fine till friday.....after I ran the arch update (ca-certificates) it stopped working...

Hello,

I had the same problem. Citrix Receiver will look for a certificate under

ICAClient/linuxx64/keystore/cacerts

and it appears it also needs one certificate per file.

The following fixed the problem for me:

cp /etc/ssl/certs/ca-certificates.crt ICAClient/linuxx64/keystore/cacerts/
cd ICAClient/linuxx64/keystore/cacerts/
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-certificates.crt

The last command extracts the certificates from ca-certificates.crt and writes them in separate files.

Offline

#35 2014-12-15 15:52:39

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

thanks, i eventually got it working by downloading a root-certificate bundle from the versign/symantec website....

then copied the *.pem and *.crt into the Citrix keystore.....

man, this was a pain in the ass sad

Offline

#36 2014-12-18 10:15:15

Zappo-II
Member
Registered: 2014-10-16
Posts: 11

Re: Handling changes to ca-certificates correctly

vicharas wrote:
micsnare wrote:
SSL Error 61: You have not chosen to trust "...", the issuer to the server's security
certificate.

Edit: the Citrix Receiver (icaclient) used to work fine till friday.....after I ran the arch update (ca-certificates) it stopped working...

The following fixed the problem for me:

cp /etc/ssl/certs/ca-certificates.crt ICAClient/linuxx64/keystore/cacerts/
cd ICAClient/linuxx64/keystore/cacerts/
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-certificates.crt

The last command extracts the certificates from ca-certificates.crt and writes them in separate files.

Same issue with me, proposed procedure also fixed it for me...
BeAware: "ICAClient/" was "/opt/Citrix/ICAClient/..." in my case...

Offline

#37 2014-12-21 02:47:29

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: Handling changes to ca-certificates correctly

Thanks for that fix! Here's a PKGBUILD that incorporates those commands and also upgrades the Citrix client to 13.1 (thanks to @hnws). I also posted the link on the AUR page. Let me know if anything needs fixing. I'm not sure if this location '/etc/ca-certificates/extracted/tls-ca-bundle.pem' is going to be valid on everyone's system or not.

Scott

Offline

#38 2015-05-13 07:50:22

c0da
Member
Registered: 2009-08-24
Posts: 12

Re: Handling changes to ca-certificates correctly

Hi. The latest Arch update brings so many problems... sad

Now i can't add our Institute CA certificate to the systems. Last time i did this everything worked fine with instructions from: https://www.archlinux.org/news/ca-certificates-update/

And now, after dm-crypt crashed my system and i've reinstalled everything, it does not work. When i do the same things certificate does not appear visible for epiphany, evolution, mutt, etc.

But trust extract-compat command does not report any errors. What am i doing wrong?

Thanks for any help.

Last edited by c0da (2015-05-13 07:52:07)

Offline

Board footer

Powered by FluxBB