
#26 2014-12-15 10:10:21

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

did anyone get it working so far?
how would you know if the above steps worked for you?

basically what my problem right now is, that the Citrix Receiver (icaclient) has a problem with the VeriSign certificates and therefore isn't working properly/at all ... :(

Offline

#27 2014-12-15 10:15:58

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,302

Re: Handling changes to ca-certificates correctly

micsnare wrote:

I basically followed the steps mentioned in the Arch News.....

The news applies only 'If you have added any locally trusted certificates': is this your case?
If not, I suggest that you undo all you have done, and re-install the ca-certificates* packages.

Offline

#28 2014-12-15 10:23:47

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

berbae wrote:
micsnare wrote:

I basically followed the steps mentioned in the Arch News.....

The news applies only 'If you have added any locally trusted certificates': is this your case?
If not, I suggest that you undo all you have done, and re-install the ca-certificates* packages.


Yes, I have had a few *.pem files in /etc/ssl/certs/
I renamed them to *.crt and then moved them to /etc/ca-certificates/trust-source/anchors/
after that I ran "sudo trust extract-compat"

shall I still undo this?
many thanks for your help in advance,
theresa

Offline

#29 2014-12-15 10:43:06

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

if it helps i'm receiving the following error since the ca-certification updates

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

I'm not sure, but it might be something to do with the p11-kit messages that I'm seeing....
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt

and so on......

Offline

#30 2014-12-15 10:44:42

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,302

Re: Handling changes to ca-certificates correctly

Were these '*.pem files in /etc/ssl/certs/' added by you apart from the ones from the ca-certificates-* packages?

Offline

#31 2014-12-15 10:47:02

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

berbae wrote:

Were these '*.pem files in /etc/ssl/certs/' added by you apart from the ones from the ca-certificates-* packages?

Not that I can *actively* remember.....could this be that the browser or the Citrix plugin added them there?

Offline

#32 2014-12-15 11:15:15

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,302

Re: Handling changes to ca-certificates correctly

I think that in your case you did not have to do anything after the ca-certificates update:
the Verisign certificates are already included.
So I suggest that you remove the files you moved to '/etc/ca-certificates/trust-source/anchors/',
and re-install the ca-certificates-* packages: this will create files (mainly .pem files and links) in the '/etc/ssl/certs' directory.

After that you need to cope with 'the Citrix Receiver (icaclient) has a problem with the VeriSign certificates': what exactly is the error?

Last edited by berbae (2014-12-15 11:17:24)

Offline

#33 2014-12-15 11:21:25

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

berbae wrote:

I think that in your case you did not have to do anything after the ca-certificates update:
the Verisign certificates are already included.
So I suggest that you remove the files you moved to '/etc/ca-certificates/trust-source/anchors/',
and re-install the ca-certificates-* packages: this will create files (mainly .pem files and links) in the '/etc/ssl/certs' directory.

After that you need to cope with 'the Citrix Receiver (icaclient) has a problem with the VeriSign certificates': what exactly is the error?


ok, thank you for your help. I just did that...
the Citrix Error that I'm receiving is the following:

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

it also happens with the G5 certificate...


Edit: the Citrix Receiver (icaclient) used to work fine till friday.....after I ran the arch update (ca-certificates) it stopped working...

Last edited by micsnare (2014-12-15 11:30:54)

Offline

#34 2014-12-15 12:22:32

vicharas
Member
Registered: 2014-12-15
Posts: 1

Re: Handling changes to ca-certificates correctly

micsnare wrote:

ok, thank you for your help. I just did that...
the Citrix Error that I'm receiving is the following:

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

it also happens with the G5 certificate...


Edit: the Citrix Receiver (icaclient) used to work fine till friday.....after I ran the arch update (ca-certificates) it stopped working...

Hello,

I had the same problem. Citrix Receiver will look for a certificate under

ICAClient/linuxx64/keystore/cacerts

and it appears it also needs one certificate per file.

The following fixed the problem for me:

cp /etc/ssl/certs/ca-certificates.crt ICAClient/linuxx64/keystore/cacerts/
cd ICAClient/linuxx64/keystore/cacerts/
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-certificates.crt

The last command extracts the certificates from ca-certificates.crt and writes them in separate files.

Offline
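
Added example, not part of the posts above and not Citrix or Arch tooling: a stricter form of the bundle split from post #34. It copies only the lines between the BEGIN/END CERTIFICATE markers, so no cert.0.pem is created from text before the first certificate, and it closes each file once it is written. The names split_bundle and make_sample_bundle and the sample bundle contents are made up for this example; the output directory stands in for ICAClient/linuxx64/keystore/cacerts.

```shell
#!/bin/sh
# split_bundle BUNDLE OUTDIR
# Writes every PEM certificate block in BUNDLE to OUTDIR/cert.N.pem
# (N = 1, 2, ...) and prints how many blocks were written.
split_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = dir "/cert." n ".pem"
            inside = 1
        }
        # Copy only lines that belong to a certificate block.
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            # Close the file so a large bundle cannot exhaust open files.
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample: two placeholder PEM blocks (not real certificates),
# with text before and between them as some bundles have.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# comment line before the first entry
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE9ORQ==
-----END CERTIFICATE-----

stray text outside any block
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIFRXTw==
-----END CERTIFICATE-----
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
make_sample_bundle "$tmp/bundle.crt"
echo "certificates written: $(split_bundle "$tmp/bundle.crt" "$tmp/cacerts")"
rm -rf "$tmp"
```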

#35 2014-12-15 15:52:39

micsnare
Member
Registered: 2013-08-25
Posts: 57

Re: Handling changes to ca-certificates correctly

thanks, i eventually got it working by downloading a root-certificate bundle from the verisign/symantec website....

then copied the *.pem and *.crt into the Citrix keystore.....

man, this was a pain in the ass :(

Offline

#36 2014-12-18 10:15:15

Zappo-II
Member
Registered: 2014-10-16
Posts: 11

Re: Handling changes to ca-certificates correctly

vicharas wrote:
micsnare wrote:
SSL Error 61: You have not chosen to trust "...", the issuer to the server's security
certificate.

Edit: the Citrix Receiver (icaclient) used to work fine till friday.....after I ran the arch update (ca-certificates) it stopped working...

The following fixed the problem for me:

cp /etc/ssl/certs/ca-certificates.crt ICAClient/linuxx64/keystore/cacerts/
cd ICAClient/linuxx64/keystore/cacerts/
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-certificates.crt

The last command extracts the certificates from ca-certificates.crt and writes them in separate files.

Same issue with me, proposed procedure also fixed it for me...
BeAware: "ICAClient/" was "/opt/Citrix/ICAClient/..." in my case...

Offline

#37 2014-12-21 02:47:29

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: Handling changes to ca-certificates correctly

Thanks for that fix! Here's a PKGBUILD that incorporates those commands and also upgrades the Citrix client to 13.1 (thanks to @hnws). I also posted the link on the AUR page. Let me know if anything needs fixing. I'm not sure if this location '/etc/ca-certificates/extracted/tls-ca-bundle.pem' is going to be valid on everyone's system or not.

Scott

Offline

#38 2015-05-13 07:50:22

c0da
Member
Registered: 2009-08-24
Posts: 11

Re: Handling changes to ca-certificates correctly

Hi. The latest Arch update brings so many problems... :(

Now i can't add our Institute CA certificate to the systems. Last time i did this everything worked fine with instructions from: https://www.archlinux.org/news/ca-certificates-update/

And now, after dm-crypt crashed my system and i've reinstalled everything, it does not work. When i do the same things certificate does not appear visible for epiphany, evolution, mutt, etc.

But trust extract-compat command does not report any errors. What am i doing wrong?

Thanks for any help.

Last edited by c0da (2015-05-13 07:52:07)

Offline
