Citrix Cloud Connector Installation does not complete: Unable to validate certificate chain

Article ID: CTX223828

Description

Citrix Cloud Connector does not complete its initial installation or is unable to upgrade to the latest Cloud Connector version. The installation is blocked because it cannot validate the code signing certificate of the downloaded Citrix Cloud components, which may be due to the certificates installed on the machine or to an expired signature. To verify that this is occurring:

  • Navigate to the local logs generated by the connector at: %ProgramData%\Citrix\WorkspaceCloud\InstallLogs
  • Open the most recent logs and search for the following string: “Verified download failed EdgeServiceComponents”. Its presence indicates a problem with downloading and verifying the Cloud Connector components.

Resolution

The Root and Intermediate Certificate Authority certificates used to sign the Citrix Cloud Connector need to be trusted on the local machine where the Citrix Cloud Connector is being installed. Cloud Connector binaries and the endpoints that the Cloud Connector contacts are protected by X.509 certificates issued by DigiCert, a widely respected enterprise certificate authority (CA). DigiCert employs Certificate Revocation List (CRL) servers using HTTP on port 80 instead of HTTPS on port 443 to verify these certificates during Cloud Connector installation. Cloud Connector components themselves do not communicate over external port 80. The need for external port 80 is a byproduct of the certificate verification process that the operating system performs.


To resolve this issue:

  • Download a new Connector installation package from the resource location page on Citrix Cloud.
  • Open HTTP port 80 to *.digicert.com on the Cloud Connector. This port is used during Cloud Connector installation and during the periodic CRL checks. For more information about how to test for CRL and OCSP connectivity, see https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm on the DigiCert website.
  • Ensure that Windows updates are enabled and that the server is up to date on Windows updates because the certificate vendor collaborates with Microsoft to distribute root certificates via Windows updates.
  • Review the list of addresses in Citrix Cloud Connector Technical Details - Certificate validation requirements and confirm that they are contactable from the Cloud Connector machine(s), so that certificate validation can succeed: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details
  • Ensure that the Cloud Connector machine has the Root and Intermediate certificates (used by the Citrix Cloud Installer) installed in the certificate store on the local machine. You can manually install the certificates by following the instructions below.
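
The checks described above can be scripted. The following PowerShell is an added example, not Citrix's own tooling: it searches the install logs for the string quoted in this article, tests outbound TCP 80, and rebuilds the installer's signing chain in machine context with online revocation checking. The installer path is a placeholder and the two host names are sample hosts under *.digicert.com chosen for illustration.

```powershell
# Added example: triage for a failed component verification on a Cloud Connector.
param(
    # Assumption: placeholder path to the connector installer you downloaded.
    [string]$InstallerPath = 'C:\Temp\<connector-installer>.exe',
    # Assumption: sample hosts under *.digicert.com; take the authoritative
    # list from the Citrix technical-details page linked in this article.
    [string[]]$RevocationHosts = @('crl3.digicert.com', 'ocsp.digicert.com')
)

# 1. Search the five most recent install logs for the string named in this article.
$logDir = Join-Path $env:ProgramData 'Citrix\WorkspaceCloud\InstallLogs'
Get-ChildItem -Path $logDir -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 |
    Select-String -SimpleMatch 'Verified download failed EdgeServiceComponents' |
    Format-List Path, LineNumber, Line

# 2. Confirm outbound TCP 80, which the operating system uses for CRL retrieval.
foreach ($name in $RevocationHosts) {
    Test-NetConnection -ComputerName $name -Port 80 |
        Format-List ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Rebuild the signer's chain the way the machine sees it: machine trust
#    stores only, revocation checked online for every element of the chain.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath -ErrorAction Stop
"Authenticode status: $($sig.Status) - $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) { throw 'No signer certificate found on the file.' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($sig.SignerCertificate)
"Chain builds in machine context: $built"

# Per-element status shows which certificate in the chain is the problem.
foreach ($element in $chain.ChainElements) {
    [pscustomobject]@{
        Subject  = $element.Certificate.Subject
        NotAfter = $element.Certificate.NotAfter
        Status   = ($element.ChainElementStatus.Status -join ', ')
    } | Format-List
}
```

In the per-element output, PartialChain or UntrustedRoot points at a missing or untrusted CA certificate, while RevocationStatusUnknown or OfflineRevocation points at blocked CRL/OCSP access.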


Install the root certificates

  1. Open the MMC certificate store on the Citrix Cloud Connector exhibiting the behavior:
    https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx
    Select the Computer account option when prompted by the Certificates snap-in.

  2. Download the root certificate https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt.

  3. Open the certificate and choose "Install Certificate…".

  4. In the "Certificate Import Wizard", select "Local Machine" for the "Store Location".

  5. Validate that the Root certificate shows up under the proper Certificate Store.

  6. Repeat the above steps with the rest of the root certificates.


Install the intermediate certificates

  1. Open the MMC certificate store on the Citrix Cloud Connector exhibiting the behavior:
    https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx
    Select the Computer account option when prompted by the Certificates snap-in.

  2. Download the intermediate certificate https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt.

  3. Open the certificate and choose "Install Certificate…".

  4. In the "Certificate Import Wizard", select "Local Machine" for the "Store Location".

  5. Verify that the Intermediate certificate shows up under the proper Certificate Store.

  6. Repeat the above steps with https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt. Install this certificate into the "Machine store" too.

Install the rest of the required certificates listed in the "The following certificates need to be installed:" section of https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details.
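
A scripted equivalent of the manual import steps above, as an added example that is not part of the original article. Because adding a CA certificate to the machine store extends trust for the whole server, it compares each download against a thumbprint before importing. The thumbprints are placeholders to be filled in from DigiCert's published certificate details, and the store paths are an assumption about what the article calls the "proper Certificate Store".

```powershell
# Added example: run in an elevated PowerShell session on the Cloud Connector.
# Thumbprints are placeholders; the script skips any certificate that does not match.
$certs = @(
    @{ Url        = 'https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt'
       Store      = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
       Thumbprint = '<thumbprint published by DigiCert>' },
    @{ Url        = 'https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt'
       Store      = 'Cert:\LocalMachine\CA'     # Intermediate Certification Authorities
       Thumbprint = '<thumbprint published by DigiCert>' },
    @{ Url        = 'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt'
       Store      = 'Cert:\LocalMachine\CA'
       Thumbprint = '<thumbprint published by DigiCert>' }
)

foreach ($c in $certs) {
    $file = Join-Path $env:TEMP ([IO.Path]::GetFileName($c.Url))
    Invoke-WebRequest -Uri $c.Url -OutFile $file -UseBasicParsing
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Fail closed: never import a file whose thumbprint differs from the expected value.
    $expected = $c.Thumbprint -replace '\s', ''
    if ($x509.Thumbprint -ne $expected) {
        Write-Warning "Skipped $($c.Url): thumbprint $($x509.Thumbprint) does not match the expected value."
        continue
    }

    # Sanity check: only a self-issued certificate belongs in the Root store,
    # and a self-issued certificate does not belong in the intermediate store.
    $isSelfIssued = ($x509.Subject -eq $x509.Issuer)
    if (($c.Store -like '*\Root') -ne $isSelfIssued) {
        Write-Warning "Skipped $($x509.Subject): certificate type does not fit store $($c.Store)."
        continue
    }

    Import-Certificate -FilePath $file -CertStoreLocation $c.Store | Out-Null

    # Confirm the certificate now appears in the intended store.
    [pscustomobject]@{
        Subject   = $x509.Subject
        Store     = $c.Store
        Installed = Test-Path -Path "$($c.Store)\$($x509.Thumbprint)"
    }
}
```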


Problem Cause

The Citrix Cloud Connector installer is signed with a DigiCert signing certificate. During installation this certificate is programmatically validated in order to ensure integrity of the components downloaded. If the Root and Intermediate certificates are not trusted on the local machine, the installer cannot be successfully verified, preventing the installation from continuing.

Note: This is usually not an issue if Windows Updates are automatically allowed.