Workspace App for Linux 1906 giving “Unacceptable TLS Certificate” error

Article ID: CTX260336

Description

This article is intended for Citrix administrators and technical teams only.

Non-admin users must contact their company's Help Desk/IT support team and can refer to CTX297149 for more information.

With the Citrix Workspace App for Linux 1906 and above, if you are using a SAML store with AuthV3, a blank window with an “Unacceptable TLS Certificate” error might appear before the logon prompt. This issue also appears if you run Fiddler with the Citrix Workspace App. This is expected behavior because of the Webkit migration from version 1 to version 2.

Resolution

Since Webkit2 reads the certificates from the system cacerts path, adding your store certificate as a system cacert and then updating your CA certificates will solve this error.

Perform the following steps:
  1. Add the root certificate of StoreFront as a system cacert. Following are the steps on a Debian/Ubuntu machine to add a certificate as a system cert. (Note: the system CA cert path may differ across distributions.)
    • Go to /usr/local/share/ca-certificates:
      • cd /usr/local/share/ca-certificates
    • Create a new folder there:
      • sudo mkdir samlstore
    • Now copy the .crt version of the root certificate of StoreFront (for example samlservercert.crt) into this folder:
      • cd samlstore
      • sudo cp ~/downloads/samlservercert.crt .
  2. Now update your CA certificates:
    • sudo update-ca-certificates
  3. Running the above command should report on your console that it added the certificate.
  4. Now terminate the daemon processes:
    • killall AuthManagerDaemon ServiceRecord
  5. Launch selfservice again and add the store. You shouldn't see the “Unacceptable TLS certificate” window anymore.
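The steps above collected into one script, as an added example that is not part of the article. It assumes Debian/Ubuntu paths and that it is run as root; the CA_DIR override is an assumption used only for dry runs, and the checks for a .crt name and PEM encoding reflect what update-ca-certificates requires.

```shell
#!/bin/sh
# Added example: wraps the article's manual steps (system CA dir, .crt naming,
# update-ca-certificates, daemon restart) in one script for Debian/Ubuntu.
# Run as root (sudo sh thisfile.sh). CA_DIR is an assumed override for dry
# runs; when unset, the article's /usr/local/share/ca-certificates is used.

install_storefront_ca() {
  cert="$1"
  subdir="${2:-samlstore}"
  ca_dir="${CA_DIR:-/usr/local/share/ca-certificates}"

  [ -f "$cert" ] || { echo "no such file: $cert" >&2; return 1; }

  # update-ca-certificates only picks up files whose name ends in .crt.
  case "$cert" in
    *.crt) ;;
    *) echo "rename $cert to *.crt; update-ca-certificates ignores other names" >&2
       return 2 ;;
  esac

  # It also expects PEM. A DER export from the StoreFront server must be
  # converted first:  openssl x509 -inform der -in cert.cer -out cert.crt
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "$cert is not PEM encoded; convert it with openssl x509 first" >&2
    return 3
  fi

  # Steps 1 and 2 of the article: copy into a subfolder, rebuild /etc/ssl/certs.
  mkdir -p "$ca_dir/$subdir" && cp "$cert" "$ca_dir/$subdir/" || return 4
  if [ -z "$CA_DIR" ] && command -v update-ca-certificates >/dev/null 2>&1; then
    update-ca-certificates || return 5
  fi
  return 0
}

# Step 4 of the article: stop the daemons so selfservice reloads the trust store.
restart_citrix_daemons() {
  killall AuthManagerDaemon ServiceRecord 2>/dev/null || true
}

# Usage (not run automatically):
#   install_storefront_ca ~/downloads/samlservercert.crt samlstore && restart_citrix_daemons
```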

Problem Cause

Webkit2 provides enhanced security, wherein TLS certificate validation failure is treated as a transport error by default, blocking any further operations.

This is because Webkit2 doesn't allow self-signed certificates. Also, cipher suites based on RC4 are not allowed during TLS negotiation, because RC4 is no longer considered secure. This causes it to give the “Unacceptable TLS certificate” error whenever it accesses a site that uses a self-signed certificate or a weak cipher.
Also, Webkit2 reads the certificates from the system cacerts path, and there seems to be no option to make it look at a custom path or custom CA bundle.