Connection failures due to SSL certificate errors with Citrix Workspace app for Chrome / Citrix Receiver for Chrome

Connection failures due to SSL certificate errors with Citrix Workspace app for Chrome / Citrix Receiver for Chrome

book

Article ID: CTX231312

calendar_today

Updated On:

Description

Connection to StoreFront/VDA will fail and may show cannot connect to server error or some SSL Certificate error in console logs. One of the reason could be invalid SSL certificate.

User-added image

Applicable Products:

Citrix Receiver for HTML5, Citrix Receiver for Chrome, Citrix Workspace app for Chrome, Citrix workspace app for HTML5

Resolution

Recommended solution: Update the certificates.

Alternatively, you can try this workaround:

  1. Close the Citrix Workspace app for Chrome / Citrix Receiver for Chrome.

  2. Open Chrome browser in your Chromebook.

  3. Visit your site.
    User-added image

  4. It will show some error as below.

Now, open the Citrix Workspace app for Chrome or Citrix Receiver for Chrome and it might allow you to access your StoreFront/VDA.

Other possible workaround for specific certificate error:

  1. NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error
    Latest Firefox and Chrome browsers  do not support SHA-1 certificate and StoreFront connection fails with error: NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
    User-added image
    Citrix Receiver for Chrome/HTML5 or Citrix Workspace app for Chrome/HTML5 cannot establish secure connection and session launch will fail
    User-added image

  2. NET::ERR_CERT_COMMON_NAME_INVALID error
    Chrome requires Subject Alternative Name for SHA-2 certificate, without SAN (Subject Alternative Name) in the SHA-2 certificate, the connection will fail with error NET::ERR_CERT_COMMON_NAME_INVALID
    User-added image
    User-added image
    Session launch fails with CERT_COMMON_NAME_INVALID(-200) error dialog
    User-added image
    Workaround for NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM and 
    NET::ERR_CERT_COMMON_NAME_INVALID:

    • Mozilla:

      Enable network.websocket.allowInsecureFormHTTPS from about:config

    • Chrome:
      Chrome by default requires SHA2 Certificate with Subject Alternative Names (SAN) 
      Add the following registry keys at :  Software\Policies\Google\Chrome\

    • EnableCommonNameFallbackForLocalAnchors – true
      (Note: Chrome need SAN by default)

    • EnableSha1ForLocalAnchors – true
      (Note: SHA1 is not supported)
      Recommended Solution: Use SHA2 certificates with Subject Alternative Names (SAN).

      Problem Cause:

    • CTX134123 - Receiver for HTML5 - Unable to Launch Apps Using HTTPS URL

    • CTX217352 - How to Collect Logs in Receiver for Chrome and Receiver for HTML5

  3. NET::ERR_CERT_SYMANTEC_LEGACY
    From Chrome OS version 66 onwards the SSL certificate from Symantec is distrusted. You can go through https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html to know more about it.
    User-added image
    User-added image
    Workaround: Try general workaround mention above.
    Recommended Solution: Update SSL certificates.

Problem Cause

Powered by Wolken Software