Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

Learn More

话题已存档。 如果需要帮助请提出新问题。

How do i "re-trust" the SSL certificate sent from a server I previously marked as untrusted?

  • 4 个回答
  • 4 人有此问题
  • 5 次查看
  • 最后回复者为 GregShaw

GregShaw
GregShaw
more options

I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)"

I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Clas 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer.

I get the same fault with Firefox 3.6.23 on Ubuntu 10.04.

(I'd rather not tell everyone here the URL of my company's remote access website)

I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)" I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Clas 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer. I get the same fault with Firefox 3.6.23 on Ubuntu 10.04. (I'd rather not tell everyone here the URL of my company's remote access website)

所有回复 (4)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Is that certificate listed on the Servers tab in the Certificate Manager?

  • Edit > Preferences > Advanced : Encryption: Certificates - View Certificates

In that case you can click the Edit button.

由cor-el于修改

GregShaw
GregShaw 提问者
more options

Thanks for the swift reply, cor-el - unfortunately, no joy with this approach.

A. As my named user (called "greg", surprise, surprise, no secret there...) Run Firefox; select Edit > Preferences > Advanced : Encryption:

Here I get no option for Certificates, but I do get View Certificates - then tabs for: 

- Servers, under which my company's remote logon URL is listed - Edit button is grey
- Authorities, under which the Verisign...G5 entry may be edited; 3 options:
        1. may identify websites (ticked)
        2. may identify mail users (unticked)
        3. may identify software makers (ticked)
  I ticked 2, tried again - same failure. Unticked it.

B. As root. Run Firefox; select Edit > Preferences > Advanced : Encryption:

Here I get no option for Certificates, but I do get View Certificates - then tabs for: 

- Servers, under which my company's remote logon URL is NOT listed
- Authorities, under which the Verisign...G5 entry may be edited; 3 options:
        1. may identify websites (ticked)
        2. may identify mail users (unticked)
        3. may identify software makers (unticked)
  I ticked 2 and 3, tried again - same failure. Unticked them.

Maybe a solution would be, in some way, to add my company's remote logon URL to the list of Servers while running Firefox as root. The Export and Import buttons may help here. However, when I first declined their certificate I was running Firefox as greg, not as root, so I am a bit suspicious there - what can be done as greg should be undoable as greg.

This is doing my head in. Maybe it's time to step back and think a bit. Maybe try Citrix's online help (already spent a fair amount of time there with no joy either).

So, thanks again for the reply - I've generally tried to provide a good list of what's up, and your reply has given me food for thought. OK, I'll keep trying.

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

If the problem is with Citrix then you need to install that certificate in the Citrix database.

GregShaw
GregShaw 提问者
more options

Thanks, cor-el. I had a look around the Citrix support site, and it seems mostly geared towards Windows users (fair enough, I suppose). Eventually I found a solution on the Ubuntu website which helped:

https://help.ubuntu.com/community/CitrixXenAppPlugin

I didn't follow the procedure to download the certificate, as I had already found it (as mentioned in OP), in /usr/share/ca-certificates/mozilla when looking for any *.crt on the system.

I did make use of the technique for telling where Citrix ICA Client expects to find its certificates, by looking for the wfica executable then following downwards through the filesystem - mine were in /opt/Citrix/ICAClient/keystore/cacerts.

Copy the Verisign certificates from the /usr/... directory to the /opt/Citrix/... directory.

Stop/start Firefox, try logging on to the work website - you see data being downloaded, and the Citrix client works fine.