Howto: Citrix Receiver on Fedora 30

It took a few tweaks to get Citrix Receiver up and running on Fedora 30. Here are the steps:

Download the latest “Redhat Web Package (Web Workspace app only).”

As I am writing this, the latest version is 1903: https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html

sudo dnf install ./ICAClientWeb-rhel-19.3.0.5-0.x86_64.rpm

Install supporting packages

sudo dnf install motif motif.i686 libXaw libXaw.i686 libidn1.34

Update Certificates (as root)

ALL_CERTS='/etc/pki/ca-trust/extracted/pem/*.pem /etc/pki/tls/*.pem /usr/share/pki/ca-trust-source/ca-bundle.trust.crt'
CITRIX=/opt/Citrix/ICAClient/keystore/cacerts
 
for x in ${ALL_CERTS}; do
     ln -sf "${x}" "${CITRIX}"
done

Edit /usr/share/applications/wfica.desktop (as root)

Change:

Exec=/opt/Citrix/ICAClient/wfica -icaroot /opt/Citrix/ICAClient %f

To:

Exec=env LD_PRELOAD="/lib64/libcrypto.so.1.0.2o" /opt/Citrix/ICAClient/wfica -icaroot /opt/Citrix/ICAClient %f
8 Likes

Hi @pegleg3941—welcome to the community! Thanks very much for this. I’ve reformatted it a bit to make the code blocks render properly.

If you’ve not already done so, please take a few minutes to go through the introductory posts in #start-here here also.

1 Like

Hello @FranciscoD and thank you for cleaning up my post. Those backticks will be really useful. I see that I also posted this in the top-level category and should not have – I will read more in #start-here.

2 Likes

Hi @FranciscoD and @pegleg3941

I followed every steps provided but i am getting a error.

Would you guys be able to assist ?

I really appreciate any help

Thanks in advance !
Dee

Fedora 30_KDE

Selection_001

2 Likes

Hey @dee,

With the instructions in the OP I have been able to open .ica files directly from my browser. Is that the same workflow that you are using, or are you launching Citrix directly from the Applications menu (or the KDE equivalent)?

When I launch the .ica file, the command works out to this (no brackets):

env LD_PRELOAD="/lib64/libcrypto.so.1.0.2o" /opt/Citrix/ICAClient/wfica -icaroot /opt/Citrix/ICAClient [file.ica]

Can you run that from the Terminal and report back with the output?

2 Likes

Yes, i am running directly from the browser ( Firefox or Chrome )…
Selection_002

Hey @dee. Thank you for starting wfica from the command line. Everything looks good so far for wfica and its libraries. I think this means that there is still a problem with the SSL certificates.

Does the server use a self-signed SSL certificate? If not, can we see the output of this command?:

ls -l /opt/Citrix/ICAClient/keystore/cacerts

Hi @pegleg3941. I really appreciate your time and effort !

Using RSA_Token →


1ec4d31a.0 -> Class3PCA_G2_v2.pem
2c543cd1.0 -> GeoTrust_Global_CA.pem
3513523f.0 -> DigiCertGlobalRootCA.pem
399e7759.0 -> DigiCertGlobalRootCA.pem
3ad48a91.0 -> BTCTRoot.pem
415660c1.0 -> Pcs3ss_v4.pem
4bcd7fc4.0 -> DigiCertSHA2SecureServerCA.pem
4d654d1d.0 -> GTECTGlobalRoot.pem
653b494a.0 -> BTCTRoot.pem
6faac4e3.0 -> Class4PCA_G2_v2.pem
72fa7371.0 -> Class3PCA_G2_v2.pem
7651b327.0 -> Pcs3ss_v4.pem
7999be0d.0 -> GeoTrust_Global_CA.pem
85cf5865.0 -> DigiCertSHA2SecureServerCA.pem
BTCTRoot.pem
c692a373.0 -> GTECTGlobalRoot.pem
lrwxrwxrwx. 1 root root  107 May 20 22:32 ca-bundle.trust.crt -> '/etc/pki/ca-trust/extracted/pem/*.pem /etc/pki/tls/*.pem /usr/share/pki/ca-trust-source/ca-bundle.trust.crt'
Class3PCA_G2_v2.pem
Class4PCA_G2_v2.pem
DigiCertGlobalRootCA.pem
DigiCertSHA2SecureServerCA.pem -> ../intcerts/DigiCertSHA2SecureServerCA.pem
ed049835.0 -> Class4PCA_G2_v2.pem
GeoTrust_Global_CA.pem
GTECTGlobalRoot.pem
Pcs3ss_v4.pem

``

Hey @dee. I think at least part of your problem is related to how these certificates were linked. For instance, look at ca-bundle.trust.crt:

'/etc/pki/ca-trust/extracted/pem/*.pem /etc/pki/tls/*.pem /usr/share/pki/ca-trust-source/ca-bundle.trust.crt'

I have been playing with a couple things over here and am not yet sure how that happened, but I did discover that my path to ca-bundle.trust.crt is an older path from a non-standard package. Could you try copying all of the certificate files into the Citrix directory?:

sudo cp -f /etc/pki/ca-trust/extracted/pem/*.pem /opt/Citrix/ICAClient/keystore/cacerts/
sudo cp -f /etc/pki/tls/*.pem /opt/Citrix/ICAClient/keystore/cacerts/
sudo cp -f /etc/pki/tls/certs/ca-bundle.trust.crt /opt/Citrix/ICAClient/keystore/cacerts/

Let me know how that goes. I’m going to play with a couple more things here as I have time.

I can see some problem here:

  1. The packages Provide is for RedHat I dont’ know the difference in this kind of packaged altought pegleg3941 instruction seem to work follow the Product procedure with a limitation …
  2. See this comment → Citrix Receiver for Linux 13.10 won't start on Fedora 29 - Page 4 - Receiver for Linux 13.x - Discussions
  3. The basic and install and setup and is up-to-date February 20, 2019
  4. Why you need i686 packages? is needed in execution time? I just do I can’t see any dependency package problem
    • sudo dnf install ICAClient-rhel-19.3.0.5-0.x86_64.rpm
  5. Start citrix receiver see TIP, The following instruction does not apply to installations made from the Web packages Why you don’t use ICAClient-rhel

If all of this doesn’t work, I think you can get more assistant in CITRIX forum → Citrix

Regards.,

Hi @pegleg3941 … i tried to copy all 3x certificate files mentioned. Only the first 2x were done without errors. The 3dr one was showing the output;

cp: not writing through dangling symlink ‘/opt/Citrix/ICAClient/keystore/cacerts/ca-bundle.trust.crt’

But i noticed that the file its already in the directory:

Selection_004.png

→ Still showing the same error " Cannot connect to “0.0.02 - Apple2Office”

Please let me know if you have any other suggestions…

Thanks again for your time !

Great instructions. I followed and had the same “cannot connect” error. I followed the instructions @ ssl certificate - Cannot connect to "0.0.0.2 - Published app name" in Citrix Receiver (ICA Client 13.10.x) - Stack Overflow and worked like a charm

pegleg3941, thank you for taking the time to figure out how to make citrix receiver work. On each fedora release, this app can be a hit or miss.

After following your steps on a fresh install of F30, the libcrypto.so.1.0.2o library was not available on my system. I had to install the rpm compat-openssl10-1.0.2o-5.fc30.x86_64.rpm to get it.

As a note to others, the citrix receiver does not work well under wayland. So you will have to use X.

When logging to a windows machine with this version of citrix, the app switch functionality of the ALT + tab hot key does not work. You will have to use meta + alt + tab to get it to work…

1 Like

Thanks a bunch, too! I was struggling with providing the right libraries for the client. Also the X tipp is great, I have been wondering.

Me too, I have been getting the error “Cannot connect to …”

After the great hints towards the certificate issue, I tried to download the ICA file, and execute it from the shell directly, which actually gave me a different error message that statet I didn’t trust Entrust CA. So I went and manually downloaded and added the cert to keystore.

That solved it for me – yay!

To reproduce:

  1. Execute the ICA file in your terminal to get the real error message
    env LD_PRELOAD="/lib64/libcrypto.so.1.0.2o" /opt/Citrix/ICAClient/wfica -icaroot /opt/Citrix/ICAClient [file.ica]
  2. Download the missing CA certificate and copy it to /opt/Citrix/ICAClient/keystore/cacerts
2 Likes

I think this thread has brought me inches away from the finish line, so big thanks to all contributors!
@theonlyandy Can you share a bit more info on how you got the error message in which the missing trust is stated?
Which “initial tutorial” command did you use?
I tried any sensible command I could find above and none of them gave me a ‘real error’ message, in which the name of an untrusted CA pops up.

Sorry that wasn’t clear, I updated my answer. Hope it helps?

1 Like

@theonlyandy It didn’t and yet it did! I still got the same non-informational Cannot connect to “0.0.0.2 something" error. But that got me thinking that I needed to check out the debug settings for the icaclient.
When I run your command, while in the same (working) directory as this file (or a copy of it): /opt/Citrix/ICAClient/nls/en/debug.ini, then I get the prophetic missing CA!

Just to report in I tried the instructions but was unable to launch anything from a webpage that has all our ICA files. Seems that Firefox or other browsers actually start Citrix using a small shell script /opt/Citrix/ICAClient/wfica.sh

I modified it to include the LD_PRELOAD library and works fine now. Otherwise it wouldn’t open up the ICA files from the web.

#!/bin/sh
ICAROOT=/opt/Citrix/ICAClient
export ICAROOT
LD_LIBRARY_PATH=/opt/Citrix/ICAClient/lib
export LD_LIBRARY_PATH
LD_PRELOAD=/lib64/libcrypto.so.1.0.2o
export LD_PRELOAD
$ICAROOT/wfica -file $1

Hope that helps someone.

3 Likes

Hi Everyone, I am new to Fedora but loving it so far. Wanted to contribute to this topic as I was struggling to get Citrix Workspace working and found this thread. Many helpful tips on there that got me 99% there. After following the many tips here, I was still getting an SSL error 61 saying that I had not trusted the godaddy root certificate. I tried exporting the godaddy certificates from firefox and then copying them to the /opt/Citrix/ICAClient/keystore/cacerts folder and then running the ./ctx_rehash command in the /opt/Citrix/ICAClient/util folder, but still got the error. Finally, I decided to go to the godaddy certificate repository and download and install the Intermediate certificate. It’s name is gdig2.crt.pem. I copied it to the cacerts folder as I had done before and then ran the ctx_rehash command again. BAM! that was it! I was in! So whoever your CA is, if you are getting the SSL error 61, try getting and installing the Intermediate certificate.
Thanks to all on this thread that helped me. I love working in Linux. It’s harder and you have to figure out things for yourself, but that’s not a bad thing.

3 Likes

Awesome! Thanks. This got citrix to work just fine via the browser. To get the Workspaces app to work as an app from the gnome shell, I modified the serlfservice.desktop file

sudo vim /usr/share/applications/selfservice.desktop
Changed the exec line to be:

Exec=env LD_PRELOAD="/lib64/libcrypto.so.1.0.2o" /opt/Citrix/ICAClient/selfservice --icaroot /opt/Citrix/ICAClient

1 Like