If you are a Linux user, have gotten SSL Error 61, and would like to know how to fix it, you have come to the right place. Getting computer error messages can be very frustrating, but we are here to help.
Out of all the possible errors that you could get if you are a Linux user, SSL Error 61 is one of the most annoying of them all.
In this article, we will explain everything that you will need to know in order to fix the error including, of course, how to go about fixing it once and for all.
What Is SSL Error 61?
Before we go into how to fix this problem, it is important to know when and why it happens.
First, let’s clarify what the error is so you can be sure that this is indeed the tutorial for you.
(Lots of people are experiencing the error over on Twitter)
citrixsupport: @aseedling Seeing a SSL Error 61? I posted some info that should help resolve this at the followi.. http://tinyurl.com/mchvyv
— Citrix (@citrix) June 16, 2009
The error that we are talking about in this article can have different text, so the best way for you to know if this tutorial article is suitable for you or not is to check whether the error that you have encountered has any of these messages:
The most common one is “The Server certificate received is not trusted (SSL Error 61)” but there could be others such as “Your app is not available. Try again later.” Or, even the following, longer, message: “Cannot connect to the Citrix XenApp Server. SSL Error 61: you have not chosen to trust ‘Certificate Authority’, the issuer to the server’s security certificate”.
If you get any of those three messages, then you know you are in the right place. As you have probably already noticed if you have read this far into the tutorial, this particular error is reported when you are using either interface apps or StoreFront.
The products affected by this error are the following:
- Receiver for Windows.
- Secure Gateway.
- NetScaler Gateway.
This error always has something to do with certificates. Very often the solution is quite simple, but there is a specific scenario (which we have left until last) that takes a little more time. In the next section of this tutorial, we will go through the solutions, beginning with the simple ones you can do yourself and leaving the most complex until last.
How to Fix It
As usual with computer errors, there are several possible solutions to it depending on what is actually causing it. Because it can be hard to know what could be causing the error, we recommend you try out different ones until you stumble upon one that does the trick for you.
Before we go into what those possible solutions are and how you would go about them, we should warn you that not everyone will be able to follow the instructions in this tutorial. You will need to be authorized as a system administrator. If you are not an authorized system administrator, you will need to contact someone who is (for example, if you get this error on a work computer, then you would most probably need to contact your IT department).
Having made that warning, let’s look at how you would go about fixing SSL Error 61. The best way to proceed is to follow our instructions in the exact order (we strongly discourage skipping steps or attempting any shortcuts).
Update The Receiver
The first thing that you need to do is to update the Receiver to its latest version. In many cases, this is, fortunately, all you will need to do to get rid of this problem. This is because very often SHA-2 certificates (do not worry too much if you do not know what this is) are not compatible with older versions of the Receiver. So, making sure that you are using the latest and most up-to-date version of the Receiver is the best way to prevent this error.
However, there is a chance that an old version of the Receiver may not be the reason behind this error, in which case this simple fix will not work.
Because this error is always caused by an issue related to certificates there are other routes that should be explored should the update not work.
Fix Missing Certificates
The next thing you should attempt is to ensure that there are no certificates missing. If the problem is not caused by the Receiver being incompatible with a specific certificate, it could be the case that there is actually a certificate missing.
A common cause for this problem is that there is either a root certificate or an intermediate certificate missing. To verify whether this is the reason or not and, more importantly, to fix it if it indeed is the reason, just follow these simple steps:
- The first thing you will need to do is head over to the official website of your SSL certificate provider (if you do not know what this is, you could just Google it) and download the relevant certificate: either the root certificate (.crt) or the intermediate certificate (.cer). Once on the website, look for the certificate bundle there and download the relevant one.
- Once you have located the certificate you will need to download it and install it on your computer (or the computer you are fixing).
- As an additional step, you might need to ask the antivirus program (if there is, indeed, one installed) to trust the certificate. Otherwise, the certificate might not install successfully.
These are all the steps you will normally need to take. Doing this will pair up the certificate that you download with the server, thus fixing the problem.
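Before downloading anything, it helps to know which issuer certificate is actually absent. The following is an added example, not part of the original article: a shell function that reads `openssl s_client -showcerts` output and prints `NEEDED` for every issuer the server did not send (the root or intermediate the client must have installed) and `SELFSIGNED` for a served self-signed certificate. The function name, host name and certificate names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): list the issuer certificates
# a client still needs, given `openssl s_client -showcerts` output on stdin.
# Real use, with HOST as a placeholder for your gateway:
#   openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null | chain_gaps

chain_gaps() {
  awk '
    BEGIN                      { n = 0 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && $0 == "---"    { in_chain = 0 }   # PEM "-----BEGIN" lines do not end the section
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; seen[$0] = 1 }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; n++ }
    END {
      for (k = 0; k < n; k++) {
        if (iss[k] == subj[k])      print "SELFSIGNED " subj[k]
        else if (!(iss[k] in seen)) print "NEEDED " iss[k]
      }
    }'
}

# Constructed sample: the server sends only its own certificate, so the
# intermediate that signed it is absent from the chain.
sample_leaf_only='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = gateway.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate'

# Constructed sample: leaf and intermediate are both sent; only the root is
# left for the client to hold in its own trust store.
sample_with_intermediate='---
Certificate chain
 0 s:CN = gateway.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate CA
 1 s:C = XX, O = Example CA, CN = Example Intermediate CA
   i:C = XX, O = Example CA, CN = Example Root CA
---'

printf '%s\n' "$sample_leaf_only" | chain_gaps
printf '%s\n' "$sample_with_intermediate" | chain_gaps
```

A `NEEDED` line naming an intermediate means the client has to install it; one naming a root is expected, since servers normally leave the root for the client's own trust store.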
Server Compliance
The only problem left is when the server certificate is not compliant. If this is the case, nothing we have discussed so far will work for you. Fortunately, there is something that you can do to fix it.
If the server certificate happens not to be compliant with RFC 3280 (again, do not worry too much if you are not sure what this means as it is not essential), then you will get this error.
There are actually several ways of fixing this problem. One of them would be to obtain a certificate that is compatible. This is normally done by informing the authority that sold the violating certificate and asking them to issue you with a new one.
If you decide to do this (and it is certainly what we would advise), make sure to ask the certificate authority to issue you a certificate that has a very specific key usage value: server authentication (1.3.6.1.5.5.7.3.1).
If this key usage value is listed among all others, it will be valid. And, of course, if it is not included the certificate will be invalid.
One way of verifying this is to check that the only two key usages listed are not the following: (2.16.840.1.113730.41) or (1.3.6.1.4.1.311.10.3.3). If they are the only ones listed, you can know for sure that the certificate is invalid.
So, why would that happen? Well, there is a reason why they are there. Generally, they serve as a signal to the Internet Explorer and Netscape web browsers to let them know about 128-bit encryption. That is good in a way, but when the server authentication (1.3.6.1.5.5.7.3.1) is missing and the only ones available are (2.16.840.1.113730.41) and (1.3.6.1.4.1.311.10.3.3), the certificate in question is actually not compliant because it violates RFC 3280.
The place where you would actually need to check for these key usage values is known as the enhanced key usage field. The incompatibility has to do with the SGC (this acronym stands for server gated cryptography).
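To check a certificate against this rule from a Linux shell, the following added example (not part of the original article) classifies the enhanced key usage line printed by `openssl x509 -noout -text`. The function name, verdict strings and sample text are constructed for illustration; the usage names are the ones OpenSSL prints, and OpenSSL registers the Netscape SGC usage as 2.16.840.1.113730.4.1.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): apply the enhanced key usage
# rule described above to `openssl x509 -noout -text` output read from stdin.
# Real use, with server.pem as a placeholder file name:
#   openssl x509 -in server.pem -noout -text | eku_verdict

eku_verdict() {
  awk '
    grab { eku = $0; grab = 0 }                 # the line after the header lists the usages
    /X509v3 Extended Key Usage/ { grab = 1 }
    END {
      gsub(/^[ \t]+|[ \t\r]+$/, "", eku)
      if (eku == "") { print "no-eku"; exit }   # extension absent: the rule does not apply
      n = split(eku, u, /, */)
      for (k = 1; k <= n; k++) {
        if (u[k] == "TLS Web Server Authentication")      server = 1   # 1.3.6.1.5.5.7.3.1
        else if (u[k] == "Netscape Server Gated Crypto")  sgc++        # 2.16.840.1.113730.4.1
        else if (u[k] == "Microsoft Server Gated Crypto") sgc++        # 1.3.6.1.4.1.311.10.3.3
        else other++
      }
      if (server)             print "compliant"       # server authentication is listed
      else if (sgc && !other) print "sgc-only"        # the non-compliant case from the text
      else                    print "no-server-auth"  # other usages, but not server authentication
    }'
}

# Constructed sample: only the two SGC usages are listed.
sample_sgc_only='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                Netscape Server Gated Crypto, Microsoft Server Gated Crypto'

# Constructed sample: server authentication is listed alongside the SGC usages.
sample_with_server_auth='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto'

printf '%s\n' "$sample_sgc_only" | eku_verdict
printf '%s\n' "$sample_with_server_auth" | eku_verdict
```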
Contact Certificate Seller
If this is the case, there are no quick fixes other than contacting whoever sold you the certificate and asking for a new one.
We do recommend, however, that you do not do this until you have exhausted the two possible solutions that we went through earlier. Only if they do not fix the problem should you proceed to this final fix.
We are aware that this can be inconvenient because you will need to wait until you receive the new certificate. Once you do receive the new certificate, you should check it is indeed correct by verifying that the enhanced key usage on the new certificate lists the correct server authentication value.
If the new certificate that you received as a replacement seems okay to you, then you will have to replace the old (violating) one on the NetScaler Gateway server. In order to do this, you will need to use the snap-in for MMC (Microsoft Management Console) certificates. With the new certificate in place, the error will be fixed for good.
Summing Up
We hope we have helped you fix Linux SSL Error 61. If you have any other tips or would like to share your experience dealing with this error, please consider leaving us a message in the comments section below.