An Engineers Notebook

Common SSL Errors

Common causes of SSL
errors, from the client side:

 

1. Ensure that your
systems date/time is correct.

2. Ensure that you
are running the latest service pack and hotfixes

3. Ensure that you
apply any “optional” root cert updates from the Windows update site.

4. Ensure that the
Citrix ICA client is up to date and any older versions are removed.

5. If using Java,
ensure that you are on the latest version of Sun Java.

6. Disable any local
firewalls to ensure that a mis-configuration is not interfering with access to
the Citrix servers.

7. Disable the VPN
client prior to connecting to Citrix

8. Attempting to
access Citrix from another organizations network that may not permit such
access. (Usually they are running a proxy server that brokers Internet access)

 

 

SSL Error 15: SSL
security contact is invalid or expired

Resolution: Ensure
that the Citrix ICA client is current. Also ensure all other Citrix client
versions are removed. Look in Add/Remove programs for anything related to
Citrix or Metaframe and uninstall those instances. Then install the latest
version of the Citrix ICA client.

 

SSL Error 29: Proxy
denied access to port 1494 STA… from Web Resource in an Advanced Access
Control Farm.

Resolution: Escalate
to the Citrix team for immediate attention

 

SSL Error 37: Cannot
connect to the citrix Metaframe server. There is no route from the Citrix SSL
Relay to the specified subnet address.

Resolution: Escalate
to the Citrix team for immediate attention

 

SSL Error 40: The
Citrix SSL relay name could not be resolved

Resolution: Check
local software firewalls. Norton 360, Symantec Security Suite and ZoneAlarm
have been known to cause problems when incorrectly configured

 

SSL Error 45: The
Citrix Relay sent an alert. Please contact your Citrix Administrator

Resolution: ?

 

SSL Error 49: The
Remote SSL peer sent a bad certificate alert

Resolution: Ensure
all other Citrix client versions are removed. Look in Add/Remove programs for
anything related to Citrix or Metaframe and uninstall those instances. Then
install the latest version of the Citrix ICA client.

 

SSL Error 55: The
remote SSL peer sent an unrecognized alert

Resolution: The SSL
Error 55 is caused by an invalid (or missing root) certificate. Ensure that the
date/Time on your workstation is correct and that you have all the latest
patches AND root cert updates.

 

SSL Error 59:
Security alert: The name on the security certificate does not match the name of
the server

Resolution: User has
a VPN client installed and needs to disable this service before connecting to
CITGO. Also check local software firewalls. Norton 360 and ZoneAlarm have been
known to cause problems when incorrectly configured. Ensure the last Service
Packs, hotfixes and root certs have been updated.

 

SSL Error 61: The
server certificate received is not trusted

Resolution: Ensure
that the date/Time on your workstation is correct and that you have all the
latest patches AND root cert updates.

 

SSL Error 68: the
SSL certificate is not yet valid

Resolution: Ensure
that the date/Time on your workstation is correct and that you have all the
latest patches AND root cert updates.

 

SSL Error 70: The
connection was rejected. The SSL certificate is no longer valid. Please contact
your Citrix Administrator.

Resolution: Single
user incident, ensure that the date/Time on your workstation is correct and
that you have all the latest patches AND root cert updates. Multiple user
incident, escalate to the Citrix team for immediate attention.

Also reported:
Create an exception in Windows Firewall for IE, per below. If this works,
please report the incident to level 2 support for further evaluation.

 

SSL Error 73: One or
more of the root certificates in the keystore are not valid

While not confirmed
to resolve the issue, the Macintosh root certificate was determined to be in a
CER format. Mac certificates need to be in a DER format with an extension of
“.crt”.

-Or –

On the Macintosh,
the root certificate has been copied properly to the keystore/cacerts folder,
but the user is receiving the above SSL Error when trying to connect. (See
CTX104638 for resolution)

 

SSL Error 78:
Certificate could not be checked for Revocation. Cannot connect to the citrix
metaframe server.

Resolution: The
client device does not have an installed or registered DLL for verifying the
Certificate Revocation List (CRL). The Win9x/WinNT 4 operating systems do not
support CRL checking. Additionally, ensure that the latest Citrix client is
installed. If using an older OS, it might be possible to use the Java client to
work around this issue. Uninstall the ICA client and do not install the ICA
client when prompted. This will default you to the Java client.

Leave a Reply

Your email address will not be published.