IBM Support

** Troubleshooting ** "You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate" errors launching Controller on Cloud

Troubleshooting


Problem

User authenticates to the Citrix storefront website, powered by IBM Cloud. User clicks on the Controller icon. An error appears.

Symptom

The exact error will vary depending on environment, but it will look similar to:

Windows PC:

image-20190905160957-1
Cannot connect to the Citrix XenApp server
SSL Error 61: You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate.

Mac:
image-20190905161003-2
You have not chosen to trust "DigiCert SHA2 Secure Server CA", the issuer of the server's security certificate.
Contact your help desk for assistance.

Cause

There are several different possible causes:

  • Scenario #1 (most likely) - User's client device is using an old (unsupported) Citrix client.
    • For more details, see separate IBM Technote #1700416.

  • Scenario #2 - User's client device does not trust the relevant SSL certificate.
    • In one real-life customer case, the client MAC device did not trust the 'intermediate' certificate.

Resolving The Problem

Scenario #1

Upgrade client device to the latest Citrix client (also known as 'Citrix Receiver' and 'Citrix ICA client').

  • For more details, see separate IBM Technote #1700416.

Scenario #2

Install relevant SSL certificate on your client device.

Steps:

In one real-life example, where the client device was based on MacOS, the following steps solved the problem:

1. Check which certificate needs to be installed

  • TIP: This can be checked by opening the wild certificate ("*.controller.ibmcloud.com") from the IBM cloud website:

image-20181105190512-1

2. Select the 'details' drop-down:

image-20181105190718-3

3. At the bottom of the certificate, find the location of where digicert holds its intermediate cert.

  • In the above example, the link is:    http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

4. Click on that link to download the required certificate

5. Add this CRT file to your client device's keystore:

image-20181105190941-1

6. Test.

Internal Use Only

RC Nov 5th 2018: Created to document TS001540320

============================

[{"Business Unit":{"code":"BU002","label":"Business Analytics"},"Product":{"code":"SSMRTZ","label":"Cognos Controller on Cloud"},"Component":"","Platform":[{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"}],"Version":"10.3.1","Edition":""}]

Document Information

Modified date:
05 September 2019

UID

ibm10738725