MMAgeek
Enthusiast
Enthusiast

workspace agent sign-in error "unable to get local issuer certificate"

We are running Horizon Workspace 1.5 and Agents 1.5.2. The users are Windows 7 linked clones. Workspace SSL cert is a GlobalSign cert. The full chain is presented on the load balancer and connector VA including the server, intermediate and root CA certs.

User access to the internet (ie to verify the Root CA) is via a proxy server that uses their AD credentials. IE is configured via group policy to use this proxy. proxy is bypassed for internal LAN connectivity to Workspace.

If a user opens the workspace URL https://workspace.domain.org  using Internet Explorer they get no SSL certificate errors and it validates the complete SSL chain.

When the user opens the workspace agent they get an error prior to logging on "unable to get local issuer certificate". Once they accept this error and login they never see it again - unless they log out of workspace and need to log in again

Is it possible that the workspace agent is not using the IE proxy configuration initially, hence the reason it cannot validate the SSL chain?

How can we resolve this? Its not breaking anything but we are getting helpdesk calls sometimes about this.

0 Kudos
3 Replies
Seb1180
Enthusiast
Enthusiast

If you figure this out I would be curious to know the answer as I think I have the same "issue". Not really an issue as you click once and then it is gone but indeed always better to avoid those calls.

For me it started to happen as soon as I started using a wildcard certificate instead of a SAN cert.

Cheers

Seb

0 Kudos
rtindall
Enthusiast
Enthusiast

How many connectors do you have? Have you verified that the certificate you loaded for the Globalsign cert on the connectors as well?

0 Kudos
rtindall
Enthusiast
Enthusiast

This command can be run from the gateway-va or other va's, trying to verify certificate

Or from a machine that has openssl installed

OpenSSL> s_client -connect connector-hostname:443

0 Kudos