We are running Horizon Workspace 1.5 and Agents 1.5.2. The users are Windows 7 linked clones. Workspace SSL cert is a GlobalSign cert. The full chain is presented on the load balancer and connector VA including the server, intermediate and root CA certs.
User access to the internet (ie to verify the Root CA) is via a proxy server that uses their AD credentials. IE is configured via group policy to use this proxy. proxy is bypassed for internal LAN connectivity to Workspace.
If a user opens the workspace URL https://workspace.domain.org using Internet Explorer they get no SSL certificate errors and it validates the complete SSL chain.
When the user opens the workspace agent they get an error prior to logging on "unable to get local issuer certificate". Once they accept this error and login they never see it again - unless they log out of workspace and need to log in again
Is it possible that the workspace agent is not using the IE proxy configuration initially, hence the reason it cannot validate the SSL chain?
How can we resolve this? Its not breaking anything but we are getting helpdesk calls sometimes about this.
If you figure this out I would be curious to know the answer as I think I have the same "issue". Not really an issue as you click once and then it is gone but indeed always better to avoid those calls.
For me it started to happen as soon as I started using a wildcard certificate instead of a SAN cert.
This command can be run from the gateway-va or other va's, trying to verify certificate
Or from a machine that has openssl installed
OpenSSL> s_client -connect connector-hostname:443