CTX223828

Citrix Cloud Connector Installation does not complete: Unable to validate certificate chain

Applicable Products

  • Citrix Cloud

Symptoms or Error

Citrix Cloud Connector does not complete its initial installation or is unable to upgrade to the latest Cloud Connector version. The installation is blocked because the installer cannot validate the code signing certificate of the downloaded Citrix Cloud components, which may be due to the certificates installed on the machine or an expired signature. To verify that this is occurring:

  • Navigate to the local logs generated by the connector at: %ProgramData%\Citrix\WorkspaceCloud\InstallLogs
  • Open the most recent logs and search for the following string: “Verified download failed EdgeServiceComponents”. Its presence indicates a problem with downloading and verifying the Cloud Connector components.

Solution

The Root and Intermediate certificate authorities used to sign the Citrix Cloud Connector need to be trusted on the local machine where the Citrix Cloud Connector is being installed. Cloud Connector binaries and the endpoints that the Cloud Connector contacts are protected by X.509 certificates issued by DigiCert, a widely respected enterprise certificate authority (CA). DigiCert employs Certificate Revocation List (CRL) servers using HTTP on port 80 instead of HTTPS on port 443 to verify these certificates during Cloud Connector installation. Cloud Connector components themselves do not communicate over external port 80. The need for external port 80 is a byproduct of the certificate verification process that the operating system performs.

Here is the primary way to resolve this issue:

  • Download a new Connector installation package from the resource location page on Citrix Cloud.
  • Open HTTP port 80 to *.digicert.com on the Cloud Connector. This port is used during Cloud Connector installation and during the periodic CRL checks. For more information about how to test for CRL and OCSP connectivity, see https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm on the DigiCert web site.
  • Ensure Windows Updates are enabled and there’s connectivity from the Citrix Cloud Connector to the following URIs. These addresses need to be contactable from the Cloud Connector machine(s) to ensure proper certificate validation:
    • http://crl3.digicert.com
    • http://crl4.digicert.com
    • http://ocsp.digicert.com
    • http://www.d-trust.net
    • http://root-c3-ca2-2009.ocsp.d-trust.net
    • http://crl.microsoft.com
    • http://oneocsp.microsoft.com
    • http://ocsp.msocsp.com
  • Ensure the machine has the Root and Intermediate certificates (used by the Citrix Cloud Installer) installed in the certificate store on the local machine. You can manually install the certificates by following the instructions below.
  • Communication with the following addresses is enabled:
    • https://*.digicert.com
  • The following certificates need to be installed:
    • https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
    • https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
    • https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
    • https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
    • https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt
    • https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt
    • https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
    • https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt
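The log check from the Symptoms section and the port 80 reachability requirement above can be tested together from the Cloud Connector machine. This is an added example, not Citrix's own tooling; it assumes Windows PowerShell with the built-in Test-NetConnection cmdlet, and the choice of five log files is arbitrary.

```powershell
# Added example. Run on the Cloud Connector machine.
$logDir  = Join-Path $env:ProgramData 'Citrix\WorkspaceCloud\InstallLogs'
$pattern = 'Verified download failed EdgeServiceComponents'

# 1. Search the five most recent install logs (count is an assumption)
#    for the failure string named in the Symptoms section.
if (Test-Path $logDir) {
    $hits = Get-ChildItem -Path $logDir -File -Recurse |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 |
        Select-String -SimpleMatch -Pattern $pattern
    if ($hits) {
        $hits | Select-Object Filename, LineNumber, Line | Format-List
    } else {
        Write-Output "No '$pattern' entries in the most recent logs."
    }
} else {
    Write-Warning "Log folder not found: $logDir"
}

# 2. Test outbound TCP 80 to the CRL/OCSP hosts listed on this page.
$revocationHosts = @(
    'crl3.digicert.com', 'crl4.digicert.com', 'ocsp.digicert.com',
    'www.d-trust.net', 'root-c3-ca2-2009.ocsp.d-trust.net',
    'crl.microsoft.com', 'oneocsp.microsoft.com', 'ocsp.msocsp.com'
)
$results = foreach ($name in $revocationHosts) {
    $t = Test-NetConnection -ComputerName $name -Port 80 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host          = $name
        Port80Open    = $t.TcpTestSucceeded
        RemoteAddress = $t.RemoteAddress
    }
}
$results | Format-Table -AutoSize

# 3. Summarise any host that could not be reached on port 80.
$blocked = @($results | Where-Object { -not $_.Port80Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("Port 80 blocked or unresolved for: " + ($blocked.Host -join ', '))
}
```

Test-NetConnection opens a direct TCP connection and does not use a web proxy, so on proxied networks a failure here is a prompt to check the proxy allow list rather than proof of a firewall block.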
Installing the certificate

  1. Open the MMC certificate store on the Citrix Cloud Connector exhibiting the behavior (see https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx). Make sure to select the Computer account option when prompted by the Certificates snap-in.

  2. Navigate to https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt and download the Root certificate.

  3. Open the certificate and choose “Install Certificate…”

  4. Ensure that the “local machine” option is targeted

  5. Validate that the Root certificate shows up under the proper Certificate Store

  6. Navigate to https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt and download the Intermediate certificate.

  7. Open the certificate and choose “Install Certificate…”

  8. Ensure that the “local machine” option is targeted

  9. Validate that the Intermediate certificate shows up under the proper Certificate Store.

  10. Repeat the above steps for any missing required certificates listed in the "The following certificates need to be installed:" section.
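Steps 5 and 9 (validating that each certificate landed in the proper store) can be checked for every downloaded file at once. This is an added example, not part of the Citrix procedure; the folder `C:\Temp\ConnectorCerts` is an assumed location for the .crt files downloaded from the URLs listed above.

```powershell
# Added example. $certDir is an assumed folder containing the .crt files
# downloaded from the certificate URLs listed on this page.
$certDir  = 'C:\Temp\ConnectorCerts'
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$report = foreach ($file in Get-ChildItem -Path $certDir -Filter '*.crt') {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $file.FullName

    # Self-signed certificates (subject equals issuer) are roots and belong in
    # "Trusted Root Certification Authorities" (Root); all others are
    # intermediates and belong in "Intermediate Certification Authorities" (CA).
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $storePath = "Cert:\LocalMachine\$storeName\$($cert.Thumbprint)"

    [pscustomobject]@{
        File       = $file.Name
        Subject    = $cert.GetNameInfo($nameType, $false)
        Store      = "LocalMachine\$storeName"
        Installed  = Test-Path -Path $storePath
        Expired    = $cert.NotAfter -lt (Get-Date)
        Thumbprint = $cert.Thumbprint
    }
}
$report | Sort-Object Store, Subject | Format-Table -AutoSize

# Summarise anything still missing from the local machine store.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -eq 0) {
    Write-Output 'All downloaded certificates are present in the local machine store.'
} else {
    Write-Warning ("Not installed: " + ($missing.File -join ', '))
}
```

Before installing a downloaded root into the Trusted Root store, compare the thumbprint printed here against the value published by the issuing CA.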

Problem Cause

The Citrix Cloud Connector installer is signed with a DigiCert signing certificate. During installation this certificate is programmatically validated in order to ensure integrity of the components downloaded. If the Root and Intermediate certificates are not trusted on the local machine, the installer cannot be successfully verified, preventing the installation from continuing.

Note: This is usually not an issue if Windows Updates are automatically allowed.