**UPDATE:** This issue has been corrected as of Receiver 5.9 for iOS.
So I’ve run into this problem a few times over the past couple of weeks and wanted to get the word out. Apparently the timing is just right: people who put SSL certificates on their NetScaler Gateway, Secure Gateway, or CAG are hitting that refresh cycle and renewing their SSL certificates, and a lot of times it appears to have gone well, UNTIL they test and realize their mobile devices can no longer connect and are getting a generic “Connection Error. Citrix Receiver could not establish connection with the remote host/server”. If this is you, then read on.
So what is happening here is a Citrix known issue, and there is a KB for it: see CTX136348 for the “Citrix” detailed explanation. In a nutshell, all certificates issued with an expiration date past January 2017 now require SHA2 as the hashing algorithm. This is Microsoft forcing the industry’s hand, and they have a security advisory HERE you can review if you’re bored. This pretty much affects all the mobile Receivers, and you can verify that against the latest Receiver Client Feature Matrix.
You can also further prove this by pulling down the advanced trace logs from the mobile Receiver. On iOS, enable Advanced Logging under Settings->Advanced in the app. Once that is on, try to launch an app to reproduce the error, then go back to Settings->Send Feedback, select “Request Help from Support”, and email yourself the log ZIP file.
Once you have the zip file extracted, review the latest log and you will find a line like this:
```
18-02-2014 10:21:45 – INFO: host_error_dialog error:183, options: 1, error string: You have not chosen to trust “Go Daddy Secure Certificate Authority – G2”, the issuer of the server’s security certificate.
Error Number: 183.
```
I don’t have an ETA on when this is expected to be corrected; I’m trying to find out. In the meantime, you will want to call your SSL provider (or, if available, just do it via their website GUI), but make sure to get a SHA1 cert that expires before 2017. I know I’ve had both GoDaddy and DigiCert clients who have done this without issue. That’s the only workaround until Receiver is corrected.
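If you want to see the mismatch in the certificate itself rather than in the Receiver log, here is an added example (mine, not Citrix’s and not from the post): a stdlib-only Python check that reads the outer signature algorithm and notAfter out of each DER certificate in a gateway chain and flags any cert that a mobile Receiver before 5.9 would reject. The function names, the `SHA2_CUTOFF` constant and the two certificates at the bottom are my own; those certificates are constructed, abridged DER fixtures that only mimic the fields the parser reads, so on a real gateway you would feed `check_chain` the bytes from `ssl`’s `getpeercert(binary_form=True)` or an exported .cer file instead.

```python
from datetime import datetime

SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # OID 1.2.840.113549.1.1.5
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # OID 1.2.840.113549.1.1.11
SIG_ALGS = {SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
SHA2_CUTOFF = datetime(2017, 1, 1)  # expiry on/after this: CAs issue SHA-2 only

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_cert(der):
    """(signature algorithm name, notAfter) of one DER-encoded v3 Certificate."""
    _, cert, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs, pos = _tlv(cert, 0)
    _, alg, _ = _tlv(cert, pos)         # outer signatureAlgorithm: the hash the client needs
    _, oid, _ = _tlv(alg, 0)
    pos = 0
    for _ in range(4):                  # skip [0] version, serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)     # validity ::= SEQUENCE {notBefore, notAfter}
    _, _, pos = _tlv(validity, 0)
    tag, t, _ = _tlv(validity, pos)     # UTCTime (0x17) or GeneralizedTime (0x18)
    s = t.decode("ascii")
    if tag == 0x17:                     # RFC 5280: two-digit years pivot at 1950
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return SIG_ALGS.get(oid, oid.hex()), datetime.strptime(s[:14], "%Y%m%d%H%M%S")

def check_chain(chain):
    """Per cert: (alg, notAfter, past SHA-2 cut-off?, usable by mobile Receiver < 5.9?)."""
    return [(a, e, e >= SHA2_CUTOFF, a == "sha1WithRSAEncryption")
            for a, e in map(inspect_cert, chain)]

# Constructed, abridged DER fixtures (no subject/SPKI, dummy signature); not CA output.
def _enc(tag, body):                    # short-form lengths only (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

def _fixture(sig_oid, not_after):
    alg = _enc(0x30, _enc(0x06, sig_oid) + b"\x05\x00")
    validity = _enc(0x30, _enc(0x17, b"140201000000Z") + _enc(0x17, not_after))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + alg + _enc(0x30, b"") + validity)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 4))

OLD_SHA1 = _fixture(SHA1_RSA, b"160301000000Z")          # the cert that still worked
RENEWED_SHA256 = _fixture(SHA256_RSA, b"170301000000Z")  # the renewal that broke mobile
```

Any intermediate in the chain matters as much as the leaf: the Receiver log above complains about the Go Daddy G2 issuer, so run `check_chain` over every certificate the gateway sends, not just the server cert.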
And in fairness, I should point out that a man much smarter than I, Phillip Jones (@P2Vme on Twitter) beat me to blogging about this by a couple of days but I had it in my drafts!! 😉 But you can read his much more eloquently worded and detailed article at his blog HERE. Both he and his blog are good ones to follow.