In most situation, if you get this error, it means that there are some configuration errors in your Citrix environment. You can refer to below Citrix article for more information.
https://support.citrix.com/article/CTX124143
But, this week when we tried to renewal our netscaler certificate, we got a problem that:
1. Windows Machines works well with the new certificate. End users can start their VDIs with out any problem;
2. Windows Thin client which is running Windows Embedded XP can’t start VDI. They always got the error code’1030′
3. Some Linux thin client users can start their VDI, while some of them can’t. For who can’t start their VDI they got an error message said that S’SSL error’
Finally, after two days investigation, we fixed this issue.
1. Use Symantec SSL toolbox to scan the certificate installed on our server. We found below error message
It means that for some old client, they may get problem without the chain. So download the chain and put it into the certificate on Netscaler.
2. After we fixed the chain issue, our thin client still can’t connect. And we found that for the thin client which is running Citrix Receiver 13.1, it can connect. And then we checked Citrix Receiver version changelog and we found
New features in this release Native Smartcard authentication to StoreFront Session Reliability for robust HDX connection SHA-2 encryption for enhanced security Improved 64-bit packaging to enable access from 64-bit Linux distributions https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-131.html
Well, that’s the key point. For thin client have, they are still using citrix online plugin 11.2 or Citrix Receiver 13.0 for Linux.
So we changed our certificate to SHA1, and all works.
The next step is to upgrade Citrix Receiver to the latest version on all Thin Client and then deprecation SHA-1 certificate and moving to SHA-2.