citrix receiver linux breaks every couple years

and I spend a week looking for the answer – the basic searches lead to dead ends with old articles about server side stuff

searches like

citrix receiver COMODO RSA

don’t help you find the “good stuff”

the good stuff is #5 here:
quoteing for posterity

By default, Citrix Receiver only trusts a few root CA certificates, which causes connections to many Citrix servers to fail with an SSL error. The 'ca-certificates' package (already installed on most Ubuntu systems) provides additional CA certificates in /usr/share/ca-certificates/mozilla/ that can be conveniently added to Citrix Receiver to avoid these errors:

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/
sudo c_rehash /opt/Citrix/ICAClient/keystore/cacerts/