Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Exception while trying to connect to an OPC UA Server

More
19 Sep 2023 12:19 #12160 by support
Hello.

Yes, the key delivered with the latest upgrade assurance extension you have purchased covers version 2023.1.

Here are the instructions:

- opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...UA%20Application%20Dialog.html

Regards

Please Log in or Create an account to join the conversation.

More
19 Sep 2023 12:09 #12159 by micham
Hi,

Thank you. Yes, I will rebuild my application using the latest version 2023.1.

Two questions:
1. Do I need a new license for this version?

2. How can the user invoke the OPC UA Application Administration dialog?

Thank you.

Michael

Please Log in or Create an account to join the conversation.

More
19 Sep 2023 08:15 #12158 by support
Hello,

going back to the "concepts" of the PKI, I was told that a good introduction is here (haven't really checked it):
.

I understand that now you might have that part (certificate placement) correctly in place and the problem could be elsewhere; I just wanted to provide additional info.

Regards

Please Log in or Create an account to join the conversation.

More
19 Sep 2023 07:19 #12157 by support
Hello,
Thank you.

I can confirm that these are probably the rights certificates. At least, their subject names are the same as in the original error message, and the server certificate states the name of the issuer name properly.

Can you confirm that the error message you are now getting on the client is precisely the same as before? Ideally, grab it again and post it here?

Secondly, it looks like you are in position to make some changes/rebuild your application, right? Would it be possible that you upgrade to the newest QuickOPC version (if you have not done that yet), and extend the application so that the end user can invoke the OPC UA Application Administration dialog? Not only would that greatly enhance your product , but it would make it easier to troubleshoot further.

Regards

Please Log in or Create an account to join the conversation.

More
19 Sep 2023 05:14 #12156 by micham
Hi,

Thank you for your answer. It appears that there are 2 certificates files for this Honeywell OPC UA server:
GTCHVE3SA01 OPCUA Server [0A28546080771BC34C980B975E14BEE7A5B42D21].der
rootCA.der

These 2 certificate files are placed together in the folders that you have suggested creating.
So it looks as if the "rootCA.der" certificate is the CA (issuer) certificate that you have mentioned. See attached zip file.

Despite all that our OPC Client fails to connect and an error is displayed.

Any idea what is wrong?

Thank you.

Michael

File Attachment:

File Name: Certificates.zip
File Size:3 KB
Attachments:

Please Log in or Create an account to join the conversation.

More
17 Sep 2023 13:55 #12154 by support
Hello.

In general I recommend you look around for information about OPC UA security with CA certificates - in OPC UA specifications, or elsewhere on the Web, or via some trainings. It is a long subject.

But I will try in the briefest form:

The server you are trying to connect to does not have "just" its own, self-signed certificate, which was what you were probably dealing with so far in other setups. Its certificate (server certificate) has been issued by some other entity - certificate authority (CA). And inside the server certificate, there is a reference to the issuer certificate (a simple two-element chain; in other cases the chain be longer).

This is usually done in this way so certificates for various client and servers cannot "just" be created on the fly, but are created by the CA, and somebody (the CA operator) actually has control of what goes into the system. And certificates created without the CA won't work.

OPC UA specification requires that the client *must* validate the whole chain - not just the server certificate, but also all issuer certificates in its chain. I have sent you the references to those specs. But your client application has not been given the issuer (CA) certificate. So it will keep rejecting the server until this is fixed.

Whoever had set up the OPC UA server, must have been the using the CA, because the server has the certificate that was generated by the CA.

In some cases, the CA is "inside" the OPC UA system, and is represented by GDS/CM (Global Discovery Server/Certificate Manager services). In other cases, it is some system unrelated to OPC UA. This is something your customer must know, otherwise there is no help. I have no way of knowing.

In order to resolve the issue, you/your customer's task is to obtain the CA certificate (public part) from the CA, and place it onto the client side in the way I described.

Note that the OPC UA server must also have it somewhere, currently.

Regards

Please Log in or Create an account to join the conversation.

More
17 Sep 2023 13:40 #12153 by micham
Hi,

Yes, I don't know what is a "CA (issuer) certificate" is...

Can you explain and assist?

Thank you.

Please Log in or Create an account to join the conversation.

More
17 Sep 2023 13:35 #12152 by support
Hello.

From your description, you/your customer have not done what I have instructed you to do. There are at least two significant differences:

1) You wrote "... and placed the server's certificate in it. ". I have not instructed you to place the server certificate there. I have instructed you to place the CA (issuer) certificate there. Without understanding the difference between the server certificate and issuer certificate, and dealing with them correctly, you will not be able to make it work.

2) In addition, I instructed you to put the certificate into two places, not just the one you listed - but that would only make difference after you actually place there the issuer certificate, and not the server certificate.

Regards

Please Log in or Create an account to join the conversation.

More
16 Sep 2023 15:16 #12151 by micham
Hi,

Thank you for your answer. We have manually created the "C:\ProgramData\OPC Foundation\CertificateStores\UA Certificate Authorities\certs" folder and placed the server's certificate in it. Now UA Expert connects with the server with no errors. See the attached video.

Our OPC UA Client that is based on your component still fails to connect. Do you understand why UA Experts can connect with no errors and our OPC client is unable to connect?

Thank you.
Michael

UAExpertGo...tion.mp4

Attachments:

Please Log in or Create an account to join the conversation.

More
15 Sep 2023 12:57 #12148 by support
Thank you.

It looks like that the newer UA stack from OPC Foundation (which we link to) has stricter checks. Specifically, it is now compliant with OPC UA specification which, for Bad_CertificateChainIncomplete error, says that "An error during the chain creation may not be suppressed." (there are errors that the spec allows the user to suppress, and other errors that must not be suppressed). This explains three things at once: 1) why AcceptAnyCertificate = true does not work in this case, 2) why the application doe snot show a pop-up to the user showing the error and offering him the choice to accept the certificate, and 3) why no RejectedCertificates folder has been created yet.

Reference: reference.opcfoundation.org/Core/Part4/v105/docs/6.1.3 - Table 106

So the only option is to do it right: I.e. place the CA (issuer) certificate as described earlier.

Best regards

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.091 seconds