Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

QuickOPC on Windows Server by Apache webserver

More
15 Feb 2023 18:30 #11543 by Pala
the contents of the folders are identical

screenshot and after Error











Fatal error: Uncaught com_exception: <b>Source:</b> Opc.Ua.Configuration<br/><b>Description:</b> OPC UA service result - {BadConfigurationError}. Cannot access certificate private key. Subject=CN=CGI / FastCGI. Cannot access certificate private key. Subject=CN=CGI / FastCGI
Attachments:

Please Log in or Create an account to join the conversation.

More
15 Feb 2023 18:11 #11542 by support
Thank you,

this is interesting.

Can you try to copy the whole "C:\OPC Foundation" structure over to "c:\ProgramData\OPC Foundation"? (keeping the original contents where not replaced).

And, if you still get error, be careful in reading its details. It is really the same as before? (if things start working regarding the client certificate, the next common error is the validation of the server certificate, which looks similarly but is different).

Best regards

Please Log in or Create an account to join the conversation.

More
15 Feb 2023 18:06 #11541 by Pala
for A ) Create the "incorrect" folder (folder structure) and provide permissions to it

the folder already exists and inside there are the certificates
permission for this folder is ok for all users

Attachments:

Please Log in or Create an account to join the conversation.

More
15 Feb 2023 16:50 #11538 by support
Hello,
and thank you very much, this has helped.

There are entries in the log that indicate where the problem is probably coming from, such as:
Information(162): The OPC-UA engine will resolve the client instance certificate parameters directory store path to "\OPC Foundation\CertificateStores\MachineDefault".

The directory is not correct - it should be "c:\ProgramData\OPC Foundation\CertificateStores\MachineDefault". In the component configuration, it is defined as "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault", and %CommonApplicationData% should resolve to "C:\ProgramData", but it appears that under this host, it resolves to an empty string.

Will investigate further - but cannot do so right now, I am out of office this week. Possible workaround that come to my mind, and that we can explore then:

A ) Create the "incorrect" folder (folder structure) and provide permissions to it.
B ) Change the component configuration so that it specifies an absolute path directly and not with the %CommonApplicationData% symbol.
C ) Create the certificate manually and place it to the correct place.

You can provide try A ) yourself; instructions might be needed for B ) and C ).

Best regards

Please Log in or Create an account to join the conversation.

More
14 Feb 2023 16:28 #11532 by Pala
Hì new log file for you in attachment

File Attachment:

File Name: log.txt
File Size:9 KB
Attachments:

Please Log in or Create an account to join the conversation.

More
09 Feb 2023 19:10 #11526 by support
Hello, and thank you.

Regarding #3: This looks like misunderstanding. What you have posted is probably the outcome of the ReadValue operation in the example. But I wanted the whole series of events, the stuff that comes to the "function LogEntry($Sender, $E)". Obviously, the example is for PHP under console, you will need to modify it a bit to capture the incoming events somehow.

Regards

Please Log in or Create an account to join the conversation.

More
09 Feb 2023 17:36 #11525 by Pala
answer

Can you please answer additional questions:
1. Which version&build of QuickOPC are you using?
2022.2 (5.70.1053.1)

2. Are you absolutely sure that the permissions on folders under "c:\ProgramData\OPC Foundation\CertificateStores\MachineDefault" also allow writing from the Apache server?
yes

3. Can you please collect and report here the events generated by QuickOPC - see opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...PC%20UA%20event%20logging.html .
Failure: Source: Opc.Ua.Configuration
Description: OPC UA service result - {BadConfigurationError}. Cannot access certificate private key. Subject=CN=CGI / FastCGI. Cannot access certificate private key. Subject=CN=CGI / FastCGI

Please Log in or Create an account to join the conversation.

More
09 Feb 2023 09:37 #11523 by support
Thank you.

The outcome is not precisely the same, there is now "+CGI + FastCGI+ [ABD53CDFA4029CC6E79A96ACFC62C33C408EFFDA].der" in "c:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs", and I assume this is for the Apache process. This is good.

However, the correct outcome would be that also
1. This file is also in "c:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs". This couldbe fixed simply by copying it in there, BUT it's of no use without:
2. A file with the same name but .PFX extension would be in "c:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private". This will contain the private key of the certificate. Without it won't work, unfortunately.


Can you please answer additional questions:
1. Which version&build of QuickOPC are you using?
2. Are you absolutely sure that the permissions on folders under "c:\ProgramData\OPC Foundation\CertificateStores\MachineDefault" also allow writing from the Apache server?
3. Can you please collect and report here the events generated by QuickOPC - see opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...PC%20UA%20event%20logging.html .

Best regards

Please Log in or Create an account to join the conversation.

More
08 Feb 2023 17:13 #11522 by Pala
We have enabled read/write permissions for users in the path indicated , but result does not change

I have created a news file out.txt

File Attachment:

File Name: out_2023-02-08-2.txt
File Size:2 KB
Attachments:

Please Log in or Create an account to join the conversation.

More
08 Feb 2023 12:19 #11521 by support
Thank you.
These are directories for OPC UA certificates. QuickOPC needs to have its own application certificate there. But, the certificate is not present...

Unfortunately, Web servers are tightly secured (for good reason), so the most likely reason is that the process that you app runs under does not have the necessary permissions to that folder structure.

There are two parts to this issue:

1) The process/the user account the Web server is is running *must* have read permissions to these folders. For secure OPC UA communication, there is no way around it. (to be more precise, it is possible to configure QuickOPC to use different directories elsewhere, if that would help; but the principle remains the same - the read access is needed)

2) Somehow, the application certificate must be placed onto the right spots in this directory structure.

2a) If the process/user has also write permissions to the folders, QuickOPC will automatically create the certificate and placed it there. If you can also grant write permissions to the Web server account *once*, only for this to happen, and then to set the permissions back to read-only, it should be enough.

2b) If you cannot do the above, there are ways to create the app certificate outside the application, and then you would manually copy it into the right place. That is a fairly involved sequence to describe, so let's go this way only if you cannot do 2a).

Best regards

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.079 seconds