Impossible to connect client UA to TOP SERVER in same network
- gkalipershad
Thank you. The last solution that was offered back in October 2020 worked for me in my testing and ended up working for my customer as well. I apologize for not circling back around to notify you of this.
I will keep this new potential solution in mind in the event that I have a user that encounters this again.
Regards,
GK
- gkalipershad
Thanks a bunch, that worked for me. I will try that with the customer and see if manually generating the cert and then doing this works for him.
I will let you know how that turns out and whether I need anything else.
Regards,
GK
I get the same.
For whatever reason, the (OPC Foundation) code also requires the application certificate be present in the trusted peers certificate store ("UA Applications", normally).
The issue can be resolved from the UA Configuration Tool by doing a right-click and "Copy" on the certificate you placed into "MachineDefault", and then switching to "UA Applications" store and doing "Paste".
But beware: I found that this also copies the private key. And the private key should not be in the "UA Applications". I went to the file system and deleted the .pfx file from "C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\private" to correct this. It should also be possible, instead of Copy/Paste, to Export the certificate without its private key, and then Import it to the new store. And I could Export the .DER file well, but the Import option remains disabled in the UA Configuration Tool for me.
Best regards
- gkalipershad
I have not been able to create a reproducible scenario for the unable to create certificate error. So instead, I have been trying to manually create the client certificate on my machine to then have the customer try it.
I ran a Command Prompt with elevated privileges, changed the directory to be where Opc.Ua.CertificateGenerator.exe is stored, which in my case is C:\Program Files (x86)\Software Toolbox OPC Data Client 2020.2\Bonus\Opc.Ua.ConfigurationTool
Then, I ran the following command: Opc.Ua.CertificateGenerator.exe -cmd issue -sp "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault" -an "EasyOPC-UA Demo"
This successfully creates certificates in the certs and private folders under MachineDefault, and I know the EasyOpcUADemo application tries to use these certificates because new certificates do not get generated. Instead, what is happening is that the certificates are copied to the RejectedCertificates folder and I am met with this error:
OPC-UA service result - Self Signed Certificate is not trusted.
IssuerName: CN=EasyOPC-UA Demo, DC=kubernetes.docker.internal = BadCertificateUntrusted.
---- SERVICE RESULT ----
Status Code: {BadCertificateUntrusted} = 0x801A0000 (2149187584)
-=-=-Description: Self Signed Certificate is not trusted.
IssuerName: CN=EasyOPC-UA Demo, DC=kubernetes.docker.internal
Additional Info: <ExceptionTrace>
It is quite possible that there is a step I am missing when generating the certificate, and maybe there is something else I need to do to trust it. I have tried a bunch of things, but they were just guesses and didn't change the behavior. This is not the OPC Server certificate that is untrusted, but rather the client app is not trusting its own certificate. Any feedback you can provide is much appreciated.
Thanks,
GK
I had similar reports multiple times in the past. The problem is that
- they come from OPC Foundation stack/SDK part
- there is very little available runtime diagnostics in that code
- I could never reproduce these problems myself, which would have allowed me to get around the missing diagnostics by actually debugging the code.
Do you think you might be able to put together reproducible scenario or set of conditions under which this happens?
If the application fails to create the instance certificate, there is still a chance to generate the certificate manually and store it into the cert store - the idea being that it will then be found and used by the application. Some useful info: opcfoundation.github.io/UA-.NETStandard/help/certificate_generator.htm . The subject name (which is the "key" for lookup of the certs in the store) should either a) be the same as in the certificates that the application creates on computers where it does work, or b) can be different, but in that case the application itself needs to be modified to set the name before it starts doing any OPC operations - more info (and example): opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...%20Instance%20Certificate.html .
Best regards
- gkalipershad
The customer and I got on a remote session and were able to have IT log in with an admin account so we could run applications as admin freely.
The EasyOpcUADemo was able to create its own certificate and connect to the OPC UA Server once it was run as admin. We could not get the VBA examples to create the certificate, even when running Excel as admin. Because he had another machine run the VBA examples fine, he decided that this might just be a machine-specific issue and he is going to switch out his production machine for this other one that works well.
However, I have another customer faced with the exact same error. See attached. They saw this behavior with their custom app connecting to TOP Server, but for testing, I am having them use the EasyOpcUADemo connecting to the default UA SampleServer, where the problem also occurs.
I had them use the OPC UA Configuration Tool to delete all the certificates and try again to run the EasyOpcUADemo app as admin, but the same error is thrown. A new certificate is not generated. The only one in the MachineDefault directory is the one for the UA Configuration Tool.
They are using V2018.2 (5.53.405.1) because they need to target .NET Framework 4.6. They are just testing this version currently and considering an upgrade from V5.2.
Please let me know what additional information you need about this second occurrence and whether you have any suggestions for them.
Regards,
GK
I apologize for the incorrect link, it should have been kb.opclabs.com/Tool_Downloads#UA_Configuration_Tool . But yes, it is the same tool as the one you described.
Application certificates need to be protected so that malicious actors cannot replace them. That's why elevated privileges are needed. If they haven't ever run the app that way (this is not clear from the report), then no wonder it does not work (although I would expect it to show a different error). But it is possible that they do not have the certificate stores fully protected. So let the user try the described steps just with his/her normal account, and see what happens. If the tool allows the certificates to be removed, then creating new ones without elevated privileges is probably going to work well too.
Best regards
- gkalipershad
Thank you for this.
The link to the UA Configuration Tool said Page Not Found. Is that any different than the one that installs to C:\Program Files (x86)\Software Toolbox OPC Data Client 2020.2\Bonus\Opc.Ua.ConfigurationTool?
I will pass this info along, but the customer said that they have restrictions on this PC and they can only run applications with elevated privileges using an admin password from IT and it can take weeks for IT to have someone available. Is it possible to generate a UA certificate without elevated privileges?
Thanks,
GK
This probably has nothing to do with prerequisite boxing.
Likely, there is something wrong with the client application certificate created for the client application. Try this:
1. Download and install www.opclabs.com/products/ua-configuration-tool .
2. Run it.
3. Switch to the "Manage Certificates" tab.
4. Make sure that "Store Type" is set to Directory.
5. In the "Store Path", drop-down the list, and select the path ending with "Machine Default". Then, press the "View Certificates" button. This is the store for the instance certificates of the UA apps on this computer. Delete all of them (right-click and choose "Delete"), or at least those that correspond to the apps that have the problem.
6. Restart your application, making sure it is done under elevated privileges (so that it has write access to the stores). This should re-create the app certificate and store it where it belongs - if that was the cause of the problem.
In step 5, if you can only afford to delete specific certificates, and the application uses VBA, the name of the certificates you need to delete will contain the name of the host application - such as Excel.
Best regards
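Two of the manual fixes in this thread are file-system operations on the OPC Foundation directory-based certificate stores: the delete-and-recreate procedure in the post above, and the earlier advice to copy the application certificate into the trusted-peers store ("UA Applications") without letting the private key (.pfx) travel with it. The following script is an added example written for this page, not OPC Labs or OPC Foundation code. It assumes the store layout the thread refers to (a store directory with certs/*.der for public certificates and private/*.pfx for private keys, file names of the form "Application Name [thumbprint]"), builds a throwaway pair of stores with placeholder file contents instead of real certificates, and then performs the two operations while verifying that no private key is left in the trusted-peers store:

```python
"""Helpers for a directory-based OPC UA certificate store.

Assumed layout (constructed for this example, mirrors the paths discussed in the
thread): <store>/certs/<name>.der holds public certificates and
<store>/private/<name>.pfx holds private keys.
"""
import shutil
import tempfile
from pathlib import Path

CERTS_DIR = "certs"
PRIVATE_DIR = "private"


def list_certificates(store: Path) -> list[str]:
    """Return the file stems of the public certificates in a store."""
    certs = store / CERTS_DIR
    if not certs.is_dir():
        return []
    return sorted(p.stem for p in certs.glob("*.der"))


def private_keys_in_store(store: Path) -> list[str]:
    """Return private-key files found in a store. For a trusted-peers store such as
    "UA Applications" this must be empty; a .pfx there is a misconfiguration."""
    private = store / PRIVATE_DIR
    if not private.is_dir():
        return []
    return sorted(p.name for p in private.glob("*.pfx"))


def trust_application_certificate(app_store: Path, trusted_store: Path, cert_stem: str) -> Path:
    """Copy only the public certificate (.der) from the application's own store into the
    trusted-peers store. The private key is deliberately never touched, which is what the
    Copy/Paste in the UA Configuration Tool got wrong according to the thread."""
    src = app_store / CERTS_DIR / f"{cert_stem}.der"
    if not src.is_file():
        raise FileNotFoundError(src)
    dst_dir = trusted_store / CERTS_DIR
    dst_dir.mkdir(parents=True, exist_ok=True)
    dst = dst_dir / src.name
    shutil.copyfile(src, dst)
    return dst


def remove_stray_private_keys(trusted_store: Path) -> list[str]:
    """Delete any .pfx that ended up in a trusted-peers store; return what was removed."""
    removed = private_keys_in_store(trusted_store)
    for name in removed:
        (trusted_store / PRIVATE_DIR / name).unlink()
    return removed


def delete_application_certificates(app_store: Path, name_fragment: str) -> list[str]:
    """Delete the instance certificate(s) whose name contains name_fragment (e.g. "Excel"
    for a VBA host) from both certs/ and private/, so that the application re-creates
    them on its next elevated start. name_fragment is used literally, so avoid glob
    metacharacters in it."""
    removed = []
    for sub, ext in ((CERTS_DIR, ".der"), (PRIVATE_DIR, ".pfx")):
        d = app_store / sub
        if not d.is_dir():
            continue
        for p in d.glob(f"*{name_fragment}*{ext}"):
            p.unlink()
            removed.append(f"{sub}/{p.name}")
    return sorted(removed)


def build_sample_stores(root: Path) -> tuple[Path, Path]:
    """Construct a fake MachineDefault and "UA Applications" store. File contents are
    placeholders, not real certificates; the helpers only operate on file names."""
    machine_default = root / "MachineDefault"
    ua_applications = root / "UA Applications"
    for store in (machine_default, ua_applications):
        (store / CERTS_DIR).mkdir(parents=True)
        (store / PRIVATE_DIR).mkdir(parents=True)
    demo_stem = "EasyOPC-UA Demo [ABCDEF]"   # assumed name/thumbprint, constructed
    excel_stem = "Excel [123456]"            # assumed VBA host certificate, constructed
    for stem in (demo_stem, excel_stem):
        (machine_default / CERTS_DIR / f"{stem}.der").write_bytes(b"placeholder-der")
        (machine_default / PRIVATE_DIR / f"{stem}.pfx").write_bytes(b"placeholder-pfx")
    # Simulate the mistake the thread warns about: a key copied into the trusted store.
    (ua_applications / PRIVATE_DIR / f"{demo_stem}.pfx").write_bytes(b"placeholder-pfx")
    return machine_default, ua_applications


def demo() -> dict:
    """Run both repairs on the constructed stores and report the resulting state."""
    with tempfile.TemporaryDirectory() as tmp:
        md, ua = build_sample_stores(Path(tmp))
        trust_application_certificate(md, ua, "EasyOPC-UA Demo [ABCDEF]")
        stray = remove_stray_private_keys(ua)
        deleted = delete_application_certificates(md, "Excel")
        return {
            "trusted": list_certificates(ua),
            "stray_keys_removed": stray,
            "keys_left_in_trusted": private_keys_in_store(ua),
            "excel_deleted": deleted,
            "machine_default_left": list_certificates(md),
        }


if __name__ == "__main__":
    print(demo())
```

Against a real installation you would point the helpers at the C:\ProgramData\OPC Foundation\CertificateStores\... paths from the thread instead of the temporary directory, and run them from an elevated prompt, since those stores are write-protected for the reason given earlier in the thread. The check that matters for security is private_keys_in_store on the trusted-peers store: anything it returns is a private key sitting in a store whose contents only need to be public.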