Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

BadSecurityChecksFailed error

More
28 Oct 2021 13:58 - 28 Oct 2021 17:46 #10314 by support
As it turns out, the "Certificate chain not complete." is reproducible without the server authenticating the client first (our client .DER file for the server is not thus currently needed).

The server's certificate is not a self-signed certificate. It is a certificate issued by a CA, because the issuer name differs from the subject name.

Subject: O=Siemens, C=DE, CN=PLC-Model/OPCUAServerClient
Issuer: O=Siemens, C=DE, CN=Siemens TIA Project(Qiang-sha256)

This means that 1) it cannot be made trusted on the client by putting into "trusted peers", and 2) AcceptAnyCertificate won't work either.

The proper solution, if the server certificate is "constant" and cannot be replaced by a self-signed cert, requires that

1) You obtain the certificate of the CA that has issued the server certificate, and place it into the "Trusted issuers" store (note: not just "trusted peers")
2) and, there may be an issue with the fact that the root (CA) cert is not in the chain. Hopefully not.

Regards
Last edit: 28 Oct 2021 17:46 by support.

Please Log in or Create an account to join the conversation.

More
28 Oct 2021 13:00 #10313 by Mirhaj
Hi,

Yes, it has been set to true since I started to test connection to this server.

Best,
Ahmad

Please Log in or Create an account to join the conversation.

More
28 Oct 2021 12:57 #10312 by support
Hello.

Is your code currently setting AcceptAnyCertificate to 'true'? If not, can you test it out? (this is not a secure solution, but a troubleshooting helper in order to get us further).

Regards

Please Log in or Create an account to join the conversation.

More
28 Oct 2021 12:34 #10311 by Mirhaj
Hi,

No, I do not get any RejectedCertificates in OPC Foundation.

Best,
Ahmad

Please Log in or Create an account to join the conversation.

More
28 Oct 2021 12:14 - 28 Oct 2021 12:14 #10309 by support
Hello.

As far I can tell, it is now your QuickOPC client application rejecting the server's certificate. Do you find that certificate in RejectedCertificates? If so, move it the the trusted peers store (UA Applications).

This said, the actual error may indicate that the server's certificate is not a self-signed certificate, but a certificate signed by a Certificate Authority (CA). But hopefully it would be possible to make it trusted just as if it were self-signed.

Regards
Last edit: 28 Oct 2021 12:14 by support.

Please Log in or Create an account to join the conversation.

More
28 Oct 2021 10:12 #10305 by Mirhaj
Hi,
Now I have sent the right and latest .der file in MachineDefault folder to our customer and he has put that in the Trust list but I am now getting a bit different but might relevant to the previous issue;
{
The SDK action called was "static Session.Create".
+ Following (1) events were gathered during the action on activity ID [9], in the order of first occurrence:
Exception: {Opc.Ua.ServiceResultException} Certificate chain not complete. SubjectName: O=Siemens, C=DE, CN=PLC-Model/OPCUAServerClient IssuerName: O=Siemens, C=DE, CN=Siemens TIA Project(Qiang-sha256)
+ The client method called was 'ReadMultiple'.
}

How this error should be handled?
found a similar post regarding the chain not complete but could figure out how the problem was solved for the person who was asking.

Best,
Ahmad

Please Log in or Create an account to join the conversation.

More
27 Oct 2021 15:48 #10302 by support
Oh, I see, I think I know understand what has happened:

The local server you are referring to is based on the same/similar OPC Foundation code we are using in the lower layers of our QuickOPC. This means it is using the same shared certificate stores/directories. The certificates of your client app were not copied to the RejectedCertificates by QuickOPC. They were copied there by this local server, when the QuickOPC app was connecting to it. Which is kind of normal.

By copying or moving them to "UA Applications", you made this local server trust the client certificates. This might be the only way to do it, or there might be other, more user-friendly way provided by that server, but in general it is the right approach.

There are still some less clear parts: why does private key part (PFX) also appear in RejectedCertificates, and why did not your QuickOPC client app also put the copy into UA Applications (it is supposed to do that for convenience for usage with local servers). You saometimes say "I deleted XXXX folder" - even if you decide to remove everything from cert store folder for a good reason, you should not delete the folder as such - you should only delete the files in it, but keep the folder itself. I suspect this might be behind some of these issues.

Regards

Please Log in or Create an account to join the conversation.

More
27 Oct 2021 13:02 #10300 by Mirhaj
Hi,

I moved the certs and private subfolders (with .der and .pfx files inside) in the RejectedCertificates folder into the UA Applications folder in CertificateStores. Actually there was no UA Applications folder in CertificateStores folder. I created a folder and then moved what I said from RejectedCertificates to UA Applications folder. Then I deleted RejectedCertificates folder. Then I ran the client and it connected to the local server fine. Is this a reasonale approach finally? :)

I sent the same .der file in MachineDefault (that I will not delete anymore) to the customer to add it to his trust list.

Will revert if there are more questions.

Please Log in or Create an account to join the conversation.

More
27 Oct 2021 12:14 #10299 by support
Hello.

1.

What I was trying to say is that by deleting the MachineDefault store, if there were any certificates that are already trusted by other parties, they would be lost, so new certs will have to be created and the trust will have to be reestablished. So it is OK to remove a certificate if you know what you are doing, but not to routinely remove the folder "just in case".

If the certificate for your own application gets copied to RejectedCertificates (did I understand that correctly?), then this would be the first really unexpected behavior. It *may* happen in some rare cases, but it should not in your case.

It may be necessary that you repeat the test with recent QuickOPC version - because we cannot rule out a problem in the earlier version, plus there is an improved error diagnostics in newer versions.

2. I do not know in which state you got into the project. It is possible that the certificates used with other client were made trusted before you took it over.

3. In order to troubleshoot the crash, try to obtain the exception that has caused it, and the call stack associated with it. Also, any .InnerException object, its call stack, etc. recursively. It should be possible to set the debugger to stop only on "unhandled" exceptions, not on all that are thrown and handled internally.

Regards

Please Log in or Create an account to join the conversation.

More
27 Oct 2021 10:35 #10298 by Mirhaj
Hi,

1- Ok, I see. I didn't delete the MachineDefault folder anymore. So the thumbprint will stay the same as you mentioned. But now I see that the same .DER file (with the same thumbprint) was thrown into the RejectedCertificates folder in CertificateStores. Actually the RejectedCertificates folder contains two sub-folders; certs wth the .der file and private folder with .pfx file. What should I do with these rejected ones now? should it be moved?
Another thing is that sometimes I noticed that an UA Applications folder (with certs subfolder and the same .der file as in certs subfolder of MachinDefault folder) also was created in CertificateStore folder but I don't see that folder to be thrown/created anymore.

2- I didn't mean to undermine your product. Just wanted to inform you that it might not be anything wrong on the server sides because I can connect to both servers that I am trying to connect with QuickOPC based client, with the other SDK based client and I have not set any certificates configuration as the servers side. But it might be the other client manage certificates automatically somehow.

3- Because the application crashes while running. For me to see what are exceptions I enabled the feature and the OPCForms was one of the exceptions I noticed.
I have installed all QuickOPC with using nuget package manager and I was consistent on that in the entire work. That's why I am surprised why it is complaining about that. But as you mentioned I need to probably continue on that.

Best,
Ahmad

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.062 seconds