Certificate chain not complete
I attempted to find something about this in OPC UA specs, but so far I was unsuccessful. The chapter in Part 4 (6.1.3 "Determining if a Certificate is Trusted" in version 1.03), which I suppose should describe this, is basically silent about it.
You are absolutely right about AcceptAnyCertificate. If that does not work I would like to know, and we will work on it.
Best regards
- chrisstankevitz
I will confirm whether or not AcceptAnyCertificate works. If I am correct and it doesn't work, it might be because OPCFoundation is throwing an exception that the chain is bad -- which may be handled differently in the QuickOPC code base than the error that is triggered when a cert is untrusted.
Chris
I have quickly checked this code and there must be a root in the chain; the error you are getting indicates that there isn't. So, if you do not have a root, attempts to resolve it by steps you described under (1) and (2) won't work. (3) should work, but that really is no solution - it is an insecure hack. I am surprised that it did not work - are you sure you received the *same* error when you tried it, and not something different?
Best regards
- chrisstankevitz
I have several Kepware clients that securely connect to this server. These other clients do not complain that the "certificate chain is not complete".
When I try to connect to this server with QuickOPC it fails with "certificate chain is not complete" (see below). The error is so offensive that QuickOPC does not even pop up the familiar QuickOPC "do you want to trust this server" dialog.
Does QuickOPC work with server certs that were issued by a CA (not self-signed)?
What do I need to do to get QuickOPC to connect to OPC UA servers with certs signed by a CA?
Does QuickOPC require certs in "chain style"?
Is Kepware capable of supplying "chain style" certs?
I attempted to solve/workaround the problem (to no avail) with these steps:
1. Add the issuing CA's cert to the windows "Trusted Root Authorities" store on the computer running the QuickOPC software. I would not have expected this to help since QuickOPC has a long history of interactively allowing me at runtime to vouch for a server's trustworthiness.
2. Add the issuing CA's cert to c:\ProgramData\OPC Foundation\CertificateStores\UA Certificate Authorities\certs. I did not expect this to help for the same reason as 1.
3. Set AcceptAnyCertificate to true
I understand that PKI certs can optionally contain a 'chain' that includes issuing intermediate certs. My understanding is also that this chain traditionally does not include the root (as the root is assumed to exist on the client). I'm not sure how Kepware Kepserver handles this (I'm not sure if it includes the root or not) and I'm not sure what QuickOPC's very strict requirement is (although it appears to require the root to be provided by the server?).
Thank you,
Chris
Exception: OPC-UA service result - Certificate chain not complete.
SubjectName: CN=ds1-pri.foo.bar.local, OU=unk, O=unk, L=unk, S=unk, DC=foo.bar.local, C=Country
IssuerName: CN=foo-ca1, DC=foo, DC=bar, DC=local = BadSecurityChecksFailed.
---- SERVICE RESULT ----
StatusCode: {BadSecurityChecksFailed} = 0x80130000 (2148728832)
-----
StatusCode: {BadSecurityChecksFailed} = 0x80130000 (2148728832)
Description: Certificate chain not complete.
SubjectName: CN=ds1-pri.foo.bar.local, OU=unk, O=unk, L=unk, S=unk, DC=foo.bar.local, C=Country
IssuerName: CN=foo-ca1, DC=foo, DC=bar, DC=local
AdditionalInfo: >>> Certificate chain not complete.
SubjectName: CN=ds1-pri.foo.bar.local, OU=unk, O=unk, L=unk, S=unk, DC=foo.bar.local, C=Country
IssuerName: CN=foo-ca1, DC=foo, DC=bar, DC=local
--- at Opc.Ua.CertificateValidator.GetIssuersWithChainSupportEnabled(X509Certificate2Collection certificates, List`1 issuers)
--- at Opc.Ua.CertificateValidator.InternalValidateWithChainSupportEnabled(X509Certificate2Collection certificates)
--- at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain)
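An added diagnostic, not QuickOPC's or the OPC Foundation stack's own code, that rebuilds the chain of the server certificate with .NET's X509Chain, offering the certificates from the OPC Foundation issuer store named in the steps above as candidate issuers, and reports whether the chain builder cannot find an issuer at all (PartialChain) or finds the whole chain but does not trust its root (UntrustedRoot). It assumes the server certificate has been exported to server.der; that file name and the class name ChainCheck are hypothetical.

```csharp
// Added diagnostic (not QuickOPC or OPC Foundation code). Assumptions: the server
// certificate was exported to server.der (or given as the first argument), and
// the issuer store is the OPC Foundation directory named in the thread.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    const string IssuerStoreDir =
        @"C:\ProgramData\OPC Foundation\CertificateStores\UA Certificate Authorities\certs";

    static void Main(string[] args)
    {
        var serverCert = new X509Certificate2(args.Length > 0 ? args[0] : "server.der");
        Console.WriteLine($"Subject: {serverCert.Subject}");
        Console.WriteLine($"Issuer:  {serverCert.Issuer}");

        using var chain = new X509Chain();
        // Revocation is not the question here; keep the check focused on chain building.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Let the chain build even when its root is not trusted, so that a missing
        // issuer and an untrusted root show up as different status flags.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

        // Offer every certificate from the OPC UA issuer store as a potential issuer.
        if (Directory.Exists(IssuerStoreDir))
            foreach (var file in Directory.GetFiles(IssuerStoreDir, "*.der"))
                chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(file));

        chain.Build(serverCert);

        bool partial = false, untrustedRoot = false;
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            partial |= s.Status.HasFlag(X509ChainStatusFlags.PartialChain);
            untrustedRoot |= s.Status.HasFlag(X509ChainStatusFlags.UntrustedRoot);
        }

        Console.WriteLine($"Chain elements found: {chain.ChainElements.Count}");
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine($"  {e.Certificate.Subject}");

        if (partial)
            Console.WriteLine("PartialChain: an issuer certificate (e.g. the CA) was not found " +
                              "in the issuer store or the Windows stores; the chain cannot be completed.");
        else if (untrustedRoot)
            Console.WriteLine("UntrustedRoot: the chain is complete, but its root is not trusted.");
        else
            Console.WriteLine("Chain is complete and its root is trusted.");
    }
}
```

On Windows the Windows certificate stores are consulted as well, so the output also shows whether step 1 above (adding the CA to "Trusted Root Authorities") changed the result.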