Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Certificate Failure in windows services

More
02 Jun 2020 14:34 #8544 by support
The certificate subject is different from the certificate issuer. For that reason, it is considered to be a certificate issued by a CA - but there is no chain leading to a valid CA.
We rely on certificate checking code from OPC Foundation. The code for .NET Core is newer, and stricter, than the code that is used under .NET Framework.

For reference, this is in CertificateValidator.InternalValidate method. See github.com/OPCFoundation/UA-.NETStandard/blob/master/Stack/O...icates/CertificateValidator.cs .

You are getting beaten by these lines:
            // check whether the chain is complete (if there is a chain)
            bool issuedByCA = !Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer);
            bool chainIncomplete = false;
            if (issuers.Count > 0)
            {
                var rootCertificate = issuers[issuers.Count - 1].Certificate;
                if (!Utils.CompareDistinguishedName(rootCertificate.Subject, rootCertificate.Issuer))
                {
                    chainIncomplete = true;
                }
            }
            else
            {
                if (issuedByCA)
                {
                    // no issuer found at all
                    chainIncomplete = true;
                }
            }
 
            if (issuedByCA && (!chainStatusChecked || chainIncomplete))
            {
                throw ServiceResultException.Create(
                    StatusCodes.BadCertificateChainIncomplete,
                    "Certificate chain validation incomplete.\r\nSubjectName: {0}\r\nIssuerName: {1}",
                    certificate.SubjectName.Name,
                    certificate.IssuerName.Name);
            }

Proper certificate checking is quite complicated, and we have no reason to diverge from the "almost-official" OPC Foundation code. You need to work on the server side to assure that the SubjectName and IssuerName are the same, *or* that the certificate contains a complete chain (and you trust the CA).

Regards

Please Log in or Create an account to join the conversation.

  • Ureña
  • Topic Author
  • Visitor
  • Visitor
02 Jun 2020 13:39 #8543 by Ureña
Replied by Ureña on topic Certificate Failure in windows services
I attach the required snapshots

Please Log in or Create an account to join the conversation.

More
02 Jun 2020 13:13 #8542 by support
Plesae post a picture of the certificate (.DER in the UA Applications/certs) when opened for viewing by Windows - make sure you include all 3 tabs (General / Details / Certification Path ).

Thank you

Please Log in or Create an account to join the conversation.

  • Ureña
  • Topic Author
  • Visitor
  • Visitor
02 Jun 2020 12:34 #8541 by Ureña
Replied by Ureña on topic Certificate Failure in windows services
It seems I sended and old snap, i attach thr new one but the result is the same
Attachments:

Please Log in or Create an account to join the conversation.

More
02 Jun 2020 08:00 #8540 by support
In picture for Step 3, you show that the certificates you trust have thumbprints that start with 541C... and 52B9...
In picture for Step 4, the certificate that came from the server has a thumbprint that starts with 5F9A... This certificate is not among the trusted certificates.

Please Log in or Create an account to join the conversation.

  • Ureña
  • Topic Author
  • Visitor
  • Visitor
02 Jun 2020 06:49 #8539 by Ureña
Replied by Ureña on topic Certificate Failure in windows services
I attach some snapshots of the process.
In snapshot 1 you can see the folders tree I have inside OPC fundation
First of all, I removed all the OPC Foundation folders, then started the application and dont accept the certificate, then I had the certificate in rejectedCertificates(Snap2).
I cut the certificate from the folder and pasted to UA Applications/certs.(Snap3). Then I started again the application(Snap 4) but it tells me to trust again, I accepted the certificate so i had the certificate in UA applications and not in rejectedCertificates. However, if i restart the application it tells me again to accept the certificate and if I say no, it copies again the certificate to RejectedCertificates so i have the same certificate in the both folders.
finally, I attach the last snapshot of the server certificate, maybe with this kind of certificate I have to do something different.

Regards,

This browser does not support PDFs. Please download the PDF to view it: Download PDF

Attachments:

Please Log in or Create an account to join the conversation.

More
01 Jun 2020 16:27 #8538 by support
In .NET Core, your application uses directory certificate stores (opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...ry%20Certificate%20Stores.html ) located under the application directory.

After running your application at least once, you should see an "OPC Foundation" directory next to your application binaries, and underneath, subdirectories like "MachineDefault" and "UA Applications". If you tried to connect to the server at least once, there should also be "RejectedCertificates" subdirectory.

If you do not have these directories, then most likely you have permissions problem related to the account you use to run the Windows Service.

If you have these directories, then probably the easiest way to overcome the extra prompt is to copy the server certificate file you will find under RejectedCertificates\certs directory to the UA Applications\certs (see opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...%20Instance%20Certificate.html ).

In a simple case where you do not have too many certificates, this is probably done at easiest simply by file copy. The UA Configuration tool can be used as well, but in my opinion it would be more work. The functions you would use for that are under the "Manage Certificates" tab, not the "Manage Security" tab. You will need to browse to your RejectedCertificates store, view its certs, "Copy" the one your would liek to trust, then select your "UA Applications" store, and Paste.

Best regards

Please Log in or Create an account to join the conversation.

  • Ureña
  • Topic Author
  • Visitor
  • Visitor
01 Jun 2020 13:01 #8536 by Ureña
Replied by Ureña on topic Certificate Failure in windows services
I answer your questions:
1- There are both connected to the same server, using the same endpoing URL, The only difference is the first program which runs properly has .NET FRAMEWORK 4.72. as Target framework, the second uses .NET CORE 3.1, there is the only difference
2- Is it the way to put the server certificate in trusted peers certifcate store? (see photo)

3-It's because is programmed with .NET Core so i can obtaint a .exe where I'm able to print "logs" in the console.

We still talking,

Regards
Attachments:

Please Log in or Create an account to join the conversation.

More
29 May 2020 17:11 #8525 by support
Hello,

can you please answer some additional questions?

1. Are both programs connecting to the same server, using the same endpoint URL?
2. Do you have the server certificate in Trusted peers certificate store?
3. Under which account is the Windows Service running?
4. It is not clear to me how could you make the console screenshot. Windows Services do not have GUI or console interface. Please explain.

Best regards

Please Log in or Create an account to join the conversation.

  • Ureña
  • Topic Author
  • Visitor
  • Visitor
29 May 2020 09:57 #8523 by Ureña
Helo,
I'm using quickopc to work with OPC UA, I have the same code in 2 differents programs, the first one is based on winforms and it's working fine, but the second, is a microsoft services and when it starts every time ask for a validation on the opc certificate which says that the certificate is not trusted.
Could it be becuase it's a windows services?
I attach an snapshot
Attachments:

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.069 seconds