Certificate Failure in windows services
We rely on certificate checking code from OPC Foundation. The code for .NET Core is newer, and stricter, than the code that is used under .NET Framework.
For reference, this is in CertificateValidator.InternalValidate method. See github.com/OPCFoundation/UA-.NETStandard/blob/master/Stack/O...icates/CertificateValidator.cs .
You are getting beaten by these lines:
// check whether the chain is complete (if there is a chain)
bool issuedByCA = !Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer);
bool chainIncomplete = false;
if (issuers.Count > 0)
{
    var rootCertificate = issuers[issuers.Count - 1].Certificate;
    if (!Utils.CompareDistinguishedName(rootCertificate.Subject, rootCertificate.Issuer))
    {
        chainIncomplete = true;
    }
}
else
{
    if (issuedByCA)
    {
        // no issuer found at all
        chainIncomplete = true;
    }
}
if (issuedByCA && (!chainStatusChecked || chainIncomplete))
{
    throw ServiceResultException.Create(
        StatusCodes.BadCertificateChainIncomplete,
        "Certificate chain validation incomplete.\r\nSubjectName: {0}\r\nIssuerName: {1}",
        certificate.SubjectName.Name,
        certificate.IssuerName.Name);
}
Proper certificate checking is quite complicated, and we have no reason to diverge from the "almost-official" OPC Foundation code. You need to work on the server side to assure that the SubjectName and IssuerName are the same, *or* that the certificate contains a complete chain (and you trust the CA).
Regards
- Ureña
- Topic Author
- Visitor
Thank you
- Ureña
- Topic Author
- Visitor
In picture for Step 4, the certificate that came from the server has a thumbprint that starts with 5F9A... This certificate is not among the trusted certificates.
Please Log in or Create an account to join the conversation.
- Ureña
- Topic Author
- Visitor
In snapshot 1 you can see the folder tree I have inside OPC Foundation.
First of all, I removed all the OPC Foundation folders, then started the application and didn't accept the certificate, so I then had the certificate in RejectedCertificates (Snap 2).
I cut the certificate from the folder and pasted it to UA Applications/certs (Snap 3). Then I started the application again (Snap 4), but it tells me to trust it again; I accepted the certificate, so I had the certificate in UA Applications and not in RejectedCertificates. However, if I restart the application it tells me again to accept the certificate, and if I say no, it copies the certificate again to RejectedCertificates, so I have the same certificate in both folders.
Finally, I attach the last snapshot of the server certificate; maybe with this kind of certificate I have to do something different.
Regards,
After running your application at least once, you should see an "OPC Foundation" directory next to your application binaries, and underneath, subdirectories like "MachineDefault" and "UA Applications". If you tried to connect to the server at least once, there should also be "RejectedCertificates" subdirectory.
If you do not have these directories, then most likely you have a permissions problem related to the account you use to run the Windows Service.
If you have these directories, then probably the easiest way to overcome the extra prompt is to copy the server certificate file you will find under RejectedCertificates\certs directory to the UA Applications\certs (see opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...%20Instance%20Certificate.html ).
In a simple case where you do not have too many certificates, this is probably done most easily by a simple file copy. The UA Configuration tool can be used as well, but in my opinion it would be more work. The functions you would use for that are under the "Manage Certificates" tab, not the "Manage Security" tab. You will need to browse to your RejectedCertificates store, view its certs, "Copy" the one you would like to trust, then select your "UA Applications" store, and Paste.
Best regards
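An added example (not OPC Labs or OPC Foundation code) that ties together the two points of this thread: the chain-completeness decision quoted from CertificateValidator above, and the file copy from RejectedCertificates\certs to UA Applications\certs. It assumes the directory layout described in the thread, that the store files carry a .der extension, and that you know the full SHA-1 thumbprint of the server certificate you intend to trust ($ExpectedThumbprint is a placeholder); run it under the same account as the Windows Service.

```powershell
# Added example, not part of the original thread. Assumed layout:
#   <app dir>\OPC Foundation\RejectedCertificates\certs   (where unaccepted server certs land)
#   <app dir>\OPC Foundation\UA Applications\certs        (the trusted peers store)
param(
    [string]$AppDir = (Get-Location).Path,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint   # placeholder: 40 hex digits, from the server operator
)

$rejected = Join-Path $AppDir 'OPC Foundation\RejectedCertificates\certs'
$trusted  = Join-Path $AppDir 'OPC Foundation\UA Applications\certs'

# Mirrors the validator's logic: Subject != Issuer means "issued by a CA", and such a
# certificate is only acceptable when its chain ends at a self-signed root we can see.
# (Plain string comparison here; the stack's CompareDistinguishedName normalises the names first.)
function Test-ChainComplete {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $issuedByCA = $Cert.Subject -ne $Cert.Issuer
    if (-not $issuedByCA) { return $true }           # self-signed: no chain to complete
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)                        # Build() may return false; only the chain shape matters here
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $chain.Dispose()
    return ($root.Subject -eq $root.Issuer)          # incomplete unless the last element is a root CA
}

foreach ($file in Get-ChildItem -Path $rejected -Filter '*.der' -ErrorAction SilentlyContinue) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    Write-Host "$($file.Name): thumbprint $($cert.Thumbprint)"
    Write-Host "  subject '$($cert.Subject)'  issuer '$($cert.Issuer)'"
    if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        Write-Host '  thumbprint does not match the expected server certificate; leaving it rejected'
        continue
    }
    if (-not (Test-ChainComplete $cert)) {
        Write-Host '  CA-issued, but no self-signed root is reachable: fix the server-side chain or trust the CA'
        continue
    }
    New-Item -ItemType Directory -Path $trusted -Force | Out-Null
    Move-Item -Path $file.FullName -Destination (Join-Path $trusted $file.Name) -Force
    Write-Host "  moved to $trusted"
}
```

A certificate that the script reports as CA-issued with an unreachable root will keep failing with BadCertificateChainIncomplete under .NET Core even after it is copied, which is the situation the reply above describes.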
- Ureña
- Topic Author
- Visitor
1. They are both connected to the same server, using the same endpoint URL. The only difference is that the first program, which runs properly, has .NET Framework 4.72 as the target framework, while the second uses .NET Core 3.1; that is the only difference.
2. Is that the way to put the server certificate in the trusted peers certificate store? (see photo)
3. It's because it is programmed with .NET Core, so I can obtain a .exe where I'm able to print "logs" in the console.
We're still talking,
Regards
Can you please answer some additional questions?
1. Are both programs connecting to the same server, using the same endpoint URL?
2. Do you have the server certificate in Trusted peers certificate store?
3. Under which account is the Windows Service running?
4. It is not clear to me how could you make the console screenshot. Windows Services do not have GUI or console interface. Please explain.
Best regards
- Ureña
- Topic Author
- Visitor
I'm using QuickOPC to work with OPC UA. I have the same code in two different programs: the first one is based on WinForms and it's working fine, but the second is a Windows service, and every time it starts it asks for a validation of the OPC certificate, saying that the certificate is not trusted.
Could it be because it's a Windows service?
I attach a snapshot.