Re: OPCUA SSL problem

[Zimoch Dirk via Tech-talk <tech-talk at aps.anl.gov>]

Your OPCUA client warns: The configured ApplicationURI does not match the URI
specified in the certificate for the SecurityPolicy
Your OPCUA server may not like that and refuse connection with
BadCertificateUntrusted.

You can see your ApplicationURI with: opcuaShowSecurity
You can see the URI in your certificate with:
openssl x509 -noout -text -in /usr/openssl/cert.der | grep grep URI

IOC name and host name must match.


On Wed, 2024-10-02 at 13:16 +0000, Majer Karel via Tech-talk wrote:
> Hello,
>  
> I am using EPICS OPCUA module built with Open62541 v1.3.10 and OpenSSL, running on Rocky Linux 9. It is mostly used to connect to B&R PLCs which have self-signed server certificate and then it runs without problems.
> I need to communicate also with another server which has certificate signed by a certification authority. The authority uses a self-signed certificate. I cannot get this communication working in any setup.
> This is the output of EPICS shell:
>  
> [root@fct-deploy20 iocopcua]# ./st.cmd
> #!../../bin/linux-x86_64/opcua
> < envPaths
> epicsEnvSet("IOC","iocopcua")
> epicsEnvSet("TOP","/usr/EPICS/IOCs/opcua")
> epicsEnvSet("EPICS_BASE","/usr/EPICS/epics-base")
> epicsEnvSet("OPCUA","/usr/EPICS/support/opcua")
> cd "/usr/EPICS/IOCs/opcua"
> ## Register all support components
> dbLoadDatabase "dbd/opcua.dbd"
> opcua_registerRecordDeviceDriver pdbbase
> opcuaSession PLC opc.tcp://192.168.0.250:4840
> opcuaOptions PLC debug=1
> Session PLC: setting option debug to 1
> opcuaSetupPKI /usr/PKI
> OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/trusted/certs)
> OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/trusted/crl)
> OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/issuers/certs)
> OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/issuers/crl)
> opcuaClientCertificate /usr/openssl/cert.der /usr/openssl/key.pem
> opcuaOptions PLC sec-policy=Basic256Sha256
> Session PLC: setting option sec-policy to Basic256Sha256
> opcuaSubscription RockwellPSI PLC 100
> dbLoadRecords("db/FCT-RockwellPSI.db")
> cd "/usr/EPICS/IOCs/opcua/iocBoot/iocopcua"
> iocInit
> Starting iocInit
> ############################################################################
> ## EPICS R7.0.8
> ## Rev. 2024-05-07T19:43+0000
> ## Rev. Date build date/time:
> ############################################################################
> OPC UA Client Device Support 0.10.0-dev (-); using Open62541 Client API v1.3.10
> iocRun: All initialization complete
> OPC UA: Autoconnecting sessions
> Session PLC already disconnected
> Session PLC: (initClientSecurity) loading client certificate /usr/openssl/cert.der
> Session PLC: (initClientSecurity) loading client private key /usr/openssl/key.pem
> [2024-10-02 12:46:41.325 (UTC+0000)] warn/userland      AcceptAll Certificate Verification. Any remote certificate will be accepted.
> [2024-10-02 12:46:41.326 (UTC+0000)] info/securitypolicy        The Basic128Rsa15 security policy with openssl is added.
> [2024-10-02 12:46:41.328 (UTC+0000)] info/securitypolicy        The basic256 security policy with openssl is added.
> [2024-10-02 12:46:41.329 (UTC+0000)] info/securitypolicy        The basic256sha256 security policy with openssl is added.
> [2024-10-02 12:46:41.330 (UTC+0000)] info/securitypolicy        The Aes128Sha256RsaOaep security policy with openssl is added.
> Session PLC: (connect) setting up PKI provider
> Session PLC: (setupIdentity) setting Anonymous token
> Session PLC: (setupSecurity) reading endpoints from opc.tcp://192.168.0.250:4840
> [2024-10-02 12:46:41.331 (UTC+0000)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy https://urldefense.us/v3/__http://opcfoundation.org/UA/SecurityPolicy*None__;Iw!!G_uCfscf7eWS!b8fGnQAlern_A9cnytx15BOODZnd5Xxo8bNKy1xcVn3SyelTkxdx0Jg52STgMX_Sobvrlgq7qQ1Kdex1kP8olkUI1g$ 
> [2024-10-02 12:46:41.335 (UTC+0000)] info/server        Reloading the trust-list
> [2024-10-02 12:46:41.336 (UTC+0000)] info/server        Reloading the issuer-list
> [2024-10-02 12:46:41.336 (UTC+0000)] info/server        Reloading the revocation-list
> [2024-10-02 12:46:41.336 (UTC+0000)] warn/channel       Connection 8 | SecureChannel 0 | Receiving the response failed with StatusCode BadCertificateUntrusted
> [2024-10-02 12:46:41.336 (UTC+0000)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadConnectionClosed
> Session PLC: (setupSecurity) UaDiscovery::getEndpoints from opc.tcp://192.168.0.250:4840 failed with status BadConnectionClosed
> OPC UA session PLC: security discovery and setup failed with status cantConnect
>  
> We used tcpdump to capture TCP communication, it shows TCP is closed by client after receiving OpenSecureChannelResponse from the server.
> We have certificate of both the authority and the server and crl of the authority. This is a list of steps which we tried and still got BadCertificateUntrusted:
> ·         Putting server certificate into PKI/trusted/certs
> ·         Putting CA certificate into PKI/trusted/certs and crl into PKI/trusted/crl
> ·         Putting CA certificate into PKI/issuers/certs and crl into PKI/issuers/crl
> ·         Combinations of all of the above
> ·         Adding certificates to the system
> ·         Running with sec-mode=None and commenting out opcuaSetupPKI command
> We also tried running the IOC with strace to see system calls and noticed that PKI/trusted/crl directory was not opened during IOC startup.
> We have used openssl verify to check the server certificate against the CA with OK result.
>  
> And perhaps most importantly, we can connect to the server with UAExpert without any issues when we use the same certificates.
>  
> Do you have any experience with this behavior and any advice how to fix it or even where to look for the problem?
>  
> Kind regards,
>  
> Karel Majer
>  
>  
> Karel Majer | Senior Software Developer
> Tel: +420 266 051 514
> Email: karel.majer at eli-beams.eu
>  	 ELI Beamlines Facility|The Extreme Light Infrastructure ERIC
> Za Radnicí 835, 252 41 Dolní Břežany, Czech Republic
> https://urldefense.us/v3/__http://www.eli-laser.eu__;!!G_uCfscf7eWS!b8fGnQAlern_A9cnytx15BOODZnd5Xxo8bNKy1xcVn3SyelTkxdx0Jg52STgMX_Sobvrlgq7qQ1Kdex1kP_eIGbl9g$ |https://urldefense.us/v3/__http://www.eli-beams.eu__;!!G_uCfscf7eWS!b8fGnQAlern_A9cnytx15BOODZnd5Xxo8bNKy1xcVn3SyelTkxdx0Jg52STgMX_Sobvrlgq7qQ1Kdex1kP9o08Adlw$      
>  
>