Hello Dirk,
Thanks for your reply. As I have written in other posts in the meantime, the URI is set up correctly and this warning appears every time even in working IOCs using open62541 client for security policy None. If the URI is not set up correctly (we had that issue before), the warning appears for every security policy and the IOC doesn't work.
We have used Wireshark to determine that the problem is not server trust. The client closes TCP connection after receiving OpenSecureChannelResponse from the server, before the client certificate is even sent. Although the warning suggests trust issue on the client side, the server certificate is OK, because we can connect with UAExpert and we finally got the IOC built with UA SDK running as well. OpenSSL is used in all cases. I think the issue is some incompatibility between open62541 client and the ProSoft server which we connect to. I had a look at open62541 source code and I think that error in parsing the server response would manifest as BadCertificateUntrusted, but I'm not skilled enough with C++ to know for sure.
Best regards,
Karel
-----Original Message-----
From: Zimoch Dirk <dirk.zimoch at psi.ch>
Sent: Thursday, October 10, 2024 6:06 PM
To: Majer Karel <Karel.Majer at eli-beams.eu>; tech-talk at aps.anl.gov
Subject: Re: OPCUA SSL problem
Your OPCUA client warns: The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy Your OPCUA server may not like that and refuse connection with BadCertificateUntrusted.
You can see your ApplicationURI with: opcuaShowSecurity You can see the URI in your certificate with:
openssl x509 -noout -text -in /usr/openssl/cert.der | grep grep URI
IOC name and host name must match.
On Wed, 2024-10-02 at 13:16 +0000, Majer Karel via Tech-talk wrote:
Hello,
I am using EPICS OPCUA module built with Open62541 v1.3.10 and OpenSSL, running on Rocky Linux 9. It is mostly used to connect to B&R PLCs which have self-signed server certificate and then it runs without problems.
I need to communicate also with another server which has certificate signed by a certification authority. The authority uses a self-signed certificate. I cannot get this communication working in any setup.
This is the output of EPICS shell:
[root@fct-deploy20 iocopcua]# ./st.cmd #!../../bin/linux-x86_64/opcua
< envPaths
epicsEnvSet("IOC","iocopcua")
epicsEnvSet("TOP","/usr/EPICS/IOCs/opcua")
epicsEnvSet("EPICS_BASE","/usr/EPICS/epics-base")
epicsEnvSet("OPCUA","/usr/EPICS/support/opcua")
cd "/usr/EPICS/IOCs/opcua"
## Register all support components
dbLoadDatabase "dbd/opcua.dbd"
opcua_registerRecordDeviceDriver pdbbase opcuaSession PLC
opc.tcp://192.168.0.250:4840 opcuaOptions PLC debug=1 Session PLC:
setting option debug to 1 opcuaSetupPKI /usr/PKI OPC UA: Warning - a
PKI directory is writable, which may compromise security.
(/usr/PKI/trusted/certs) OPC UA: Warning - a PKI directory is
writable, which may compromise security. (/usr/PKI/trusted/crl) OPC
UA: Warning - a PKI directory is writable, which may compromise
security. (/usr/PKI/issuers/certs) OPC UA: Warning - a PKI directory
is writable, which may compromise security. (/usr/PKI/issuers/crl)
opcuaClientCertificate /usr/openssl/cert.der /usr/openssl/key.pem
opcuaOptions PLC sec-policy=Basic256Sha256 Session PLC: setting option
sec-policy to Basic256Sha256 opcuaSubscription RockwellPSI PLC 100
dbLoadRecords("db/FCT-RockwellPSI.db")
cd "/usr/EPICS/IOCs/opcua/iocBoot/iocopcua"
iocInit
Starting iocInit
######################################################################
######
## EPICS R7.0.8
## Rev. 2024-05-07T19:43+0000
## Rev. Date build date/time:
######################################################################
###### OPC UA Client Device Support 0.10.0-dev (-); using Open62541
Client API v1.3.10
iocRun: All initialization complete
OPC UA: Autoconnecting sessions
Session PLC already disconnected
Session PLC: (initClientSecurity) loading client certificate
/usr/openssl/cert.der Session PLC: (initClientSecurity) loading client private key /usr/openssl/key.pem
[2024-10-02 12:46:41.325 (UTC+0000)] warn/userland AcceptAll Certificate Verification. Any remote certificate will be accepted.
[2024-10-02 12:46:41.326 (UTC+0000)] info/securitypolicy The Basic128Rsa15 security policy with openssl is added.
[2024-10-02 12:46:41.328 (UTC+0000)] info/securitypolicy The basic256 security policy with openssl is added.
[2024-10-02 12:46:41.329 (UTC+0000)] info/securitypolicy The basic256sha256 security policy with openssl is added.
[2024-10-02 12:46:41.330 (UTC+0000)] info/securitypolicy The Aes128Sha256RsaOaep security policy with openssl is added.
Session PLC: (connect) setting up PKI provider Session PLC:
(setupIdentity) setting Anonymous token Session PLC: (setupSecurity)
reading endpoints from opc.tcp://192.168.0.250:4840
[2024-10-02 12:46:41.331 (UTC+0000)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy https://urldefense.us/v3/__http://opcfoundation.org/UA/SecurityPolicy*None__;Iw!!G_uCfscf7eWS!fCZnrySsvi7YYgcw1Bmk0M1UCNrZ2PUUvYPCHpK8jMURBNDaoylL4_5PUb5jXbUCGPMI6qehuTFljJdm-B9Zt3rUJAMn5Q$
[2024-10-02 12:46:41.335 (UTC+0000)] info/server Reloading the trust-list
[2024-10-02 12:46:41.336 (UTC+0000)] info/server Reloading the issuer-list
[2024-10-02 12:46:41.336 (UTC+0000)] info/server Reloading the revocation-list
[2024-10-02 12:46:41.336 (UTC+0000)] warn/channel Connection 8 | SecureChannel 0 | Receiving the response failed with StatusCode BadCertificateUntrusted
[2024-10-02 12:46:41.336 (UTC+0000)] info/client Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadConnectionClosed
Session PLC: (setupSecurity) UaDiscovery::getEndpoints from
opc.tcp://192.168.0.250:4840 failed with status BadConnectionClosed
OPC UA session PLC: security discovery and setup failed with status
cantConnect
We used tcpdump to capture TCP communication, it shows TCP is closed by client after receiving OpenSecureChannelResponse from the server.
We have certificate of both the authority and the server and crl of the authority. This is a list of steps which we tried and still got BadCertificateUntrusted:
· Putting server certificate into PKI/trusted/certs
· Putting CA certificate into PKI/trusted/certs and crl into PKI/trusted/crl
· Putting CA certificate into PKI/issuers/certs and crl into PKI/issuers/crl
· Combinations of all of the above
· Adding certificates to the system
· Running with sec-mode=None and commenting out opcuaSetupPKI command
We also tried running the IOC with strace to see system calls and noticed that PKI/trusted/crl directory was not opened during IOC startup.
We have used openssl verify to check the server certificate against the CA with OK result.
And perhaps most importantly, we can connect to the server with UAExpert without any issues when we use the same certificates.
Do you have any experience with this behavior and any advice how to fix it or even where to look for the problem?
Kind regards,
Karel Majer
Karel Majer | Senior Software Developer
Tel: +420 266 051 514
Email: karel.majer at eli-beams.eu
ELI Beamlines Facility|The Extreme Light Infrastructure ERIC Za
Radnicí 835, 252 41 Dolní Břežany, Czech Republic
https://urldefense.us/v3/__http://www.eli-laser.eu__;!!G_uCfscf7eWS!fCZnrySsvi7YYgcw1Bmk0M1UCNrZ2PUUvYPCHpK8jMURBNDaoylL4_5PUb5jXbUCGPMI6qehuTFljJdm-B9Zt3rk_zZNVQ$ |https://urldefense.us/v3/__http://www.eli-beams.eu__;!!G_uCfscf7eWS!fCZnrySsvi7YYgcw1Bmk0M1UCNrZ2PUUvYPCHpK8jMURBNDaoylL4_5PUb5jXbUCGPMI6qehuTFljJdm-B9Zt3rGat2W7w$
