I am having an issue with OPC Server connection. I am communicating to a Prosoft PLX32 OPC, MODBUS, ETH IP module. I had this all set up and working with Version 7.8 and decided to upgrade to 8.0 for further application development. I struggled with certificates with the original 7.8 set up, so I believe this will be something similar.
I will take any guidance or suggestions!!
-Blake
In the Ignition gateway config section, go to OPC UA > Security. On the Client tab you should see a Quarantined Certificates section with an entry for the certificate of the server you're connecting to. You'll need to mark that as trusted.
There may be a similar procedure you need to go through with the configuration software for the server you're connecting to.
Thanks for the speedy response yesterday!! I am just now looking at this again. On the client security page I see a trusted certificate and a quarantined certificate with the same fingerprint. If I trust the quarantined one it comes back within a minute. The best I can tell I have completed this with the OPC server as well.
On the logging page in the gateway you can set log levels for the various loggers.
Search for "CertificateValidationUtil" on the log level config dialog and turn it to DEBUG level.
It's possible that even though you've added the server certificate to the trust list it's invalid for some other reason.
I guess I should clarify. I am in Ignition 8. I have this all working currently on 7.6
In the logger in 8, with it set to debug, I get certificate path validation failed: unable to find valid cert path to requested target.
Can you try turning the logger for "DefaultCertificateValidator" onto DEBUG as well?
Also, if you look under wherever Ignition is installed, then data/opcua/client/security/pki/trusted/certs is the server's certificate in there?
Also if you're not on version 8.0.2 it might be worth upgrading just in case.
Also, if you can send the server certificate to me I can take a look at it real quick and see if there's anything weird.
I sent you the cert in an email
Did you send it to kevin at inductiveautomation.com? I don't see anything.
I replied to your email from yesterday
"Kevin Herron via Inductive Automation Forum" no-reply@inductiveautomation.com
Ooops. I'll send it to you!
Okay, this certificate is not correctly indicating that it's a self-signed certificate (the Certificate Authority Basic Constraint is not set).
This worked in 7.6/7.8 because there was no validation or trust chain verification happening back then.
If you can't get that server to generate a certificate that correctly indicates it's self-signed (or is actually signed by another certificate) then you'll probably need to connect without security as the workaround.
Ah, I took another look at this certificate, and it is signed by another certificate, and is not self-signed.
The issuing certificate is the "ProSoft OPC UA Server Configuration Manager - Certificate Authority". If you can place that certificate into the trusted certs dir I think you'll be able to connect.
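The situation described in the post above, reproduced as an added example that is not part of the original thread: a server certificate issued by a separate CA fails path validation while only the server certificate is trusted, and validates once the issuing CA is also in the trust directory. OpenSSL stands in for the gateway's validator here (an assumption), and the CA, server certificate and directory names are constructed test data, not the ProSoft or Ignition files.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway test data.

# Create a demo CA and a server certificate issued by it (names are hypothetical).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Configuration Manager CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo OPC UA Server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Report whether a certificate names itself as issuer or points at another one.
issuer_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-issued; else echo issued-by-other; fi
}

# Return 0 only if cert $1 chains to a self-signed anchor among the *.pem files
# in trust directory $2 (OpenSSL's default behaviour: no partial chains).
chain_ok() {
    bundle=$(mktemp)
    cat "$2"/*.pem > "$bundle"
    if openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return $rc
}

demo=$(mktemp -d) && mkdir "$demo/trusted"
make_demo_pki "$demo"
echo "server cert: $(issuer_kind "$demo/server.pem")"
openssl x509 -in "$demo/server.pem" -noout -issuer   # names the CA that must be trusted

cp "$demo/server.pem" "$demo/trusted/"               # trust the server certificate only
chain_ok "$demo/server.pem" "$demo/trusted" && echo "leaf only: path found" \
    || echo "leaf only: no valid cert path"
cp "$demo/ca.pem" "$demo/trusted/"                   # add the issuing CA as well
chain_ok "$demo/server.pem" "$demo/trusted" && echo "leaf + CA: path found" \
    || echo "leaf + CA: no valid cert path"
rm -rf "$demo"
```

Running `openssl x509 -noout -subject -issuer` against a real server certificate is the quick way to tell whether a second certificate has to be exported from the server's configuration tool.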
This worked!! I was able to export the certificate and place it in the Ignition Trusted certs dir, as instructed. We are now communicating with Ignition 8.0 to our microprocessor with the Prosoft module.
Thanks for your time!
-Blake
Glad you got this working.
I made a change so that the entire certificate chain gets added to the rejected certificate list, which should make it much more obvious what's happening in situations like this.
Running into the same issue here… Created a self-signed X509 certificate using the openssl tool and Ignition is reporting a validation issue.