I am using the system.net.httpGet() function to read data from a server.
When I have bypassCertValidation=True, I get the proper result.
However, when bypassCertValidation=False, I get the exception <type 'exceptions.IOError'>
This is an industrial application and I need to install the certificate in the proper location.
I tried to put the root certificate in the following folders, but the result is the same.
/Ignition/dada/certificate/supplemental
/Ignition/data.Getway-network/server/security/pki/issuer/certs
/Ignition/data/Getway-network/server/security/pki/trusted/certs
/Ignition/data/Getway-network/client/security/pki/issuer/certs
/Ignition/data/Getway-network/client/security/pki/trusted/certs
What folder should be the right one?
I also installed the certificate in the Windows system using "Manage computer certificates", and the webpage could be opened from the browser and shows the proper certificate (lock).
Need help urgently. Thanks
This is the correct location, other than the spelling errors and assuming /Ignition is where Ignition is installed. The docs say a gateway restart is required, so make sure you've done that.
Take care that you are executing the script from the gateway scope, though. Executing it from the Designer script console, for example, would not use this certificate store.
Thank you very much Kevin.
I restarted Ignition from "Services" and in the "data" folder as well. I called it from a gateway timer and the result is the same.
One more thing I forgot to mention:
The server is on AWS and I could only reach it with an IP address.
I added a line in the hosts file to let the system find the IP from the host name.
It looks like Ignition could get the data from the server using the host name, but somehow does not recognize the certificate.
What else could go wrong?
Thanks
The certificate or certificate chain may not be valid for some reason. You can share those (there's no real private data in just the certificates, only the private keys) and we can take a look.
Thanks. It is a self-signed certificate. The web browser shows the certificate is OK after installing the root certificate to the trusted third party folder. I can run the same application when pointed to an internal server that has a certificate from the same root CA, but when pointed to the AWS server, system.net.httpGet() does not like the certificate any more, even though the browser shows the certificate is valid.
Would you mind if I send you the certificate in an email?
Ok. If you've for sure put this root CA into the supplemental dir and restarted the gateway, and for sure are calling the script from gateway scope... more difficult troubleshooting is needed.
You need to start the gateway with -Djavax.net.debug=all added to one of the "Additional parameters" entries in ignition.conf. Then Java will spit out crazy amounts of logging to the wrapper.log files when it tries to do the PKIX validation, and hopefully the problem can be spotted.
My guess before doing any of that, though, is that the leaf certificate does not have an Authority Key Identifier extension, which means the only way to identify the issuer is via name chaining, which is a bit dodgy.
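A quicker check to try before turning on javax.net.debug, given here as an added example that is not part of the thread or of Ignition's own code: a small stand-alone Java program that looks for the Authority Key Identifier on the leaf and runs PKIX validation against the root CA alone. The class name and file arguments are hypothetical, and it assumes the leaf is issued directly by that root with no intermediate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added diagnostic example. Usage, with hypothetical file names:
//   java CheckChain root-ca.pem leaf.pem
public class CheckChain {
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CheckChain <root.pem> <leaf.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = load(cf, args[0]);
        X509Certificate leaf = load(cf, args[1]);

        // OID 2.5.29.35 = Authority Key Identifier, 2.5.29.14 = Subject Key Identifier.
        System.out.println("leaf has AKI: " + (leaf.getExtensionValue("2.5.29.35") != null));
        System.out.println("root has SKI: " + (root.getExtensionValue("2.5.29.14") != null));

        // Name chaining: the leaf's issuer DN must equal the root's subject DN.
        System.out.println("issuer DN matches root subject DN: "
                + leaf.getIssuerX500Principal().equals(root.getSubjectX500Principal()));

        // Subject Alternative Names in the leaf, for comparison with the host name in the URL.
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        System.out.println("leaf SANs: " + (sans == null ? "none" : sans));

        // PKIX path validation with the root as the only trust anchor.
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP lookups in this offline check
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("PKIX validation: OK");
        } catch (CertPathValidatorException e) {
            System.out.println("PKIX validation failed: " + e.getMessage()
                    + " (reason: " + e.getReason() + ")");
        }
    }
}
```

Both inputs are PEM or DER certificate files only, with no private keys involved.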