Connecting to ibaPDA OPC UA server, Bad_CertificateUriInvalid

Hi,

I'm getting this error when connecting to a 3rd party OPC UA server (ibaPDA)

UaException: status=Bad_CertificateUriInvalid, message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.checkApplicationUri(CertificateValidationUtil.java:651)
at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:100)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$53(SessionFsmFactory.java:893)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.complete(Unknown Source)
at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:318)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

ibaPDA@steelplantiba [B7496AEF148CD122D2537CF42018584428FEEA42].der (1.0 KB)

8.1.44 (b2024102210)
Azul Systems, Inc. 17.0.12

I've checked the security policies and user and pass, and the settings are definitely the same. I've checked the certificate used by the server (see attached) and it has the IP address of the OPC UA server that Ignition is connected to. I've also attached the server's certificate.


This usually means there is a configuration problem or bug in the server. That “URL” field in the certificate is the application URI. The server also returns one in the endpoints returned by the GetEndpoints service. They must match, and this error suggests they don’t.

If you get a Wireshark capture of the connection attempt we can verify this is the issue.


Do I run Wireshark on the server the OPC server sits on?

You can run it on either the Ignition server or the server where the OPC server resides, if that's different, and isn't some kind of embedded device that precludes running Wireshark on it.


SP wireshark.pcapng (3.2 MB)

Does this look right? Sorry, first time using Wireshark. This is running on the OPC UA client side.

I don't see any OPC UA traffic in there, so unless it's on a non-standard port there's something wrong with the capture.

If you ran it on the same server as the Ignition Gateway you might have selected the wrong ethernet adapter or something like that.

What are the IP addresses involved?

SP wireshark.pcapng (3.7 MB)
I didn't set OPC UA to 48080, can you see it now?

IP addresses 172.20.251.46 (Client) & 172.20.64.151 (Server)

Yep, got it.

See here in the endpoints returned the application URI is urn:STEELPLANTIBA:ibaPDA

which doesn't match what you showed in your certificate.

You need to contact the vendor of this server for support about how to fix this mismatch. I wanted you to have some evidence in hand before I sent you that way saying "trust me".

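A quick way to confirm the mismatch pointed out above (the URI in the certificate's subjectAltName versus the ApplicationUri in the GetEndpoints response) is to pull the URI straight out of the certificate's DER bytes and compare the two strings. The script below is an added example, not code from this thread, Ignition or Eclipse Milo: it uses only the Python standard library, walks the DER to the subjectAltName extension (OID 2.5.29.17), and runs a constructed sample fragment against both URIs seen in this thread. The exact-string comparison is an assumption about the client's matching rule, and the sample "certificate" is a constructed Extensions fragment, not a real certificate.

```python
# Added example (not the thread's, Ignition's or Milo's code): compare the SAN URI with the ApplicationUri.
SAN_OID_TLV = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)

def _read_tlv(buf: bytes, pos: int):  # one DER tag-length-value -> (tag, content, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def san_uris(cert_der: bytes) -> list:
    """Return every uniformResourceIdentifier ([6]) entry of the subjectAltName extension."""
    idx = cert_der.find(SAN_OID_TLV)  # locate the Extension whose extnID is subjectAltName
    if idx < 0:
        return []
    tag, content, pos = _read_tlv(cert_der, idx + len(SAN_OID_TLV))
    if tag == 0x01:  # optional BOOLEAN 'critical' flag precedes extnValue
        tag, content, pos = _read_tlv(cert_der, pos)
    if tag != 0x04:  # extnValue must be an OCTET STRING wrapping GeneralNames
        return []
    _, names, _ = _read_tlv(content, 0)  # GeneralNames ::= SEQUENCE OF GeneralName
    uris, p = [], 0
    while p < len(names):
        t, c, p = _read_tlv(names, p)
        if t == 0x86:  # context tag [6] = uniformResourceIdentifier (IA5String)
            uris.append(c.decode("ascii"))
    return uris

def check_application_uri(cert_der: bytes, application_uri: str) -> dict:
    """Exact string comparison (an assumption about the client's matching rule)."""
    uris = san_uris(cert_der)
    return {"cert_uris": uris, "application_uri": application_uri,
            "match": application_uri in uris}

def _der(tag: int, content: bytes) -> bytes:  # minimal DER encoder for the constructed sample
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert_fragment(uri: str, dns: str) -> bytes:
    """Constructed stand-in for a certificate: an Extensions SEQUENCE holding one SAN extension."""
    general_names = _der(0x30, _der(0x86, uri.encode()) + _der(0x82, dns.encode()))
    return _der(0x30, _der(0x30, SAN_OID_TLV + _der(0x04, general_names)))

if __name__ == "__main__":
    cert = sample_cert_fragment("urn:STEELPLANTIBA:ibaPDA@steelplantiba", "steelplantiba")
    for app_uri in ("urn:STEELPLANTIBA:ibaPDA", "urn:STEELPLANTIBA:ibaPDA@steelplantiba"):
        print(check_application_uri(cert, app_uri))  # first: match False, second: match True
```

Feed `san_uris` the bytes of a real `.der` file to see what URI the server's certificate actually carries; it is the `@steelplantiba` suffix that breaks the comparison in this thread.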

Should the applicationURI and the URL in the certificate be the same?

Yes, your certificate has urn:STEELPLANTIBA:ibaPDA@steelplantiba

(note the @steelplantiba suffix)

sp not working.pcapng (522.0 KB)
HSM first.zip (2.6 MB)
ibaPDA [42589AE933D032B81C58EE598531D678584F2249].der (945 Bytes)

I managed to fix the certificate to match the applicationURI. I have one OPC UA server that works (172.20.160.151) and one that doesn't (172.20.64.151), and I can't figure out what the issue is with the one not working.

What's the status/error for that connection? Anything in the logs?

It looks like security is turned on, so I can't see anything that might help in the capture after the secure channel is established.

BadIdentityTokenInvalid

That could mean you haven't configured a username/password for that connection but the server requires one.

I've configured a username and password. I also tried the connection using UAExpert with the same user and pass credentials and it seems to connect without a problem.

I can’t do any further diagnosis with security enabled but if you can turn off security and there’s still an error with the connection then another Wireshark capture could help.

It would be the wrong StatusCode, but maybe it’s just the wrong username/password?

sp not working.pcapng (591.0 KB)
Is that better?

Yeah, that's better in that I can see the traffic, but I think someone from the vendor will have to help out now and tell us why this StatusCode is being returned. It all looks good to me 🤷

Same hardware, same firmware version?

Err... the client in this capture does not appear to be Ignition...

ignition sp failed.pcapng (791.1 KB)
Oh sorry! I uploaded the wrong Wireshark file.