I am encountering a challenge with my client application (node-opcua) while attempting to connect to the Ignition server. Initially, I was able to establish a connection using the None mode. However, when attempting to switch to a secure connection using a self-signed certificate, I encountered issues. Despite receiving and trusting the certificate on the Ignition side, I am unable to establish a successful connection.
The error message received states:
"The connection may have been rejected by server,
Err = (ClientTCP_transport0: socket has been disconnected by third party)"
This error suggests that the server may be rejecting the connection attempt, leading to a disconnection of the socket. Despite following the necessary steps to trust the certificate on the Ignition platform, the connection remains unsuccessful.
Check the Ignition logs to see if there's anything, and get a Wireshark capture and upload it here.
Thank you for your reply. The Ignition and Wireshark logs are attached.
Wireshark_log.pcapng (9.4 KB)
wrapper.log (469.4 KB)
So the problem is that your client is trying to open a secure channel against the discovery endpoint:
| E [o.e.m.o.s.s.t.u.UascServerAsymmetricHandler] [21:28:27]: Error installing security token: StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}
| org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://172.19.192.1:62541/discovery, securityPolicy=Basic256Sha256, sec
| at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:410)
| at java.base/java.util.Optional.orElseThrow(Unknown Source)
| at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:400)
| at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:311)
| at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:59)
| at org.eclipse.milo.opcua.stack.core.util.TaskQueue$TaskWrapper.run(TaskQueue.java:273)
| at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
| at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
| at java.base/java.lang.Thread.run(Unknown Source)
You can see in the GetEndpointsResponse that the endpoint URL of the secured session endpoint is opc.tcp://172.19.192.1:62541 (no /discovery suffix):
Thank you for your answer and for highlighting the issue with the client attempting to open a secure channel against the discovery endpoint.
I've taken your suggestion into consideration and tested the connection without specifying the discovery endpoint. Unfortunately, I encountered the same error despite omitting the discovery endpoint from the configuration.
It seems that the problem persists even when excluding the discovery suffix from the endpoint URL. This suggests that the issue may lie elsewhere in the configuration or in the handling of security tokens.
I appreciate your assistance in troubleshooting this matter and would welcome any further insights or suggestions you may have to resolve this issue.
INFO | jvm 1 | 2024/01/25 23:20:25 | E [o.e.m.o.s.s.t.u.UascServerAsymmetricHandler] [22:20:25]: [remote=/172.19.198.204:57832] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=no certificate for provided thumbprint}
INFO | jvm 1 | 2024/01/25 23:20:25 | io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=no certificate for provided thumbprint
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
INFO | jvm 1 | 2024/01/25 23:20:25 | at java.base/java.lang.Thread.run(Unknown Source)
INFO | jvm 1 | 2024/01/25 23:20:25 | Caused by: org.eclipse.milo.opcua.stack.core.UaException: no certificate for provided thumbprint
INFO | jvm 1 | 2024/01/25 23:20:25 | at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:214)
INFO | jvm 1 | 2024/01/25 23:20:25 | at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:119)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
INFO | jvm 1 | 2024/01/25 23:20:25 | at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
INFO | jvm 1 | 2024/01/25 23:20:25 | ... 16 common frames omitted
Your latest capture shows a connection to the session endpoint (opc.tcp://172.19.192.1:62541) but the OpenSecureChannelRequest is specifying no security:
Etienne, the maintainer of the NodeJS OPC UA stack, is usually pretty responsive and may be able to help you troubleshoot this.
This means the thumbprint sent in an OpenSecureChannelRequest doesn't actually match any of the certs the server has. Whatever caused this wasn't present in your Wireshark capture. I usually only see this if the server certificate is re-generated but the client is still sending the thumbprint of the previous one.
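Both server-side findings above (an OpenSecureChannelRequest that specifies no security, and "no certificate for provided thumbprint") can be read from the asymmetric security header of the OPN message. The following is an added example, not part of the original thread and not node-opcua or Milo code: it parses that header and compares the SHA-1 receiver thumbprint with the server's certificates. The function names and the byte strings standing in for DER certificates are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
// Read an OPC UA String/ByteString: Int32 LE length (-1 = null), then the bytes.
function readBytes(buf, pos) {
  const len = buf.readInt32LE(pos);
  if (len < 0) return { value: null, next: pos + 4 };
  if (pos + 4 + len > buf.length) throw new RangeError('truncated field');
  return { value: buf.subarray(pos + 4, pos + 4 + len), next: pos + 4 + len };
}

// Skip the 12-byte message header, then parse the asymmetric security header.
function parseOpnHeader(buf) {
  if (buf.length < 12 || buf.toString('latin1', 0, 3) !== 'OPN') throw new Error('not an OPN chunk');
  const policy = readBytes(buf, 12);
  const sender = readBytes(buf, policy.next);
  const thumb = readBytes(buf, sender.next);
  return {
    securityPolicyUri: policy.value ? policy.value.toString('utf8') : null,
    senderCertificate: sender.value,
    receiverThumbprint: thumb.value ? thumb.value.toString('hex') : null,
  };
}

const sha1Hex = (der) => nodeCrypto.createHash('sha1').update(der).digest('hex');
// Classify a request against the certificates the server currently holds.
function diagnose(opn, serverCertsDer) {
  const h = parseOpnHeader(opn);
  if (!h.securityPolicyUri || h.securityPolicyUri.endsWith('#None')) return 'no-security-requested';
  if (!h.receiverThumbprint) return 'thumbprint-missing';
  return serverCertsDer.some((c) => sha1Hex(c) === h.receiverThumbprint)
    ? 'thumbprint-matches' : 'no-certificate-for-thumbprint';
}

// Builder for constructed sample messages (header only, no request body).
function buildOpn(policyUri, senderDer, receiverDer) {
  const field = (b) => {
    const len = Buffer.alloc(4);
    len.writeInt32LE(b ? b.length : -1);
    return b ? Buffer.concat([len, b]) : len;
  };
  const body = Buffer.concat([field(Buffer.from(policyUri)), field(senderDer),
    field(receiverDer && Buffer.from(sha1Hex(receiverDer), 'hex'))]);
  const head = Buffer.alloc(12);
  head.write('OPNF', 0, 'latin1');
  head.writeUInt32LE(12 + body.length, 4); // MessageSize; SecureChannelId stays 0
  return Buffer.concat([head, body]);
}
const POLICY = 'http://opcfoundation.org/UA/SecurityPolicy#';
const [currentCert, oldCert, clientCert] = ['current-server', 'replaced-server', 'client'].map((s) => Buffer.from('constructed-cert-' + s));
```

Calling `diagnose(buildOpn(POLICY + 'Basic256Sha256', clientCert, oldCert), [currentCert])` reproduces the stale-thumbprint case described above, where the client still holds a server certificate that has since been regenerated.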
I appreciate your assistance and wanted to update you that I have managed to successfully establish a connection. Interestingly, I realized that the issue stemmed from using the same certificate for the None security mode. This oversight led to the connectivity problem I was experiencing earlier.
Thank you for your support and suggestions throughout this troubleshooting process. If you have any further insights or recommendations, please feel free to share them.