Failed to connect Ignition OPC-UA server using Sign And Encrypt mechanism via Python OPC-UA client

I have to establish a connection between the Ignition OPC-UA server and a Python OPC-UA client (open source) using security certificates provided by Ignition, with the Sign & Encrypt mechanism of OPC-UA endpoint connection.

For testing purposes, I've placed my security certificates in the same package as the connection service. The path of the certificate is configurable and they can be placed anywhere in the system.

With reference to this example, I wrote the following code to establish a connection between the Ignition OPC-UA server and the Python OPC-UA server:

client = Client("opc.tcp://localhost:4096/iaopcua/Basic128Rsa15")
client.load_client_certificate("ignition-client.der")
client.load_private_key("??????")
client.connect()

I've downloaded the Ignition client certificate from Manage Certificate in Ignition. To connect with the server I also need the private key. But I am unable to get the private key for Ignition (Trial Version).

I got the following errors when trying to connect to the Ignition server using the above code:

A) When no private key is given to the OPC-UA client for the connection, only the certificate:

client = Client("opc.tcp://localhost:4096/iaopcua/Basic128Rsa15")
client.load_client_certificate("ignition-client.der")
client.connect()

Exception:
Traceback (most recent call last):
File "...\opc_ua\service\opcua_utility.py", line 123, in connect_opcua
client.connect()
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\opcua\client\client.py", line 247, in connect
self.activate_session(username=self._username, password=self._password, certificate=self.user_certificate)
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\opcua\client\client.py", line 416, in activate_session
self._add_certificate_auth(params, certificate, challenge)
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\opcua\client\client.py", line 431, in _add_certificate_auth
sig = uacrypto.sign_sha1(self.user_private_key, challenge)
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\opcua\crypto\uacrypto.py", line 46, in sign_sha1
signer = private_key.signer(
AttributeError: 'NoneType' object has no attribute 'signer'

B) When a private key (generated via OpenSSL) is given to the OPC-UA client:

client = Client("opc.tcp://localhost:4096/iaopcua/Basic128Rsa15")
client.load_client_certificate("ignition-client.der")
client.load_private_key("private_key_generated_via_openssl")
client.connect()

Exception:
Traceback (most recent call last):
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\opcua\client\client.py", line 200, in load_private_key
self.user_private_key = uacrypto.load_private_key(path)
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\opcua\crypto\uacrypto.py", line 34, in load_private_key
return serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\cryptography\hazmat\primitives\serialization.py", line 20, in load_pem_private_key
return backend.load_pem_private_key(data, password)
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1015, in load_pem_private_key
password,
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1234, in _load_key
self._handle_key_loading_error()
File "C:\Users{username}\AppData\Local\Programs\Python\Python36-32\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1292, in _handle_key_loading_error
raise ValueError("Could not deserialize key data.")
ValueError: Could not deserialize key data.

I've also gone through the Ignition documentation but didn't get any help.

Target Machine Environment:
Ignition: 7.9.4 64-bit
Java: 1.8.0_151
OS: Windows 10 64-bit (Local) & CentOS 7 (IT Testing)

Any help from your side would be appreciated.

You should be generating your own private key and certificate for the Python client, not using Ignition’s.

I am using Ignition's certificate but didn't find the private key of Ignition.

Just for testing purposes I've tried with my certificate generated via OpenSSL. But no luck.

Could you please tell me from where I can download the private key of Ignition?

It’s in the keystore, but you are approaching this wrong. Figure out how to generate your own certificate. Hopefully the docs for the OPC UA library you’re using can help you.

openssl req -x509 -newkey rsa:2048 -keyout my_private_key.pem -out my_cert.pem -days 355 -nodes
openssl x509 -outform der -in my_cert.pem -out my_cert.der

Through this script, you can generate your .der and .pem files. I found it at https://github.com/FreeOpcUa/python-opcua/blob/master/examples/generate_certificate.sh

Is this OPC UA library still valid? The GitHub page says this library is deprecated! Is there any other Python-based OPC UA library available? (Free or otherwise)

Hi @Kevin.Herron, I am using the freeopcua Python library as a client to connect with the Ignition OPC UA server. I was able to download the server certificate (.der file) from the gateway but am still not sure where to get the server private key (.pem).

Thanks,

You don’t need, and shouldn’t have access to in general, the private key of the server you are connecting to.

The certificate_path and private_key_path parameters are for your client certificate and private key.

Hi @Kevin.Herron ,

Thanks. Now I have updated the certificate_path and private_key_path parameters with self-generated OpenSSL files for my Python client.

After running my Python script, I can see the client certificate and have trusted it in the gateway. I can also see the certificate in the Ignition directory (/usr/local/bin/ignition/data/opcua/server/security/pki/trusted/certs). However, my Python client errored back as follows:

Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:status=Bad_SecurityChecksFailed, description=An error occurred verifying security.)
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:status=Bad_SecurityChecksFailed, description=An error occurred verifying security.)
Protocol Error
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/ua_client.py", line 101, in _run
    self._receive()
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/ua_client.py", line 121, in _receive
    self._call_callback(0, ua.UaStatusCodeError(msg.Error.value))
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/ua_client.py", line 129, in _call_callback
    raise ua.UaError(
opcua.ua.uaerrors._base.UaError: No future object found for request: 0, callbacks in list are dict_keys([1])
exception calling callback for <Future at 0x7f074cd94280 state=cancelled>
Traceback (most recent call last):
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 329, in _invoke_callbacks
    callback(self)
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/ua_client.py", line 201, in clb
    response = struct_from_binary(ua.OpenSecureChannelResponse, future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 431, in result
    raise CancelledError()
concurrent.futures._base.CancelledError
Traceback (most recent call last):
  File "/root/py_factory/opcua_client.py", line 28, in <module>
    client.connect()
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/client.py", line 275, in connect
    self.open_secure_channel()
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/client.py", line 335, in open_secure_channel
    result = self.uaclient.open_secure_channel(params)
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/ua_client.py", line 275, in open_secure_channel
    return self._uasocket.open_secure_channel(params)
  File "/usr/local/lib/python3.9/dist-packages/opcua/client/ua_client.py", line 209, in open_secure_channel
    response = clb.future.result(self.timeout)
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 442, in result
    raise TimeoutError()
concurrent.futures._base.TimeoutError

When I checked the Ignition logs, they showed the following error:

io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
at org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:87)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:197)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:119)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
... 16 common frames omitted

I am not sure where I am making a mistake. Can you please help me resolve it?

Thanks,
Hari G B.

Anything else in the logs? That message was either before you marked the client certificate trusted in Ignition, or there’s still something else wrong with the certificate.

No, I don't see anything more in the logs. The above Ignition error log appeared before I trusted the client certificate. After trusting the certificate I don't see any updates in the logs.

Just to clarify, do I need to place/trust the Ignition server certificate in the Python client?

Yes, you likely do, but that error you posted is from the Ignition OPC UA server rejecting the client certificate.

Try setting these loggers to TRACE and then connect again and get the logs:

  • org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil
  • org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator

Please find the logs after enabling the said items to TRACE:


 org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator-----	validateCertificateChain failed, underlying status: 2148728832
 org.eclipse.milo.opcua.stack.core.UaException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:413)
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildTrustedCertPath(CertificateValidationUtil.java:120)
at org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:68)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:197)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:119)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:411)
... 22 common frames omitted
-------------------------------------------------
org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler - -----[remote=/192.168.47.128:48926] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=status=Bad_SecurityChecksFailed, description=An error occurred verifying security.}
io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
at org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:87)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:197)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:119)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
... 16 common frames omitted
---------------------------------------------------

I think I’ll need the full logs by email or DM and a copy of the certificate, not just a copy/paste that is being truncated.

Hi @Kevin.Herron , I have messaged you directly from the forum with files.

Thanks,
Hari GB.

It looks like the most recent error in the logs doesn’t have anything to do with certificates now:

E [o.e.m.o.s.s.t.u.UascServerAsymmetricHandler] [12:54:16]: Error installing security token: StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad} 
org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://192.168.47.128:62541/discovery, securityPolicy=Basic256Sha256, securityMode=SignAndEncrypt
 	at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:397)
 	at java.base/java.util.Optional.orElseThrow(Unknown Source)
 	at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:387)
 	at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:298)
 	at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:52)
 	at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 	at java.base/java.lang.Thread.run(Unknown Source)

This means your client is trying to open a secure channel at the discovery endpoint (opc.tcp://192.168.47.128:62541/discovery), not the session endpoint (opc.tcp://192.168.47.128:62541).

These are 2 separate endpoints. The discovery endpoint offers unsecured discovery services. The session endpoint, by default, requires security for any connection and offers both discovery and the regular session services.


@Kevin.Herron, thanks for the feedback.
I have changed the endpoint to opc.tcp://192.168.47.128:62541 and then observed the following in the logs:

UascServerAsymmetricHandler 24Jul2022 22:19:16
Error installing security token: StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}
org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://192.168.47.128:62541, securityPolicy=None, securityMode=None
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:397)
at java.base/java.util.Optional.orElseThrow(Unknown Source)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:387)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:298)
at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:52)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

Yes, well now your client is trying to connect to the session endpoint without security. Unless you configure the Ignition OPC UA server to allow unsecured connections the session endpoint requires security.

You may be dealing with a broken client implementation that does a “two step” connection:

  1. connect, get endpoints, find a matching one
  2. connect to the matching endpoint, create/activate a session

but fails to pay attention to the endpoint URL in the endpoints it got during step 1.

If this is the case you’ll have to open an issue with whoever maintains that client/SDK.

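The endpoint mismatch described in the two replies above (a secure channel requested at the /discovery endpoint, then an unsecured one at the session endpoint) can be caught on the client side before OpenSecureChannel is sent. The following is an added example, not code from python-opcua, opcua-asyncio, Eclipse Milo or Ignition: it mirrors the server's "no matching endpoint found" check over a constructed endpoint list modelled on the URLs and security settings in this thread, using only the standard library, and explains why each of the two failed attempts was rejected.

```python
"""Client-side endpoint matching check for a "two step" OPC UA connection.

Added example (stdlib only); not code from python-opcua, opcua-asyncio or
Ignition. IGNITION_ENDPOINTS is a constructed stand-in for what GetEndpoints
would return, modelled on the thread: an unsecured discovery endpoint and a
session endpoint that requires Basic256Sha256 / SignAndEncrypt.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# MessageSecurityMode enumeration values from OPC UA Part 4.
MODES = {"None": 1, "Sign": 2, "SignAndEncrypt": 3}
MODE_NAMES = {v: k for k, v in MODES.items()}


@dataclass(frozen=True)
class Endpoint:
    """Subset of an EndpointDescription relevant to OpenSecureChannel."""
    endpoint_url: str
    security_policy_uri: str
    security_mode: int


# Constructed endpoint list (assumption), modelled on the URLs in this thread.
DISCOVERY_URL = "opc.tcp://192.168.47.128:62541/discovery"
SESSION_URL = "opc.tcp://192.168.47.128:62541"
IGNITION_ENDPOINTS: List[Endpoint] = [
    Endpoint(DISCOVERY_URL, POLICY_BASE + "None", MODES["None"]),
    Endpoint(SESSION_URL, POLICY_BASE + "Basic256Sha256", MODES["SignAndEncrypt"]),
]


def parse_security_string(s: str):
    """Parse the "<Policy>,<Mode>" form used by set_security_string, e.g.
    "Basic256Sha256,SignAndEncrypt" -> (policy URI, mode value)."""
    policy, mode = (part.strip() for part in s.split(",", 1))
    if mode not in MODES:
        raise ValueError(f"unknown security mode {mode!r}")
    return POLICY_BASE + policy, MODES[mode]


def same_endpoint_url(a: str, b: str) -> bool:
    """Scheme, host, port and path must all match: the server treats
    /discovery and the bare session URL as two different endpoints."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port, ua.path.rstrip("/")) == \
           (ub.scheme, ub.hostname, ub.port, ub.path.rstrip("/"))


def select_endpoint(endpoints: List[Endpoint], requested_url: str,
                    security_string: str) -> Endpoint:
    """Return the endpoint the server would accept for this URL + policy + mode,
    or raise ValueError carrying the same facts the Milo log line reports."""
    policy_uri, mode = parse_security_string(security_string)
    at_url = [ep for ep in endpoints if same_endpoint_url(ep.endpoint_url, requested_url)]
    for ep in at_url:
        if ep.security_policy_uri == policy_uri and ep.security_mode == mode:
            return ep
    reason = (f"no matching endpoint found: endpointUrl={requested_url}, "
              f"securityPolicy={policy_uri.rsplit('#', 1)[1]}, "
              f"securityMode={MODE_NAMES[mode]}")
    if urlsplit(requested_url).path.rstrip("/").endswith("/discovery"):
        reason += ("; this is the discovery endpoint, which only offers unsecured "
                   "discovery services, so open the secure channel on the session endpoint")
    elif mode == MODES["None"] and at_url and all(ep.security_mode != MODES["None"] for ep in at_url):
        reason += ("; the session endpoint requires security unless the server is "
                   "configured to allow unsecured connections")
    elif not at_url:
        reason += "; the server reported no endpoint at that URL"
    raise ValueError(reason)


def diagnose(endpoints: List[Endpoint], requested_url: str,
             security_string: str) -> Optional[str]:
    """None when the connection plan would be accepted, else the rejection reason."""
    try:
        select_endpoint(endpoints, requested_url, security_string)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # The three attempts from the thread, in order.
    for url, sec in [(DISCOVERY_URL, "Basic256Sha256,SignAndEncrypt"),
                     (SESSION_URL, "None,None"),
                     (SESSION_URL, "Basic256Sha256,SignAndEncrypt")]:
        print(f"{url} [{sec}] -> {diagnose(IGNITION_ENDPOINTS, url, sec) or 'OK'}")
```

A real client should run this comparison against the EndpointUrl values returned by GetEndpoints in step 1 before opening the secure channel in step 2, rather than reusing the discovery URL it started with.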

Thank you very much @Kevin.Herron, your feedback helped to resolve the issue.
Yes, I think your observations are right. I have moved my client from the python-opcua library to the opcua-asyncio library, and now I am able to connect my Python client with security policy and mode set to Basic256Sha256,SignAndEncrypt.

I will soon raise an issue with the SDK maintainer.

Thanks again,
Hari G B.

I think python-opcua is deprecated and opcua-asyncio is its replacement. They may not care to fix things in the deprecated library.
