Kepserver 6.12 : check suppressed: certificate failed hostname check

I try to connect to kepserver 6.12 following the guide:
https://docs.inductiveautomation.com/display/DOC81/Connecting+to+Kepware+OPC+UA

My connection is faulted,
I have the follong error:

check suppressed: certificate failed hostname check: CN=KEPServerEX/UA Server,O=Unknown,C=FR,DC=SIAI21-03

This message is not related to whatever reason it is faulted. It’s a warning that the hostname you used to connect to KSE doesn’t match any in the cert, but it’s being suppressed, and so it’s only a warning, and not a failure that will prevent you from connecting.

You can usually see a StatusCode and/or stack trace if you look at the connection in the Status area of the gateway.

image

Okay, you haven’t supplied a username and password, and KSE is configured to require one.

1 Like

Thanks, adding user/password in kep solved the issue

Hi,

Thought I would add some additional info to this topic. I observed this same error message occurring in an already existing and operational Kepware Connection to our Redundant 8.0.16 Gateways. Connection would drop at about the same time everyday, and reconnect shortly later. My current hypothesis is that my specific issue is being caused by a couple of Windows Services (Windows Update and Delivery Optimization) that execute on a schedule. I found during investigation that the Delivery Optimization service was attempting to download a Windows Update for Microsoft Defender Antivirus. This, despite having already disabled Windows Update on the Windows Server using Windows Settings, as well as turning off Delivery Optimization. Thanks Microsoft!

I applied a couple of group policies to modify the Delivery Optimization Download Mode to Simple, limit the network throughput of the Background Intelligent Transfer Service (BITS) to 10kb/s, and for good measure, disabled the Windows Update and Delivery Optimization services for good on the Windows server running Ignition. Our Ignition servers operate on high usage rates, 24/7 monitoring for regulatory compliance, so any downtime is extremely high-visibility. Once operational, we try to not fix what isn't broken, so we'll put off Windows Updates as long as we can, and test on a duplicate development environment so we know what the impact will be before updating the production system.

Still monitoring the issue, but we have gone almost a week without an occurrence of the warning. I followed the instructions in a couple YouTube videos (linked below) to disable the Delivery Optimization Windows Service on all of our Windows Servers running Ignition across our sites.

Group Policy Modifications:
Windows Service Disabling

Hope this helps anyone coming across this thread in the future!

1 Like

I just want to clarify that the warning is just a harmless side effect of what's actually happening, which is that you're losing the connection to KSE for some reason.

It is stuff like this that reinforces my opinion that using Windows anywhere in operations is engineering malpractice. :frowning_face:

2 Likes

When I originally read this, my brain typed out two or three sardonic replies, but none of them seemed appropriate, so I bit tongue and didn't post them.

Nailed it - those are the words I was looking for.

1 Like