KEPServer Certificate Expired

Tyler_Boyd · June 8, 2023, 5:58pm

I have a KEPServer connected to Ignition that has a fault that says the certificate has expired or is not yet valid. This connection has been running for as long as I have been here with no issues and based on the experation date on the certificate in Ignition it shouldn't expire for another year. Any help would be great!

Error Code
UaException: status=Bad_CertificateTimeInvalid, message=The Certificate has expired or is not yet valid.
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.onError(UascClientAcknowledgeHandler.java:258)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:167)
at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)

8.1.23 (b2022121308)
Azul Systems, Inc. 11.0.16.1

pturmel · June 8, 2023, 6:04pm

Is Kepware's clock off by a year? Is Kepware's own certificate expired?

Kevin.Herron · June 8, 2023, 8:32pm

In addition to Phil's questions - are you sure you're looking at the right certificate? There is both an OPC UA client certificate and a server certificate.

Tyler_Boyd · June 9, 2023, 12:29pm

All the time stamps in KEPServer logs show the correct date and time. Kepware is running on the same server as my gateway. To be honest I don't know if the certificate is expired in Kepware all I know is that I can monitor live values in the Kepware software. Unfortunately, the person who set it up is no longer with the company, so I have no admin access to Kepware to view licenses and configuration. I have a ticket in with Kepware for support.

The only certificate I see in Ignition for KEPServer is for a client connection that has an expiration date of Mar 3, 2024.