OPC UA connection "unable to find valid certification path to requested target"

Hi Kevin ,

I am having similar issue but in my case , I have ignition edge and ignition gateway installed in the same server with two different ports. Ignition edge is running fine and in ignition gate way i am getting this certs issue . Can you please help

Note: I am trying to communicate with the device configured in AWS IOT greengrass Linux machine and ignition server and Greengrass server are accessible .

UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.onError(UascClientAcknowledgeHandler.java:258)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:167)
at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)

8.0.15 (b2020072213)
Azul Systems, Inc. 11.0.6

Thanks

It looks like you haven’t mutually trusted the certificates on both sides of the OPC UA connection this is coming from.

Thank you for the prompt reply!

Mutual trust between edge and gateway opc UA server ? May I know how to do that mutual trust if my understanding is right please
Thanks

In the Ignition Gateway config section under OPC UA > Security there are tabs for Client and Server.

On gateway this connection originates from look under the Client tab and make sure there is no quarantined server certificate. If there is, trust it.

If the server you are connecting to is the one from another Ignition Gateway, go to that gateway and do the same thing, but look under the Server tab instead.

If the server is another piece of software that isn’t Ignition you’ll have to consult its documentation.

Hey Kevin,

Thank you , after I trusted in the gateway under client I do not see any fault issue and Cert issue . But we are not seeing any error in the logs also .

PS: We are trying to connect through MQTT transmission to AWS greengrass EC2 using port 8883 . Here the server is giving 0 of 1 connectivity and it is working with IOT core connectivity directly.

I'm not sure what this has to do with OPC UA.

Did you get the OPC UA connection connected? Is this a separate issue?

I am sorry , ignore my previous comment. Actually after the we trusted the client certificate it is working fine. Thank you for your help

@Kevin.Herron I'm having the same issue with getting Ignition to connect to the Codesys OPCUA Server running on my GROOV RIO, it was working up until 3 days ago. I haven't updated any firmware or ignition versions either. I'm running Ignition 8.1.41.

In the Ignition Gateway under the Client Tab I trusted the certificate and then it continuously reappears under Quarantined Certificates, please see the image below:

On the CODESYS side I have also trusted the Ignition Client Certificate to start the connection process, please see the image below:

The only way I can establish a connection from Ignition is when I set the option

Security Certificate Validation Enabled = False

I have attached both my certificates if you want to take a look I have all the required Key Usage requirement for both and even regenerated both certificates on each side just eliminate any bad certificates.
codesys_grv_rio.der (856 Bytes)
ignition_client.der (1.1 KB)

Here is the exact error from ignition:

UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:400)
	at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildTrustedCertPath(CertificateValidationUtil.java:120)
	at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:64)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.onOpenSecureChannel(UascClientMessageHandler.java:469)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.decodeMessage(UascClientMessageHandler.java:394)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.decode(UascClientMessageHandler.java:382)
	at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:171)
	at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
	at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:398)
	... 34 more

8.1.41 (b2024052809)
Azul Systems, Inc. 17.0.10

It looks like this certificate is being generated by software written against a more recent version of the OPC UA spec, which now definitively states that for a self-signed certificate the cA bit of the BasicConstraints extension shall be set to false, with true being accepted for backwards compatibility as long as the pathLength constraint is 0.

Unfortunately Ignition is still looking for the cA bit to be true instead. We'll have to update this validation in a future version.

However, under these new rules, all self-signed certificates must have the keyCertSign KeyUsage bit set, so even if we were up to date on the validation rules it would still fail.

For now you'll just have to leave the validation disabled.

@Kevin.Herron If thats true then why was I able to even establish a connection from the beginning and then out of nowhere is just stopped working?

I don’t know, can’t tell you that retroactively. Working with what I have.

I am having the same problem. I have 2 Siemens PLCs both set up identical (apart from IP addresses and program) but the OPC settings are identical. I have the certificates downloaded from the TIA and installed on the Ignition machine and been through the endpoint setup both certificates are trusted but one of the connections connects ok and the other is faulting with:

[remote=/10.69.67.56:4840] Exception caught: UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have tried deleting all the connections and certificates and restarting the ignition and reinstalling but always the same one connects however checking on the siemens they are both set up exactly the same too

in addition to this i have just used the Matrikon OPCUA explorere from the same server as the ignition and getting a good connection from there on both siemens OPC.

Can you share your logs and the server certificate(s)?

PLC-K20Communication-1.cer (597 Bytes)
PLC-K20Communication-BAS.cer (597 Bytes)
The PLC-K20Communication-1.cer is the certificate that works

the logs are too large to uplo


ad onto here but attached is a screenshot

Can you click that + button and get the full stack trace?

I'm honestly surprised either of these work. Are you sure you don't have certificate validation disabled for one of these connections? Or the connection configured without security?

Both of these certificates are using EC keys instead of RSA, which both shouldn't work and isn't allowed for use with the RSA-based OPC UA Security Policies.



these are the settings for the one that is connected and working fine. the faulting connection is identical except for the IP address.