I am having similar issue but in my case , I have ignition edge and ignition gateway installed in the same server with two different ports. Ignition edge is running fine and in ignition gate way i am getting this certs issue . Can you please help
Note: I am trying to communicate with the device configured in AWS IOT greengrass Linux machine and ignition server and Greengrass server are accessible .
UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.onError(UascClientAcknowledgeHandler.java:258)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:167)
at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
In the Ignition Gateway config section under OPC UA > Security there are tabs for Client and Server.
On gateway this connection originates from look under the Client tab and make sure there is no quarantined server certificate. If there is, trust it.
If the server you are connecting to is the one from another Ignition Gateway, go to that gateway and do the same thing, but look under the Server tab instead.
If the server is another piece of software that isn’t Ignition you’ll have to consult its documentation.
Thank you , after I trusted in the gateway under client I do not see any fault issue and Cert issue . But we are not seeing any error in the logs also .
PS: We are trying to connect through MQTT transmission to AWS greengrass EC2 using port 8883 . Here the server is giving 0 of 1 connectivity and it is working with IOT core connectivity directly.
@Kevin.Herron I'm having the same issue with getting Ignition to connect to the Codesys OPCUA Server running on my GROOV RIO, it was working up until 3 days ago. I haven't updated any firmware or ignition versions either. I'm running Ignition 8.1.41.
In the Ignition Gateway under the Client Tab I trusted the certificate and then it continuously reappears under Quarantined Certificates, please see the image below:
The only way I can establish a connection from Ignition is when I set the option
Security Certificate Validation Enabled = False
I have attached both my certificates if you want to take a look I have all the required Key Usage requirement for both and even regenerated both certificates on each side just eliminate any bad certificates. codesys_grv_rio.der (856 Bytes) ignition_client.der (1.1 KB)
Here is the exact error from ignition:
UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:400)
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildTrustedCertPath(CertificateValidationUtil.java:120)
at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:64)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.onOpenSecureChannel(UascClientMessageHandler.java:469)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.decodeMessage(UascClientMessageHandler.java:394)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.decode(UascClientMessageHandler.java:382)
at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:171)
at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:398)
... 34 more
8.1.41 (b2024052809)
Azul Systems, Inc. 17.0.10
It looks like this certificate is being generated by software written against a more recent version of the OPC UA spec, which now definitively states that for a self-signed certificate the cA bit of the BasicConstraints extension shall be set to false, with true being accepted for backwards compatibility as long as the pathLength constraint is 0.
Unfortunately Ignition is still looking for the cA bit to be true instead. We'll have to update this validation in a future version.
However, under these new rules, all self-signed certificates must have the keyCertSign KeyUsage bit set, so even if we were up to date on the validation rules it would still fail.
For now you'll just have to leave the validation disabled.
I am having the same problem. I have 2 Siemens PLCs both set up identical (apart from IP addresses and program) but the OPC settings are identical. I have the certificates downloaded from the TIA and installed on the Ignition machine and been through the endpoint setup both certificates are trusted but one of the connections connects ok and the other is faulting with:
[remote=/10.69.67.56:4840] Exception caught: UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have tried deleting all the connections and certificates and restarting the ignition and reinstalling but always the same one connects however checking on the siemens they are both set up exactly the same too
in addition to this i have just used the Matrikon OPCUA explorere from the same server as the ignition and getting a good connection from there on both siemens OPC.
I'm honestly surprised either of these work. Are you sure you don't have certificate validation disabled for one of these connections? Or the connection configured without security?
Both of these certificates are using EC keys instead of RSA, which both shouldn't work and isn't allowed for use with the RSA-based OPC UA Security Policies.