OPC UA connection "unable to find valid certification path to requested target"

Hi Kevin,

I am having a similar issue, but in my case I have Ignition Edge and Ignition Gateway installed on the same server with two different ports. Ignition Edge is running fine, and in Ignition Gateway I am getting this certs issue. Can you please help?

Note: I am trying to communicate with the device configured on an AWS IoT Greengrass Linux machine, and the Ignition server and Greengrass server are accessible.

UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.onError(UascClientAcknowledgeHandler.java:258)
at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:167)
at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)

8.0.15 (b2020072213)
Azul Systems, Inc. 11.0.6

Thanks

It looks like you haven’t mutually trusted the certificates on both sides of the OPC UA connection this is coming from.

Thank you for the prompt reply!

Mutual trust between the Edge and Gateway OPC UA servers? May I know how to do that mutual trust, if my understanding is right, please?
Thanks

In the Ignition Gateway config section under OPC UA > Security there are tabs for Client and Server.

On the gateway this connection originates from, look under the Client tab and make sure there is no quarantined server certificate. If there is, trust it.

If the server you are connecting to is the one from another Ignition Gateway, go to that gateway and do the same thing, but look under the Server tab instead.

If the server is another piece of software that isn’t Ignition you’ll have to consult its documentation.
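The trust step described in the answer above is, underneath, an X.509 path-validation check: the client keeps a list of trusted certificates, and a peer certificate that cannot be chained to anything in that list is rejected with the "unable to find valid certification path" error seen in the question. The script below is an added example, not code from this thread or from Ignition; it assumes only the openssl CLI and models the trust list as a PEM bundle in a temporary directory, with constructed self-signed certificates standing in for the OPC UA server and for an unrelated certificate that is already trusted. It also prints the SHA-256 fingerprint, which is the value to compare against what the remote gateway shows before moving a quarantined certificate into the trusted list.

```shell
#!/bin/sh
# Added example (not from the forum thread, not Ignition's own code). Assumes the
# openssl CLI is installed. Models an OPC UA trust list as a PEM bundle: a peer
# certificate that cannot be chained to anything in that bundle is rejected, which
# is the condition behind "unable to find valid certification path to requested target".
set -eu

# Make a self-signed certificate with the given CN (constructed sample data; a real
# OPC UA application certificate also carries its application URI in subjectAltName).
make_self_signed() {            # $1 = common name, $2 = output .pem path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate: compare this against the fingerprint the
# remote side reports before trusting a quarantined certificate.
fingerprint() {                 # $1 = certificate .pem path
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeeds only if a certification path from the certificate to the trust list exists.
path_valid() {                  # $1 = trust list .pem bundle, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# "Trust" a quarantined certificate by appending it to the trust list.
trust_cert() {                  # $1 = trust list, $2 = certificate
  cat "$2" >> "$1"
}

# Prints the validation result before and after trusting the server certificate.
run_demo() {
  work=$(mktemp -d)
  trust="$work/trusted.pem"
  make_self_signed "unrelated-gateway" "$work/other.pem"
  make_self_signed "opcua-server"      "$work/server.pem"
  cp "$work/other.pem" "$trust"        # the trust list already holds some other cert
  if path_valid "$trust" "$work/server.pem"; then before=accepted; else before=rejected; fi
  echo "server fingerprint: $(fingerprint "$work/server.pem")" >&2
  trust_cert "$trust" "$work/server.pem"
  if path_valid "$trust" "$work/server.pem"; then after=accepted; else after=rejected; fi
  rm -rf "$work"
  echo "before=$before after=$after"
}

run_demo                        # prints: before=rejected after=accepted
```

The first check fails even though the trust list is not empty, because no certificate in it issues or equals the server's certificate; appending the server certificate is what makes path building succeed, which is the same effect as clicking "trust" on a quarantined certificate in the gateway UI.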

Hey Kevin,

Thank you. After I trusted it in the gateway under Client, I do not see any fault issue or cert issue. But we are not seeing any error in the logs either.

PS: We are trying to connect through MQTT Transmission to AWS Greengrass on EC2 using port 8883. Here the server is giving 0 of 1 connectivity, and it is working with IoT Core connectivity directly.

I'm not sure what this has to do with OPC UA.

Did you get the OPC UA connection connected? Is this a separate issue?

I am sorry, ignore my previous comment. Actually, after we trusted the client certificate it is working fine. Thank you for your help.