OPC UA Niagara 4

I have an issue where I move two certificates from the rejected directory to the trusted certs directory, but then as soon as my OPC UA client sends another request to the server (open secure channel), the same certificates end up in the rejected directory again, and the server responds with an error message:

(Frame 13: 189 bytes on wire (1512 bits), 189 bytes captured (1512 bits) on interface \Device\NPF_{3970287E-D220-49EA-B769-B19BFAE3CC5C}, id 0
Ethernet II, Src: LCFCHeFe_a5:47:3f (8c:16:45:a5:47:3f), Dst: RedLionC_07:ff:47 (00:05:e4:07:ff:47)
Internet Protocol Version 4, Src: 192.168.1.220, Dst: 192.168.1.45
Transmission Control Protocol, Src Port: 4840, Dst Port: 41234, Seq: 1, Ack: 2709, Len: 135
OpcUa Binary Protocol
Message Type: ERR
Chunk Type: F
Message Size: 135
Error: 0x80130000 [BadSecurityChecksFailed]
Reason: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
)

It’s hard to say without a copy of the certificate to look at, but it’s probably either invalid in some manner or signed by one or more CAs that need to be manually added to one of Ignition’s OPC UA server PKI dirs.

I tried uploading the certificates to my message, but because I’m a new user, it would not let me do so.

I just DM’d you a dropbox link you can upload to.

Uploaded the offending certificates.

I tried enabling some DEBUG options in the Status/logging section of “ignition” and restarting the OPCUA module, but it really did not provide any more information on why the certificates were being added to the rejected directory (even though I had marked both as trusted).

It looks like the certs should work if you put the CA cert into $IGNITION/data/opcua/server/security/pki/issuers/certs and the leaf cert into $IGNITION/data/opcua/server/security/pki/trusted/certs.

If it still doesn’t work, see if there are any entries in the Ignition logs at the time your client tries to connect, or go ahead and upload them to the same dropbox link.
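The split between the two PKI directories in the last reply (CA certificate under issuers/certs, leaf certificate under trusted/certs) is what the server's path builder needs in order to stop reporting "unable to find valid certification path". The script below is an added example, not Ignition's or Inductive Automation's own tooling: it classifies certificate files by their basicConstraints extension, verifies locally that the leaf really chains to the CA (the same check the server's error says failed), and reports or copies each file to the directory named in the thread. It assumes the openssl CLI is installed and that the IGNITION environment variable points at the install root; the default path in the script is a placeholder.

```shell
#!/bin/sh
# Added example (not Ignition's own tooling): sort certificate files into the
# Ignition OPC UA server PKI directories named in the thread and check that the
# leaf chains to the CA before trusting it.
# Assumptions: openssl CLI installed; IGNITION is the install root (placeholder
# default below); APPLY=1 copies files, otherwise this is a dry run.
set -eu

IGNITION="${IGNITION:-/opt/ignition}"   # placeholder default, override via env
PKI="$IGNITION/data/opcua/server/security/pki"

# Dump a certificate as text, accepting either PEM or DER input.
cert_text() {
    openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null
}

# Print "issuer" for a CA certificate (basicConstraints CA:TRUE), "leaf" otherwise.
# Returns non-zero if the file is not an X.509 certificate at all.
classify_cert() {
    text=$(cert_text "$1") || return 1
    case "$text" in
        *CA:TRUE*) echo issuer ;;
        *)         echo leaf ;;
    esac
}

# Map the class to the PKI subdirectory from the thread.
dest_dir() {
    case "$1" in
        issuer) echo "$PKI/issuers/certs" ;;
        *)      echo "$PKI/trusted/certs" ;;
    esac
}

# Return 0 when the leaf chains to the CA. This is the path-building check the
# server reports as failing with "unable to find valid certification path".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Classify every file in a directory (for example a copy of rejected/certs) and
# report, or with APPLY=1 copy, each one to its destination.
sort_certs() {
    src="$1"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if ! kind=$(classify_cert "$f"); then
            echo "skip (not an X.509 certificate): $f" >&2
            continue
        fi
        dir=$(dest_dir "$kind")
        echo "$kind  $f -> $dir"
        if [ "${APPLY:-0}" = 1 ]; then
            mkdir -p "$dir"
            cp "$f" "$dir/"
        fi
    done
}

# Usage: ./sort_opcua_certs.sh /path/to/copied/rejected/certs
if [ "$#" -gt 0 ]; then
    sort_certs "$1"
fi
```

Run it against a copy of the rejected directory first without APPLY=1 and check two things before moving anything: that exactly one file is reported as issuer, and that verify_chain succeeds for the CA/leaf pair. If the leaf does not verify against the CA you have, the server will keep rejecting it no matter which directory it is placed in, and the problem is the chain itself rather than the file location.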