OPC UA Secure Connections Fail with BadSecurityChecksFailed Despite Trusted Certificate - Plain Connections Work

Ignition
1

## Problem Description

I'm experiencing a persistent issue with OPC UA secure connections to Ignition Gateway 8.1+ where secure connections consistently fail with `BadSecurityChecksFailed` during the secure channel establishment phase, despite the client certificate being properly trusted in the Gateway interface.

Environment Details

- **Ignition Gateway**: Version 8.1+ (localhost:62541)

- **OPC UA Client**: Python `opcua` library

- **Operating System**: Windows 10/11

- **Security Configuration**: Basic256Sha256 + SignAndEncrypt + Username/Password authentication

- **Credentials**: admin/admin123

- **Certificate**: Self-signed client certificate (SHA-1: 4b82a8e5658d4591a8bf31ef00ca4f0642e52141)

## What Works

:white_check_mark: **Plain OPC UA connections** (no security) work perfectly

:white_check_mark: **Certificate is trusted** - verified in Ignition Gateway > Config > OPC UA > Server > Security > Certificates (shows as trusted)

:white_check_mark: **Same certificate works** with other OPC UA servers (Prosys OPC UA Simulation Server) using identical security settings

:white_check_mark: **Gateway services** are running properly

## What Fails

:cross_mark: **All secure connection attempts** fail with `BadSecurityChecksFailed`

:cross_mark: **Error occurs during secure channel establishment** (before authentication)

:cross_mark: **Multiple security modes tested**: Sign, SignAndEncrypt, different policies - all fail

:cross_mark: **Anonymous secure connections** also fail (not user authentication issue)

## Detailed Testing Performed

### 1. Certificate Verification

- Created CA and client certificates using OpenSSL

- Imported CA certificate into Ignition Gateway trusted certificates

- Verified certificate appears as "Trusted" in Gateway interface

- Certificate fingerprint matches exactly: `4b82a8e5658d4591a8bf31ef00ca4f0642e52141`

### 2. Connection Testing Matrix

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”

β”‚ Connection Type β”‚ Security β”‚ Result β”‚

β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€

β”‚ Plain β”‚ None β”‚ :white_check_mark: SUCCESS β”‚

β”‚ Secure Sign β”‚ Basic256Sha256 β”‚ :cross_mark: BadSecurityChecksFailed β”‚

β”‚ Secure Sign+Encrypt β”‚ Basic256Sha256 β”‚ :cross_mark: BadSecurityChecksFailed β”‚

β”‚ Anonymous Secure β”‚ Basic256Sha256 β”‚ :cross_mark: BadSecurityChecksFailed β”‚

β”‚ Different Policies β”‚ Basic128Rsa15, etc β”‚ :cross_mark: BadSecurityChecksFailed β”‚

β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

### 3. Service Restart Testing

- Restarted Ignition Gateway service completely

- Restarted OPC UA Server module specifically

- Waited for full initialization

- Issue persists after restarts

### 4. Comparison Testing

- **Prosys OPC UA Server**: Same certificate, same code, same security settings = :white_check_mark: SUCCESS

- **Ignition OPC UA Server**: Identical setup = :cross_mark: BadSecurityChecksFailed

## Error Details

**Primary Error**: `BadSecurityChecksFailed` during secure channel establishment

**Python Client Code** (simplified):

python

from opcua import Client, ua

from opcua.crypto import security_policies

client = Client("opc.tcp://localhost:62541")

client.set_security(

    security_policies.SecurityPolicyBasic256Sha256,

    certificate_path="trusted_client_cert.pem",

    private_key_path="trusted_client_key.pem", 

    mode=ua.MessageSecurityMode.SignAndEncrypt

)

client.set_user("admin")

client.set_password("admin123")

client.connect()  # ← Fails here with BadSecurityChecksFailed

## Troubleshooting Attempted

1. **Certificate Trust Verification**: Confirmed in Gateway interface

2. **Certificate File Locations**: Tried copying to `C:\Program Files\Inductive Automation\Ignition\data\opcua\pki\trusted\certs\`

3. **Security Policy Testing**: Tested Basic128Rsa15, Basic256, Basic256Sha256

4. **Security Mode Testing**: Tested Sign only, SignAndEncrypt

5. **Authentication Testing**: Tested anonymous, username/password

6. **Application URI Verification**: Ensured certificate Application URI matches client

7. **Gateway Log Review**: No specific certificate errors found in logs

8. **Service Restarts**: Full Ignition Gateway and OPC UA module restarts

9. **Firewall Testing**: Disabled Windows Firewall temporarily

10. **Alternative Libraries**: Issue appears to be server-side, not client library

## Questions for Community

1. **Are there additional Ignition-specific certificate validation settings** beyond the main certificate trust interface?

2. **Does Ignition OPC UA Server require certificates in specific filesystem locations** in addition to the Gateway trust store?

3. **Are there OPC UA Server security policy configurations** that might cause certificate validation to fail even when certificate is trusted?

4. **Has anyone experienced similar issues** where plain connections work but secure connections fail with trusted certificates?

5. **Are there specific Ignition Gateway logs** that would show detailed certificate validation failures?

## Additional Context

- This is a development/testing environment on localhost

- Same client code and certificates work perfectly with other OPC UA servers

- The issue appears to be specific to Ignition's certificate validation during secure channel establishment

- Plain connections confirm that basic OPC UA functionality works

- Certificate trust is confirmed through Gateway interface

Any insights into Ignition-specific OPC UA security configuration would be greatly appreciated!

---

**Environment**: Ignition Gateway 8.1+, Windows, Python opcua library

**Scope**: OPC UA secure connections, certificate authentication

**Priority**: Development blocking - cannot establish secure OPC UA connections

2

Did you create the user with that password in the OPC-UA user source? That's the one thing I didn't see you mention anywhere.

3

More Ignition logs and Wireshark capture, less LLM text.

1 Like
4

I have experienced this before with certificates missing some key parameters. Compare your certificate with the certificate Ignition uses for it’s loopback connection for differences.

5

This is the Session endpoint and it only allows secured connections (in the default configuration with only Basic256Sha256 configured in Ignition).

Most clients connect first without security to call GetEndpoints, then again with security after choosing an endpoint. The chosen endpoint will have the Session endpoint URL in it.

You probably need configure your client to use discovery endpoint at opc.tcp://localhost:62541/discovery, which will allow that initial unsecured connection for the discovery services.

1 Like
6

wrapper.log (372.3 KB). Thanks. See the log file, and see the analysis done by the LLM. What I found odd is that the certificate is being trusted as expected.

image
image1662Γ—528 27.3 KB

See the comparison test with Prosys (OPC Server Emulation)

image
image1047Γ—731 50.1 KB

Log analysis.

Short version: your Ignition OPC UA server is rejecting the client at SecureChannel open due to a certificate validation failure. It never gets to the session/identity step. The log shows repeated Bad_SecurityChecksFailed raises by Milo’s DefaultServerCertificateValidator.validateCertificateChain when a client on 127.0.0.1 tries to connect. That’s a straight-up cert trust/chain mismatch (untrusted, wrong chain, stale/rotated cert, or similar), not a username/password problem.

What the log proves

  • Security check fails during OpenSecureChannel β†’ UascServerAsymmetricHandler emits Bad_SecurityChecksFailed.

    wrapper

  • The failure source is certificate validation (validateCertificateChain).

    wrapper

  • Connections are coming from localhost (likely Ignition’s own OPC UA Client connection or UAExpert on the same box).

    wrapper

  • The revocation-checker warning (β€œFailed to add custom revocation checker; REVOCATION_LIST_FOUND check will be ignored.”) is non-fatal and not the cause; it just disables CRL checking. The hard stop is still Bad_SecurityChecksFailed.

    wrapper

Most likely causes (ranked)

  1. Client cert not trusted by the Ignition OPC UA Server (sitting in Quarantined/Rejected).

  2. Wrong/rotated client certificate being presented (server still trusts an older one).

  3. Broken chain (missing intermediate CA) or clock skew, making the cert not-yet-valid/expired.

  4. Less common: ApplicationUri/SAN mismatch triggering validation failure (still shows up under β€œsecurity checks failed”).

Fix it (do all 5 β€” fast)

  1. Trust the client cert: Gateway β†’ Config β†’ OPC UA β†’ Security β†’ Server.

    • Move the client’s certificate from Quarantined/Rejected β†’ Trusted and retry.

  2. Purge stale entries: remove old client certs from Trusted if you regenerated the client cert recently; you want exactly one valid client cert.

  3. Check system time on both sides (Windows service host and any local client). A skew can invalidate otherwise good certs.

  4. If using a CA-signed chain, upload the full chain (intermediate(s)+root) to the server’s trust store, or re-export the client cert with the bundled chain.

  5. Re-test with a known-good client (UAExpert on the same host) using the same endpoint, policy, and cert. If UAExpert is trusted and connects, the problem is the Ignition-as-client connection; if UAExpert gets the same Bad_SecurityChecksFailed, it’s the server trust store.

Quick isolation steps (if you need to move now)

  • Temporarily enable a NoSecurity endpoint on the server and connect; if it works, the issue is 100% in the certificate path, not networking or identity.

  • In the failing OPC UA Client connection (Ignition β†’ Config β†’ OPC Client β†’ OPC Connections), delete & recreate it so it presents a fresh client cert; then trust it on the server side.

If you want, share a redacted screenshot of:

  • OPC UA β†’ Security β†’ Server β†’ Quarantined/Trusted lists, and

  • The OPC Client β†’ OPC Connections β†’ (connection) β†’ Status page,
    and I’ll point to the exact item(s) to fix.

7 
INFO   | jvm 1    | 2025/10/19 09:29:42 | W [o.e.m.o.s.c.u.v.CertificateValidationUtil] [09:29:42.648]: Failed to add custom revocation checker; REVOCATION_LIST_FOUND check will be ignored.
INFO   | jvm 1    | 2025/10/19 09:29:42 | E [o.e.m.o.s.t.s.u.UascServerAsymmetricHandler] [09:29:42.649]: [remote=/127.0.0.1:55541] Exception caught; sent ErrorMessage{error=StatusCode[name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad], reason=status=Bad_SecurityChecksFailed, description=An error occurred verifying security.}
INFO   | jvm 1    | 2025/10/19 09:29:42 | io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:732)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:658)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2025/10/19 09:29:42 | Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:126)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:273)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:177)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
INFO   | jvm 1    | 2025/10/19 09:29:42 | 	... 16 common frames omitted
INFO   | jvm 1    | 2025/10/19 09:38:18 | W [o.e.m.o.s.c.u.v.CertificateValidationUtil] [09:38:18.699]: Failed to add custom revocation checker; REVOCATION_LIST_FOUND check will be ignored.
INFO   | jvm 1    | 2025/10/19 09:38:18 | E [o.e.m.o.s.t.s.u.UascServerAsymmetricHandler] [09:38:18.700]: [remote=/127.0.0.1:50830] Exception caught; sent ErrorMessage{error=StatusCode[name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad], reason=status=Bad_SecurityChecksFailed, description=An error occurred verifying security.}
INFO   | jvm 1    | 2025/10/19 09:38:18 | io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:732)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:658)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2025/10/19 09:38:18 | Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:126)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:273)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:177)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
INFO   | jvm 1    | 2025/10/19 09:38:18 | 	... 16 common frames omitted
INFO   | jvm 1    | 2025/10/19 09:38:26 | W [o.e.m.o.s.c.u.v.CertificateValidationUtil] [09:38:26.982]: Failed to add custom revocation checker; REVOCATION_LIST_FOUND check will be ignored.
INFO   | jvm 1    | 2025/10/19 09:38:26 | E [o.e.m.o.s.t.s.u.UascServerAsymmetricHandler] [09:38:26.983]: [remote=/127.0.0.1:54668] Exception caught; sent ErrorMessage{error=StatusCode[name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad], reason=status=Bad_SecurityChecksFailed, description=An error occurred verifying security.}
INFO   | jvm 1    | 2025/10/19 09:38:26 | io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:732)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:658)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2025/10/19 09:38:26 | Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:126)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:273)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:177)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
INFO   | jvm 1    | 2025/10/19 09:38:26 | 	... 16 common frames omitted
INFO   | jvm 1    | 2025/10/19 09:38:35 | W [o.e.m.o.s.c.u.v.CertificateValidationUtil] [09:38:35.277]: Failed to add custom revocation checker; REVOCATION_LIST_FOUND check will be ignored.
INFO   | jvm 1    | 2025/10/19 09:38:35 | E [o.e.m.o.s.t.s.u.UascServerAsymmetricHandler] [09:38:35.277]: [remote=/127.0.0.1:54762] Exception caught; sent ErrorMessage{error=StatusCode[name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad], reason=status=Bad_SecurityChecksFailed, description=An error occurred verifying security.}
INFO   | jvm 1    | 2025/10/19 09:38:35 | io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:732)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:658)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2025/10/19 09:38:35 | Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:126)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:273)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:177)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
INFO   | jvm 1    | 2025/10/19 09:38:35 | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
8

Can you share the certificate(s) you’re using to connect? Just the certs, no private key.

9

Thanks for the assistance.

I cannot download the file here but this is the content if this help

-----BEGIN CERTIFICATE-----
MIIFJTCCAw2gAwIBAgIUR694zY9XaOYwfsFJAa0def1URuYwDQYJKoZIhvcNAQEL
BQAwgYMxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0
eTEXMBUGA1UECgwOT1BDIFVBIFRlc3QgQ0ExHjAcBgNVBAsMFUNlcnRpZmljYXRl
IEF1dGhvcml0eTEcMBoGA1UEAwwTT1BDIFVBIFRlc3QgUm9vdCBDQTAeFw0yNTEw
MTgxOTMzMzJaFw0yNjEwMTgxOTMzMzJaMIGBMQswCQYDVQQGEwJVUzEOMAwGA1UE
CAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFjAUBgNVBAoMDU9QQyBVQSBDbGllbnQx
HjAcBgNVBAsMFUluZHVzdHJpYWwgQXV0b21hdGlvbjEbMBkGA1UEAwwST1BDIFVB
IFRlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmiRY
c+Wmxcm+sulZiHdYiAyUDTUWoO59xDh5ipjvR/3/FYI/Zkt3sANak73cy7rT0GWj
RRlzJeeMzrWRaxd91Qu9r0ykp6sqAwSh9EGCC92VyU3nCQxSegU1OhXHBwtVoth2
dXVjvhbPaCs2VUN+m8AEWOqo/yBDS3cSpAChwkJHmDNIChJuE7WPDNhuqUMkplU+
Ql52nZpSAtRIUNdvar2M4Iratm9YVWr1MdSBgT5eBJKz6QZK0At+9wR218cOoZs3
A9zX220le57cFTnL+VcU9e0frenkYBKKixbOyNVqs9puUoHC6OuZ0Mf6P+PfKlrl
27gHk+CCAUZBGbSdGwIDAQABo4GQMIGNMGMGA1UdEQRcMFqCCWxvY2FsaG9zdIIL
Ki5sb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGBFm9wY3VhLWNsaWVu
dEBsb2NhbGhvc3SGEHVybjpvcGN1YTpjbGllbnQwDgYDVR0PAQH/BAQDAgWgMBYG
A1UdJQEB/wQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4ICAQBhoeqKjeUw
MRuM/v2rfD8VSa+Ektw+/D1J324/j4CSBPaCQDc7/xRV5JTarnmL0aYIdHY9CTuK
qhpa2BG76bTQsmGRKS9r91RarAYV7hdLAToCiSCMFt7XFcxgauaUInv2gNi1xtHC
kSZt7GLenMUs67059aeWakaH5LYGz/gz6107fbaHe34HfLg/otOaMyqT86fvj65L
m9X8n/5ZtGZfo4TYoSwHZTRykpBI34dzCoBSJ+FVQqy14C6lnCDVOFr86AAfkb61
4kEAHda44/Xo/qQ+c7i4fBidgVX2soXUJF2QXvwu8iJyzQztrUc0J2+NnMpxTw5s
+wVuC4G9lz2vR55GA5miPnvqyi9uciIq1ICZ+ZolG5njAZ6PpnsG/PG4uh8By8en
BKu7YfQhCtghCH6/oJK22vma3DSFiUxB23657J4xMB4khK/GZdV/kxVSuGXm0JL7
+MlEHlclSSoVoqrU9uw+9TBH2doDa5eEXEO5nn2GY5xlB8egqUb+xHEYElsZ4CDZ
TmfzrUj43HGVaUvitFZ140QVvsRi8TidsCHLidY0rBfjr9lkbour2uMgrfibU3YY
M0ltM3eiZobpEYGh5AK5uB8vnqsOvXQXsli29xYU0zonEfzlYE+Th+TQ/qGjgX0S
A2K+Avpr6rerJmdSC8y4K/NypKOBoz2Aug==
-----END CERTIFICATE-----

10

Your certificate is signed by another certificate ("OPC UA Test Root CA").

You need to make sure this root certificate is also trusted by the Ignition OPC UA server.

Also, since you are on Ignition 8.3.0, the advice about the discovery endpoint does not apply; either endpoint should work.

11

Thanks,
I have both certificate in ignition. Still the same issue

image
image1476Γ—720 43.8 KB

-----BEGIN CERTIFICATE-----
MIIFyDCCA7CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
DjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRcwFQYDVQQKDA5PUEMgVUEg
VGVzdCBDQTEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRwwGgYDVQQD
DBNPUEMgVUEgVGVzdCBSb290IENBMB4XDTI1MTAxODE5MzMzMloXDTM1MTAxNjE5
MzMzMlowgYMxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwE
Q2l0eTEXMBUGA1UECgwOT1BDIFVBIFRlc3QgQ0ExHjAcBgNVBAsMFUNlcnRpZmlj
YXRlIEF1dGhvcml0eTEcMBoGA1UEAwwTT1BDIFVBIFRlc3QgUm9vdCBDQTCCAiIw
DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMfNU7vOPiL/p7oR+EoY8YImo5Bk
zkmo3+pXbSSvF7w8OX4MrCYB1Yj+CpUPElAKD7hEFVK5BhXkuyYXpCI4lOwN8AXP
4iQ7QxdX2wyiKVte1xA+mIB30go92r6NDGqkQpmpmzfgyX3miQgEKuaPul8OYEN6
shtuDcdITk4V6sYDwKAw12OJ7au4mxGxzbicEh+z6qcqyNfKNkh+OwoyLAd2dvDM
JRzYH3L+9CAtbuPTDXjYDjVdhHukyS4DaljnRq2tgaXtlNLxLFeQQpOjdqkPmDpe
ioVmBqMR40b9KiNpktsiTnXPm67ft6sW5DvdbAcP8Fvm2qycKj+Ome6S2zwcfseg
brhhXpwbxpErXK8aHO2Xcx2+ib0g669uYFmes3DDv1DAnRjMmUPX1KoTATyFlBgM
EYPIqsrbws45aJLq+rCiBtQz7ouGVYG8WtIwhCLmKOCpfzlFW2Jz4zyKhkmQ15Gm
WUqFG65x6B1KR6RZGpSqBBYRTUu/UH3iqEMmoZjPwuk5+J7g1kiP0fWYPlHtlJVJ
OFjMaitBAR48FIVM7/acz0t21e9XZ6Q/Oxr5Aq67xCsRSxSxlcmfp6eamY1PqRpl
MLXgn0nO3ZPzPypEug671OOyfHq+44tbnbpz3dyW3lFsHrr6uByVPqCK2k5QaDqF
bG5fTIEhm+stFOa7AgMBAAGjRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0P
AQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG
9w0BAQsFAAOCAgEAX7AfqldLYeVrm++OBdqVsJC2plWBhjW1m2xTw/R3nBV0+izl
a3VldH9D19ayTx1oXScLj5BtoFQHSAOzlD5D570zQNBsavbsU/VBgaurOYPT7g2S
Verq2grenIszofpvc8QgfsbMG/oCqyjd8BI7ppO/4NkRO5bb2qtd+PkFtFbnVUPn
gozi5E1+SeGunWXr02ZyUKnMrvIdFAar4GL6T0cyP7GASrMaqAeqhqLzNnEaEP/b
AKxpJyJ8BK9zU33BEjgznTcI9F4P9uxm2aWXsA3UPjIYuYZxvaIk7pEp1s+RNeDt
UtN4xxvVmxbl4cDCMW1TNtEj+P3Pb+XavHtmq1eYvnVi+WMDxeanLGmqKeyzJjNO
gHPlCx1sq0tNJ12p5KNtdCfb7Sxx9sELHb9ehDzCEuwBBWG6AzBoOSuja/hb8fuv
ClR2q3vMFlYZniMF+sH0Gp3nRDXC5XsXny9ru+FipDetVoK1c+dxbK3RiqVuz/LO
l2g0Jcwg3y1EcPmJI2Aye27t8qBsxFa4Z4ypxy81nxezVaaoCsdOpJ2IeAe/V5Af
ZnjhYKsYFV6ZrbRTwDrL/rXJiUB80y+Q/YfPI6Ojj9EUOWwuju8DKGEAeU8MlxJi
sHftX9SE1qJobN1DHT0m6t2encigBXv2dHQ7iYCG3ya+DkHu7iL8JumW5gY=
-----END CERTIFICATE-----

12

Your application instance certificate is missing required KeyUsage extensions.

It has Digital Signature and Key Encipherment, but is missing Non Repudiation and Data Encipherment.

See UA Part 6: Mappings - 6.2.2 Application Instance Certificate

1 Like