OPC UA server connection to a Simotion D245-2 "message=certificate path validation failed"

I am having issues reconnecting to an OPC-UA Server that is being hosted on a Siemens D245-2 after upgrading to 8.0.5. We had the connection made successfully with 7.9.13, but I know there were a lot of changes to how the server authenticates in 8.0. I read the post here and, while I was hopeful, I was unsuccessful. I can log in to the Siemens Web Server and download the current certificate. However, after adding said certificate to the trusted list and trusting the other quarantined certificate, it still comes back after sitting for a bit. Also, here is a partial snapshot of the two certs if that helps any.

ITDiagRootCA is the downloaded certificate and Winder was the quarantined one.

If you turn the logger for org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtil to DEBUG it might give you a little more info in the logs about what’s going wrong.

Aside from that, if you can upload the 2 certificates somewhere I’ll take a look at them see if anything stands out.

edit: and the logger for “DefaultCertificateValidator” as suggested in that other thread.

Sent you email. It was still kevin at inductiveautomation.com correct?

Yep

Looks like you sent me 2 of the same certificate

Sorry about that, looks like I had downloaded that one twice without realizing it. I replied to that email with the second certificate.

I think this will be fixed by upgrading to 8.0.7. The criteria for determining whether a certificate is a CA were relaxed after 8.0.5. It's probably not working right now because the root certificate does not have a KeyUsage extension with the keyCertSign bit set. In 8.0.7, just having the BasicConstraints CA=true flag set is enough, and you just get a warning if keyCertSign is missing.

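To make the CA check described above concrete, here is an added example (not code from the thread, Ignition or Milo) that models the two policies: a strict one that requires KeyUsage with keyCertSign, and a relaxed one that accepts BasicConstraints CA=true and only warns when keyCertSign is absent. The `CaInfo`, `Verdict`, `classify_ca`, `ca_info_from_cert` and `make_self_signed_root` names are my own; the certificate construction uses the `cryptography` package, which is assumed to be installed, and the two self-signed roots it builds are constructed test data, not the certificates from this thread.

```python
"""Model of a trust-store CA check: strict (keyCertSign required) vs relaxed
(BasicConstraints CA=true suffices, keyCertSign missing is only a warning).
Hypothetical illustration; the exact logic in Ignition/Milo is not reproduced."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CaInfo:
    basic_constraints_ca: Optional[bool]  # None means the extension is absent
    key_usage_present: bool
    key_cert_sign: bool


@dataclass
class Verdict:
    is_ca: bool
    warnings: List[str] = field(default_factory=list)


def classify_ca(info: CaInfo, strict: bool) -> Verdict:
    """Decide whether a certificate may be used as a CA under one of two policies."""
    # Both policies require BasicConstraints CA=true; without it the cert is an end entity.
    if not info.basic_constraints_ca:
        return Verdict(False, ["BasicConstraints CA=true is missing"])
    if info.key_cert_sign:
        return Verdict(True)  # fully conformant CA certificate
    reason = ("KeyUsage extension is absent" if not info.key_usage_present
              else "KeyUsage is present but keyCertSign is not set")
    if strict:
        return Verdict(False, [reason + "; keyCertSign is required"])
    # Relaxed policy: accept on BasicConstraints alone but surface a warning.
    return Verdict(True, [reason + "; accepting on BasicConstraints CA=true only"])


def ca_info_from_cert(cert) -> CaInfo:
    """Extract the CA-relevant extensions from a cryptography.x509.Certificate."""
    from cryptography import x509
    try:
        bc_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        bc_ca = None
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        return CaInfo(bc_ca, True, ku.key_cert_sign)
    except x509.ExtensionNotFound:
        return CaInfo(bc_ca, False, False)


def make_self_signed_root(with_key_usage: bool):
    """Build a constructed self-signed root; optionally omit KeyUsage entirely."""
    from datetime import datetime, timedelta, timezone
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ExampleRootCA")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if with_key_usage:
        builder = builder.add_extension(
            x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for label, root in (("with KeyUsage", make_self_signed_root(True)),
                        ("without KeyUsage", make_self_signed_root(False))):
        info = ca_info_from_cert(root)
        for policy in (True, False):
            v = classify_ca(info, strict=policy)
            print(f"{label:17} strict={policy!s:5} is_ca={v.is_ca!s:5} {v.warnings}")
```

To run the same check against a certificate downloaded from a device's web server, load it with `cryptography.x509.load_pem_x509_certificate(pem_bytes)` (or `load_der_x509_certificate`) and pass the result to `ca_info_from_cert`; a root that is rejected under `strict=True` but accepted with a warning under `strict=False` matches the situation described in this thread.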

Well, the good news is that the OPC connection is fixed, but our CPU usage has gone from 15% idling to hovering at 75% and spiking into the 90%s. Oh, the joys of upgrading lol.

And I should add that the spiking is after going from 8.0.5 to 8.0.7