OPCUA certificate rejected with error: Bad_SecurityChecksFailed

Hi @Kevin.Herron

We try to connect to a Siemens PLC with an OPCUA certificate provided by our customer.

2024-01-10 15:08:55:218 milo-netty-event-loop-15 [remote=/10.30.33.11:4840] Exception caught: UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:171)
	at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.milo.opcua.stack.core.UaException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:413)
	at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildTrustedCertPath(CertificateValidationUtil.java:120)
	at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:64)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.onOpenSecureChannel(UascClientMessageHandler.java:469)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.decodeMessage(UascClientMessageHandler.java:394)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientMessageHandler.decode(UascClientMessageHandler.java:382)
	at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	... 26 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
	at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.buildCertPath(CertificateValidationUtil.java:411)
	... 34 common frames omitted

I am sending you by PM the rejected certificate from the Ignition detailed logs.

Any idea what is wrong in the Ignition settings or in the certificate?

From UaExpert on the gateway we have this error:

Their certificate is signed by a CA that is unknown, or by an intermediate certificate of a CA where the intermediate is unknown.

Looks like you don’t have the whole certificate chain. I’m on mobile until next week, won’t be able to help much.

@Kevin.Herron, @pturmel

For the OPC UA client certificate, do I need to add something in:

%gateway installation directory%data/certificates/supplemental

https://docs.inductiveautomation.com/display/DOC81/Security+Certificates


@Kevin.Herron, @pturmel

We tried to troubleshoot with UaExpert and Ignition, and now we have some errors around the CRL.


Our certificate has a Certificate Revocation List mentioned in the server certificate with:
URL=http://xxxxx/CRL/CA_Subordinate01.crl

Can you confirm Ignition is responsible for requesting this URL, or do I need to do it manually and place the returned file in a gateway folder?

Sorry, I can't provide the exact error right now because we have very limited access to the system.


I would expect Ignition to request those URLs itself.

The intermediate and root certs would need to be placed in the data/opcua/client/pki/issuers/certs dir. The CRLs would go in the crl dir but I’m not sure if Ignition is strict about them existing or not. I don’t think it downloads them.
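An added diagnostic (my code, not Ignition's or Milo's) that replays the JDK PKIX path build behind the SunCertPathBuilderException above, using only the files in the issuers/certs and issuers/crl directories, so a missing intermediate or root shows up as the failing link, and a second pass shows whether the chain still validates once CRL checking is on. It assumes the pki directory is $IGNITION/data/opcua/client/security/pki and treats self-signed issuers as trust anchors and the rest as intermediates (an approximation of Milo's validator); whether Ignition itself enables revocation checking is not confirmed in this thread.

```java
import java.io.*;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;
public class OpcUaChainCheck {
    // Loads every PEM/DER file in dir as certificates (crl=false) or CRLs (crl=true); a missing dir means nothing is trusted.
    @SuppressWarnings("unchecked") static <T> List<T> loadDir(Path dir, boolean crl) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<T> out = new ArrayList<>();
        if (!Files.isDirectory(dir)) return out;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir)) {
            for (Path p : files) try (InputStream in = Files.newInputStream(p)) {
                for (Object o : (Collection<?>) (crl ? cf.generateCRLs(in) : cf.generateCertificates(in))) out.add((T) o);
            }
        }
        return out;
    }
    // Self-signed issuers become trust anchors, the rest are intermediates; CRLs come only from the local dir, never from the cert's URL.
    static CertPath build(X509Certificate server, List<X509Certificate> issuers,
                          List<X509CRL> crls, boolean checkRevocation) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        List<Object> pool = new ArrayList<>(crls);
        pool.add(server);
        for (X509Certificate c : issuers) {
            if (c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) anchors.add(new TrustAnchor(c, null));
            else pool.add(c);
        }
        if (anchors.isEmpty()) throw new CertPathBuilderException("no self-signed root CA in issuers/certs");
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(server);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(checkRevocation);
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }
    // args[0]: the rejected server certificate file; args[1]: the pki directory (assumed $IGNITION/data/opcua/client/security/pki)
    public static void main(String[] args) throws Exception {
        X509Certificate server = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(Files.readAllBytes(Paths.get(args[0]))));
        Path pki = Paths.get(args[1]);
        List<X509Certificate> issuers = loadDir(pki.resolve("issuers/certs"), false);
        List<X509CRL> crls = loadDir(pki.resolve("issuers/crl"), true);
        for (boolean rev : new boolean[] {false, true}) try {   // first without, then with CRL checking
            int len = build(server, issuers, crls, rev).getCertificates().size();
            System.out.println("chain OK, revocation=" + rev + ", " + len + " cert(s) below the root");
        } catch (CertPathBuilderException e) {   // the exception type seen in the Ignition log
            System.out.println("chain FAILED, revocation=" + rev + ": " + e.getMessage());
        }
    }
}
```

If the first pass fails, the server certificate's issuer (or the issuer above it) is not in issuers/certs; if only the second pass fails, the CRL from the URL in the certificate is what is missing from issuers/crl.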

Thanks, I will try to run some tests next week to see if they are mandatory, and I will try to manually download them and put them in:

data\opcua\client\security\pki\issuers\crl

Do you think we need to install, for the Ignition OPC UA client, a certificate provided by the same CA as the OPC UA PLC server?

How can I change the Ignition OPC UA client certificate?

No, that shouldn’t be necessary. You just need to mark the Ignition client certificate as trusted in the PLC, or import it as trusted ahead of time.

OK, I see, but if my customer requests to change the OPC UA client certificate of Ignition, I don't see in the documentation how to use another one instead of the one generated by Ignition.
How do I do this?

In the PKI dir there is a keystore. You can add new keys/certs or replace the default. An advanced setting on the connections allows you to specify the alias of the cert to use for that connection.

This is not documented or supported further.

Sorry, I'm not sure I understand correctly.

OPC UA Client Connection Settings

The keystore file can be put in this directory:

Ignition\data\opcua\client\security

The file must be in PFX format.

Is the name of the file the KeyStore Alias advanced connection parameter?
Is the keystore password the Password Fields advanced connection parameter?

The keystore file can hold multiple keys and certificates. The alias identifies which one to use on that connection.


OK, I see what you mean:

C:\Program Files\Inductive Automation\Ignition\data\opc\opcua-module\keystore

Yes, but that looks like the keystore from a 7.9 gateway?

It's an 8.1 gateway, probably upgraded from 8.0 or 7.9.

I have another 8.1.36 fresh install, but I can't find any keystore file: no ignition/data/opc folder, and no keystore in Ignition/data/opcua/client/security.

Where is the keystore file directory for 8.1?

Since 8.0 there are two KeyStores, one for client, one for server:

  • $IGNITION/data/opcua/client/security/certificates.pfx
  • $IGNITION/data/opcua/server/security/certificates.pfx

OK, but is there a password to edit certificates.pfx if we need to add a key to the keystore for a custom OPC UA client certificate?

The password is "password".
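An added example, not Ignition code, of the keystore edit described in this thread: it lists the entries in certificates.pfx, copies a customer-supplied key pair from a PFX file into it under a new alias and saves the result, after which that alias goes into the connection's KeyStore Alias advanced setting. The file paths, the customer PFX password and the new alias are command-line arguments, the store password is "password" as stated above, and it assumes the gateway is stopped while the file is edited and restarted afterwards so the keystore is reread.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
public class ClientKeystoreAlias {
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, password); }
        return ks;
    }
    // One line per entry: alias, whether it carries a private key, and the subject of its certificate.
    static List<String> describe(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            lines.add(alias + (ks.isKeyEntry(alias) ? " [key+chain] " : " [trusted cert] ") + c.getSubjectX500Principal());
        }
        return lines;
    }
    // Copies the first private-key entry of src into dst under newAlias, protecting the key with
    // dst's store password (assumed to be what Ignition uses to unlock the key). Returns the source alias.
    static String importKeyPair(KeyStore src, char[] srcPw, KeyStore dst, char[] dstPw, String newAlias) throws Exception {
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isKeyEntry(alias)) continue;
            dst.setKeyEntry(newAlias, src.getKey(alias, srcPw), dstPw, src.getCertificateChain(alias));
            return alias;
        }
        throw new KeyStoreException("no private-key entry in the customer keystore");
    }
    // args: <certificates.pfx> <customer.pfx> <customer pfx password> <new alias>
    public static void main(String[] args) throws Exception {
        char[] ignitionPw = "password".toCharArray();   // default store password stated in the thread
        Path ksFile = Paths.get(args[0]);
        Files.copy(ksFile, Paths.get(args[0] + ".bak"), StandardCopyOption.REPLACE_EXISTING);   // keep a backup
        KeyStore ks = load(ksFile, ignitionPw);
        System.out.println("before: " + describe(ks));
        char[] customerPw = args[2].toCharArray();
        importKeyPair(load(Paths.get(args[1]), customerPw), customerPw, ks, ignitionPw, args[3]);
        try (OutputStream out = Files.newOutputStream(ksFile)) { ks.store(out, ignitionPw); }
        System.out.println("after:  " + describe(load(ksFile, ignitionPw)));
        System.out.println("now set KeyStore Alias = " + args[3] + " in the connection's advanced settings");
    }
}
```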
