The URI specified in the ApplicationDescription does not match the URI in the Certificate

I’m using MX OPC v3.07H as the OPC UA server to publish tags from PLC, and Ignition (8.0.16) as the OPC UA client on a remote PC in the same network to connect to the OPC UA server. The discovery and certificate trust of the OPC UA server went well; however, after the OPC UA server was approved on the gateway, the OPC connection is faulted and it shows the error below.

UaException: status=Bad_CertificateUriInvalid, message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.checkApplicationUri(CertificateValidationUtil.java:655)
at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:99)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:836)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.complete(Unknown Source)
at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:256)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

This means the server is configured in a way the OPC UA spec says makes a connection insecure.

Every application has an application URI. A server specifies this URI in both its endpoints and inside the application instance certificate itself. The clients must verify that these match when connecting.

This error means that either:

  1. these legitimately don't match, and you need to correct the server configuration somehow
  2. they match, but have an illegal character such as whitespace, and so it's being rejected as a valid URI

Newer versions of Ignition (maybe starting in 8.1?) have a workaround to allow the illegal characters and proceed with the comparison anyway.

If it's because they don't match, you'll have to get the server configuration squared away no matter what. If it's because of the whitespace issue, you'll have to re-configure the server or upgrade Ignition.


Thanks, Kevin! Upgrading Ignition to 8.1 fixed my issue...

status=Bad_CertificateUriInvalid, description=The URI specified in the ApplicationDescription does not match the URI in the Certificate.

I still have the problem with Ignition 8.1.

Then the server is likely misconfigured. A Wireshark capture of the connection attempt can be used to verify.
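
The two failure cases described in the answers above, as an added example that is not part of the original thread and is not Ignition's or Milo's code. It assumes you have already read the application URI from the server's endpoint description (for instance from the capture) and the URI entries from the certificate's subjectAltName; the function names and sample URIs are constructed for illustration.

```python
import re

# Any character outside the set RFC 3986 permits in a URI (whitespace included).
_ILLEGAL = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def illegal_uri_chars(uri):
    """Return the distinct characters in `uri` that are not legal in a URI."""
    return list(dict.fromkeys(_ILLEGAL.findall(uri)))


def diagnose(endpoint_uri, cert_san_uris):
    """Compare the ApplicationDescription URI with the certificate's SAN URIs.

    Verdicts:
      "ok"          - identical strings and a syntactically valid URI
      "invalid-uri" - identical strings, but not a valid URI (case 2 above)
      "mismatch"    - no certificate URI equals the endpoint URI (case 1 above)
      "no-san-uri"  - the certificate carries no URI in subjectAltName
    """
    if not cert_san_uris:
        return "no-san-uri", "certificate has no URI entry in subjectAltName"
    if endpoint_uri not in cert_san_uris:
        return "mismatch", f"endpoint={endpoint_uri!r} certificate={cert_san_uris!r}"
    bad = illegal_uri_chars(endpoint_uri)
    if bad or not _SCHEME.match(endpoint_uri):
        return "invalid-uri", f"matches certificate, illegal characters: {bad!r}"
    return "ok", endpoint_uri


# Constructed sample values, not taken from the thread.
SAMPLES = [
    ("urn:example-host:ExampleServer", ["urn:example-host:ExampleServer"]),
    ("urn:example-host:Example Server", ["urn:example-host:Example Server"]),
    ("urn:example-host:ExampleServer", ["urn:other-host:ExampleServer"]),
]

if __name__ == "__main__":
    for endpoint_uri, san_uris in SAMPLES:
        print(diagnose(endpoint_uri, san_uris))
```

A "mismatch" verdict has to be fixed in the server configuration; an "invalid-uri" verdict is the whitespace case, which the answer above says can be handled by re-configuring the server or upgrading Ignition.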