URI specified in the ApplicationDescription does not match the URI in the Certificate

Hi Guys,

I’m using FactoryTalk Linx Gateway and OPC UA Server v6.11.0 as the OPC UA server to publish SCADA tags from the PLC, and I’m trying to let Ignition Edge (8.0.xx), as the OPC UA client on a remote PC in the same network, connect to the OPC UA server. The discovery and certificate trust of the OPC UA server went well; however, after the OPC UA server on Linx Gateway approved this Ignition UA client certificate, it shows the error below. I tried to remove the old cert and restart the Ignition gateway, and it still shows the error below.

UaException: status=Bad_CertificateUriInvalid, message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.checkApplicationUri(CertificateValidationUtil.java:655)
at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:99)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:836)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.complete(Unknown Source)
at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:256)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

8.0.14 (b2020062220)
Azul Systems, Inc. 11.0.6

This means either one of two things:

  1. The URI in the endpoints truly doesn’t match the URI in the certificate.
  2. The URI in the certificate has characters in it that make it an invalid URI, usually a space that hasn’t been URL-encoded, and when the comparison happens it fails because this invalid URI got parsed into a null value by that point.

In either case, you can either connect without security or fix this on the server somehow. Re-generating the certificate on the server might help, but if not you may need to call Rockwell about it.
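The two causes above, reduced to plain Python as an added illustration (this is not Ignition's or Eclipse Milo's code; the strictness rules only approximate java.net.URI, the status name is the OPC UA one from the error, and the host name "FTGW01" is a constructed placeholder). The first call shows why an unencoded space fails even when the endpoint and certificate strings are identical; the last one shows an ordinary mismatch.

```python
"""Client-side application URI check, as an added, simplified model.

Not Ignition's or Eclipse Milo's code. It models the two failure causes:
(1) the URI in the endpoint's ApplicationDescription differs from the URI in
the certificate's Subject Alternative Name, and (2) the certificate URI is
not a valid URI at all (an unencoded space), so it cannot be parsed and the
comparison fails. The strictness approximates java.net.URI, which rejects
characters RFC 3986 does not allow to appear literally. Sample values are
constructed; the host name FTGW01 is hypothetical.
"""
import re
from urllib.parse import quote

# Characters RFC 3986 allows literally in a URI; anything else (a space
# included) must be percent-encoded.
_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def parse_uri(text):
    """Return the URI if it is syntactically valid, else None.

    Mimics a strict parser: an illegal character, or a '%' that does not
    start a two-hex-digit escape, makes the whole value unparseable, which
    is the 'null URI' described above.
    """
    if not _ALLOWED.match(text):
        return None
    if text.count("%") != len(_PCT.findall(text)):
        return None
    if ":" not in text:          # an absolute URI needs a scheme such as urn:
        return None
    return text


def check_application_uri(endpoint_uri, certificate_uri):
    """Compare the ApplicationDescription URI with the certificate SAN URI.

    Returns ("Good", "") or ("Bad_CertificateUriInvalid", reason).
    """
    parsed = parse_uri(certificate_uri)
    if parsed is None:
        return ("Bad_CertificateUriInvalid",
                "certificate URI is not a valid URI: %r" % certificate_uri)
    if parsed != endpoint_uri:
        return ("Bad_CertificateUriInvalid",
                "endpoint URI %r != certificate URI %r" % (endpoint_uri, parsed))
    return ("Good", "")


def encode_application_uri(host, application_name):
    """Build a spec-compliant application URI, percent-encoding the name.

    quote() leaves RFC 3986 unreserved characters alone and encodes the
    rest, so each space becomes %20.
    """
    return "urn:%s:%s" % (host, quote(application_name, safe=""))


if __name__ == "__main__":
    name = "FactoryTalk Linx Gateway OPC UA Server"
    raw = "urn:FTGW01:" + name                     # constructed, with spaces
    print(check_application_uri(raw, raw))         # cause 2: identical but unparseable
    good = encode_application_uri("FTGW01", name)
    print(check_application_uri(good, good))       # Good
    print(check_application_uri(good, "urn:FTGW01:OtherServer"))  # cause 1: mismatch
```

Note that the comparison is exact: the client never "repairs" the certificate value, so the fix has to happen on whichever side produces the certificate.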

Hi Kevin, thanks for the prompt reply. Could you please help me have a look at the info between the server and client certs? I found it strange: the Ignition Edge versions before 8 don’t have this issue, but after 8.0 it does. This issue happened on Ignition 8.0.14.

The URI in the server certificate has spaces in it: “FactoryTalk Linx Gateway OPC UA Server”

This check was upgraded from suppressed with a warning in 7.x to a connection failure in 8 in accordance with the OPC UA spec, which states this check cannot be suppressed.

I looked all over the FactoryTalk Linx Gateway configuration window; there is no way to change the application name to remove the spaces between words. Is there another way to modify the Ignition OPC UA module to suit the spaces in the OPC UA server application name?

Consider attempting to construct the certificate for FactoryTalk manually, with %20 in place of the spaces.

Thank you, sir. Can you please advise how to edit the security cert? It shows an X509/*.der file, and the “edit properties” buttons are greyed out even with an administrator account. This is the FT Linx Gateway (OPC server) outgoing cert to the Ignition OPC UA client. Should I replace the spaces with “%20” in the CN (FactoryTalk Linx Gateway)?

You would use OpenSSL or some other signature tool to construct a complete new self-signed certificate with everything the same except for proper urlencoding. I would re-use that private key, but OpenSSL can make a new one, too, if necessary.

https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html

Sorry, pturmel. This really goes beyond my capability. Is there another way that I can change something on the Ignition side to suit the spaces between the words in the OPC UA URI?
I uploaded the certificate files; if you can help me trim the spaces as required by the Ignition software, it would be really helpful.
This is the FT Linx Gateway OPC UA server cert:
cert_ftgw_opcua_server.der (1.2 KB)
This is the Ignition gateway’s OPC UA client cert, which has been trusted by the FT Linx Gateway server:
8bd35d641209b3edd75f1c2e1672b35c886b089e.der (1.1 KB)

Hi pturmel. Can you please give me more details on how I can construct a new certificate with only the spaces replaced with “%20” in the URI? Thank you.

I haven’t had to make any certs with Subject Alternative Names before, but there are examples in that man page I linked.

I was able to change (and supposedly match) the URI but I am still getting the error.

Look in the C:\Program Files (x86)\Rockwell Software\RSOPC Gateway directory for a file called “create_server_certificate.bat”.
You can edit line # 96:

SET SERVER_ALTERNATIVE_SUBJECT=URI:urn:%HOST_NAME%:FactoryTalk Linx Gateway OPC UA Server,DNS:%FQDN%,IP:%IP_ADDRESS%

Change “FactoryTalk Linx Gateway OPC UA Server” to “FactoryTalkLinxGatewayOPCUAServer” or whatever you want and save the .bat file.

You then regenerate the certificate.

In FactoryTalk Gateway you will see the URI has changed.

Verify the contents of the cert by running certutil -dump cert_ftgw_opcua_server.der from a command window.

I then created the connection in Ignition but I am still getting the error:
UaException: status=Bad_CertificateUriInvalid,
message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.


status=Bad_CertificateUriInvalid, description=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
@Kevin.Herron @pturmel, can you please explain in more detail what the “URI specified in the application description” is? And what is the URI in the certificate (I assume it’s the OPC UA server certificate)?

It’s the same thing as is going on here: Trying to use Ignition to work with Rockwell’s Studio 5000 Emulate.

The ApplicationDescription is a structure in the endpoints that has an application URI in it, and that application URI must be the same as the one embedded in the server’s certificate.

{ This is from that other thread. Should have been here. }

Try modifying the batch file to encode spaces in the subject alternate name as %20 instead of removing them. Since it is a batch file, you’ll probably have to double the percent signs to avoid environment substitution.
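The three artefacts discussed in this thread (the OpenSSL route in the earlier reply, the batch-file line, and the %20 encoding with doubled percent signs just above), generated by an added Python example. This is not Rockwell's batch file and not Ignition's code; the host name, FQDN, IP address and file names are constructed placeholders, the key usage values follow what OPC UA expects of an application instance certificate, and reusing the existing private key assumes it can be exported in PEM form.

```python
"""Rebuild the server certificate's SAN with the spaces percent-encoded.

Added example, not Rockwell's batch file or Ignition's code. It produces:
  * the encoded application URI,
  * the SET line for create_server_certificate.bat, with every literal
    percent sign doubled so cmd.exe does not read %2 as the second script
    argument,
  * an OpenSSL `req` config fragment and the commands for a self-signed
    replacement certificate that reuses the existing private key.
Host name, FQDN, IP and file names below are constructed placeholders.
"""
from urllib.parse import quote

APP_NAME = "FactoryTalk Linx Gateway OPC UA Server"


def san_uri(host, app_name=APP_NAME):
    """urn:<host>:<name> with spaces (and other reserved characters) encoded."""
    return "urn:%s:%s" % (host, quote(app_name, safe=""))


def batch_san_line(app_name=APP_NAME):
    """The edited SET line for create_server_certificate.bat.

    %HOST_NAME%, %FQDN% and %IP_ADDRESS% stay as batch variables; the
    percent signs that belong to the encoded name are doubled (%%20).
    """
    encoded = quote(app_name, safe="").replace("%", "%%")
    return ("SET SERVER_ALTERNATIVE_SUBJECT=URI:urn:%%HOST_NAME%%:%s,"
            "DNS:%%FQDN%%,IP:%%IP_ADDRESS%%" % encoded)


def openssl_san_config(host, fqdn, ip, app_name=APP_NAME):
    """Minimal `openssl req -x509` config carrying the corrected SAN.

    The CN may keep its spaces; only the URI entry of the SAN is compared
    with the ApplicationDescription.
    """
    return "\n".join([
        "[req]",
        "distinguished_name = dn",
        "x509_extensions = ext",
        "prompt = no",
        "",
        "[dn]",
        "CN = " + app_name,
        "",
        "[ext]",
        "subjectAltName = URI:%s,DNS:%s,IP:%s" % (san_uri(host, app_name), fqdn, ip),
        "keyUsage = critical,digitalSignature,nonRepudiation,"
        "keyEncipherment,dataEncipherment,keyCertSign",
        "extendedKeyUsage = serverAuth,clientAuth",
        "",
    ])


def openssl_commands(key_file="server.key", cfg_file="san.cnf",
                     out_der="cert_ftgw_opcua_server.der"):
    """Sign a new self-signed DER certificate with the existing key, then dump it."""
    return [
        "openssl req -new -x509 -days 3650 -sha256 -key %s -config %s "
        "-outform DER -out %s" % (key_file, cfg_file, out_der),
        "openssl x509 -inform DER -in %s -noout -text" % out_der,
    ]


if __name__ == "__main__":
    print(batch_san_line())
    cfg = openssl_san_config("FTGW01", "ftgw01.plant.local", "192.0.2.10")
    with open("san.cnf", "w") as fh:     # hypothetical output file
        fh.write(cfg)
    for cmd in openssl_commands():
        print(cmd)
```

After regenerating, check the dump (the `openssl x509 -text` command, or `certutil -dump` as used above) for a `URI:` entry that matches the application URI shown in the endpoint exactly, `%20` included; a certificate whose SAN still carries literal spaces will fail the same way.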

How would one do this? I'm not seeing an option to connect without security in the UI.

EDIT: Using Ignition Version: 8.0.11