URI specified in the ApplicationDescription does not match the URI in the Certificate

zju_yj · August 1, 2020, 2:33pm

Hi Guys,

I’m using FactoryTalk linx gateway and OPC UA server v6.11.0 as the OPC UA server to publish SCADA tags from PLC, and try to let ignition edge (8.0.xx) as the OPC UA client on a remote PC in the same network to connect to the OPC UA server, the discovery and certificate trust of the OPC UA Server went well, however, after OPC UA server on linx gateway approved this ignitional UA client certificate, it shows the below error. I tried to remove the old cert and restart the ignition gateway, it still shows the below error.

UaException: status=Bad_CertificateUriInvalid, message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
at org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil.checkApplicationUri(CertificateValidationUtil.java:655)
at org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator.validateCertificateChain(DefaultClientCertificateValidator.java:99)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:836)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.complete(Unknown Source)
at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:256)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

8.0.14 (b2020062220)
Azul Systems, Inc. 11.0.6

Kevin.Herron · August 2, 2020, 1:04am

This means either one of two things:

The URI in the endpoints truly doesn’t match the URI in the certificate.
The URI in the certificate has characters in it that make it an invalid URI, usually a space that hasn’t been URL-encoded, and when the comparison happens it fails because this invalid URI got parsed into a null value by that point.

In either case, you can either connect without security or fix this on the server somehow. Re-generating the certificate on the server might help, but if not you may need to call Rockwell about it.

zju_yj · August 2, 2020, 2:20am

Hi Kevin, Thanks for the prompt reply. could you please help me to have a look at the info between server and client cert? I found strange, the ignition edge version before 8 don’t have this issue, but after 8.0 has. This issue happened on ignition 8.0.14.

Kevin.Herron · August 2, 2020, 2:26am

The URI in the server certificate has spaces in it: “FactoryTalk Linx Gateway OPC UA Server”

This check was upgraded from suppressed with a warning in 7.x to a connection failure in 8 in accordance with the OPC UA spec, which states this check cannot be suppressed.

zju_yj · August 2, 2020, 4:00am

I found all over the FactoryTalk linx gateway configuration window, there is no way to change the application name to remove the space between words, is there other way to modify at ignition OPC UA module to suite the space in OPC UA server application name?

pturmel · August 2, 2020, 2:57pm

Consider attempting to construct the certificate for FactoryTalk manually, with %20 in place of the spaces.

zju_yj · August 2, 2020, 3:43pm

Thank you Sir. Can you please advise how to edit security cert? It shows X509/*.der file, the “edit propertities” buttons are greyed even with administrator account. This is the FT linx gateway (OPC Server) outgoing cert to Ignition OPC UA client, should I replace the space with “%20” in the CN (factorytalk linx gateway)?

pturmel · August 2, 2020, 3:56pm

You would use OpenSSL or some other signature tool to construct a complete new self-signed certificate with everything the same except for proper urlencoding. I would re-use that private key, but OpenSSL can make a new one, too, if necessary.

https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html

zju_yj · August 3, 2020, 10:09am

Sorry, Pturmel. This really goes beyond my capability. Is there other way that I can change at ignition side to suite the space between the words in the OPC UA uri?
I uploaded the certificate file, if you can help me to trim the space as required by ignition software, it will be really helpful.
this is the ftlinx gateway OPC UA server cert,
cert_ftgw_opcua_server.der (1.2 KB)
this is the ignition gateway as OPC UA Client cert which had been trusted by FT linx gateway server.
8bd35d641209b3edd75f1c2e1672b35c886b089e.der (1.1 KB)