We have started the process of moving all our gateways to SSL with SSO login. Yesterday we noted that after installing an SSL certificate, some of our members' vision client launchers picked up the certificate just fine (automatically).
However, others encountered the issue shown in the attached photo:
"SSL Certificate must be imported"
The workaround is to import the SSL certificate manually. However, our expectation is that users do not have to do it manually and the vision client launcher should pick it up automatically like the designer does.
Are we doing something wrong or is this room for improvement?
When you say “some of our members vision client launchers picked up the certificate just fine (automatically).” are you talking about being shown a dialog prompting them to trust/reject the certificate?
What version of Ignition and launchers are being used?
@Kevin.Herron for me I am using the following versions:
Ignition 8.1.3
Vision Client Launcher 1.1.3
When I open a designer that had that gateway previously on HTTP/8088 I was prompted to trust the certificate.
For vision client launcher it just automatically said “Host Valid / Host Secure”. For vision client launcher there was no dialog to trust the certificate like the designer.
The designer launcher and vision client launcher share the same backing certificates. Could it be that you connected with either launcher prior to the attempt with the vision client launcher?
Also, when you are shown "SSL Certificate must be imported", when you click Select Gateway you should see a certificate view appear with the ability to trust. Do you not see this?
Also, is there anything special about the certificate? (wildcard, etc.)
I am using Ignition Edge 7.9.20 on Opto 22 Groov EPIC PR1.
When I click Trust Certificate as in the GIF you shared, I get the following error message. Any idea why?
Sorry for the late response here, but it looks like you are using the 8.X compatible launchers here, which do not work with 7.9.x. It looks like something else is causing issues with a redirect, but try the Native Client Launcher for 7.9.
Host Secure would be misleading though. The connection may use TLS, but we can't really say the host is "secure" since the certificate chain doesn't have a trusted root (either from a known CA or one your Org has already imported/trusted). Maybe that label can be something clearer, but saying "Host Secure" before just throwing the user into a prompt to trust a certificate isn't the right answer either.
I'll think about a better message here that could be used though.
Probably better to have a single message "SSL Certificate must be reviewed and imported to Launcher" (so user can't assume it's a Gateway cert that needs importing) and dynamically change the blue button ("Add Designer" or "Select Gateway") to what really will show next... such as "Review Cert".