Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [milo-dev] Connection Error to remote OPC UA Server

If you can get some Wireshark captures of the OPC Foundation client versus Milo's DiscoveryClient.getEndpoints() we may be able to spot a difference.

Maybe a different endpoint URL being used?

On Wed, Mar 23, 2022 at 7:00 AM Flavio Freuler <flavio.freuler@xxxxxx> wrote:
Yes and it's strange since I deleted the example crl file my client certificate always lands in the rejected folder when I try to connect to the server even if the same certificate is already in the trusted folder because i copied it there. 
The point you mention is also a little bit strange, with the OPC Foundation UaClient I see the endpoint with Security Nonde, but I get a warning it's not suffecient security level but I can still connect to it. When I run DiscoveryClient.getEndpoints() from my Java application I don't get any Endpoint with security None. 

Von: milo-dev <milo-dev-bounces@xxxxxxxxxxx> im Auftrag von Kevin Herron <kevinherron@xxxxxxxxx>
Gesendet: Mittwoch, 23. März 2022 14:50
An: milo developer discussions <milo-dev@xxxxxxxxxxx>
Betreff: Re: [milo-dev] Connection Error to remote OPC UA Server
 
Now you are just getting a generic "Bad" StatusCode from the server with no subcode to further indicate why :(

Caused by: UaException: status=StatusCode{value=0x81080000, quality=bad}
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.onError(UascClientAcknowledgeHandler.java:258)
	at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:167)

Does connecting without security work (if this is an option)?

On Wed, Mar 23, 2022 at 6:33 AM Flavio Freuler <flavio.freuler@xxxxxx> wrote:
Hey Kevin

Okay, I've taken a look at the servers CRL and saw that an example CRL was in there. My certificate wasn't in there but I deleted it anyway and tried again. Now I get a new Error from the Milo Client. I've attached the error message. Maybe you see something in there. Thank you. 

Best regards
Flavio

Von: milo-dev <milo-dev-bounces@xxxxxxxxxxx> im Auftrag von Kevin Herron <kevinherron@xxxxxxxxx>
Gesendet: Mittwoch, 23. März 2022 14:19
An: milo developer discussions <milo-dev@xxxxxxxxxxx>
Betreff: Re: [milo-dev] Connection Error to remote OPC UA Server
 
Flavio,

Sorry, I'm stumped. Your client certificate looks good to me, except maybe the inclusion of "localhost" and "127.0.0.1", but I'm not sure if that's really an issue or not. Are you sure that you haven't somehow added this certificate into the server's CRL somehow? You may need to contact the server vendor for further assistance.

On Wed, Mar 23, 2022 at 6:13 AM Flavio Freuler <flavio.freuler@xxxxxx> wrote:
I send you the certificates here again in a zip file. 


Von: milo-dev <milo-dev-bounces@xxxxxxxxxxx> im Auftrag von Kevin Herron <kevinherron@xxxxxxxxx>
Gesendet: Mittwoch, 23. März 2022 13:46
An: milo developer discussions <milo-dev@xxxxxxxxxxx>
Betreff: Re: [milo-dev] Connection Error to remote OPC UA Server
 
Flavio,

I'm not sure, but the error message you sent confirms that the message is coming from the server, and not being generated by the client.

If you send your certificate I can take a look and see if anything stands out to me. 

On Wed, Mar 23, 2022 at 5:38 AM Flavio Freuler <flavio.freuler@xxxxxx> wrote:
Hello Kevin 

Do you have any idea why the server would think that? I use for both, the Milo Client and the UaExpert Client self signed certificates so I don't get why one works and the other does not. I send you the complete error message from the Milo Java Client as a attachement. 

Thank you for your help!

Best regards
Flavio

Von: milo-dev <milo-dev-bounces@xxxxxxxxxxx> im Auftrag von Kevin Herron <kevinherron@xxxxxxxxx>
Gesendet: Mittwoch, 23. März 2022 12:59
An: milo developer discussions <milo-dev@xxxxxxxxxxx>
Betreff: Re: [milo-dev] Connection Error to remote OPC UA Server
 
Flavio,

It's hard to tell without a little more detail of the error messages and logs, but it seems that the server thinks the client certificate has been revoked (or is using that StatusCode incorrectly).

On Wed, Mar 23, 2022 at 3:40 AM Flavio Freuler <flavio.freuler@xxxxxx> wrote:
Hello 

I'm working on a project with Eclipse Milo. When I try to connect to the remote OPC UA Server with the UaExpert Client I get two Messages (one Info, one Error): 
  • Info: "The hostname of the discovery URL used to call GetEndpoints (Servername) was replaced by the hostname used to call FindServers (IP-Adress). Do you want to replace the hostnames of the EndpointURLs with this hostname?" -> I select yes
  • Connect to Server with Security Mode Sign&Encrypt (Basic128Rsa15): Connect Error: "Error "BadcertificateHostNameInvalid" was returned during CreateSession, press 'Ignore' to suppress the error and continue connecting" -> I select Ignore and the connection works. 
Now I want to make the same connection from my Java application with Eclipse Milo SDK. When I try to connect the first time I get the Error from my Client "UaException: status=Bad_CertificateInvalid, message=The certificate provided as a parameter is not valid." In the server log I see the following: "verify error: num=18:self signed certificate depth=0", "UaServer_EndpointCallback: SecureChannel 0 open failed! [status=0x80120000]", "[uastack] OpcUa_SecureListener_Processrequest: Closing Channel due error 0x80120000]!". 

My client cerificate is now in the rejected folder from the pki of the server. If I move it to the trusted folder and try to connect again I get the following: 
  • Milo-Client: "UaException: status=Bad_CertificateRevoked, message=The certificate has been revoked."
  • Server-Log: "OpcUa_SecureListener_ProcessRequest: Closing Channel due error 0x801D0000!"
What I have noticed is that in the Server-Log the time for the logs is an hour to early. Like it should be 11:30 am and in the log is 10:30 am. The Time of the server computer is right but it seems the time from the OPC UA Server is false. This could be a problem with the certificates when the times differ, but it's strange that it still works with the UaExpert Client. 

Do you have any idea what could be the problem for this connection issue? 

Thank you and best regards!






_______________________________________________
milo-dev mailing list
milo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/milo-dev
_______________________________________________
milo-dev mailing list
milo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/milo-dev
_______________________________________________
milo-dev mailing list
milo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/milo-dev
_______________________________________________
milo-dev mailing list
milo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/milo-dev
_______________________________________________
milo-dev mailing list
milo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/milo-dev

Back to the top