Certificate chain not complete

13 Jun 2018 07:04 #6437 by support
Hello. The link you have provided is useful, thank you. We should, however, understand that it was written with TLS in mind, and OPC UA may require it differently.

I attempted to find something about this in the OPC UA specs, but so far I was unsuccessful. The chapter in Part 4 (6.1.3 "Determining if a Certificate is Trusted" in version 1.03), which I suppose should describe this, is basically silent about it.

You are absolutely right about AcceptAnyCertificate. If that does not work I would like to know, and we will work on it.

Best regards

12 Jun 2018 13:16 #6431 by chrisstankevitz
Thank you. It is strange that QuickOPC/OPCFoundation requires the root CA in the chain (although not authoritative, please see [1]). I hope that Kepware Kepserver includes the root. If it does not, then I'm not sure how I will get QuickOPC to work with Kepserver. QuickOPC/OPCFoundation is pretty clear with the exception text that the root is not included by KepServer. But I will try to confirm it either way.

I will confirm whether or not AcceptAnyCertificate works. If I am correct and it doesn't work, it might be because OPCFoundation is throwing an exception that the chain is bad -- which may be handled differently in the QuickOPC code base than the error that is triggered when a cert is untrusted.

Chris

[1] security.stackexchange.com/questions/65332/ssl-root-certific...qa&utm_campaign=google_rich_qa

11 Jun 2018 16:37 #6425 by support
Yes, QuickOPC can work with certs signed by a CA. QuickOPC relies on the code from OPC Foundation .NET stack in this respect.

I have quickly checked this code and there must be a root in the chain; the error you are getting indicates that there isn't. So, if you do not have a root, attempts to resolve it by steps you described under (1) and (2) won't work. (3) should work, but that really is no solution - it is an insecure hack. I am surprised that it did not work - are you sure you received the *same* error when you tried it, and not something different?

Best regards
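As an added illustration (not part of this thread and not the QuickOPC or OPC Foundation stack code), the rule stated above, modelled in Go: starting at the server certificate, each issuer must be found among the certificates the server presented or in the local issuer store, and the walk must end at a self-signed root. The root "foo-ca1" and leaf "ds1-pri.foo.bar.local" reuse the names from this thread; the intermediate "foo-sub1", the `Certs` type and the constructed test PKI are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Certs []*x509.Certificate // a presented chain or a local store (assumed helper type)
// mkCert issues a constructed test certificate; parent == nil makes a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TestPKI builds a constructed chain with the thread's names: foo-ca1 (root) -> foo-sub1 -> ds1-pri.foo.bar.local.
func TestPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := mkCert("foo-ca1", true, nil, nil)
	inter, interKey := mkCert("foo-sub1", true, root, rootKey)
	leaf, _ = mkCert("ds1-pri.foo.bar.local", false, inter, interKey)
	return
}

// MissingIssuer applies the rule from the thread: starting at presented[0] (the server certificate),
// every issuer must be found among the presented certificates or the local issuer store, and the
// walk must end at a self-signed root. Returns "" for a complete chain, else the missing issuer's name.
func MissingIssuer(presented, issuerStore Certs) string {
	candidates := append(append(Certs{}, presented...), issuerStore...)
outer:
	for cur := presented[0]; cur.CheckSignatureFrom(cur) != nil; { // stop once cur is self-signed
		for _, c := range candidates {
			if bytes.Equal(c.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				cur = c
				continue outer
			}
		}
		return cur.Issuer.String() // nothing issued cur: "Certificate chain not complete"
	}
	return ""
}
```

With only the leaf presented and an empty store the missing issuer is reported; placing the root in the store (the "UA Certificate Authorities" folder in the .NET stack's layout) or having the server present it makes the chain complete.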

11 Jun 2018 12:03 #6423 by chrisstankevitz
Thanks for your help. I'm using the version that I downloaded yesterday: QuickOPC-2018.2-Full.exe

11 Jun 2018 06:25 #6418 by support
Please state which version of QuickOPC you are using.

10 Jun 2018 20:31 - 10 Jun 2018 20:55 #6416 by chrisstankevitz
My OPC UA server is Kepware Kepserver 6.4 offering only an encrypted endpoint. The endpoint uses a cert/key that was issued by a "private" CA.

I have several Kepware clients that securely connect to this server. These other clients do not complain that the "certificate chain is not complete".

When I try to connect to this server with QuickOPC it fails with "certificate chain is not complete" (see below). The error is so offensive that QuickOPC does not even pop up the familiar QuickOPC "do you want to trust this server" dialog.

Does QuickOPC work with server certs that were issued by a CA (not self-signed)?

What do I need to do to get QuickOPC to connect to OPC UA servers with certs signed by a CA?

Does QuickOPC require certs in "chain style"?

Is Kepware capable of supplying "chain style" certs?


I attempted to solve/workaround the problem (to no avail) with these steps:

1. Add the issuing CA's cert to the Windows "Trusted Root Authorities" store on the computer running the QuickOPC software. I would not have expected this to help since QuickOPC has a long history of interactively allowing me at runtime to vouch for a server's trustworthiness.

2. Add the issuing CA's cert to c:\ProgramData\OPC Foundation\CertificateStores\UA Certificate Authorities\certs. I did not expect this to help for the same reason as 1.

3. Set AcceptAnyCertificate to true

I understand that PKI certs can optionally contain a 'chain' that includes issuing intermediate certs. My understanding is also that this chain traditionally does not include the root (as the root is assumed to exist on the client). I'm not sure how Kepware Kepserver handles this (I'm not sure if it includes the root or not) and I'm not sure what QuickOPC's very strict requirement is (although it appears to require the root to be provided by the server?).


Thank you,

Chris
Exception: OPC-UA service result - Certificate chain not complete.
SubjectName: CN=ds1-pri.foo.bar.local, OU=unk, O=unk, L=unk, S=unk, DC=foo.bar.local, C=Country
IssuerName: CN=foo-ca1, DC=foo, DC=bar, DC=local = BadSecurityChecksFailed.
 
---- SERVICE RESULT ----
StatusCode: {BadSecurityChecksFailed} = 0x80130000 (2148728832)
-----
StatusCode: {BadSecurityChecksFailed} = 0x80130000 (2148728832)
Description: Certificate chain not complete.
SubjectName: CN=ds1-pri.foo.bar.local, OU=unk, O=unk, L=unk, S=unk, DC=foo.bar.local, C=Country
IssuerName: CN=foo-ca1, DC=foo, DC=bar, DC=local
AdditionalInfo: >>> Certificate chain not complete.
SubjectName: CN=ds1-pri.foo.bar.local, OU=unk, O=unk, L=unk, S=unk, DC=foo.bar.local, C=Country
IssuerName: CN=foo-ca1, DC=foo, DC=bar, DC=local
---    at Opc.Ua.CertificateValidator.GetIssuersWithChainSupportEnabled(X509Certificate2Collection certificates, List`1 issuers)
---    at Opc.Ua.CertificateValidator.InternalValidateWithChainSupportEnabled(X509Certificate2Collection certificates)
---    at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain)
Last edit: 10 Jun 2018 20:55 by chrisstankevitz.
