awcullen / opcua

OPC Unified Architecture (OPC UA) in Go.
MIT License

Can't connect to OPCUA server with certs generated by AC #24

Closed FranckEtienne closed 11 months ago

FranckEtienne commented 1 year ago

From a Go client based on the opcua Go SDK, I can't connect to an OPC UA server (where only Basic256Sha256 is open) built on the Unified Automation SDK with our AC certs.

The server has certs/pem/crl; we could access it with UaExpert. If I use the same certs as UaExpert, this is the error: 'An error occurred verifying security' (screenshot: OpcuaDialWithCertsFromAC-1)

I use Dial with these parameters: (screenshot: OpcuaDialWithCertsFromAC-2)

On the server, it seems that the client requires SecurityPolicy#None, which is forbidden.

If I try with self-signed certificates, I have no problem; only with AC certs.

Thanks for your help.

awcullen commented 1 year ago

Sorry for the delay. I was able to connect to the Unified Automation C++ SDK OPC UA Demo Server in this way.

I placed the CA certificate file "ctt_ca1T.der" in the server's "trusted/certs" folder. I placed the CA certificate revocation file "ctt_ca1T.crl" in the server's "trusted/crl" folder.

I placed the client certificate file "ctt_ca1T_appT.crt" in the client's "pki" folder. I placed the client private key file "ctt_ca1T_appT.key" in the client's "pki" folder.

I set the server to accept only Basic256Sha256/SignAndEncrypt.

ch, err := client.Dial(
    ctx,
    "opc.tcp://localhost:48010",
    client.WithSecurityPolicyURI(ua.SecurityPolicyURIBasic256Sha256, ua.MessageSecurityModeSignAndEncrypt),
    client.WithClientCertificatePaths("./pki/ctt_ca1T_appT.crt", "./pki/ctt_ca1T_appT.key"),
    client.WithUserNameIdentity("root", "secret"),
    client.WithInsecureSkipVerify(), // skips verification of server certificate
)

FranckEtienne commented 1 year ago

Hi Andrew,

This issue arises when the server (Unified Automation SDK) uses certificates which are signed by a certificate authority (and an intermediate CA). The server returns its certificate and the certificates of the CA/intermediate CA. Find attached the modified code which permits my OPC UA client to connect to the server (client.go and client_secure_channel.go). I added a ".txt" extension to the files to be able to send them. The code is taken from version 1.2.0. Attachments: client_secure_channel.go.txt, client.go.txt

Tell me when you have taken the correction into account; I could test it. Thank you for your work.

awcullen commented 1 year ago

I tested your code and it is working.

But OPC UA suggests a server should provide just its application certificate when requested, without the intermediate or root certs.

To validate the server's certificate, the client must have any intermediate or root certificates stored in a trusted location on the client. You use the option client.WithTrustedCertificatesPaths(certPath, crlPath string) to tell a new client where the trusted certificates are located.