gopcua / opcua

Native Go OPC-UA library
MIT License
829 stars 253 forks

Bug: Client fails to trust CA signed server certificates #735

Open Dipp3r opened 1 month ago

Dipp3r commented 1 month ago

I have a .NET Standard sample UA server from the OPC Foundation running, to which I'm trying to connect from the Go client with the following security options:

opts := []opcua.Option{
    opcua.SecurityPolicy("Basic256Sha256"),
    opcua.SecurityModeString("SignAndEncrypt"),
    opcua.AuthUsername("user", "password"),
    opcua.CertificateFile(<self-signed-certificate-file-path>),
    opcua.PrivateKeyFile(<private-key-path>),
    opcua.SecurityFromEndpoint(ep, ua.UserTokenTypeUserName),
    opcua.SessionTimeout(30 * time.Minute),
    opcua.AutoReconnect(true),
    opcua.RemoteCertificateFile("./certs/server.der"),
    opcua.ReconnectInterval(time.Second * 10),
    opcua.Lifetime(30 * time.Minute),
    opcua.RequestTimeout(3 * time.Second),
}

This works fine with the sample server as long as I have the self-signed certificate of the server copied and renamed to "server.der" in the "certs" directory, so that opcua.RemoteCertificateFile("./certs/server.der") is able to load it. But when applying the same security options to connect to an actual server that has a CA-signed certificate, the Go client fails to trust the server certificate, which results in a "BadSecurityChecksFailed" error in the server logs:

06/17/2024 12:58:46.364 TCPSERVERCHANNEL ForceChannelFault Socket=00FF2753, ChannelId=0, TokenId=0, Reason=BadSecurityChecksFailed 'Could not verify security on OpenSecureChannel request.'
06/17/2024 12:58:46.365 ChannelId 240: in Faulted state.
06/17/2024 12:58:46.365 TCPSERVERCHANNEL ForceChannelFault Socket=00FF2753, ChannelId=0, TokenId=0, Reason=BadConnectionClosed 'Remote side closed connection'

I have tried trusting the root (issuer's) certificate of the server, still no luck. Same error!

So I was wondering if there is a way I could configure the client to automatically trust the server-side certificate without having to pass the file or the file path, something like opcua.TrustServerCertificate(true)?
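To show what "trusting the issuer" of a CA-signed server certificate means in practice, as opposed to a blanket TrustServerCertificate(true) that would accept any certificate at all, here is an added example that is not part of gopcua or of this report. It builds a constructed CA and a CA-signed server certificate with the standard library, then verifies the server certificate's DER bytes (the same encoding as server.der) against a trust store with crypto/x509; the names VerifyServerDER, makeCert and TrustScenario are the example's own, and nothing here shows how gopcua wires its certificate checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// VerifyServerDER checks a DER-encoded server certificate (the encoding of server.der above) against
// trusted issuers, so a CA-signed certificate is accepted via its issuer rather than by pinning one file.
func VerifyServerDER(serverDER []byte, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return err
	}
	// No DNSName: OPC UA identifies applications by URI, not by TLS server name.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// makeCert issues a certificate for cn signed by parent, or a self-signed CA when parent is nil.
// Constructed test material only, not real server or CA certificates.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // cannot fail for this template
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustScenario mirrors the report: the CA-signed server certificate verifies when its issuer is in
// the trust store (first result, nil) and is rejected when the store is a non-nil empty pool (second).
func TrustScenario() (withIssuer, withoutIssuer error) {
	caCert, caKey := makeCert("Constructed Test CA", nil, nil)
	serverCert, _ := makeCert("Constructed OPC UA Server", caCert, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	return VerifyServerDER(serverCert.Raw, trusted), VerifyServerDER(serverCert.Raw, x509.NewCertPool())
}
```

Note that a non-nil empty CertPool trusts nothing, whereas leaving Roots nil would silently fall back to the operating system's root store, which is rarely what an OPC UA client wants.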