Log In
Register
Forum
Topic RSS
2:53, EEST
August 14, 2017
Offline
i try running the SampleClient Console Application within the SDK Evaluation on Mac/Linux but i’m getting this confusing error
java.io.IOException: Duplicate extensions not allowed i really don’t know how to fix this ?
Thank you
10:31, EEST
December 21, 2011
Offline
Which server are you testing against? Could you provide details of the server certificate, for example by sending a copy of it to uajava-support at prosysopc.com?
Also, its would help to see the stack trace, to figure out where and when this is happening.
Which Java version are you using?
12:29, EEST
August 14, 2017
Offline
Hi, im using the internal OPC UA server of a Siemens S7-1500 plc Unit. I tested it with a sample Client in C# and it worked fine.
I use Eclipse and Java 8.
Here is the complete stack trace
Exception in thread “main” org.opcfoundation.ua.common.RuntimeServiceResultException: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (code=0x80120000, description=”2148663296, java.io.IOException: Duplicate extensions not allowed”)
at org.opcfoundation.ua.transport.TransportChannelSettings.getServerCertificate(TransportChannelSettings.java:114)
at org.opcfoundation.ua.transport.tcp.io.TcpConnection.initialize(TcpConnection.java:376)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(SecureChannelTcp.java:273)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(SecureChannelTcp.java:246)
at org.opcfoundation.ua.application.Client.createSecureChannel(Client.java:640)
at org.opcfoundation.ua.application.Client.createSecureChannel(Client.java:555)
at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:370)
at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:345)
at org.opcfoundation.ua.examples.SampleClient.main(SampleClient.java:109)
Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (code=0x80120000, description=”2148663296, java.io.IOException: Duplicate extensions not allowed”)
at org.opcfoundation.ua.transport.security.Cert.(Cert.java:143)
at org.opcfoundation.ua.transport.TransportChannelSettings.getServerCertificate(TransportChannelSettings.java:112)
… 8 more
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.X509CertInfo.(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
at sun.security.x509.X509CertImpl.(X509CertImpl.java:195)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at org.opcfoundation.ua.utils.CertificateUtils.decodeX509Certificate(CertificateUtils.java:193)
at org.opcfoundation.ua.transport.security.Cert.(Cert.java:136)
… 9 more
Caused by: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:115)
at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:88)
at sun.security.x509.CertificateExtensions.(CertificateExtensions.java:78)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:702)
at sun.security.x509.X509CertInfo.(X509CertInfo.java:167)
… 15 more
17:13, EEST
December 21, 2011
Offline
Do you have Bouncy Castle libraries in your class path?
Which Java 8 version are you using?
18:13, EEST
August 14, 2017
Offline
I have Java 8 update 141 installed and the project compiler is set to 1.8
the bouncyCastle Libraries i think bcprov and bckpix are listed as referenced libraries in my project
18:51, EEST
December 21, 2011
Offline
This is a possible issue in JDK, which requires that there is only one extension of any type in the certificate. Also, for the same reason, I cannot generate such a certificate with Java to check it out.
And the reason for this is limitation is the RFC 3280 that specifies the usage of certificates:
https://www.ietf.org/rfc/rfc3280.txt
4.2 Certificate Extensions
…
A certificate MUST NOT include more than
one instance of a particular extension.
…
So, if you could find the certificate of the server from the trust store of the other client applications, please check it out yourself or send that by email, so that we can try to verify the issue. I don’t think that there is any way to overcome this, so you will need to contact the server manufacturer and tell them that they are using invalid certificates.
19:16, EEST
August 14, 2017
Offline
ok, so this is an server issue? well since its build in a Siemens PLC i don’t have any access except turning it on and off.
I have a c# sample Application provided by Siemens could the certificate you asked about be mentioned in this app?
9:38, EEST
December 21, 2011
Offline
Yes, this is a very unfortunate interoperability issue. Apparently other development environments enable creation and usage of certificates that are invalid by the specification. And the Java environment seems to be very strict about this.
You should look for the certificate store of the client application, if you can locate the server certificate in there after accepting it. You will need to refer to the documentation of the client to locate it.
21:51, EEST
September 26, 2018
Offline
Hello schodo and Jouni,
Was this issue solved? I have started to try the Prosys SDK for Java too and I run into the same problem. The .NET example distributed by Siemens works fine, but the Sample Client does not.
BTW: is there a way to add attachments or pictures to this forum post?
10:16, EEST
April 17, 2013
Offline
Hello,
We have an S7-1500 device for testing and demonstration purposes here at our offices. The above mentioned issue does not happen with our device, which reports
“ProductName=SIMATIC S7-1500 OPC UA, SoftwareVersion=V02.05.00” as its version. I tested this with our Java SDK version 3.1.6.
What Simatic firmware version and Prosys OPC UA Java SDK version are you using currently?
There’s no good way to attach pictures here to the forum. Please send any pictures or other large attachments by email to us at uajava-support prosysopc.com.
20:59, EET
September 26, 2018
Offline
Hello Heikki,
Sorry my reply is so late: I received an answer from Siemens and decided to wait for TIA Portal V15.1, which was now released.
Last week I installed V15.1, updated the firmware of my S7-1512 and also loaded a new certificate for OPCUA in the PLC. This helped: the I/O-error is gone.
Then, I updated my java SDK version to 1.8.0.172 (to fix the SSL handshake error) and installed the Siemens root certificate in my VM’s cacerts file. Now I can successfully connect!
Of course, now I run into novice problems. For instance, I have made a subscription to an UDT in an instance DB. I successfully get a notification when I change a bit in the UDT in the PLC, but: how do I get the values of all bits in the UDT? Is there an example of working with Structures and Arrays I can read?
Most Users Ever Online: 1919
Currently Online:
24 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 735
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1523
Posts: 6449
Newest Members:
rust, christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley, Thomassnism, biancacraft16Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0
Administrators: admin: 1
