The certificate provided as a parameter is not valid.
April 8, 2014
15:23, EEST
gjevremovic

Hi Aro,

I have a problem connecting to an in-house OPC UA server solution developed using the Prosys C SDK.
The in-house OPC UA server is on a different machine and there is no difference in date/time between client and server.
I tried also with IP addresses for server name but the result is the same.
For client side I am using Prosys-OPC-UA-Java-SDK-Client-Binary-1.4.8-8731.
My client works fine with UADemoServer. It connects in both modes NONE and BASIC128RSA15_SIGN.

But when I tried to connect to in house opc ua server which supports NONE and BASIC256_SIGN_ENCRYPT modes (Anonymous)
client received Bad_CertificateInvalid (0x80120000) in BASIC256_SIGN_ENCRYPT mode:

ERROR TcpConnection.run – CP336/10.150.109.110:4842 Error
org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (0x80120000) “The certificate provided as a parameter is not valid.”
at org.opcfoundation.ua.transport.tcp.io.TcpConnection$ReadThread.run(Unknown Source)
08.04.2014 16:42:47,579 ERROR ProsysExceptionPrintingUtil.printException – com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://CP336:4842 [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt] ServiceResult=Bad_CertificateInvalid (0x80120000) “The certificate provided as a parameter is not valid.”
08.04.2014 16:42:47,588 ERROR ProsysExceptionPrintingUtil.printException – Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (0x80120000) “The certificate provided as a parameter is not valid.”

and when tried to connect by using mode NONE client received Bad_UnexpectedError (0x80010000) :

ERROR ProsysExceptionPrintingUtil.printException – com.prosysopc.ua.client.InvalidServerEndpointException: Failed to create session channel to server: : opc.tcp://CP336:4842 [http://opcfoundation.org/UA/SecurityPolicy#None,None] ServiceResult=Bad_UnexpectedError (0x80010000) “An unexpected error occurred.”
08.04.2014 16:55:05,364 ERROR ProsysExceptionPrintingUtil.printException – Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_UnexpectedError (code=0x80010000, description=”Requested endpoint is not found on the server”)

Then I tried with the UaExpert OPC UA client, and this client connects to the in-house OPC UA server without problems.
Also with sample prosys C client there is no problem to establish connection.

Do you have any hint where I can dig further?

Best regards,

Goran

April 8, 2014
16:33, EEST
gjevremovic

I noticed that validation of certificates is not a problem.
For example in mode BASIC256_SIGN_ENCRYPT when I moved client certificate from rejected to certs of server PKI
error Bad_CertificateInvalid (0x80120000) “The certificate provided as a parameter is not valid.” disappeared.
After client restart the same error is returned as in security mode NONE:
08.04.2014 19:30:41,659 DEBUG ~~~~~~ protocol: opc.tcp ~~~~~~~~ hostname: CP336 ~~~~~~~~~~~ port: 4842 ~~~~~~~~~~ security:BASIC256_SIGN_ENCRYPT
08.04.2014 19:30:41,716 DEBUG ~~~~~~~~~~~~~~~~~~~~~~~~~~ Create a server connection using server URI passed
08.04.2014 19:30:42,120 DEBUG ~~~~~~~~~~~~~~~~~~~~~~~~~~ ApplicationIdentity.loadOrCreateCertificate passed
08.04.2014 19:30:42,121 DEBUG ~~~~~~~~~~~~~~~~~~~~~~~~~~ set the user identity passed
08.04.2014 19:30:42,389 DEBUG ~~~~~~~~~~~~~~~~~~~~~~~~~~ match of supported security modes passed
08.04.2014 19:30:42,688 ERROR ProsysExceptionPrintingUtil.printException – com.prosysopc.ua.client.InvalidServerEndpointException: Failed to create session channel to server: : opc.tcp://CP336:4842 [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt] ServiceResult=Bad_UnexpectedError (0x80010000) “An unexpected error occurred.”
08.04.2014 19:30:42,688 ERROR ProsysExceptionPrintingUtil.printException – Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_UnexpectedError (code=0x80010000, description=”Requested endpoint is not found on the server”)

This means Bad_UnexpectedError (code=0x80010000, description=”Requested endpoint is not found on the server”) is the only problem, but I can’t
conclude why the client fails to create a session channel to the server.

I read also:
http://www.prosysopc.com/blog/forum/opc-ua-java-sdk/testing-the-java-sdk/#p117
Currently I don’t have server log but I didn’t doubt on wrong URL as I am using the same url as discovery url from UaExpert client.

Probably it is related to:
“The servers define a list of endpoints that they are listening to. The client can only connect to the server using an URI that matches one of these endpoints. But the UaClient will convert it to the actual hostname, if the server does not define ’localhost’ in its endpoints.
Also IP number can only be used, if the server also defines the respective endpoint using the IP number.
If you are using the client in Linux, you cannot use NetBIOS computer names to access Windows servers. In general it is best to use TCP/IP DNS names from all clients. Alternatively, you can always use the IP address of the computer, if you make sure that the server also initializes an endpoint using the IP address, in addition to the hostname.”

Best regards,

Goran

April 9, 2014
5:40, EEST
gjevremovic

Resolved. The server exposes endpoints by using the hostname. After setting up the server hostname, everything works fine.
If you have a comment related to best practice, please add it.

Best regards,

Goran

April 15, 2014
8:28, EEST
Jouni Aro

Yes, this is a problem in the ANSI C SDK. It will be fixed in the next update.

July 15, 2015
12:45, EEST
Jouni Aro

UPDATE: In Java SDK 2.1.2, you can use the new property, UaClient.set/isValidateDiscoveredEndpoints(false) to enable connection to a server that is providing different endpointUrls as a response to GetEndpoints and CreateSession.
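
Added example, not part of the original thread and not Prosys SDK code: a check to run before disabling endpoint validation as described in the update above, showing whether the endpoint lists from GetEndpoints and CreateSession differ only in host name or also in port, security policy, mode or server certificate. The `Endpoint` class, the verdict names and the `THUMBPRINT-A` placeholder are assumptions; the sample lists are constructed from the host name and IP address that appear in this thread.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class EndpointDiff {
    // Hypothetical stand-in for an OPC UA EndpointDescription; not an SDK class.
    static final class Endpoint {
        final URI url; final String policy, mode, certThumbprint;
        Endpoint(String url, String policy, String mode, String certThumbprint) {
            this.url = URI.create(url); this.policy = policy;
            this.mode = mode; this.certThumbprint = certThumbprint;
        }
        // Everything except the host part: port, policy, mode, server certificate.
        boolean sameSecurity(Endpoint o) {
            return url.getPort() == o.url.getPort() && policy.equals(o.policy)
                && mode.equals(o.mode) && certThumbprint.equals(o.certThumbprint);
        }
        boolean sameHost(Endpoint o) {
            return String.valueOf(url.getHost()).equalsIgnoreCase(String.valueOf(o.url.getHost()));
        }
    }

    // One verdict per discovered endpoint: MATCH, HOST_ONLY (alias or IP for the
    // same listener) or SECURITY_MISMATCH (nothing comparable in the session list).
    static List<String> compare(List<Endpoint> discovered, List<Endpoint> session) {
        List<String> findings = new ArrayList<>();
        for (Endpoint d : discovered) {
            String verdict = "SECURITY_MISMATCH";
            for (Endpoint s : session) {
                if (!d.sameSecurity(s)) continue;
                if (d.sameHost(s)) { verdict = "MATCH"; break; }
                verdict = "HOST_ONLY";
            }
            findings.add(verdict + " " + d.url + " [" + d.policy + "," + d.mode + "]");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: GetEndpoints reached by IP, CreateSession answering with the host name.
        List<Endpoint> discovered = Arrays.asList(
            new Endpoint("opc.tcp://10.150.109.110:4842", "Basic256", "SignAndEncrypt", "THUMBPRINT-A"),
            new Endpoint("opc.tcp://10.150.109.110:4842", "Basic128Rsa15", "Sign", "THUMBPRINT-A"));
        List<Endpoint> session = Arrays.asList(
            new Endpoint("opc.tcp://CP336:4842", "Basic256", "SignAndEncrypt", "THUMBPRINT-A"),
            new Endpoint("opc.tcp://CP336:4842", "None", "None", "THUMBPRINT-A"));
        compare(discovered, session).forEach(System.out::println);
    }
}
```

A `HOST_ONLY` verdict is the situation this thread describes; a `SECURITY_MISMATCH` verdict points at the server's endpoint configuration, which is better corrected there than masked by turning validation off.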

September 8, 2015
1:31, EEST
jcriquet

Hi,

I’m getting the same error using Basic128Rsa15 or Basic256. The server doesn’t support None so I can’t test that. This is a KepWare OPC UA server and I am able to connect to it using the OPC UA Viewer by CAS, with no issues.

sys::Err: com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://**.**.**.**:***** [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt] ServiceResult=Bad_CertificateInvalid (0x80120000) “The certificate provided as a parameter is not valid.”

I’m at a loss as to how to debug this and find out what exactly is the matter.

September 8, 2015
7:24, EEST
Jouni Aro

The server is not accepting the certificate of your client application. According to the error code, there is something invalid in the certificate. Did you make it with loadOrCreateCertificate? Can you connect with the SampleConsoleClient?

September 26, 2015
19:11, EEST
jcriquet

Jouni Aro said

The server is not accepting the certificate of your client application. According to the error code, there is something invalid in the certificate. Did you make it with loadOrCreateCertificate? Can you connect with the SampleConsoleClient?

Silly me, I simply needed to trust the certificate on the server side.

I figured it out. Thanks!
