KepwareEx rejects with error “Certificate doesn’t meet … requirement”
Tagged: cert, legacy server, opcua
June 1, 2024 at 6:03 am #14591
zzz (Participant)
https://github.com/OPCFoundation/UA-.NETStandard/issues/305
@cxd110 Sha1 signed certs and 1k key length are by default deprecated.
June 1, 2024 at 6:29 am #14592
zzz (Participant)
```text
Opc.Ua.ServiceResultException: Certificate doesn't meet minimum key length requirement. (1024<2048)
 ---> Opc.Ua.ServiceResultException: Certificate doesn't meet minimum key length requirement. (1024<2048)
   --- End of inner exception stack trace ---
   at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain, ConfiguredEndpoint endpoint)
   at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain)
   at Opc.Ua.Client.Session.Open(String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales, Boolean checkDomain)
   at Opc.Ua.Client.Session.Create(ApplicationConfiguration configuration, ITransportWaitingConnection connection, ConfiguredEndpoint endpoint, Boolean updateBeforeConnect, Boolean checkDomain, String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales)
   at Scada.Comm.Drivers.DrvOpcUa.OpcClientHelperBase.ConnectAsync() in scada-v6/ScadaComm/OpenDrivers/DrvOpcUa.Common/OpcClientHelperBase.cs:line 198
   at Scada.Comm.Drivers.DrvOpcUa.View.Forms.FrmDeviceConfig.ConnectToOpcServer()
```
June 1, 2024 at 6:54 am #14595
zzz (Participant)
Hi Mik, if it is the other way around please help update the post title. And please shed light on how to work around this check. Thanks.
I do everything to avoid laying hands on that OPC server again, since an old system’s client it served also uses OPC UA and is very quirky. No more incidents from me.
June 1, 2024 at 7:32 am #14596
zzz (Participant)
Based on info from the previous GitHub issue link, I tried to disable it without success. I am not sure what I missed?
```csharp
// OpenDrivers/DrvOpcUa.Common/OpcClientHelperBase.cs
...
using (Stream stream = ReadConfiguration())
{
    config = await application.LoadApplicationConfiguration(stream, false);
    Console.WriteLine("RejectSHA1SignedCertificates = {0}",
        config.SecurityConfiguration.RejectSHA1SignedCertificates);
    // Try to relax the certificate checks after the configuration has been loaded
    config.SecurityConfiguration.RejectSHA1SignedCertificates = false;
    config.SecurityConfiguration.MinimumCertificateKeySize = 1024;
}
...
// create session
EndpointConfiguration endpointConfiguration = EndpointConfiguration.Create(config);
ConfiguredEndpoint endpoint = new(null, selectedEndpoint, endpointConfiguration);
UserIdentity userIdentity = connectionOptions.AuthenticationMode == AuthenticationMode.Username
    ? new UserIdentity(connectionOptions.Username, connectionOptions.Password)
    : new UserIdentity(new AnonymousIdentityToken());
// Dump the effective settings right before the session is created
Console.WriteLine("Before OpcSession Create");
Console.WriteLine("RejectSHA1SignedCertificates = {0}",
    config.SecurityConfiguration.RejectSHA1SignedCertificates);
Console.WriteLine("MinimumCertificateKeySize = {0}",
    config.SecurityConfiguration.MinimumCertificateKeySize);
OpcSession = await Session.Create(config, endpoint, false, GetSessionName(),
    (uint)config.ClientConfiguration.DefaultSessionTimeout, userIdentity, null);
log.WriteLine(Locale.IsRussian ? "OPC-сессия создана успешно" : "OPC session created successfully");
```
```text
RejectSHA1SignedCertificates = True
Before OpcSession Create
RejectSHA1SignedCertificates = False
MinimumCertificateKeySize = 1024
====ERROR===
Opc.Ua.ServiceResultException: Certificate doesn't meet minimum key length requirement. (1024<2048)
 ---> Opc.Ua.ServiceResultException: Certificate doesn't meet minimum key length requirement. (1024<2048)
   --- End of inner exception stack trace ---
   at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain, ConfiguredEndpoint endpoint)
   at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain)
   at Opc.Ua.Client.Session.Open(String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales, Boolean checkDomain)
   at Opc.Ua.Client.Session.Create(ApplicationConfiguration configuration, ITransportWaitingConnection connection, ConfiguredEndpoint endpoint, Boolean updateBeforeConnect, Boolean checkDomain, String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales)
   at Scada.Comm.Drivers.DrvOpcUa.OpcClientHelperBase.ConnectAsync()
   at Scada.Comm.Drivers.DrvOpcUa.View.Forms.FrmDeviceConfig.ConnectToOpcServer()
====END OF ERROR===
```
June 1, 2024 at 7:50 am #14598
zzz (Participant)
OK, I found the settings in config:
Project\Instances\Default\ScadaComm\Config\DrvOpcUa.View.xml
Setting the above settings respectively solves this error. But it's strange that overriding the config in the config property has no effect. 🙁
This is now solved, please help update the title: “Legacy server gets rejected by RS6”
Now I am getting a new error:
Opc.Ua.ServiceResultException: Error establishing a connection: Error received from remote host:
Will start a new post if it turns out to persist.
June 2, 2024 at 7:16 am #14605
zzz (Participant)
This is not working on the server side, since the changes in DrvOpcUa.View.xml only affect the client side, and when uploaded to ScadaComm, it loads the OpcUa configs from DrvOpcUa.Logic.xml.
June 3, 2024 at 7:58 am #14612
Mikhail (Moderator)
You should add DrvOpcUa.Logic.xml into the Rapid SCADA project, edit the file as needed, and upload the project for execution.
What parameter in DrvOpcUa.*.xml should be updated to fix the connection issue?
June 13, 2024 at 7:28 am #14675
zzz (Participant)
Yes, make changes in $Project\Instances\Default\ScadaComm\Config\DrvOpcUa.View.xml; once it works OK in ScadaAdmin OpcUA View, duplicate that xml as DrvOpcUa.Logic.xml in the same folder and upload. Communicator shall take the same OpcUA setting. The change is the addition of the following two settings, as was stated in the link in the first post:
```xml
<SecurityConfiguration>
  ...
  <!-- Re-enable SHA-1 signatures and 1024-bit keys for the old server -->
  <RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>
  <MinimumCertificateKeySize>1024</MinimumCertificateKeySize>
  ...
</SecurityConfiguration>
```
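A defender-side audit of the two settings this thread ends up with, added here as an example and not code from the thread, from Rapid SCADA or from the OPC Foundation SDK: it reads a DrvOpcUa.*.xml file ignoring XML namespaces, reports when the client would accept SHA-1 signed or sub-2048-bit server certificates (the SDK defaults of RejectSHA1SignedCertificates=True and a 2048-bit minimum are taken from the output and error above), and checks that the View and Logic files agree, since Communicator reads DrvOpcUa.Logic.xml. The root element and namespace of the constructed sample files are assumptions; only the element names come from the thread.

```python
import xml.etree.ElementTree as ET

# SDK default: the error above shows keys below 2048 bits are rejected.
DEFAULT_MIN_KEY_SIZE = 2048


def _local(tag):
    """Strip a namespace prefix such as '{http://...}Name' down to 'Name'."""
    return tag.rsplit('}', 1)[-1]


def _find_local(root, name):
    """First element (root included) whose local name matches, namespaces ignored."""
    return next((el for el in root.iter() if _local(el.tag) == name), None)


def audit_security_config(xml_text):
    """Report the effective certificate checks a DrvOpcUa.*.xml file would apply."""
    sec = _find_local(ET.fromstring(xml_text), 'SecurityConfiguration')
    reject_sha1, min_key = True, DEFAULT_MIN_KEY_SIZE  # defaults when elements are absent
    if sec is not None:
        el = _find_local(sec, 'RejectSHA1SignedCertificates')
        if el is not None and el.text:
            reject_sha1 = el.text.strip().lower() == 'true'
        el = _find_local(sec, 'MinimumCertificateKeySize')
        if el is not None and el.text:
            min_key = int(el.text.strip())
    findings = []
    if not reject_sha1:
        findings.append('SHA-1 signed server certificates are accepted')
    if min_key < DEFAULT_MIN_KEY_SIZE:
        findings.append(f'RSA keys down to {min_key} bits are accepted')
    return {'reject_sha1': reject_sha1, 'min_key_size': min_key, 'findings': findings}


def configs_match(view_xml, logic_xml):
    """Communicator reads DrvOpcUa.Logic.xml, not the View file, so both must agree."""
    v, lg = audit_security_config(view_xml), audit_security_config(logic_xml)
    return (v['reject_sha1'], v['min_key_size']) == (lg['reject_sha1'], lg['min_key_size'])


# Constructed sample files: element names from the thread; root element and namespace assumed.
NS = 'http://opcfoundation.org/UA/SDK/Configuration.xsd'
VIEW_XML = f"""<ApplicationConfiguration xmlns="{NS}">
  <SecurityConfiguration>
    <RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>
    <MinimumCertificateKeySize>1024</MinimumCertificateKeySize>
  </SecurityConfiguration>
</ApplicationConfiguration>"""
LOGIC_XML = f'<ApplicationConfiguration xmlns="{NS}"><SecurityConfiguration/></ApplicationConfiguration>'
```

Running `audit_security_config` over both files and `configs_match` on the pair flags the weakened View file and the View/Logic mismatch that the thread ran into.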