Unified Automation Forum

Hi,
I'm trying to get my client to properly reconnect, after I change the servers TLS Key and Certificate.
I'm shutting down the server, exchange the key and certificate and then start it again.

My client gets a UaSessionCallback::connectError with error = OpcUa_BadCertificateInvalid, which is OK.

Now I want my client to check the new certificate and connect again.
For this I'm setting a flag, check this flag outside the callback and if it is set I'm deleting the current session to create a new one.
But my client always gets stuck in the delete of the current session, or if I disconnect the session before, it gets stuck in the disconnect.

Can anybody give me an advice how to handle this properly?

Thanks,
Thomas

Today I've tried the same test with UAExpert instead of our client.

UAExpert shows the same behavior and is showing the following messages: Do you have any advice on how to reconnect to a server when the servers key and certificate have changed?

Hi,
if the certificate (on either side) has changed, the validation against the previously trusted one will fail. Therefore is correct behavior to stop communication on next occurrence of validation (which in your case might be re-connect, or secure channel renew). The behavior is correct.

You must ask the user/admin if the new certificate is fine, than "trust" the new cert, and thererafter re-connect again. This is the way self-signed certs work.

There is an alternative, instead of using self-signed, and distributed trust one by one, you could use UaGDS (global discovery and security management server). If client and server support the GDS pull/push interface, they can have their certificates signed by CA and automatically being updated/rolled out.

Hi,
I've updated to version 1.7.7 and now deleting the session on reconnect is working. So there is something strange in version 1.6.5 which I was using before.

Thanks for your reply.
Thomas