Server Certificate change

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

Post Reply
ThomasZ
Sr. Member
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Server Certificate change

Post by ThomasZ »

Hi,
I'm trying to get my client to properly reconnect, after I change the servers TLS Key and Certificate.
I'm shutting down the server, exchange the key and certificate and then start it again.

My client gets a UaSessionCallback::connectError with error = OpcUa_BadCertificateInvalid, which is OK.

Now I want my client to check the new certificate and connect again.
For this I'm setting a flag, check this flag outside the callback and if it is set I'm deleting the current session to create a new one.
But my client always gets stuck in the delete of the current session, or if I disconnect the session before, it gets stuck in the disconnect.

Can anybody give me an advice how to handle this properly?

Thanks,
Thomas

ThomasZ
Sr. Member
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Server Certificate change

Post by ThomasZ »

Today I've tried the same test with UAExpert instead of our client.

UAExpert shows the same behavior and is showing the following messages:

Code: Select all

[uastack] OpcUa_TcpConnection_ProcessResponse: Error Message!
[uastack] OpcUa_TcpConnection_ProcessResponse: Status 0x80120000!
Error 'BadCertificateInvalid' was returned during OpenSecureChannel
Do you have any advice on how to reconnect to a server when the servers key and certificate have changed?

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Server Certificate change

Post by Support Team »

Hi,
if the certificate (on either side) has changed, the validation against the previously trusted one will fail. Therefore is correct behavior to stop communication on next occurrence of validation (which in your case might be re-connect, or secure channel renew). The behavior is correct.

You must ask the user/admin if the new certificate is fine, than "trust" the new cert, and thererafter re-connect again. This is the way self-signed certs work.

There is an alternative, instead of using self-signed, and distributed trust one by one, you could use UaGDS (global discovery and security management server). If client and server support the GDS pull/push interface, they can have their certificates signed by CA and automatically being updated/rolled out.
Best regards
Unified Automation Support Team

ThomasZ
Sr. Member
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Server Certificate change

Post by ThomasZ »

Hi,
I've updated to version 1.7.7 and now deleting the session on reconnect is working. So there is something strange in version 1.6.5 which I was using before.

Thanks for your reply.
Thomas

Post Reply