BadCertificateChainIncomplete in Linux version

Questions regarding the use of the UaExpert.

Moderator: uaexpert

ITPrakab
Jr. Member
Posts: 1
Joined: 13 Mar 2025, 15:00

BadCertificateChainIncomplete in Linux version

Post by ITPrakab »

Hi,
I've got a problem with the Linux version of UaExpert. While establishing the connection, the following problem with the certificate occurs:
Image

Even if the certificate is trusted, there is something wrong with it. Anyway, there is a workaround that lets me connect to the OPC server:
Image

I must perform this operation on every attempt to connect to the OPC UA server. If I try to connect to the OPC server via the Windows version of UaExpert, no problem occurs. The OPC server is a built-in part of the S7-1200 PLC; I have no possibility to edit the server certificate. What is the recommended action to solve this problem?
Thank you very much in advance.

Petr Moos.

Support Team
Hero Member
Posts: 3265
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete in Linux version

Post by Support Team »

Hi,

There might be an issue with the OpenSSL version you are using on Linux. On Linux, UaExpert uses the OpenSSL found on the system. Which Linux distro are you using, and which version of OpenSSL is installed?

The ChainIncomplete error is typically caused by one of two reasons:
1) you really have a chain (multiple certificates), but have not (completely) trusted the issuer(s), or the corresponding revocation list (CRL) is missing
2) your self-signed cert looks like it is CA-signed, but is self-signed in reality (wrong content).

We are not experts in the S7-1200, but most probably it is option 2). Was the cert created with TIA, or was it created "externally" and just downloaded?

UaExpert can (temporarily) "ignore" errors; however, if the certificate is "fundamentally" wrong (cannot pass the OpenSSL validation), it will be rejected no matter what. OpenSSL has advanced validation checks which change the behavior, and this might be the difference between Linux and Windows (using different versions of OpenSSL).
Best regards
Unified Automation Support Team
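
A triage sketch for the two causes listed in the reply above, added here as an example and not part of the thread or of UaExpert: it uses only the `openssl` CLI to tell a genuinely self-signed certificate from one that names a different issuer, and to check whether a given issuer bundle completes the chain. It assumes that "looks CA-signed" means the issuer name differs from the subject; the function names, file names and sample certificates are constructed for illustration, and CRL checking is not covered.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File and function names are hypothetical.

# dn CERT subject|issuer: print that DN on one comparable line.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# classify_cert CERT [ISSUER_BUNDLE] prints one of:
#   self-signed          subject == issuer and its own key verifies the signature
#   self-issued-invalid  subject == issuer but the signature does not verify
#   chain-ok             names another issuer, and ISSUER_BUNDLE completes the chain
#   chain-incomplete     names another issuer that is not in ISSUER_BUNDLE; on a
#                        device expected to be self-signed this points to cause 2
#                        (assumption: "looks CA-signed" means issuer != subject)
classify_cert() {
  local cert="$1" bundle="${2:-}"
  if [ "$(dn "$cert" subject)" = "$(dn "$cert" issuer)" ]; then
    if openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
      echo self-signed
    else
      echo self-issued-invalid
    fi
  elif [ -n "$bundle" ] && openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo chain-ok
  else
    echo chain-incomplete
  fi
}

# make_samples DIR: constructed test certificates (self-signed, a CA, a CA-issued leaf).
make_samples() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-selfsigned" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-leaf" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Stand-alone use: ./triage.sh server.pem [issuers.pem]
if [ "$#" -gt 0 ]; then classify_cert "$@"; fi
```

Run it against the server certificate exported from the client's trust list; a `chain-incomplete` result with the expected issuer bundle supplied means the issuer certificate itself is what the validator cannot find.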
