ERROR:__main__:The certificate provided as a parameter is not valid.(BadCertificateInvalid)

[ZionC27]

I have been trying to get server-with-encryption.py and client-with-encryption.py to work but have been running into issues.

What is working:

• For the server I have been using the server-certificate-example.der and server-private-key-example.pem
• I have tested using UAExpert certificate (await cert_user_manager.add_user(Path(cert_base /"certificates/cert.der"), name="test_user")) and the client works on UI.

What is not working:

• The client-with-encryption.py
• The provided peer-certificate-example-1.der is invalid because it is expired
• Making my own certificate

What I have tried:

• I created my own Private key and certificates I used the following command:
  openssl req -x509 -newkey rsa:4096 -sha256 -keyout pk.pem -out cert.pem -days 3650 -nodes -addext "subjectAltName = URI:urn:myselfsignedserver@xxxxxx,IP: 127.0.0.1,DNS: xxxxxx"

openssl x509 -outform der -in cert.pem -out cert.der

I keep getting:

INFO:asyncua.client.client:connect
INFO:asyncua.client.ua_client.UaClient:opening connection
INFO:asyncua.uaprotocol:updating client limits to: TransportLimits(max_recv_buffer=65535, max_send_buffer=65535, max_chunk_count=1601, max_message_size=104857600)
INFO:asyncua.client.ua_client.UASocketProtocol:open_secure_channel
INFO:asyncua.client.ua_client.UaClient:create_session
WARNING:asyncua.client.ua_client.UASocketProtocol:ServiceFault (BadCertificateInvalid, diagnostics: DiagnosticInfo(SymbolicId=None, NamespaceURI=None, Locale=None, LocalizedText=None, AdditionalInfo=None, InnerStatusCode=None, InnerDiagnosticInfo=None)) from server received in response to CreateSessionRequest
INFO:asyncua.client.ua_client.UASocketProtocol:close_secure_channel
INFO:asyncua.client.ua_client.UASocketProtocol:Request to close socket received
ERROR:main:The certificate provided as a parameter is not valid.(BadCertificateInvalid)

I have also tried changing rsa:2048, -set_serial "0x122b11b1" when making the certificate

I also tried removing setup_self_signed_certificate but it still doesn't work
await setup_self_signed_certificate(
private_key,
cert,
client_app_uri,
host_name,
[ExtendedKeyUsageOID.CLIENT_AUTH],
{
"countryName": "CA",
"stateOrProvinceName": "BC"
},
)

[AndreasHeine]

can you post the cert!? or a sample cert!?

[ZionC27]

@AndreasHeine Using server-with-encryption.py and client-with-encryption.py without modifying code. I used private-key-example.pem and certificate-example.der for the server and peer-private-key-example-1.pem and peer-certificate-example-1.pem inside examples and got
WARNING:asyncuagds.validate:Not trusted certificate used: "myselfsignedserver@LAPTOP-E56DPVO9"
ERROR:asyncua.client.client:create_session fault response: The certificate is not trusted. (BadCertificateUntrusted)
INFO:asyncua.client.ua_client.UASocketProtocol:close_secure_channel
INFO:asyncua.client.ua_client.UASocketProtocol:Request to close socket received
ERROR:main:The certificate is not trusted.(BadCertificateUntrusted)

I also tried the key and certificate parrings for the client from this repo https://github.com/ZionC27/certtest and they still have the same issue

[bitkeeper]

server-with-encryption.py and client-with-encryption.py cannot be executed as counter parts because:

• server-with-encryption.py expects a user authentication with cert certificates/peer-certificate-example-1.der
• client-with-encryption.py make use of a truststore (which is not filled with trusted CA of server certs)
• client-with-encryption.py generates cert to certificates/peer-certificate-example-4.der (which is generate/update at the start of the client)
• client-with-encryption.py makes use of a different server cert certificate-example.der

To let both run together and make use of the automatic generated self signed certs on run you have to make some changes:

In server-with-encryption.py:

• disable use of user_Manager with cert:

    # server = Server(user_manager=cert_user_manager)
    server = Server()

In client-with-encryption.py

• disable use of trust store by setting USE_TRUST_STORE to False:

USE_TRUST_STORE = False

• use the correct server certificate:

        # server_certificate="certificate-example.der",
        server_certificate=str(Path(cert_base / "certificates/server-certificate-example.der")),

[ZionC27]

@AndreasHeine Thank you for helping. I am still running into issues on the client side. The code did connect and read 1 value but then had an error and stoped. I was able to read from UaExpert I have attached the Server and Client code and server cert and pk I used here https://github.com/ZionC27/certtest

INFO:asyncua.client.client:connect
INFO:asyncua.client.ua_client.UaClient:opening connection
INFO:asyncua.uaprotocol:updating client limits to: TransportLimits(max_recv_buffer=65535, max_send_buffer=65535, max_chunk_count=1601, max_message_size=104857600)
INFO:asyncua.client.ua_client.UASocketProtocol:open_secure_channel
INFO:asyncua.client.ua_client.UaClient:create_session
INFO:asyncua.client.client:find_endpoint [EndpointDescription(EndpointUrl='opc.tcp://127.0.0.1:4840/freeopcua/server/', ....... my device info and cert info
INFO:asyncua.client.ua_client.UaClient:activate_session
14.999999999999963
WARNING:asyncua.client.ua_client.UASocketProtocol:ServiceFault (BadUserAccessDenied, diagnostics: DiagnosticInfo(SymbolicId=None, NamespaceURI=None, Locale=None, LocalizedText=None, AdditionalInfo=None, InnerStatusCode=None, InnerDiagnosticInfo=None)) from server received in response to WriteRequest
INFO:asyncua.client.client:disconnect
INFO:asyncua.client.ua_client.UaClient:close_session
INFO:asyncua.client.ua_client.UASocketProtocol:close_secure_channel
INFO:asyncua.client.ua_client.UASocketProtocol:Request to close socket received
ERROR:main:User does not have permission to perform the requested operation.(BadUserAccessDenied)