[Server] Fix: Return full CertificateChain after Certificate Update (#2861)

* simpler update process

* update endpoint descriptions

* adress review feedback

* cleanup

Author: romanett

Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs

@@ -675,7 +675,15 @@ private ServiceResult ApplyChanges(
                     // give the client some time to receive the response
                     // before the certificate update may disconnect all sessions
                     await Task.Delay(1000).ConfigureAwait(false);
-                    await m_configuration.CertificateValidator.UpdateCertificateAsync(m_configuration.SecurityConfiguration).ConfigureAwait(false);
+                    try
+                    {
+                        await m_configuration.CertificateValidator.UpdateCertificateAsync(m_configuration.SecurityConfiguration).ConfigureAwait(false);
+                    }
+                    catch (Exception ex)
+                    {
+                        Utils.LogCritical(ex, "Failed to sucessfully Apply Changes: Error updating application instance certificates. Server could be in faulted state.");
+                        throw;
+                    }
                 }
                 );
             }

Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportListener.cs

@@ -499,7 +499,6 @@ public void CertificateUpdate(
             foreach (EndpointDescription description in m_descriptions)
             {
                 ServerBase.SetServerCertificateInEndpointDescription(description,
-                    m_serverCertProvider.SendCertificateChain,
                     certificateTypeProvider,
                     false);
             }

Stack/Opc.Ua.Core/Security/Certificates/CertificateTypesProvider.cs

@@ -119,7 +119,7 @@ public X509Certificate2 GetInstanceCertificate(string securityPolicyUri)
         }
 
         /// <summary>
-        /// Loads the cached certificate chain blob of a certificate for use in a secure channel as raw byte array.
+        /// Loads the cached certificate chain blob of a certificate for use in a secure channel as raw byte array from cache.
         /// </summary>
         /// <param name="certificate">The application certificate.</param>
         public byte[] LoadCertificateChainRaw(X509Certificate2 certificate)
@@ -199,6 +199,7 @@ public X509Certificate2Collection LoadCertificateChain(X509Certificate2 certific
         public void Update(SecurityConfiguration securityConfiguration)
         {
             m_securityConfiguration = securityConfiguration;
+            //ToDo intialize internal CertificateValidator after Certificate Update to clear cache of old application certificates
         }
 
         CertificateValidator m_certificateValidator;

Stack/Opc.Ua.Core/Stack/Server/ServerBase.cs

@@ -604,20 +604,18 @@ public static bool RequireEncryption(EndpointDescription description)
         /// Sets the Server Certificate in an Endpoint description if the description requires encryption.
         /// </summary>
         /// <param name="description">the endpoint Description to set the server certificate</param>
-        /// <param name="sendCertificateChain">true if the certificate chain shall be sent</param>
         /// <param name="certificateTypesProvider">The provider to get the server certificate per certificate type.</param>
         /// <param name="checkRequireEncryption">only set certificate if the endpoint does require Encryption</param>
         public static void SetServerCertificateInEndpointDescription(
             EndpointDescription description,
-            bool sendCertificateChain,
             CertificateTypesProvider certificateTypesProvider,
             bool checkRequireEncryption = true)
         {
             if (!checkRequireEncryption || RequireEncryption(description))
             {
                 X509Certificate2 serverCertificate = certificateTypesProvider.GetInstanceCertificate(description.SecurityPolicyUri);
                 // check if complete chain should be sent.
-                if (sendCertificateChain)
+                if (certificateTypesProvider.SendCertificateChain)
                 {
                     description.ServerCertificate = certificateTypesProvider.LoadCertificateChainRaw(serverCertificate);
                 }
@@ -797,6 +795,22 @@ protected virtual EndpointBase GetEndpointInstance(ServerBase server)
         protected virtual void OnCertificateUpdate(object sender, CertificateUpdateEventArgs e)
         {
             InstanceCertificateTypesProvider.Update(e.SecurityConfiguration);
+
+            foreach (var certificateIdentifier in Configuration.SecurityConfiguration.ApplicationCertificates)
+            {
+                // preload chain
+                X509Certificate2 certificate = certificateIdentifier.Find(false).GetAwaiter().GetResult();
+                InstanceCertificateTypesProvider.LoadCertificateChainAsync(certificate).GetAwaiter().GetResult();
+            }
+
+            //update certificate in the endpoint descriptions
+            foreach (EndpointDescription endpointDescription in m_endpoints)
+            {
+                SetServerCertificateInEndpointDescription(
+                    endpointDescription,
+                    InstanceCertificateTypesProvider);
+            }
+
             foreach (var listener in TransportListeners)
             {
                 listener.CertificateUpdate(e.CertificateValidator, InstanceCertificateTypesProvider);
@@ -1476,7 +1490,7 @@ protected virtual void ProcessRequest(IEndpointIncomingRequest request, object c
         {
             request.CallSynchronously();
         }
-#endregion
+        #endregion
 
         #region RequestQueue Class
         /// <summary>
@@ -1706,7 +1720,7 @@ private void OnProcessRequestQueue(object state)
                 }
             }
 #endif
-#endregion
+            #endregion
 
             #region Private Fields
             private ServerBase m_server;
@@ -1720,7 +1734,7 @@ private void OnProcessRequestQueue(object state)
             private Queue<IEndpointIncomingRequest> m_queue;
             private int m_totalThreadCount;
 #endif
-#endregion
+            #endregion
 
         }
         #endregion

Stack/Opc.Ua.Core/Stack/Tcp/TcpServiceHost.cs

@@ -98,7 +98,6 @@ public List<EndpointDescription> CreateServiceHost(
 
                         ServerBase.SetServerCertificateInEndpointDescription(
                             description,
-                            sendCertificateChain,
                             instanceCertificateTypesProvider);
 
                         listenerEndpoints.Add(description);