Is there a way to auto trust server certificate? Go-client failing to trust CA signed server certificates #736

Dipp3r · 2024-06-19T16:29:25Z

Dipp3r
Jun 19, 2024

I have a .net standard sample UA server from opcua foundation running, to which I'm trying to connect from the Go client with the following security options:

opts := [ ]opcua.Option{
		opcua.SecurityPolicy("Basic256Sha256"),
		opcua.SecurityModeString("SignAndEncrypt"),
		opcua.AuthUsername("user", "password"),
		opcua.CertificateFile(<self-signed-certificate-file-path>),
		opcua.PrivateKeyFile(<private-key-path>),
		opcua.SecurityFromEndpoint(ep, ua.UserTokenTypeUserName),
		opcua.SessionTimeout(30 * time.Minute),
		opcua.AutoReconnect(true),
		opcua.RemoteCertificateFile("./certs/server.der"),
		opcua.ReconnectInterval(time.Second * 10),
		opcua.Lifetime(30 * time.Minute),
		opcua.RequestTimeout(3 * time.Second),
	}

This works fine with the sample server as long as i have the self signed certificate of the server copied and renamed to "server.der" in the "certs" directory for opcua.RemoteCertificateFile("./certs/server.der") to be able to load it. But when applying the same security option to connect to an actual server that has a CA signed certificate, the go client is failing to trust the server certificate which results in a "BadSecurityChecksFailed" error on the server logs

06/17/2024 12:58:46.364 TCPSERVERCHANNEL ForceChannelFault Socket=00FF2753, ChannelId=0, TokenId=0, Reason=BadSecurityChecksFailed 'Could not verify security on OpenSecureChannel request.'
06/17/2024 12:58:46.365 ChannelId 240: in Faulted state.
06/17/2024 12:58:46.365 TCPSERVERCHANNEL ForceChannelFault Socket=00FF2753, ChannelId=0, TokenId=0, Reason=BadConnectionClosed 'Remote side closed connection'

I have tried trusting the root(issuer's) certificate of the server, still no luck. Same error!

So I was wondering if there is a way I could configure the client to automatically trust the server side certificate without having to pass the file or the file-path, something like opcua.TrustServerCertificate(true) ?

jackchenjc · 2024-08-22T18:06:35Z

jackchenjc
Aug 22, 2024

I'm wondering whether it works or not if you remove

opcua.RemoteCertificateFile("./certs/server.der")

and let

opcua.SecurityFromEndpoint(ep, ua.UserTokenTypeUserName)

set the server cert got from ep behind the scenes.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is there a way to auto trust server certificate? Go-client failing to trust CA signed server certificates #736

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Is there a way to auto trust server certificate? Go-client failing to trust CA signed server certificates #736

Uh oh!

Dipp3r Jun 19, 2024

Replies: 1 comment

Uh oh!

jackchenjc Aug 22, 2024

Dipp3r
Jun 19, 2024

jackchenjc
Aug 22, 2024