Reputation: 835
We've got an older VB .NET (Visual Studio 2013 Community Edition) piece of code that currently communicates with a PLC over UDP for some very rudimentary data transfer.
We are needing tighter coupling between the PLC and the PC now (the PC must be able to set a bunch of parameters, and a LabVIEW program may want to access the PLC directly), so our PLC vendor (B&R) said OPC UA was the way to go.
This seems similar to the question posed here:
OPC-UA client SDK for C#.NET application development
In an introductory seminar to OPC UA, we got compiled versions of the OPC UA client, and if I fire up a PLC simulator, the client can connect to the PLC simulator. Of course, it asks for a name and a password, but when I try to connect, I get a pop-up window for the UA Sample Client that says "Certificate could not be validated: BadCertificateUntrusted".
OK, I don't have a certificate. You click through, and the client continues onwards, and shows a tree of all the elements that have been exposed to OPC UA by the PLC code. All is well.
Now, if I download the full code from the opcfoundation.org site, I can compile the code, but, when going through this same test sequence, after acknowledging that I don't have a valid certificate, another window pops up that says:
EXCEPTION (ServiceResultException) BadCertificateHostNameInvalid SERVICE RESULT (BadCertificateHostNameInvalid)
These are both OPC UA 1.02, BTW.
Does something have to be configured elsewhere? I noticed there are a few XML files (Opc.Ua.SampleClient.Config.xml and Opc.Ua.SampleClient.Endpoints.xml), and I'm wondering if they have to be modified to get rid of this stoppage.
I do recall reading that something won't be OPC UA compliant if you automatically allow this to be OK (of course), so you can't just make this automagically happen, but that's OK with me.
The drawbacks to using the OPC UA code are that it is a bit deep (as noted by user Brino in the original StackOverflow post), and that it requires your own code to be released under GPL, so Unified-Automation looks pretty enticing, since we may not want to release our source code.
Any thoughts on this particular problem?
Upvotes: 3
Views: 5838
Reputation: 7005
The warnings and exceptions you're seeing are not likely to do with your certificate, but with the certificate the server is returning.
The BadCertificateHostNameInvalid StatusCode means that either the server's hostname is not present as a SubjectAltName at all in the certificate, or that it doesn't match the hostname you actually used to connect to the server.
If possible, select SecurityPolicy "None" and see if things work the way you expect. Afterwards you can focus on getting the certificate situation sorted out. You may need to set an appropriate hostname in the server and then have it regenerate a certificate that uses the new hostname. You may also need to make sure your client machine can resolve whatever hostname the server is configured to use so that you can connect using that.
The drawbacks to using the OPC UA code are that it is a bit deep (as noted by user Brino in the original StackOverflow post), and that it requires your own code to be released under GPL, so Unified-Automation looks pretty enticing, since we may not want to release our source code.
This is only true if you're not a member of the OPC Foundation. If you're a member, you're free to use the code without distribution of your source. See the header files for more info, and consult the actual text of the "RCL" license from the foundation.
Upvotes: 4
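The two causes of BadCertificateHostNameInvalid named in the answer above (no hostname in the SubjectAltName, or a mismatch with the host used to connect) can be told apart with a small check like the following. This is an added example, not part of the original posts and not code from the OPC Foundation stack. It assumes you have already read the dNSName and iPAddress entries out of the server certificate; the function names, the exact-match rule (no wildcards), the IP address comparison and the sample hosts are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def endpoint_host(endpoint_url):
    """Return the host part of an opc.tcp:// endpoint URL, lowercased."""
    host = urlsplit(endpoint_url).hostname
    if not host:
        raise ValueError("no host in endpoint URL: %r" % endpoint_url)
    return host.rstrip(".")


def check_hostname(endpoint_url, san_dns, san_ips):
    """Compare the host used to connect with the certificate's SAN entries.

    san_dns / san_ips: dNSName and iPAddress values copied from the server
    certificate (for example from a certificate viewer).
    Returns (ok, reason).
    """
    host = endpoint_host(endpoint_url)
    if not san_dns and not san_ips:
        return False, "certificate has no hostname or IP in SubjectAltName"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a DNS name
    if addr is not None:
        # Compare as addresses so different spellings of one IP still match.
        ok = any(addr == ipaddress.ip_address(ip) for ip in san_ips)
    else:
        # Assumption: exact, case-insensitive match; no wildcard handling.
        ok = any(host == name.lower().rstrip(".") for name in san_dns)
    if ok:
        return True, "%r matches a SubjectAltName entry" % host
    listed = sorted(list(san_dns) + list(san_ips))
    return False, "%r is not among SubjectAltName entries %s" % (host, listed)


if __name__ == "__main__":
    # Constructed sample: a simulator certificate that lists only a DNS name.
    san_dns, san_ips = ["PLC-Sim"], []
    for url in ("opc.tcp://plc-sim:4840",        # name from the certificate
                "opc.tcp://192.168.0.10:4840",   # same machine, by IP
                "opc.tcp://localhost:4840"):     # same machine, other name
        print(url, "->", check_hostname(url, san_dns, san_ips))
```

A failing result for the URL you actually typed into the client points to the fix the answer describes: connect using a name the certificate lists, or regenerate the server certificate with the right hostname.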