Bug: Client fails to trust CA signed server certificates
Dipp3r opened this issue · 0 comments
I have a .NET Standard sample UA server from opcua foundation running, to which I'm trying to connect from the Go client with the following security options:
    opts := []opcua.Option{
        opcua.SecurityPolicy("Basic256Sha256"),
        opcua.SecurityModeString("SignAndEncrypt"),
        opcua.AuthUsername("user", "password"),
        opcua.CertificateFile(<self-signed-certificate-file-path>),
        opcua.PrivateKeyFile(<private-key-path>),
        opcua.SecurityFromEndpoint(ep, ua.UserTokenTypeUserName),
        opcua.SessionTimeout(30 * time.Minute),
        opcua.AutoReconnect(true),
        opcua.RemoteCertificateFile("./certs/server.der"),
        opcua.ReconnectInterval(time.Second * 10),
        opcua.Lifetime(30 * time.Minute),
        opcua.RequestTimeout(3 * time.Second),
    }
This works fine with the sample server as long as I have the self-signed certificate of the server copied and renamed to "server.der" in the "certs" directory for opcua.RemoteCertificateFile("./certs/server.der") to be able to load it. But when applying the same security options to connect to an actual server that has a CA-signed certificate, the Go client is failing to trust the server certificate, which results in a "BadSecurityChecksFailed" error in the server logs:
06/17/2024 12:58:46.364 TCPSERVERCHANNEL ForceChannelFault Socket=00FF2753, ChannelId=0, TokenId=0, Reason=BadSecurityChecksFailed 'Could not verify security on OpenSecureChannel request.'
06/17/2024 12:58:46.365 ChannelId 240: in Faulted state.
06/17/2024 12:58:46.365 TCPSERVERCHANNEL ForceChannelFault Socket=00FF2753, ChannelId=0, TokenId=0, Reason=BadConnectionClosed 'Remote side closed connection'
I have tried trusting the root (issuer's) certificate of the server, still no luck. Same error!
So I was wondering if there is a way I could configure the client to automatically trust the server-side certificate without having to pass the file or the file path, something like opcua.TrustServerCertificate(true)?
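
As an added example (not part of the original issue and not gopcua code): instead of trusting whatever certificate a server presents, a client can check the server's DER certificate, such as the file given to opcua.RemoteCertificateFile, against the issuing CA with Go's crypto/x509 before using it. The helper names verifyServerCert, makeCert and demo are hypothetical, the certificates are constructed in-process, and only X.509 chain validation is shown, not OPC UA-specific checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyServerCert (hypothetical helper): accept a DER certificate only if it chains to roots.
func verifyServerCert(serverDER []byte, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return fmt.Errorf("parse server certificate: %w", err)
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// makeCert builds a constructed sample certificate; a nil parent self-signs.
func makeCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func demo() (caSigned, selfSigned error) {
	ca, caKey := makeCert("Constructed Root CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, nil, nil)
	srv, _ := makeCert("constructed-ua-server", x509.KeyUsageDigitalSignature, ca, caKey)
	other, _ := makeCert("constructed-self-signed", x509.KeyUsageDigitalSignature, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust only the issuing CA, not individual server certificates
	return verifyServerCert(srv.Raw, roots), verifyServerCert(other.Raw, roots)
}

func main() {
	fmt.Println(demo())
}
```

The CA-signed certificate verifies with a nil error, while the unrelated self-signed one is rejected as signed by an unknown authority.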