OPC Publisher: Failed to decode the CRL #1937
Comments
cc: @vslepakov
Can you please check if this issue is similar to: #1771? If so, updating to 2.8.4 and setting
I checked it and it seems to be another issue. The error message in my case doesn't appear in the other one.
Hi @CONeal, please check if you use a CRL which is encoded as PEM: if not, please provide the CRL for investigation to repro the issue.
Hi @mregen, no, the CRL is in DER-Format. Edit: Removed CRL File due to customers' request
Hi @CONeal, this is a known issue with update times >year 2050 which was addressed here:
@mregen Thanks for the check and the workaround. @cristipogacean I also got back to your idea. It's a workaround if it's not possible to change the NextUpdate field. When working with the RejectUnknownRevocationStatus it's required to remove the existing CRL file(s) which can't be loaded, because the Publisher always loads the files at startup. First, I assumed that the Flags will be handled first and afterwards the required PKI data get loaded.
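A pre-deployment check for the two questions raised in the comments above (is the CRL PEM or DER, and does its NextUpdate fall in 2050 or later), written as an added example that is not code from this thread or from the OPC UA stack. RFC 5280 requires CRL dates in 2050 or later to be encoded as GeneralizedTime instead of UTCTime, so the script reports which encoding NextUpdate uses; `inspect_crl` and `sample_crl` are hypothetical names, the sample CRL is constructed and unsigned, and no signature verification is done.

```python
import base64
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18   # ASN.1 tags of the two Time encodings

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == UTC_TIME:                    # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_crl(data):
    """Report file encoding and the ASN.1 time type used for nextUpdate."""
    encoding = "PEM" if b"-----BEGIN X509 CRL-----" in data else "DER"
    if encoding == "PEM":
        b64 = data.split(b"-----BEGIN X509 CRL-----")[1].split(b"-----END X509 CRL-----")[0]
        data = base64.b64decode(b64)
    _, pos, _ = read_tlv(data, 0)          # CertificateList
    _, pos, end = read_tlv(data, pos)      # TBSCertList
    for _ in range(3 if data[pos] == 0x02 else 2):  # skip [version], signature, issuer
        _, _, pos = read_tlv(data, pos)
    times = []                             # thisUpdate, then the optional nextUpdate
    while pos < end and len(times) < 2 and data[pos] in (UTC_TIME, GENERALIZED_TIME):
        tag, start, pos = read_tlv(data, pos)
        times.append((tag, parse_time(tag, data[start:pos])))
    if not times:
        raise ValueError("thisUpdate not found: not a CRL")
    tag, nxt = times[1] if len(times) == 2 else (None, None)
    return {"encoding": encoding, "next_update": nxt, "after_2049": bool(nxt and nxt.year >= 2050),
            "next_update_type": {UTC_TIME: "UTCTime", GENERALIZED_TIME: "GeneralizedTime"}.get(tag)}

def sample_crl(next_update=b"20510101000000Z", tag=GENERALIZED_TIME):
    """Constructed, unsigned CRL skeleton (dummy signature), for this demo only."""
    tlv = lambda t, body: bytes([t, len(body)]) + body   # short-form lengths only
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"Test"))))
    tbs = tlv(0x02, b"\x01") + alg + issuer + tlv(UTC_TIME, b"230101000000Z") + tlv(tag, next_update)
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00\x00"))
```

Run `inspect_crl(open(path, "rb").read())` over each file in the CRL store before deployment; a result with `after_2049` set identifies a CRL in the range the maintainers describe as affected.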
# Changes introduced:

- New Namespaces for all projects and simplified code structure. There are now 2 SDK projects, one for the OPC Publisher module, and another for the optional cloud WebAPI companion service.
- Ability to run platform (modules, services) "standalone" on the edge #464
- [OPC Discovery] has been included into the OPC Publisher module, the container name must be updated to refer to OPC Publisher.
- [OPC Discovery] A new synchronous FindServer API has been added to allow discovery by discovery url through a single API call.
- [OPC Twin] has been included into the OPC Publisher module, the container name must be updated to refer to OPC Publisher.
- [OPC Twin] we removed the Activate and Deactivate calls.
- [OPC Twin] OPC TWIN Method call #996
- Support for opc-twin module api direct method calls with input arguments (not requiring OPC Twin micro services) #1512
- Support for a new TestConnection API to test a connection to a server and receiving detailed error information back.
- [OPC Publisher] (breaking change) The publisher id in each message is now always the same value across all writer groups rather than previously where a random guid was used per writer group when a publisher id was not configured.
- [OPC Publisher] Several bug fixes for preview 1 (#1964)
- [OPC Publisher] DatasetMessage SequenceNumber is now correctly incremented (preview) (#1961)
- [OPC Publisher] Enabling using DisplayNames defined for the event fields in pn.json as keys in the payload of dataset messages (#1963)
- [OPC Publisher] Request opc server's nodes information #1960
- [OPC Publisher] dotnet publish can be used to build a docker container for OPC Publisher #1949
- [OPC Publisher] Metrics output and log output showing number of sessions currently active (related to #1923)
- [OPC Publisher] Added new OPC UA stack which addresses #1937 and latest CVE's
- [All micro services] Have been combined into a single WebAPI with the same resource paths as the 2.8 AKS deployment and all-in-one service.
- [OPC Registry service] Supervisor, Discoverer entities have been removed, but the API has been layered on top of the publisher entity for backwards compatibility. Do not use these API's anymore.
- [OPC Registry service] A new RegisterEndpoint API has been added that calls the new sync FindServer API and adds the result into the registry in one call.
- [Telemetry processor] The telemetry and onboarding processors have been integrated into the WebAPI, but only forwards to SignalR. The secondary event hub has been removed. If you need to post process telemetry you must read telemetry data directly from IoT Hub.
- Document the diagnostics output and troubleshooting guide #1952

# Stats:

* Consolidated down to 1 edge module and 1 optional cloud companion web app.
* Maintained 99% of API and even added new capabilities/functionality such as Event and MQTT broker support.
* Reduced LOC for shipped binaries by 53% from 641844 in 2.8.6 to 297144 in 2.9.0 preview 2
* Increased Test coverage (blocks) by around 50% from 51.34% to 76.36%
Preview 2 is now out with latest OPC UA stack.
While connecting the OPC Publisher in a project I need to add the whole Client Certificate chain including the CRLs for the Client Certificate of the OPC Server.
Reading the CRL of the Root-CA is not possible and I get the following error message:
The CRL is in DER-Format with and .crl-Ending
I'm also using the --aa flag in the OPC Publisher Create Container Options, but it seems to be ignored.
The certificates are required as soon as I enable UsernamePassword Authentication (UseSecurity-Flag is set to false)
Expected behavior
The CRL should be loaded without any error message and the connection between the Publisher and the OPC Server should be successful.
Container Create Options
Desktop