OPCUA Certificate Error

OK, so I am trying to connect to the OPC UA server using UA Expert. I have the server in certificate mode on the Ewon. I am ultimately able to connect to the server, but only if I ignore the below message:


This shows in the UA Expert logs as "The hostname or IP address in the server certificate does not match the hostname or IP address the client connected to." Since I can actually connect to the server despite the message, I assume it is the certificate that might have the wrong definition? My UA Expert server connection settings are below:

Am I doing something wrong on either the client or server sides? Is there a way I can avoid this, or suppress it?

This is because either the hostname or IP don’t match what is in the certificate. You should be able to suppress the error, but you would need to look it up in the UA Expert documentation as I’m not sure how to do it. Try looking in the Certificate Manager.

You could also check the certificate to see what the mismatch is and change the IP address or use the correct hostname as the Endpoint Url.

The IP field in the certificate properties is 10.0.0.253. The actual IP address is the one shown in my above screenshot. The UA Expert client actually connects and I can read data. So the certificate is just not right somehow. Is there a way I can force the UA server to reconstruct/modify it to the right IP?

I believe you would need to create a new certificate. Here are some instructions from the developer forum:

  • Enable OPCUA Server in Ewon Flexy (System > Main > OPCUA)

  • Declare your OPCUA connection in Ignition, with encryption. (OPC Client > OPC Connections --> Choose Sign & Encrypt, BASIC256SHA256)

  • Refresh the OPCUA Settings of Flexy and trust the Ignition certificate (Right-click and click “trust” and update)

  • Then download the Flexy OPCUA certificate on your PC

I’m not sure we are both on the same page regarding this problem… I am not using Ignition, but rather a Unified Automation .NET library, and was looking more for insight into how the UA server on the Ewon builds that certificate. The certificate has an IP Address property that is not associated with the IP address the device is running with. Is there a way, on the Ewon side, that I can correct this?

For me, the problem manifests itself from UAExpert in that the discrepancy must be ignored for the connection to take place. I would like to understand more about this behavior before trying to handle it from code.

If you delete the certificate and reboot the Ewon, it will create a new certificate with the new IP address. The certificate must have been created before the IP address was changed.

Thanks! You guys never let me down!

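The mismatch discussed in this thread, as an added example that is not part of the original posts and is not UA Expert's or the Ewon's code: it creates a constructed self-signed certificate with 10.0.0.253 in its subjectAltName, then checks an endpoint URL against it with the Go standard library's `VerifyHostname`. The address 192.0.2.10 (standing in for the device's current IP), port 4840, and the function names `makeCert` and `checkEndpoint` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// makeCert (hypothetical helper) builds a constructed certificate; its SAN IP is fixed at creation.
func makeCert(sanIP string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-opcua-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(sanIP)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkEndpoint returns nil when the endpoint URL's host matches a SAN entry of cert.
func checkEndpoint(cert *x509.Certificate, endpoint string) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(u.Hostname())
}

func main() {
	cert, err := makeCert("10.0.0.253") // IP stored in the certificate, per the thread
	if err != nil {
		panic(err)
	}
	fmt.Println(checkEndpoint(cert, "opc.tcp://192.0.2.10:4840")) // constructed current address
}
```

The certificate only passes again once it is reissued with the address the client actually connects to, which is what deleting it and rebooting the Ewon achieves.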