If strict revocation check is used, GDS Push cert update fails the UpdateCertificate --> ApplyChanges because there is no way to transmit a CRL with the updated certificate. Only the Root CA cert is transmitted.
Server needs to be manually restarted or crashes.
System.AggregateException
HResult=0x80131500
Message=One or more errors occurred. (BadCertificateRevocationUnknown)
Source=System.Private.CoreLib
StackTrace:
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Opc.Ua.Bindings.TcpTransportListener.CertificateUpdate(ICertificateValidator validator, CertificateTypesProvider certificateTypesProvider) in D:\Source\Repos\UA-.NETStandard5\Stack\Opc.Ua.Core\Stack\Tcp\TcpTransportListener.cs:line 447
This exception was originally thrown at this call stack:
Opc.Ua.CertificateValidator.GetIssuer(System.Security.Cryptography.X509Certificates.X509Certificate2, Opc.Ua.CertificateIdentifierCollection, Opc.Ua.CertificateStoreIdentifier, bool) in CertificateValidator.cs
Opc.Ua.CertificateValidator.GetIssuersNoExceptionsOnGetIssuer(System.Security.Cryptography.X509Certificates.X509Certificate2Collection, System.Collections.Generic.List<Opc.Ua.CertificateIdentifier>, System.Collections.Generic.Dictionary<System.Security.Cryptography.X509Certificates.X509Certificate2, Opc.Ua.ServiceResultException>) in CertificateValidator.cs
Opc.Ua.CertificateTypesProvider.LoadCertificateChainAsync(System.Security.Cryptography.X509Certificates.X509Certificate2) in CertificateIdentifier.cs
Opc.Ua.CertificateTypesProvider.LoadCertificateChainRawAsync(System.Security.Cryptography.X509Certificates.X509Certificate2) in CertificateIdentifier.cs
Inner Exception 1:
ServiceResultException: BadCertificateRevocationUnknown
Expected Behavior
The revocation check should be relaxed for the cert update check, to allow the server to continue to run.
Later, with GDS server push, the trust lists can be updated.
Steps To Reproduce
Start GDS Server.
Start Winforms GDS Client.
Connect to UA ref server, register and update certificate using the known workflow.
--> see exception thrown.
@mregen we could create our own certificate validator for the Apply changes, same as with the UpdateCertificate Method (with setting m_rejectUnknownRevocationStatus = false):
@romanett, now I remember the discussion. I think first of all the Winforms GDS client needs to be fixed to update the Trustlist first. Then we need to check if it is ok to use an alternate validator with revocation check disabled.
Anything else?
The recommendation is to update the trust lists before updating the application certificate.
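
The ordering problem reported in this issue, as an added Python model; it is not code from the UA-.NETStandard project. Only the status code names are OPC UA's; the class, function and scenario names and the sample subject and serial are hypothetical, and the model checks a single issuer level.

```python
from dataclasses import dataclass, field

# Status strings are OPC UA status codes; all other names are hypothetical.
GOOD = "Good"
CHAIN_INCOMPLETE = "BadCertificateChainIncomplete"
REVOCATION_UNKNOWN = "BadCertificateRevocationUnknown"
REVOKED = "BadCertificateRevoked"


@dataclass
class IssuerStore:
    """Toy issuer store: known CA subjects and, per CA, the serials its CRL revokes."""
    cas: set = field(default_factory=set)
    crls: dict = field(default_factory=dict)

    def push(self, ca, revoked_serials=None):
        # Model a trust list write; revoked_serials=None means no CRL was sent.
        self.cas.add(ca)
        if revoked_serials is not None:
            self.crls[ca] = set(revoked_serials)


def validate(cert, store, reject_unknown_revocation):
    """Status of a one-level chain check for cert = (issuer subject, serial)."""
    issuer, serial = cert
    if issuer not in store.cas:
        return CHAIN_INCOMPLETE
    crl = store.crls.get(issuer)
    if crl is None:  # issuer is known but there is no CRL to consult
        return REVOCATION_UNKNOWN if reject_unknown_revocation else GOOD
    return REVOKED if serial in crl else GOOD


def run_scenarios():
    ca = "CN=Constructed GDS CA"  # constructed sample values
    cert = (ca, 0x1001)
    out = {}
    # Order from the report: the new certificate arrives with only its CA cert.
    store = IssuerStore()
    store.push(ca)
    out["cert_first_strict"] = validate(cert, store, True)
    # Relaxed validator from the thread: accepted, revocation left unchecked.
    out["cert_first_relaxed"] = validate(cert, store, False)
    # Recommended order: trust list with CA and CRL first, then the certificate.
    store.push(ca, revoked_serials=[])
    out["trustlist_first_strict"] = validate(cert, store, True)
    # With a CRL present, strict checking also catches a revoked serial.
    store.push(ca, revoked_serials=[0x1001])
    out["revoked_strict"] = validate(cert, store, True)
    return out
```

Calling `run_scenarios()` returns one status per scenario, so the strict failure, the relaxed acceptance and the trust-list-first success can be compared side by side.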