
OPC Publisher: Failed to decode the CRL


While connecting the OPC Publisher in a project I need to add the whole Client Certificate chain including the CRLs for the Client Certificate of the OPC Server. Reading the CRL of the Root-CA is not possible and I get the following error message:

[ERR] Error while trying to read information from trusted issuer store.
System.Security.Cryptography.CryptographicException: Failed to decode the CRL.
---> System.Formats.Asn1.AsnContentException: The provided data is tagged with 'Universal' class value '24', but it should have been 'ContextSpecific' class value '0'.
   at System.Formats.Asn1.AsnDecoder.CheckExpectedTag(Asn1Tag tag, Asn1Tag expectedTag, UniversalTagNumber tagNumber)
   at System.Formats.Asn1.AsnDecoder.ReadSequence(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32& contentOffset, Int32& contentLength, Int32& bytesConsumed, Nullable`1 expectedTag)
   at System.Formats.Asn1.AsnReader.ReadSequence(Nullable`1 expectedTag)
   at Opc.Ua.Security.Certificates.X509CRL.DecodeCrl(Byte[] tbs)
   --- End of inner exception stack trace ---
   at Opc.Ua.Security.Certificates.X509CRL.DecodeCrl(Byte[] tbs)
   at Opc.Ua.Security.Certificates.X509CRL.Decode(Byte[] crl)
   at Microsoft.Azure.IIoT.OpcUa.Protocol.OpcConfigEx.ShowCertificateStoreInformationAsync(ApplicationConfiguration appConfig, ILogger logger)

The CRL is in DER format with a .crl ending. I’m also using the --aa flag in the OPC Publisher Create Container Options, but it seems to be ignored.

The certificates are required as soon as I enable UsernamePassword Authentication (UseSecurity-Flag is set to false).

Expected behavior

The CRL should be loaded without any error message and the connection between the Publisher and the OPC Server should be successful.

Container Create Options

{
  "Hostname": "OPCPublisher",
  "Cmd": [
    "--pf=/appdata/telemetrynodes.json",
    "--lf=/appdata/logs/telemetry.log",
    "--PkiRootPath=/appdata/pki",
    "--aa",
    "--tm",
    "--di=60",
    "--MessagingMode=PubSub",
    "--BatchSize=1",
    "--loglevel=verbose"
  ],
  "HostConfig": {
    "Binds": ["/iiotedge:/appdata"]
  }
}

Desktop

  • OS: Red Hat Enterprise Linux
  • Publisher-Version: latest

Issue Analytics

  • State: closed
  • Created 8 months ago
  • Comments: 9 (5 by maintainers)

Top GitHub Comments

1 reaction
CONeal commented, Jan 18, 2023

Hi @mregen,

no, the CRL is in DER-Format.

Edit: Removed CRL File due to customers’ request

0 reactions
marcschier commented, May 19, 2023

Preview 2 is now out with latest OPC UA stack.
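
For reading the exception in the report: Universal tag 24 is ASN.1 GeneralizedTime, and ContextSpecific tag 0 is the tag of the optional crlExtensions field in a CRL's TBSCertList (RFC 5280). The following is an added example, not code from the issue thread or the OPC UA stack, that lists the tag of each top-level TBSCertList field of a DER CRL so a file can be compared against that message; `read_tlv`, `tbs_fields` and `SAMPLE_CRL` are names made up here, and the sample CRL is constructed and unsigned.

```python
# Added diagnostic sketch; not part of OPC Publisher or the OPC UA .NET stack.
CLASSES = ("Universal", "Application", "ContextSpecific", "Private")
UNIVERSAL = {2: "INTEGER", 3: "BIT STRING", 6: "OBJECT IDENTIFIER",
             16: "SEQUENCE", 23: "UTCTime", 24: "GeneralizedTime"}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (class, number, start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    cls, num = CLASSES[buf[pos] >> 6], buf[pos] & 0x1F
    if num == 0x1F:
        raise ValueError("multi-byte tag numbers do not occur in a CRL")
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("length runs past end of data")
    return cls, num, start, start + length

def tbs_fields(crl):
    """List the tag of every top-level TBSCertList field of a DER CRL."""
    if crl.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("input is PEM text, not DER")
    outer = read_tlv(crl, 0)           # CertificateList ::= SEQUENCE
    tbs = read_tlv(crl, outer[2])      # tbsCertList     ::= SEQUENCE
    if outer[:2] != ("Universal", 16) or tbs[:2] != ("Universal", 16):
        raise ValueError("not a CertificateList")
    fields, pos = [], tbs[2]
    while pos < tbs[3]:
        cls, num, _, pos = read_tlv(crl, pos)
        name = UNIVERSAL.get(num) if cls == "Universal" else None
        fields.append(f"{cls} {num}" + (f" ({name})" if name else ""))
    return fields

def _der(tag, body=b""):  # builds the constructed sample only (lengths < 128)
    return bytes([tag, len(body)]) + body

_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
SAMPLE_CRL = _der(0x30, _der(0x30,    # constructed, structure only, unsigned
    _der(0x02, b"\x01") + _ALG + _der(0x30)   # version, signature, issuer
    + _der(0x17, b"230101000000Z")            # thisUpdate as UTCTime
    + _der(0x18, b"20500101000000Z")          # nextUpdate as GeneralizedTime
    + _der(0xA0, _der(0x30))                  # crlExtensions [0]
) + _ALG + _der(0x03, b"\x00\x00"))
```

To inspect a real file, call `tbs_fields(open(path, "rb").read())` and look at where `Universal 24 (GeneralizedTime)` and `ContextSpecific 0` appear in the list.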
