OPC Publisher: Failed to decode the CRL
While connecting the OPC Publisher in a project, I need to add the whole client certificate chain, including the CRLs, for the client certificate of the OPC server. Reading the CRL of the Root-CA is not possible and I get the following error message:
[ERR] Error while trying to read information from trusted issuer store.
System.Security.Cryptography.CryptographicException: Failed to decode the CRL.
 ---> System.Formats.Asn1.AsnContentException: The provided data is tagged with 'Universal' class value '24', but it should have been 'ContextSpecific' class value '0'.
   at System.Formats.Asn1.AsnDecoder.CheckExpectedTag(Asn1Tag tag, Asn1Tag expectedTag, UniversalTagNumber tagNumber)
   at System.Formats.Asn1.AsnDecoder.ReadSequence(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32& contentOffset, Int32& contentLength, Int32& bytesConsumed, Nullable`1 expectedTag)
   at System.Formats.Asn1.AsnReader.ReadSequence(Nullable`1 expectedTag)
   at Opc.Ua.Security.Certificates.X509CRL.DecodeCrl(Byte[] tbs)
   --- End of inner exception stack trace ---
   at Opc.Ua.Security.Certificates.X509CRL.DecodeCrl(Byte[] tbs)
   at Opc.Ua.Security.Certificates.X509CRL.Decode(Byte[] crl)
   at Microsoft.Azure.IIoT.OpcUa.Protocol.OpcConfigEx.ShowCertificateStoreInformationAsync(ApplicationConfiguration appConfig, ILogger logger)
The CRL is in DER format with a .crl ending. I'm also using the --aa flag in the OPC Publisher container create options, but it seems to be ignored.
The certificates are required as soon as I enable UsernamePassword authentication (UseSecurity flag is set to false).
Expected behavior
The CRL should be loaded without any error message and the connection between the Publisher and the OPC Server should be successful.
Container Create Options
{
  "Hostname": "OPCPublisher",
  "Cmd": [
    "--pf=/appdata/telemetrynodes.json",
    "--lf=/appdata/logs/telemetry.log",
    "--PkiRootPath=/appdata/pki",
    "--aa",
    "--tm",
    "--di=60",
    "--MessagingMode=PubSub",
    "--BatchSize=1",
    "--loglevel=verbose"
  ],
  "HostConfig": {
    "Binds": ["/iiotedge:/appdata"]
  }
}
Desktop
- OS: Red Hat Enterprise Linux
- Publisher-Version: latest
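
As an added diagnostic example (not part of the original issue and not OPC UA stack code), this walks the top-level fields of a DER CRL's TBSCertList as laid out in RFC 5280 and shows where a Universal 24 (GeneralizedTime) field sits relative to the ContextSpecific [0] crlExtensions wrapper named in the exception. The sample bytes and the helper names `read_tlv`, `tbs_fields` and `der` are constructed for illustration; the page does not say which field of the reporter's CRL triggered the error.

```python
# Added diagnostic sketch; not OPC Publisher or OPC UA stack code.
UNIVERSAL = {2: "INTEGER", 3: "BIT STRING", 16: "SEQUENCE",
             23: "UTCTime", 24: "GeneralizedTime"}
CLASSES = ("Universal", "Application", "ContextSpecific", "Private")

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (class, tag_number, start, end) of its content."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    cls, num = buf[pos] >> 6, buf[pos] & 0x1F
    if num == 0x1F:
        raise ValueError("high tag numbers are not used in a CRL")
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("content runs past end of data")
    return cls, num, start, start + length

def tbs_fields(crl_der):
    """Return [(label, text)] for each top-level field of the CRL's TBSCertList."""
    cls, num, start, _ = read_tlv(crl_der, 0)        # CertificateList
    if (cls, num) != (0, 16):
        raise ValueError("not a DER SEQUENCE (PEM or other encoding?)")
    cls, num, pos, end = read_tlv(crl_der, start)    # TBSCertList
    if (cls, num) != (0, 16):
        raise ValueError("TBSCertList is not a SEQUENCE")
    fields = []
    while pos < end:
        cls, num, s, e = read_tlv(crl_der, pos)
        label = UNIVERSAL.get(num, f"Universal {num}") if cls == 0 else f"{CLASSES[cls]} [{num}]"
        is_time = (cls, num) in ((0, 23), (0, 24))
        fields.append((label, crl_der[s:e].decode("ascii", "replace") if is_time else ""))
        pos = e
    return fields

def der(tag, content=b""):
    """Encode one TLV with a short-form length (enough for the constructed sample)."""
    return bytes([tag, len(content)]) + content

# Constructed, unsigned sample: version, empty algorithm and issuer placeholders,
# thisUpdate as UTCTime, nextUpdate as GeneralizedTime, then crlExtensions [0].
SAMPLE_TBS = der(0x30, der(0x02, b"\x01") + der(0x30) + der(0x30)
                 + der(0x17, b"230101000000Z") + der(0x18, b"20530101000000Z")
                 + der(0xA0, der(0x30)))
SAMPLE_CRL = der(0x30, SAMPLE_TBS + der(0x30) + der(0x03, b"\x00"))
```

Running `tbs_fields` on the bytes of a real `.crl` file lists which time fields are GeneralizedTime and whether a `ContextSpecific [0]` field follows them.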
Issue Analytics
- State:
- Created 8 months ago
- Comments:9 (5 by maintainers)
Top GitHub Comments
Hi @mregen,
no, the CRL is in DER-Format.
Edit: Removed CRL File due to customers’ request
Preview 2 is now out with latest OPC UA stack.