01/27/2023
Hello,
first of all I am completely new to OPC UA and I apologize if I am not aware of some paradigms that lead to this problem.
My problem:
I have programmed an OPC UA server locally which works 100% as long as the client is running on the same machine.
Now I have moved the server to the machine on which it should run later and nothing works.
The whole thing was developed in C# and azsgerollt on Linux (Debian 9), the server runs there also if one connects locally a client, only in the network there are problems.
I have left localhost as endpoint, but I see that the URL is changed to opc.tcp://HOSTNAME:Port at startup, in the log I then find
27.01.2023 13:15:37.167 Channel 1: SendResponse 2
27.01.2023 13:15:37.180 TCPSERVERCHANNEL ProcessCloseSecureChannelRequest Socket=TCPSERVERCHANNEL, ChannelId=12036987, TokenId=1
27.01.2023 13:15:37.181 Channel 1 in Closed state.
27.01.2023 13:15:37.182 Channel 1 closed
27.01.2023 13:15:37.197 Channel 2 in Connecting state.
27.01.2023 13:15:37.197 TCPSERVERCHANNEL SOCKET ATTACHED: 02B3B1BE, ChannelId=2
27.01.2023 13:15:37.200 Channel 2 in Opening state.
27.01.2023 13:15:37.202 Security Policy: https://opcfoundation.org/UA/Se…..olicy#None
27.01.2023 13:15:37.202 Sender Certificate: (none)
27.01.2023 13:15:37.202 Token #0 created. CreatedAt = 12:15:37.202 . Lifetime = 3600000
27.01.2023 13:15:37.202 SECURE CHANNEL CREATED [.NetStandard ServerChannel UA-TCP 1.4.365.48] [ID=2] Connected To: opc.tcp://0.0.0.0:26543/BrabenderOPCUAServer
27.01.2023 13:15:37.202 Token #1 activated. CreatedAt = 12:15:37.202 . Lifetime = 300000
27.01.2023 13:15:37.202 Channel 2 in Open state.
27.01.2023 13:15:37.202 Channel 2: SendOpenSecureChannelResponse()
27.01.2023 13:15:37.206 Channel 2: ProcessRequestMessage 2
27.01.2023 13:15:37.225 SERVER – Unexpected Service Fault: Name or service not known
ExtendedSocketException ‘Name or service not known’========================================
Id: Bad
Description: [ExtendedSocketException] Name or service not known
>>> Name or service not known
— at System.Net.Dns.InternalGetHostByName(String hostName)
— at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
— at Opc.Ua.ServerBase.NormalizeHostname(String hostname)
— at Opc.Ua.ServerBase.FilterByEndpointUrl(Uri endpointUrl, IList`1 baseAddresses)
— at Opc.Ua.Server.StandardServer.FindServers(RequestHeader requestHeader, String endpointUrl, StringCollection localeIds, StringCollection serverUris, ApplicationDescriptionCollection& servers)
— at Opc.Ua.SessionEndpoint.FindServers(IServiceRequest incoming)
— at Opc.Ua.EndpointBase.ServiceDefinition.Invoke(IServiceRequest request)
— at Opc.Ua.EndpointBase.ProcessRequestAsyncResult.OnProcessRequest(Object state)
========================================
For phase 1, I didn’t plan to use certificates, so I simply connected my client to the machine’s IP over the network, which caused this error,
Unfortunately, the machine cannot be found on the network by hostname, which made it impossible for me to connect the client with opc.tcp://HOSTNAME:port.
I hope my explanation is sufficient to answer the question.
Is there any form of endpoint that does not perform hostname validation?
01/27/2023
Randy Armstrong said
You need to use IP addresses everywhere there is a hostname in configuration.In the Certificate you put the IPAddress in the subjectAltName instead of the dnsName.
Thank you for your answer, it is agreed with the customer that no certificates will be exchanged, because a renewal in the field is impossible.
Is there another way to bypass this dns/hostname validation?
Since the IP changes, a generic approach with 127.0.0.1 or 0.0.0.0 is most desirable.
05/30/2017
HostName validation can be suppressed in configuration.
See https://reference.opcfoundatio…..docs/6.1.3
Host Name
Bad_CertificateHostNameInvalid
AuditCertificateDataMismatchEventType
The HostName in the URL used to connect to the Servershall be the same as one of the HostNames specified in the Certificate.
This check is skipped for CA Certificates.
This check is skipped for Serverside validation.
This error may be suppressed.
You need to look in the client documentation to find out how to do this.
The expiry date check can also be suppressed.
I strongly recommend that you do not turn off security in the field because there are many hacks/exploits that only work if security is disabled.
Accepting an expired certificate is better than no certificate.
1 Guest(s)