OPC UA BadCertificateHostNameInvalid

jd3140 · ‎2023-10-04

I am trying to connect to an OPC UA server using Geo Scada however the OPC UA server object in Geo Scada fails to connect to allow browsing of OPC UA server tags . The error in the Geo SCADA logs is detailed as "BadCertificateHostNameInvalid". I have followed all the recommendations in the post "https://community.se.com/t5/EcoStruxure-Geo-SCADA-Expert/OPC-UA-Driver-Setting-Geo-SCADA-2021-Rel-Fe... and also all the recommendations in the pdf document "SettingUpSecureConnectionsfortheOPCUAClient.pdf".

I can connect to, browse and receive data from the OPC UA server using a third party client running on the same server as GeoScada therefore I am confident the issue is not network related.

I am confident that I have imported the server provided cert correctly and I also am certain that the cert that was automatically sent by GeoScada to the OPC UA server was transferred from untrusted section to trusted.

To progress this issue to the next stage i need to know what triggers "BadCertificateHostNameInvalid" in the Geo Scada log. Is this triggered by an issue with the Client Cert or the Server Cert.

sbeadle · ‎2023-10-05

Hi. Is it possible for you to contact SE support and send them logs?

AndrewScott · ‎2023-10-05

Unified Automation who produce the OPC UA SDK that is used by the Geo SCADA OPC UA client driver describe this error as:

The BadCertificateHostNameInvalid error is shown if the hostname/IP you are using to connect to the server is not contained in the server's certificate, e.g. if you are connecting to opc.tcp://192.168.0.1:4840 but the certificate only contains the hostname. In the certificate, this information is stored in the "Subject Alternative Name" extension.

https://forum.unified-automation.com/viewtopic.php?t=3578

The error refers to the SubjectAlternativeName extension, which shall contain the server's hostname(s) and/or IP addresses. If you connect to the server using it's IP address and the certificate only contains the hostname (or the other way round), this error will be thrown.
https://forum.unified-automation.com/viewtopic.php?t=1652

There is quite a bit of information online about this error:
https://www.google.co.uk/search?q=BadCertificateHostNameInvalid

Andrew Scott, R&D Principal Technologist, AVEVA

jd3140 · ‎2023-10-24

The OPC UA server administrators were unable to issue a cert that contained the ip address of the OPC UA server. To get communications to work the server ip address and hostname were added to the LM hosts file of the server running Geo SCADA (OPC UA Client). The hostname of the OPC UA server was then used instead of the ip address in the "OPC UA Server" url in the Geo Scada configuration.