opc ua - BadCertificateChainIncomplete with node-opcua client - Stack Overflow


When connecting to a Siemens S7-1500 OPCUA server using node-opcua client (and with what I think is the correct cert placed in the correct PKI folder) I get the following output:

    serverCertificate =  12ffc2f86bd61eb68ce3b717426e08babbd7454d
    serverCertificate =  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       

[NODE-OPCUA-W25] client's server certificate verification has failed  server
Certificate verification failed with err BadCertificateChainIncomplete (0x810d0000)

What is the first serverCertificate? A hash key?

Is it possible to combine the two above server certificates that the client is getting into a certificate that passes verification?

asked Jan 11 at 13:58 by user2132190

1 Answer

For the first small question:
I assume what you see is the certificate thumbprint, which is effectively a hash key.

For the main question:

When you receive a certificate which is signed by a CA, then you should know or trust all certificates of the certificate chain, not only the leaf certificate.
See https://github.com/node-opcua/node-opcua-pki
For the known but not trusted certificates you have the issuers/certs folder.
Note: You never need any leaf certificates in the issuers/certs as those certificates are always provided from the server.

  • One solution is to put the leaf certificate into the trusted/certs and the CA certificate into the issuers/certs. Only the leaf is trusted.
  • Another solution is to put the CA certificate into the trusted/certs (and there is no need to put the leaf certificate anywhere). All certificates signed by the CA are trusted.

Certificate chains with multiple CAs should work the same, every CA should be either in trusted/certs or in issuers/certs.
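
The folder rules from the answer above, as an added example that is not part of the original answer and is not node-opcua's own code: a simplified model of the trust decision with no signature, validity or CRL checks. The certificate names and thumbprints are constructed sample data, `verifyServerCertificate` and `demo` are hypothetical helpers, and `BadCertificateUntrusted` is the OPC UA status code assumed here for a complete chain in which nothing is trusted.

```javascript
// Simplified model of the PKI folder rules: certificates are plain objects
// (constructed sample data), matched by subject/issuer name only.
// Assumption: no signature, validity-period or CRL checks are modelled.
const caRoot = { subject: "CN=Plant Root CA", issuer: "CN=Plant Root CA", thumbprint: "aa01" };
const caSub = { subject: "CN=Plant Issuing CA", issuer: "CN=Plant Root CA", thumbprint: "bb02" };
const leaf = { subject: "CN=PLC OPC UA Server", issuer: "CN=Plant Issuing CA", thumbprint: "cc03" };

// pki = { trusted: [...], issuers: [...] } mirrors trusted/certs and issuers/certs.
function verifyServerCertificate(leafCert, pki) {
  const known = [...pki.trusted, ...pki.issuers];
  const trustedPrints = new Set(pki.trusted.map((c) => c.thumbprint));

  // Walk leaf -> root; every issuer must be present in one of the two folders.
  const chain = [leafCert];
  let current = leafCert;
  while (current.issuer !== current.subject) { // stop at a self-signed certificate
    const issuer = known.find((c) => c.subject === current.issuer);
    if (!issuer) return "BadCertificateChainIncomplete";
    if (chain.includes(issuer)) return "BadCertificateChainIncomplete"; // cycle: unresolvable
    chain.push(issuer);
    current = issuer;
  }

  // The chain is complete; at least one certificate in it must be trusted.
  return chain.some((c) => trustedPrints.has(c.thumbprint))
    ? "Good"
    : "BadCertificateUntrusted";
}

// The failing layout, the two layouts from the answer, and an untrusted chain.
function demo() {
  return {
    leafOnly: verifyServerCertificate(leaf, { trusted: [leaf], issuers: [] }),
    leafTrusted: verifyServerCertificate(leaf, { trusted: [leaf], issuers: [caSub, caRoot] }),
    caTrusted: verifyServerCertificate(leaf, { trusted: [caRoot], issuers: [caSub] }),
    nothingTrusted: verifyServerCertificate(leaf, { trusted: [], issuers: [caSub, caRoot] }),
  };
}

console.log(demo());
```
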
