Input.OPCUA: Connection with certificate

Hi everyone,

I am trying to use telegraf (1.27.3) with a Beckhoff OPC UA server (4.4.69.0).
I am able to set up a connection between the two if I use the security policy "None".
In my case I would like to use it with:

  • security_policy = "Basic256Sha256"
  • security_mode = "SignAndEncrypt"

This is my telegraf config file (screenshot):

What I have already tried:

  • Let the Beckhoff OPC server automatically trust new certificates (not working, EOF)
  • Take the certificate generated by telegraf from /tmp/scs# and copy and paste it into /etc/telegraf (not working, EOF; even though the certificate was generated and trusted, Beckhoff rejected it)
  • Generate my own certificate and update the telegraf conf (not working, EOF; even though the certificate was generated and trusted, Beckhoff rejected it). I can see that it is the one from the generated cert because my company name appears

I am lost now; where should I start?
Has someone already set up a connection between Beckhoff OPC UA and telegraf?

Have a good day

Are you sure your device supports that security policy? Have you tried just Basic256?

Hello,

Thanks for your answer. Yes, I am sure: it is working with UaExpert.

I asked Beckhoff support, and they asked me which version of OPC UA is used in telegraf.

Does anyone have an idea?

Thanks

Something I forgot to say:

I am using a certificate + connection with UserName.

what is the version of opcua used in telegraf

Telegraf uses the gopcua/opcua library, version v0.4.0, right now.

Thanks.

Is there nothing more I can try?

This issue seems to be exactly the same as mine: EOF error, Basic256Sha256 · Issue #658 · gopcua/opcua · GitHub

Hi @Loic_Winkelmann, can you try defining your own certificates using this script: https://github.com/InfluxCommunity/Telegraf-Community-Configs/tree/master/Kepware/certificates

Then point your certificate and private_key at them accordingly. I have tested this on: GitHub - Azure-Samples/iot-edge-opc-plc: Sample OPC UA server with nodes that generate random and increasing data, anomalies and much more ... and also on Kepware, which seems to do the trick. I know one of the maintainers is actively working on better testing for certificates.

Hello Jay,

Thanks for your answer. Unfortunately it is not working:

I generated a new certificate following your link and updated the conf.

The certificate automatically ends up in the rejected folder of my OPC UA server.

Telegraf.conf:

I have done a chmod telegraf:telegraf on the certificate:

because I am using the telegraf user for the service.

Hi @Loic_Winkelmann,
Correct, my expectation would be that it is rejected because it's a self-signed certificate. If you move it to accepted within the trusted store and restart Telegraf, does this change the output?

Yes, sorry :slight_smile:

Each time I accept it and restart, it automatically goes back to rejected, even if it is already in Allow.
That is crazy!

Hmm, have you got a Beckhoff specification to hand? It sounds like an odd configuration. I could understand why it would happen if you let Telegraf recreate its own certificates, as they keep changing, but these should be static.

Hmm, so you could build the certificate based upon an organization that is accepted by Beckhoff. Are you using Beckhoff V3? Also, for my own clarity, in that screenshot are you deleting the certificate in rejected once you move it?

Also, did you connect to Beckhoff using UaExpert and Kepware via certificate authentication or username and password?


I created a ticket; they are looking into it.

But I have already tried with many clients and it works:

  • UA expert
  • Kepware
  • Matrikon

No, it is working, sorry, you were faster than me :slight_smile:

Hmm, so you could build the certificate based upon an organization that is accepted by Beckhoff. Are you using Beckhoff V3? Also, for my own clarity, in that screenshot are you deleting the certificate in rejected once you move it?

Also, did you connect to Beckhoff using UaExpert and Kepware via certificate authentication or username and password?

  • I am using Codesys V3, right, and the version of the OPC UA server is the latest one: 4.4.69.0
  • Yes, I am deleting the certificate right after I have moved it
  • I am connecting with UaExpert using username + password

Hmm, can you remove all versions of the certificate from the trust store please, both from trusted and rejected. Completely stop telegraf before you do this. Instead of using auto, could you do the following:

```toml
  #
  ## The interval at which the server should at least update its monitored items
  # subscription_interval = "100ms"
  #
  ## Security policy, one of "None", "Basic128Rsa15", "Basic256",
  ## "Basic256Sha256", or "auto"
  security_policy = "Basic256Sha256"
  #
  ## Security mode, one of "None", "Sign", "SignAndEncrypt", or "auto"
  security_mode = "SignAndEncrypt"
  #
  ## Path to cert.pem. Required when security mode or policy isn't "None".
  ## If cert path is not supplied, self-signed cert and key will be generated.
  certificate = "/etc/telegraf/public.pem"
  #
  ## Path to private key.pem. Required when security mode or policy isn't "None".
  ## If key path is not supplied, self-signed cert and key will be generated.
  private_key = "/etc/telegraf/default_pk.pem"
  #
  ## Authentication Method, one of "Certificate", "UserName", or "Anonymous".  To
  ## authenticate using a specific ID, select 'Certificate' or 'UserName'
  auth_method = "UserName"
```

I don't believe auto works particularly well with self-included certificates.


Here is my test. You could also try to change the name and recreate the certificate:

```sh
openssl req -new -key default_pk.pem -out cert.csr -subj "/C=US/ST=NY/L=NY/O=Organization/OU=OrganizationUnit/CN=Telegraf OPC UA client test"
```
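An added example, not code from this thread and not Telegraf's or gopcua's own implementation: a small Go program that produces the `public.pem` / `default_pk.pem` pair the config above points at, and then checks the certificate the way an OPC UA server does before it will trust it. The point it illustrates is that an OPC UA application instance certificate must carry the client's ApplicationUri as a URI subjectAltName (the server compares it with the ApplicationUri the client sends at session creation) and, for Basic256Sha256, a 2048-bit RSA key signed with SHA-256; a bare `openssl req` with only a `-subj`, as in the command above, yields a certificate with no subjectAltName at all unless an extensions config is supplied. The URI `urn:telegraf:gopcua:client`, the organization name and the file names are assumptions for the example; use whatever URI your client actually announces.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"time"
)

// ApplicationUri the client announces; the server matches it against the URI
// subjectAltName of the certificate. Assumed value for this example only.
const AppURI = "urn:telegraf:gopcua:client"

// GenerateClientCert builds a self-signed OPC UA client certificate and RSA key,
// returned PEM-encoded (certificate first, then PKCS#1 private key).
func GenerateClientCert(commonName, applicationURI string, hostnames []string, validFor time.Duration) ([]byte, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // Basic256Sha256 needs >= 2048-bit RSA
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	uri, err := url.Parse(applicationURI)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName, Organization: []string{"Organization"}},
		NotBefore:    now.Add(-time.Hour), // tolerate clock skew between host and PLC
		NotAfter:     now.Add(validFor),
		// Key usages listed for OPC UA application instance certificates.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              hostnames,
		URIs:                  []*url.URL{uri}, // the part a bare "openssl req -subj" omits
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return certPEM, keyPEM, nil
}

// CheckClientCert applies the checks a server makes before considering trust:
// validity period, key size and signature hash for Basic256Sha256, key usage,
// and a URI subjectAltName equal to the announced ApplicationUri.
func CheckClientCert(certPEM []byte, wantURI string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid now (valid %s to %s)", cert.NotBefore, cert.NotAfter)
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		return fmt.Errorf("Basic256Sha256 needs an RSA public key of at least 2048 bits")
	}
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("signed with %s, Basic256Sha256 expects SHA256WithRSA", cert.SignatureAlgorithm)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("certificate lacks the digitalSignature key usage")
	}
	for _, u := range cert.URIs {
		if u.String() == wantURI {
			return nil
		}
	}
	return fmt.Errorf("no URI subjectAltName matches %q (found %v)", wantURI, cert.URIs)
}

func main() {
	host, _ := os.Hostname()
	certPEM, keyPEM, err := GenerateClientCert("Telegraf OPC UA client test", AppURI, []string{host}, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	if err := CheckClientCert(certPEM, AppURI); err != nil {
		panic(err)
	}
	// Same file names as the config in the thread; the key is readable only by its owner.
	if err := os.WriteFile("public.pem", certPEM, 0o644); err != nil {
		panic(err)
	}
	if err := os.WriteFile("default_pk.pem", keyPEM, 0o600); err != nil {
		panic(err)
	}
	fmt.Println("wrote public.pem and default_pk.pem; chown them to the telegraf service user")
}
```

Run it once, move the files into /etc/telegraf, chown them to the telegraf user, and copy the resulting public.pem into the server's trusted store; `openssl x509 -in public.pem -noout -text` should show the URI under "X509v3 Subject Alternative Name". `CheckClientCert` is also handy against a certificate that the server keeps moving to rejected: it reports the first mismatch rather than a bare EOF.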


I changed auto and auto as in your config file.