Error -356608 and -356610 when Connecting to 3rd Party OPC UA Server Using the LabVIEW OPC UA Toolkit

Updated Jun 5, 2019

Reported In

Software

  • LabVIEW 2017 OPC UA Toolkit

Other

OPC UA Server

Issue Details

I am using the LabVIEW 2017 OPC UA Toolkit to create a client VI that will communicate with an external OPC UA server (like those hosted on another PC or a PLC). When I call the Connect VI from this toolkit to connect to the server, I get one of the following errors even when I specify on both my client and server to not use a security policy:
  • Error -356608: The certificate is expired or is not yet valid.
  • Error -356610: The certificate is not trusted

Solution

To correct this issue, you can try the following:
  • Check the system time on both the client and server systems. Make sure your client system is set to an earlier time than your server.
  • Upgrade to LabVIEW and the OPC UA Toolkit version 2018 or later.
  • On the OPC Connect VI connect the Input “Trust any Server?” to a true constant. The default value is “False”, thus this may be the source of the trust issue.
  • It is possible that the OPC UA toolkit shows as an Untrusted Client on the OPC UA Server side. Changing that to Trusted Client can fix this issue.

Additional Information

When certificates are generated, they use the current system time as a timestamp. As part of the handshake process to set up an OPC UA connection, the certificates are exchanged and evaluated by the receiving system. Part of this evaluation is checking to make sure the certificate's timestamp is valid.

If the server's certificate has a timestamp later than the client's current time, for example, the client will recognize that this timestamp must be incorrect, causing it to reject the certificate and abort the connection. Errors like the ones listed above can be thrown to alert you that the certificate is not valid.

If the system times appear to be compatible, you may be seeing a known issue with the 2017 version of the LabVIEW OPC UA Toolkit. These errors can be thrown even when specifying that a security policy, and therefore security certificates, should not be used. This behavior was fixed in the 2018 version and later of the toolkit. If you are unable to upgrade from 2017 to 2018, please contact National Instruments Support.

WAS THIS ARTICLE HELPFUL?

Not Helpful