BadSecurityChecksFailed when connecting to KepServerEx

[Shatzel]

In connecting to an existing OPC UA KepServerEx with Basic256Sha256 SignAndEncrypt, I keep getting the BadSecurityChecksFailed while attempting to handshake; where the server is 192.168.1.2 and the client is 192.168.1.20. The client appears to query the server for it's security policy and cert just fine, but when an open_secure_channel sends the updated request, I receive "An error occurred verifying security". I have verified that the server is available and I can pull tags with the .NET reference client, but I would prefer to use opcua-asyncio for my project

Edit: The KepServerEx does receive the client cert and automatically gets added to the rejected cert folder.

ssl.conf

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
nsCertType = client, server
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage= critical, serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificate"
authorityKeyIdentifier=keyid,issuer:always
subjectAltName = URI:urn:192.168.1.20:TVAC_NUC:Client, IP: 192.168.1.20

[ subject ]
countryName = US
stateOrProvinceName = CA
localityName = NA
organizationName = NA
commonName = TVAC_Nuc_Client

main()

    url = "opc.tcp://192.168.1.2:49430/"
    client = asyncua.Client(url=url)
    #client.name = "TVAC_Nuc_Client"
    client.application_uri = "urn:192.168.1.20:TVAC_NUC:Client"
    #client.product_uri = "urn:192.168.1.20:TVAC_NUC:Client"
    client.session_timeout = 2000

    create_key = ['openssl', 'genrsa', '-out', path+'key.pem', '2048']
    create_cert = ['openssl', 'req', '-x509', '-days', '3650', '-new', '-out', path+'cert.pem', '-key', path+'key.pem', '-config', path+'ssl.conf']
    create_der = ['openssl', 'x509', '-outform', 'der', '-in', path+'cert.pem', '-out', path+'cert.der']

    if not exists(path+"cert.der"):
        call(create_key)
        time.sleep(1)
        call(create_cert)
        time.sleep(.5)
        call(create_der)
        time.sleep(.5)

    #SecurityPolicyBasic256
    #SecurityPolicyBasic256Sha256
    #server_certificate=f"{path}TVAC1_Server_cert.der",

    print(f'Setting security...')
    await client.set_security(
        policy=crypto.security_policies.SecurityPolicyBasic256Sha256,
        certificate=f"{path}cert.der",
        private_key=f"{path}key.pem",
        mode=ua.MessageSecurityMode.SignAndEncrypt
    )
    time.sleep(2)
    print("connecting...")
    async with client:
        print("Root children are", await client.nodes.root.get_children())

Terminal and error printout:

Setting security...
setting protocol to http://opcfoundation.org/UA/SecurityPolicy#None
updating client limits to: TransportLimits(max_recv_buffer=65536, max_send_buffer=65536, max_chunk_count=5000, max_message_size=16777216)

request is: OpenSecureChannelRequest(TypeId=FourByteNodeId(Identifier=446, NamespaceIndex=0, NodeIdType=<NodeIdType.FourByte: 1>), RequestHeader_=RequestHeader(AuthenticationToken=NodeId(Identifier=0, NamespaceIndex=0, NodeIdType=<NodeIdType.TwoByte: 0>), Timestamp=datetime.datetime(2022, 11, 21, 19, 24, 44, 886852), RequestHandle=0, ReturnDiagnostics=0, AuditEntryId=None, TimeoutHint=0, AdditionalHeader=ExtensionObject(TypeId=NodeId(Identifier=0, NamespaceIndex=0, NodeIdType=<NodeIdType.TwoByte: 0>), Body=None)), Parameters=OpenSecureChannelParameters(ClientProtocolVersion=0, RequestType=<SecurityTokenRequestType.Issue: 0>, SecurityMode=<MessageSecurityMode.None_: 1>, ClientNonce=b'', RequestedLifetime=3600000))

server cert is <Certificate(subject=<Name(DC=4677-1-PC,C=US,O=Unknown,CN=KEPServerEX/UA Server)>, ...)>
client cert is <Certificate(subject=<Name(C=US,ST=CA,L=NA,O=NA,CN=TVAC_Nuc_Client)>, ...)>
client key is <cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f824d7d53d0>
security policy is <asyncua.crypto.security_policies.SecurityPolicyBasic256Sha256 object at 0x7f824e571760>

connecting...
setting protocol to http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
updating client limits to: TransportLimits(max_recv_buffer=65536, max_send_buffer=65536, max_chunk_count=5000, max_message_size=16777216)

request is: OpenSecureChannelRequest(TypeId=FourByteNodeId(Identifier=446, NamespaceIndex=0, NodeIdType=<NodeIdType.FourByte: 1>), RequestHeader_=RequestHeader(AuthenticationToken=NodeId(Identifier=0, NamespaceIndex=0, NodeIdType=<NodeIdType.TwoByte: 0>), Timestamp=datetime.datetime(2022, 11, 21, 19, 24, 46, 914582), RequestHandle=0, ReturnDiagnostics=0, AuditEntryId=None, TimeoutHint=0, AdditionalHeader=ExtensionObject(TypeId=NodeId(Identifier=0, NamespaceIndex=0, NodeIdType=<NodeIdType.TwoByte: 0>), Body=None)), Parameters=OpenSecureChannelParameters(ClientProtocolVersion=0, RequestType=<SecurityTokenRequestType.Issue: 0>, SecurityMode=<MessageSecurityMode.SignAndEncrypt: 3>, ClientNonce=b'\xd5\x14\xef\x89\xf1h\xffI\\r\x8e\xed1\xd0\xa5P.\x86@\xc8\x0e\x18\xccy\xcb\xd8\xc5\xd2l\xa2\xee\xef', RequestedLifetime=3600000))

Received an error: ErrorMessage(Error=StatusCode(value=2148728832), Reason='An error occurred verifying security.')
Received an error: ErrorMessage(Error=StatusCode(value=2148728832), Reason='An error occurred verifying security.')
disconnect_socket was called but connection is closed

Traceback (most recent call last):
  File "/home/envir-tech/devel/opcua-asyncio/asyncua/shatzel/opc_client.py", line 63, in <module>
    asyncio.run(main())
  File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/home/envir-tech/devel/opcua-asyncio/asyncua/shatzel/opc_client.py", line 47, in main
    async with client:
  File "/home/envir-tech/.local/lib/python3.8/site-packages/asyncua/client/client.py", line 86, in __aenter__
    await self.connect()
  File "/home/envir-tech/.local/lib/python3.8/site-packages/asyncua/client/client.py", line 283, in connect
    await self.open_secure_channel()
  File "/home/envir-tech/.local/lib/python3.8/site-packages/asyncua/client/client.py", line 344, in open_secure_channel
    result = await self.uaclient.open_secure_channel(params)
  File "/home/envir-tech/.local/lib/python3.8/site-packages/asyncua/client/ua_client.py", line 311, in open_secure_channel
    return await self.protocol.open_secure_channel(params)
  File "/home/envir-tech/.local/lib/python3.8/site-packages/asyncua/client/ua_client.py", line 226, in open_secure_channel
    await asyncio.wait_for(self._send_request(request, message_type=ua.MessageType.SecureOpen), self.timeout)
  File "/usr/lib/python3.8/asyncio/tasks.py", line 501, in wait_for
    raise exceptions.TimeoutError()
asyncio.exceptions.TimeoutError

[Shatzel]

True to form; one week of beating my head against a problem and as soon as I ask for help, I realize the solution.

Solved: Needed to move the client cert from the server side rejected folder and then import as a trusted client.