"The server certificate is different from the EndpointDescription" errors and crashes

[ainglessi]

Describe the bug
Starting 22 November the gateway crashes roughly every 15 minutes when connected to the Sample Server (open62541) with 'Umati::Exceptions::ClientNotConnected' error (see logs below).

To Reproduce
Steps to reproduce the behavior:

1. Use Sample Server container image version sha256:65f65cf51b4bc8269625d6d503be31b9e50e8365fbe7e060a3fc85ff6e6636f3
2. Use gateway image version sha256:31445c2a51904c00af976d98f00b45aded319a8a8ad6f63abf49d5073a0ea4b9 (commit ac97bd3) or newer.
3. See error in logs and gateway crashing

Expected behavior
Works fine with gateway image sha256:bc655b69bbab29beeb16d25540d42370707104ffcbfcd9e4861fa548f883707b and older.

Screenshots

Environment:

Public sample-server and dashboard-opcua-client images in Docker 27.4.0-rc.3 on Debian 12 VM.

Log

2024-12-04 09:52:32,448 [DashboardOpcUaClient] INFO std::shared_ptr<ModelOpcUa::StructureBiNode> Umati::Dashboard::OpcUaTypeReader::handleBrowseTypeResult(BiDirTypeMap_t&, const ModelOpcUa::BrowseResult_t&, const std::weak_ptr<ModelOpcUa::StructureBiNode>&, ModelOpcUa::ModellingRule_t, bool):255 Current size BiDirectionalTypeMap: 500
[2024-12-04 09:53:18.750 (UTC+0000)] error/client       The server certificate is different from the EndpointDescription
[2024-12-04 09:53:18.750 (UTC+0000)] error/client       Processing the message returned the error code BadSecurityChecksFailed
[2024-12-04 09:53:18.750 (UTC+0000)] info/channel       TCP 6   | SC 7470       | SecureChannel closed
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        Received Publish Response for a non-existant subscription
[2024-12-04 09:53:18.750 (UTC+0000)] warn/client        skip verifying ApplicationURI for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-12-04 09:53:18.754 (UTC+0000)] info/network       TCP 8   | Opening a connection to "server-cpp" on port 4840
[2024-12-04 09:53:18.754 (UTC+0000)] info/client        Client Status: ChannelState: Connecting, SessionState: Created, ConnectStatus: Good
2024-12-04 09:53:18,754 [DashboardOpcUaClient] INFO void Umati::OpcUa::stateCallback(UA_Client*, UA_SecureChannelState, UA_SessionState, UA_StatusCode):39 Client is connecting
2024-12-04 09:53:18,754 [DashboardOpcUaClient] INFO void Umati::OpcUa::stateCallback(UA_Client*, UA_SecureChannelState, UA_SessionState, UA_StatusCode):78 Session created
[2024-12-04 09:53:18.754 (UTC+0000)] info/network       TCP 6   | Socket closed
2024-12-04 09:53:18,754 [DashboardOpcUaClient] INFO void Umati::OpcUa::stateCallback(UA_Client*, UA_SecureChannelState, UA_SessionState, UA_StatusCode):45 Client hello sent
2024-12-04 09:53:18,754 [DashboardOpcUaClient] INFO void Umati::OpcUa::stateCallback(UA_Client*, UA_SecureChannelState, UA_SessionState, UA_StatusCode):78 Session created
2024-12-04 09:53:18,754 [DashboardOpcUaClient] ERROR void Umati::OpcUa::OpcUaClient::connectionStatusChanged(UA_Int32, UA_ServerState):686 Disconnected.

terminate called after throwing an instance of 'Umati::Exceptions::ClientNotConnected'
  what():  Need connected client.

[GoetzGoerisch]

@ccvca can you have a look please.
@ainglessi you have a suspected commit from upstream, could you add this here?

[ainglessi]

Suspected culprit: open62541/open62541@afcf6d0. It's server-related though.

[wlkrm]

@ainglessi is this solved?
open62541/open62541#7043

[ainglessi]

The line

error/client The server certificate is different from the EndpointDescription

is not there any more, but

error/client Processing the message returned the error code BadSecurityChecksFailed

is still there and the gateway still crashes.

May be another issue.

[wlkrm]

Ah ok will look into that

[wlkrm]

@ainglessi, this was not reproducible anymore?
I cannot reproduce this with revert-431

[ainglessi]

I've been running revert-431 with the latest server for a couple of days now, the error hasn't popped up.

[wlkrm]

Ok, would you considered this bug as "fixed" then?

[ainglessi]

I think we can close it, keeping in mind that it may be reopened in case the error can be reproduced again.

[ainglessi]

Can not reproduce reliably.