PAC-write error

Hello,
I am trying to write to a PAC controller variable located on a separate device, using the Node-Red pac-write node.
I keep getting the error “UNABLE_TO_VERIFY_LEAF_SIGNATURE”.
I’ve tried uploading the certificates and making new ones, as well as generating new API keys.
What does this error mean?

Lots of explanations and solutions on the forums about that one.

https://forums.opto22.com/search?q=leaf

Just need to take a look at your certificates.


Oh. Wow. My bad.
The search did not include the post I was thinking of…

This one should get you going. Just mentally swap out one of the RIOs for an EPIC, i.e., EPIC to RIO.

I’ve had this issue for quite some time and have never been able to get it working; someone let me know about the scratchpad instead.

Is the path to the certificates different in a RIO vs. EPIC?

Let me test it tomorrow.
I am not sure you even need to put the path in, but it’s been a while.
Usually EPIC to RIO (i.e., RIO as remote IO to EPIC) is not done in Node-RED, but via PAC Control, and there is no ‘leaf’ issue.


Sorry for the delay getting back to this…

Got it working.
Node-RED on EPIC with RIO cert and talking without issue.
Can confirm the path to the cert is the same in the EPIC as in the RIO:
/usr/local/share/ca-certificates/rio.crt

Here is the key.
If you are on a private network and using self-signed certificates, ensure they have not expired.
Take the server cert from each device and add it to the trust store of the other device.
Ensure that the CN (Common Name) or SAN (Subject Alternative Name) is the correct (possibly static) IP address, since it’s unlikely you have a DNS on that network and so will need the cert to match the device’s IP address.
Put the device IP address in the Node-RED node along with its API key and path to cert.

If you are on a private network with a private CA:
Take the CA certificate that is returned to you from the CA after your CSR has been signed and put it in each device’s trust store.

If you are on a public network with a public CA:
It should not be an issue since the public CA should be in the device trust store - and please don’t do that, don’t put it on the Internet, use the VPN that’s built in.

Let us know how you get on.
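
The three checks from the post above (expiry, IP address in the certificate, trust), as an added shell example that is not part of the original thread. It assumes the `openssl` CLI is installed; the function names, the 192.0.2.10 address and the generated certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, IP and certificate are constructed.

# make_sample_cert DIR IP: self-signed cert with IP in CN and SAN (1 day).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/dev.key" -out "$1/dev.crt" \
        -subj "/CN=$2" -addext "subjectAltName=IP:$2" >/dev/null 2>&1
}

# check_device_cert CERT IP [CAFILE]
# CAFILE defaults to CERT itself (self-signed case); pass the private CA
# certificate instead when the device cert was issued from a CSR.
check_device_cert() {
    cert=$1; ip=$2; cafile=${3:-$1}; rc=0
    # 1. Not expired (-checkend 0 fails if notAfter is already past).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: expired or unreadable: $cert"; rc=1; }
    # 2. The address typed into the node is in the certificate.
    #    openssl compares it against the SAN IP entries.
    openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: $ip not in certificate"; rc=1; }
    # 3. The certificate chains to what the client will trust.
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not verifiable against $cafile"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert valid for $ip"
    return "$rc"
}

# Demo on a constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp" 192.0.2.10
check_device_cert "$tmp/dev.crt" 192.0.2.10
check_device_cert "$tmp/dev.crt" 192.0.2.11 || echo "(mismatch detected)"
rm -rf "$tmp"
```

On the device, the same function can be pointed at the certificate path from the post, /usr/local/share/ca-certificates/rio.crt, together with the IP address entered in the Node-RED node.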