Microsoft Azure PlayFab logo
    • Multiplayer
    • LiveOps
    • Data & Analytics
    • Add-ons
    • For Any Role

      • Engineer
      • Designer
      • Executive
      • Marketer
    • For Any Stage

      • Build
      • Improve
      • Grow
    • For Any Size

      • Solo
      • Indie
      • AAA
  • Runs on PlayFab
  • Pricing
    • Blog
    • Forums
    • Contact us
  • Sign up
  • Sign in
  • Ask a question
  • Spaces
    • PlayStream
    • Feature Requests
    • Add-on Marketplace
    • Bugs
    • API and SDK Questions
    • General Discussion
    • LiveOps
    • Topics
    • Questions
    • Articles
    • Ideas
    • Users
    • Badges
  • Home /
  • General Discussion /
avatar image
Question by Linus Neuman · Nov 26, 2021 at 02:54 PM · Custom Game Serversmultiplayerwindows

Playfab multiplayer server can't connect to Epic Online Services (SSL error)

Hi,

I'm currently hosting a multiplayer game server on Playfab. It's a UE4 dedicated server running on Windows. It has the playfab GSDK plugin from github integrated.

Playfab launches the server fine, and gets heartbeats.
However, it can't connect to Epic Online Services (EOS).

This is the error received:

]LogEOS: Warning: [LogHttp] Retry 5 on https://api.epicgames.dev/sdk/v1/default?platformId=WIN
[2021.11.26-13.27.59:215][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: invalid HTTP response code received. URL: https://api.epicgames.dev/sdk/v1/default?platformId=WIN, HTTP code: 0, content length: 0, actual payload size: 0
[2021.11.26-13.27.59:216][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: request failed, libcurl error: 60 (Peer certificate cannot be authenticated with given CA certificates)
[2021.11.26-13.27.59:216][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 10 (Hostname in DNS cache was stale, zapped)
[2021.11.26-13.27.59:216][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 11 (  Trying 34.234.116.84...)
[2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 12 (TCP_NODELAY set)
[2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 13 (Connected to api.epicgames.dev (34.234.116.84) port 443 (#22))
[2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 14 (ALPN, offering http/1.1)
[2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 15 (Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH)
[2021.11.26-13.27.59:218][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 16 (TLSv1.3 (OUT), TLS handshake, Client hello (1):)
[2021.11.26-13.27.59:218][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 17 (TLSv1.3 (IN), TLS handshake, Server hello (2):)
[2021.11.26-13.27.59:218][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 18 (TLSv1.2 (IN), TLS handshake, Certificate (11):)
[2021.11.26-13.27.59:219][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 19 (TLSv1.2 (OUT), TLS alert, Server hello (2):)
[2021.11.26-13.27.59:219][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 20 (SSL certificate problem: unable to get local issuer certificate)
[2021.11.26-13.27.59:219][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 21 (Closing connection 22)
[2021.11.26-13.27.59:220][458]LogEOS: Warning: [LogHttp] Retry exhausted on https://api.epicgames.dev/sdk/v1/default?platformId=WIN
[2021.11.26-13.27.59:220][458]LogEOS: Warning: [LogEOS] Failed to connect to the backend. ServiceName=[SDKConfig], OperationName=[GetPlatformConfigRoute], Url=[<Redacted>]
[2021.11.26-13.27.59:248][459]LogEOS: Warning: [LogEOS] SDK Config Platform Update Request Failed, Result Code: EOS_NoConnection, Retrying after 6.575274 seconds

I'm not sure why this is failing, do I need to upload a certificate to the build on playfab?
Is there a mismatch in TLS versions?


I've tried disabling bVerifyPeer in UE4, but to no avail.

This is working fine outside of Playfab, so there is some kind of environment issue I believe.

We use EOS for matchmaking, voice, etc and need our playfab server instance to be able to reach it.

Cheers,

Linus

Comment
Jeremy
Nikita Matusevich

People who like this

2 Show 0
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

9 Replies

· Add your reply
  • Sort: 
avatar image
Best Answer

Answer by ravarna · Mar 23 at 05:15 PM

@linus neuman, the problem with the crt bundle is that windows only installs the first in the list of certificates and then stops. Amazon root is not the first one there. Here are the certs you need in the DER format from Amazon Trust Services Repository.

I think AmazonRootCA1 suffices, but you can install all of the following: RootCA1, RootCA2, RootCA3, RootCA4 and StarField.

Also, is this working on your local multiplayer agent with containerization (it may work in process mode if the root is installed on your machine).

Comment

People who like this

0 Show 2 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image ravarna · Mar 23 at 05:23 PM 1
Share

Also, powershell can be tricky, I suggest having a startup.cmd file with the following contents and use that as the start game command:

certutil.exe -addstore root .\AmazonRootCA1.cer

certutil.exe -addstore root .\AmazonRootCA2.cer

certutil.exe -addstore root .\AmazonRootCA3.cer

certutil.exe -addstore root .\AmazonRootCA4.cer

certutil.exe -addstore root .\SFSRootCAG2.cer

.\GameServer.exe -log -Playfab

avatar image Linus Neuman ravarna · Mar 24 at 09:17 AM 1
Share

This worked beautifully, thanks!

Cheers

Linus

avatar image

Answer by June Rhodes · Dec 03, 2021 at 09:40 AM

@Made Wang This is not a case of the developer needing to upload custom SSL certificates, nor does EOS even have public/private key pairs.

The issue is that the container or execution environment for PlayFab servers is lacking the latest root CA certificates. Typically these are delivered through Windows Update, but for whatever reason, the PlayFab environment is missing the Amazon Root CA 1 root certificate.

Because the execution environment doesn't have the Amazon Root CA 1 certificate, the EOS SDK can't communicate with the back-end APIs.

Comment
Jeremy

People who like this

1 Show 0 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Linus Neuman · Dec 14, 2021 at 11:44 AM

Hello Made, please see my previous comment that you can't refer to June's answer since it's a call for action on your end,


Regards,
Linus

Comment

People who like this

0 Show 0 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Jeremy · Jan 13 at 01:36 PM

@Made Wang any update on this issue ?

Comment

People who like this

0 Show 0 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Nikita Matusevich · Feb 25 at 05:22 AM

Is there any information on this issue?

Comment
Nikita Matusevich

People who like this

1 Show 0 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Jay Zuo · Feb 25 at 10:30 AM

This seems not to be the container or execution environment for PlayFab servers is lacking the latest root CA certificates.

I'm testing with the following steps:

1. Deploy a build to MPS and get a standby server.

2. Connect to the server with RDP (Here, we are actually connecting to the VM, not the server instance).

3. Open a PowerShell window as Administrator.

4. Run "docker ps" to get the Container Id of the standby server.

5. Run "docker exec -it <Container Id> powershell" to connect "inside" the running container.

6. In the running container, execute "curl.exe https://api.epicgames.dev/sdk/v1/default?platformId=WIN"

With the above command, I can get the right response. If it's the container is lacking the latest root CA certificates. I'd think the above curl command should also fail.

I'm not familiar with UE4, especially UE4 dedicated server, this issue might need further investigation.

Comment

People who like this

0 Show 0 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Dimitris Gkanatsios · Feb 28 at 03:35 AM

Windows containers seem to be lacking certain CAs. You can try running your game servers on process mode. This might work as the VM has more CAs integrated. To make sure your game servers work well on process mode, please try LocalMultiplayerAgent first PlayFab/MpsAgent: Azure PlayFab Multiplayer Servers LocalMultiplayerAgent project and helper libraries (github.com)

Comment

People who like this

0 Show 1 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Linus Neuman · Mar 22 at 02:45 PM 0
Share

Hi!

Sorry for the late answer, we took a break from looking at cloud hosted servers.
I tested using the process method instead!
However we run into the same issue, same complaints about CA certificate in the log.
I verified it works perfectly fine in my local multiplayer agent.

avatar image

Answer by admin-22 · Mar 22 at 06:33 AM

Is there any development on this topic? I'm running into the same issue

Comment

People who like this

0 Show 0 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Dimitris Gkanatsios · Mar 22 at 10:23 PM

removed my previous answer and posting a solution we added here, let us know if it works!

MpsSamples/amazon_root_ca.md at main PlayFab/MpsSamples (github.com)

Comment

People who like this

0 Show 2 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Linus Neuman · Mar 23 at 01:26 PM 0
Share

Unfortunately doesn't seem to do the trick,

If I use Windows Process mode, it fails to start instead, not sure if I did something wrong but I set something up like this:
Start command: "SetupAndLaunch.ps1".

The package zip looks like this:
GameServer.exe
SetupAndLaunch.ps1

curl-ca-bundle.crt

SetupAndLaunch.ps1 looks like this:

Import-Certificate -FilePath curl-ca-bundle.crt -CertStoreLocation 'Cert:\LocalMachine\Root' -Verbose -WhatIf

.\GameServer.exe -log -Playfab

Unfortunately, it fails to start with error message "Start servers failed". If I RDP to it, I can't see that it ever attempted to launch the game server, so perhaps it failed to run the start script or the start script failed.

If I manually launch the game via the launch script, it crashes and complains about "Heartbeat endpoint and Server id are required configuration values.", possibly because I'm launching it manually without necessary environment variables set?

If I use container mode, it doesn't seem to launch it either. It says "pending heartbeat" for a very long time.

I set the start command to "C:\Assets\SetupAndLaunch.ps1". and mounted the package zip to C:\Assets.

avatar image Linus Neuman · Mar 23 at 03:29 PM 0
Share

I can manually boot the game server via RDP it starts complaining about this, even if I manually install the crt bundle from curl:
[2022.03.23-15.26.25:578][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: invalid HTTP response code received. URL: https://api.epicgames.dev/sdk/v1/default?platformId=WIN, HTTP code: 0, content length: 0, actual payload size: 0
[2022.03.23-15.26.25:578][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: request failed, libcurl error: 60 (Peer certificate cannot be authenticated with given CA certificates)
[2022.03.23-15.26.25:578][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: libcurl info message cache 23 (Hostname api.epicgames.dev was found in DNS cache)
[2022.03.23-15.26.25:578][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: libcurl info message cache 24 ( Trying 35.173.6.230...)
[2022.03.23-15.26.25:579][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: libcurl info message cache 25 (TCP_NODELAY set)
[2022.03.23-15.26.25:579][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: libcurl info message cache 26 (Connected to api.epicgames.dev (35.173.6.230) port 443 (#5))
[2022.03.23-15.26.25:579][658]LogEOS: Warning: [LogHttp] 000001A5C806C040: libcurl info

Your answer

Hint: You can notify a user about this post by typing @username

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Navigation

Spaces
  • General Discussion
  • API and SDK Questions
  • Feature Requests
  • PlayStream
  • Bugs
  • Add-on Marketplace
  • LiveOps
  • Follow this Question

    Answers Answers and Comments

    11 People are following this question.

    avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

    Related Questions

    UE4 GSDK Server always returning Unhealthy 1 Answer

    Azure Multiplayer server cannot connect to websocket 1 Answer

    CUSTOM Multiplayer server DDOS 1 Answer

    ​PowerShell maxes CPU usage - Multiplayer Servers 1 Answer

    Connecting multiple clients to the same server! ,Connecting multiple clients to one playfab server 1 Answer

    PlayFab

    • Multiplayer
    • LiveOps
    • Data & Analytics
    • Runs on PlayFab
    • Pricing

    Solutions

    • For Any Role

      • Engineer
      • Designer
      • Executive
      • Marketer
    • For Any Stage

      • Build
      • Improve
      • Grow
    • For Any Size

      • Solo
      • Indie
      • AAA

    Engineers

    • Documentation
    • Quickstarts
    • API Reference
    • SDKs
    • Usage Limits

    Resources

    • Forums
    • Contact us
    • Blog
    • Service Health
    • Terms of Service
    • Attribution

    Follow us

    • Facebook
    • Twitter
    • LinkedIn
    • YouTube
    • Sitemap
    • Contact Microsoft
    • Privacy & cookies
    • Terms of use
    • Trademarks
    • Safety & eco
    • About our ads
    • © Microsoft 2020
    • Anonymous
    • Sign in
    • Create
    • Ask a question
    • Create an article
    • Post an idea
    • Spaces
    • PlayStream
    • Feature Requests
    • Add-on Marketplace
    • Bugs
    • API and SDK Questions
    • General Discussion
    • LiveOps
    • Explore
    • Topics
    • Questions
    • Articles
    • Ideas
    • Users
    • Badges