Playfab multiplayer server can't connect to Epic Online Services (SSL error)
Hi,
I'm currently hosting a multiplayer game server on Playfab. It's a UE4 dedicated server running on Windows. It has the playfab GSDK plugin from github integrated.
Playfab launches the server fine, and gets heartbeats.
However, it can't connect to Epic Online Services (EOS).
This is the error received:
]LogEOS: Warning: [LogHttp] Retry 5 on https://api.epicgames.dev/sdk/v1/default?platformId=WIN [2021.11.26-13.27.59:215][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: invalid HTTP response code received. URL: https://api.epicgames.dev/sdk/v1/default?platformId=WIN, HTTP code: 0, content length: 0, actual payload size: 0 [2021.11.26-13.27.59:216][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: request failed, libcurl error: 60 (Peer certificate cannot be authenticated with given CA certificates) [2021.11.26-13.27.59:216][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 10 (Hostname in DNS cache was stale, zapped) [2021.11.26-13.27.59:216][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 11 ( Trying 34.234.116.84...) [2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 12 (TCP_NODELAY set) [2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 13 (Connected to api.epicgames.dev (34.234.116.84) port 443 (#22)) [2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 14 (ALPN, offering http/1.1) [2021.11.26-13.27.59:217][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 15 (Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH) [2021.11.26-13.27.59:218][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 16 (TLSv1.3 (OUT), TLS handshake, Client hello (1):) [2021.11.26-13.27.59:218][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 17 (TLSv1.3 (IN), TLS handshake, Server hello (2):) [2021.11.26-13.27.59:218][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 18 (TLSv1.2 (IN), TLS handshake, Certificate (11):) [2021.11.26-13.27.59:219][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 19 (TLSv1.2 (OUT), TLS alert, Server hello (2):) [2021.11.26-13.27.59:219][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 20 (SSL certificate problem: unable to get local issuer certificate) [2021.11.26-13.27.59:219][458]LogEOS: Warning: [LogHttp] 0000020B0A763400: libcurl info message cache 21 (Closing connection 22) [2021.11.26-13.27.59:220][458]LogEOS: Warning: [LogHttp] Retry exhausted on https://api.epicgames.dev/sdk/v1/default?platformId=WIN [2021.11.26-13.27.59:220][458]LogEOS: Warning: [LogEOS] Failed to connect to the backend. ServiceName=[SDKConfig], OperationName=[GetPlatformConfigRoute], Url=[<Redacted>] [2021.11.26-13.27.59:248][459]LogEOS: Warning: [LogEOS] SDK Config Platform Update Request Failed, Result Code: EOS_NoConnection, Retrying after 6.575274 seconds
I'm not sure why this is failing, do I need to upload a certificate to the build on playfab?
Is there a mismatch in TLS versions?
I've tried disabling bVerifyPeer in UE4, but to no avail.
This is working fine outside of Playfab, so there is some kind of environment issue I believe.
We use EOS for matchmaking, voice, etc and need our playfab server instance to be able to reach it.
Cheers,
Linus
Best Answer
@Made Wang This is not a case of the developer needing to upload custom SSL certificates, nor does EOS even have public/private key pairs.
The issue is that the container or execution environment for PlayFab servers is lacking the latest root CA certificates. Typically these are delivered through Windows Update, but for whatever reason, the PlayFab environment is missing the Amazon Root CA 1 root certificate.
Because the execution environment doesn't have the Amazon Root CA 1 certificate, the EOS SDK can't communicate with the back-end APIs.
[Edited]Refer to @June Rhodes's answer.
Thanks Made, I will reach out to EOS to see if I can get a certificate from them.
Correct, I use GSDK to connect the server to Playfab which has a healthy heartbeat connection.
I will update on my success with the certificate.
Cheers,
Linus
Hi,
They ask how I connect to their backend service, upon which I reached out to the plugin developer that wrote the logic that connects to EOS.
They claim that the environment has outdated CAs.
If you visit
https://api.epicgames.dev/
You can see that they use an Amazon CA, and if I download it and try to upload it to playfab, it won't accept it:
Private key is not specified in the specified X.509 PEM certificate content. Please specify private key in the X.509 PEM certificate content.
The size of the X.509 certificate is too long. Please specify X.509 certificate which is smaller than 25600 characters.
I found these two threads -Azure key vault to manage certificates-Microsoft Q&A and Certificate problem with UE4-Playfab Community that might be useful to you.
Playfab has no clear instructions on certificate restrictions, but you can refer to this document-Add a TLS/SSL certificate in Azure App Service to understand some certificate requirements.
Thanks Made,
I've seen those threads and they were not of help unfortunately, I don't have the private key at all and EOS won't provide me with any, my information is that the playfab environment has outdated CAs.
@Made Wang
As June says, your environment uses outdated CAs. Can you update them please?
Hello Made, please see my previous comment that you can't refer to June's answer since it's a call for action on your end,
Regards,
Linus
