UE4 Dedicated Server on GameLift reports WebSocket Error X509

Hey there,


I got a strange thing going on with GameSparks. I'm using your Plugin, despite the fact that I changed the "SceneComponent" to a "UObject", cause there is zero need for this to be a SceneComponent (ActorComponent would be the choice here) AND I want to have this in my GameInstance, so I made it a UObject.

After packaging and starting the Server on my own PC, everything works fine. Uploading the same files to the AWS GameLift Servers spams my log with this:

[2017.05.06-17.32.28:929][ 0]UGameSparksModuleLog: Received websocket error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

[2017.05.06-17.32.28:930][ 0]UGameSparksModuleLog: Got websocket error. Please make sure, that you've setup you credentials.

[2017.05.06-17.32.28:930][ 0]UGameSparksModuleLog: Backing off for one seconds

[2017.05.06-17.32.29:958][ 31]UGameSparksModuleLog: Create new connection

And it doesn't stop. What causes this and how can I fix this?

Cheers!


I assume it comes from here:

        if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )

            mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );

Inside of the error.c file. And that's set in "mbedtls_x509_crt_verify_with_profile" and/or "x509_crt_verify_child" in "x509_crt.c".

I assume it has to do with the Server (Windows Server 2012 R2), but I'm not so familiar with certificates, so I have no idea what's the actual cause of this and how to resolve it.

Pushing this as I still don't have a solution. :/

I still have this issue and we reached the point where we want to use GameSparks for Character Customization, so I need to have access to GameSparks from the Server. The GameLift support mentioned this:

 

I also am not an expert with GameSparks, but after looking through the SDK a bit I think the problem may be setting or passing MBEDTLS_SSL_VERIFY_REQUIRED on the server. In ssl.h they mention that the server should be set to MBEDTLS_SSL_VERIFY_NONE.

/**
* \brief Set the certificate verification mode
* Default: NONE on server, REQUIRED on client
*
* \param conf SSL configuration
* \param authmode can be:
*
* MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked
* (default on server)
* (insecure on client)
*
* MBEDTLS_SSL_VERIFY_OPTIONAL: peer certificate is checked, however the
* handshake continues even if verification failed;
* mbedtls_ssl_get_verify_result() can be called after the
* handshake is complete.
*
* MBEDTLS_SSL_VERIFY_REQUIRED: peer *must* present a valid certificate,
* handshake is aborted if verification failed.
*
* \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
* With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
* the right time(s), which may not be obvious, while REQUIRED always perform
* the verification as soon as possible. For example, REQUIRED was protecting
* against the "triple handshake" attack even before it was found.
*/

I hope this helps. There's no reason the CRL check would fail from a GameLift server and certs.c appears to have everything needed for the cert chain. Good luck!

Ben

 I don't really find anything related to this answer, so I'm trying to get help here again.
Would anyone from the GameSparks team be so kind and have a look at my issue?
It stops us from progressing further.

Kind regards,
Cedric Neukirchen


Hi Cedric, this must have slipped through without me seeing it. I do apologise.


In regards to your original enquiry. There is no need to persist the GameSparks UComponent as it is a proxy to the GameSparks module, so every UComponent will point to the same module which we make sure is persistent. We need to have it in the GameMode because it gives us the variables we need to ensure our Websocket runs properly. 


Your second enquiry, does this happen when the UComponent is in the GameMode?


Cheers,

Omar

I haven't tested this yet, as my "UObject" (previous USceneComponent) sits in my GameInstance.
Could you tell me why exactly it needs the GameMode?
The error only comes up when hosting it on the GameLift server.
On my own Computer, it works fine. I could test it later, but I would rather like to know what the GameMode has that the GameInstance isn't offering for your Plugin/Websocket? The GameInstance persists during the whole Session of the Server.

The error clearly states "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED", so I have a hard time understanding what the GameMode vs GameInstance has to do with it. I'll set up a test case, while waiting on a response to my GameMode question. Thanks for your time!

Hi Cedric,


From what I understand our initial decision to use the GameMode approach had something to do with the UE4 at the time, our resources, understanding of UE4 and the way we wanted websockets to work 2 years ago. We're going to be giving this another evaluation soon. 


We're looking at your issue right now. 

Also I've upgraded this forum post to a ticket so I can follow it closely. Ticket number is: 5377

I will be asking you questions there.


Cheers,

Omar

I'm facing the same problem. Some clients cannot connect to GameSparks and receive the same error.


Is there any progress about this?

 Hi Ozan,


Have you set up your credentials for your connection request?


Cheers,

Omar

Hi Omar,


What should I set up?


Only 2 in 100 people have this problem.


error.jpg
(169 KB)

 Are you using C++ or BP?


If C++, how have you set up your GS connection (with your key and secret)? If you would paste that line here (do not include your key and secret) I can see if that may be a problem.


Cheers,

Omar

Hello Omar,


I'm using BP. Key and secret entered in game mode. It's working except for a few clients.

Hey you two,

I answered Ozan via e-mail what the cause was for me.
My freshly set up GameLift instance did not have the right certificate installed.
Visiting the GameSparks page solved this. I also found out which certificate was missing.

Here is what I sent him from the ticket I had with GameSparks/GameLift: 

Downloaded the certificate "addtrustexternalcaroot". Installed it by hand and it seems to resolve the error.
Since I need to install it via a bat file, I need to do it via a console command.
"certmgr /add addtrustexternalcaroot.crt" seems to work, but haven't fully tested a blank reupload of a build.

 Hope that helps.

Kind regards,
Cedric Neukirchen
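
An added example, not part of the original posts and not GameSparks or GameLift code: one way to script the root-certificate install described above so a build's install script can call it, refusing the file unless its thumbprint matches a value verified out of band. The script name, the parameter names and the thumbprint value you pass in are assumptions.

```powershell
# Install-RootCa.ps1 (hypothetical name). Run elevated, e.g. from install.bat:
#   powershell -NoProfile -File Install-RootCa.ps1 -CertPath addtrustexternalcaroot.crt -ExpectedThumbprint <THUMBPRINT>
# <THUMBPRINT> is a placeholder: use the SHA-1 thumbprint published by the CA.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# Load the certificate from disk without touching any store yet.
$fullPath = (Resolve-Path -Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Normalise the expected value (strip spaces and colons) and compare.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not installing."
}

# A root CA is self-issued; refuse anything else so an intermediate or leaf
# certificate never lands in the Root store by mistake.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-issued (Subject: $($cert.Subject)). Not installing."
}

# An expired root cannot make verification succeed, so fail loudly instead.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Idempotent: skip the import when this root is already trusted on the machine.
$storePath = 'Cert:\LocalMachine\Root'
if (Test-Path -Path "$storePath\$($cert.Thumbprint)") {
    Write-Output "Already present in ${storePath}: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $fullPath -CertStoreLocation $storePath | Out-Null
    Write-Output "Installed into ${storePath}: $($cert.Subject)"
}
```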

Hello,


Installing "addtrustexternalcaroot.crt" is not solving the problem. I still couldn't find which crt I should install, because there are too many.

Hello, I have the same problem, connecting to GameSparks from a GameLift dedicated server.


Where can I find the certificates Cedric is mentioning?
