Firstly, have you looked at the TLS certs GameLift now provides for secure client/server connections: https://aws.amazon.com/releasenotes/release-amazon-gamelift-on-2019-09-03/?tag=releasenotes%23keywords%23amazon-gamelift
"Enable PKI resource generation for a fleet. When this feature is turned on, GameLift generates a TLS certificate for the fleet and creates a DNS entry for each instance in the fleet. With these resources, your game can authenticate the client and server connection and encrypt all game client/server communication. This feature is particularly valuable when deploying mobile multi-player games. These services are provided through the AWS Certificate Manager (ACM) and are currently available at no additional cost."
As to auto-elevate, see the answers here: https://forums.awsgametech.com/t/execute-install-bat-with-administrator-privileges/5826
Pip, Thank you for responding.
Yes, I am TRYING to use the certs that GameLift provides. GetInstanceCertificate() returns the path to the cert files on the server. For Windows this path is "C:\GameMetadata\Certificates" as mentioned in my original post.
I cannot access this location because it is protected by Windows User Account Control (UAC).
Yes, I have seen the post about auto-elevation. As described, I am using powershell in unrestricted mode and using run as administrator. (This is the recommended method according to that post.)
BUT, on Windows, being an administrator is not sufficient!! UAC requires consent in the form of a pop-up dialog box. The idea behind UAC is to require user input, so that malware cannot run as administrator and have unrestricted access to the machine.
So, how can I get access to these provided certs from install.bat when they are protected by Windows UAC?
I don't have any direct experience of trying to access the cert materials at install time to convert them. I've asked the GameLift team if they have any examples.
Hopefully GameLift can provide an answer here but I would keep experimenting with how to make powershell/bat files play nicely with UAC.
There are some useful-looking tips here:
- https://gallery.technet.microsoft.com/scriptcenter/Disable-UAC-using-730b6ecd
- https://gallery.technet.microsoft.com/scriptcenter/How-to-switch-UAC-level-0ac3ea11
- https://stackoverflow.com/questions/38658661/how-to-avoid-uac-prompt-while-running-powershell-script
Maybe a hail mary, but do you need to convert via the install.bat? Can you convert in memory or similar in code when your game launches? I wonder if there are alternative paths around UAC
Can you expand on why you need to do this during install time?
The advice from the GameLift team is you should always be calling GetInstanceCertificate to get the location of the certs and not be relying on fixed cert locations (also the gameserver user has permissions to read from the locations so no access escalation is required)
There is no definitive reason why the conversion NEEDS to take place at install time, but it makes sense to do it then because the machine instance will be running multiple concurrent server executables (multiple servers per EC2 instance). So it is redundant for each executable to do the conversion (or at least check if it has been done already).
Nonetheless, I will see if I can make progress by having my server executable launch openssl and convert the .pem files to .pfx
Are you saying that different user profiles (with different permissions) are used for running install.bat and server.exe?
I don't have all the details (as I don't work for GameLift directly) but I know the runtime user has permissions for these locations. What happens during install and permissions is not something I am an expert at.
I flagged your post to the GameLift team so they can look at your use case (which makes a lot of sense) and add a feature request into their backlog.
Hopefully you found a way to work around this at launch time.
Runtime success!
As mentioned above, it would be useful to be able to access the certs directory at install-time instead. Gamelift team, please consider changing this.
That said, I was able to successfully convert the .pem files to a .pfx certificate container, at runtime, by launching an openssl process from Unity.
Relevant Code:
// Convert GameLift's PEM cert/key into a .pfx container at runtime.
// gl-user-server can read the certs directory returned by GetInstanceCertificate().
string pfxPath = gameDir + "\\game_Data\\certificate.pfx";
if (!System.IO.File.Exists(pfxPath)) // certificate.pfx has not already been generated
{
    using (System.Diagnostics.Process myProcess = new System.Diagnostics.Process())
    {
        myProcess.StartInfo.UseShellExecute = false;
        myProcess.StartInfo.FileName = "C:\\....\\openssl.exe";
        // openssl pkcs12 -export bundles certificate.pem + privateKey.pem into the .pfx.
        // Note: "-passout pass:..." places the export password on the process command line.
        myProcess.StartInfo.Arguments = string.Format(
            "pkcs12 -export -out {0} -inkey {1}\\privateKey.pem -in {1}\\certificate.pem -passout pass:{2}",
            pfxPath, certsPath, certificatePassword);
        myProcess.StartInfo.CreateNoWindow = true;
        myProcess.Start();
        myProcess.WaitForExit(); // block until openssl has finished writing the .pfx
        myProcess.Close();
    }
}
This works fine because gl-user-server has all the necessary permissions to access the GameLift certs directory.
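As an added example (not code from the post above or from GameLift), the same PEM-to-PFX conversion can be done in-process, which is the "convert in memory when your game launches" route suggested earlier in the thread and avoids shipping openssl.exe and passing the export password on a command line. It assumes the .NET Standard 2.1 crypto APIs (RSA.ImportPkcs8PrivateKey / ImportRSAPrivateKey, X509Certificate2.CopyWithPrivateKey) are available in the Unity scripting runtime; the file names certificate.pem and privateKey.pem are the ones used in the post.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Assumption: .NET Standard 2.1 APIs are exposed by the Unity runtime in use.
public static class GameLiftPfx
{
    // Extract the base64 body between "-----BEGIN <label>-----" and "-----END <label>-----"
    // and decode it to DER. Returns null if that label is not present in the file.
    static byte[] PemToDer(string pem, string label)
    {
        string begin = "-----BEGIN " + label + "-----";
        string end = "-----END " + label + "-----";
        int start = pem.IndexOf(begin, StringComparison.Ordinal);
        int stop = pem.IndexOf(end, StringComparison.Ordinal);
        if (start < 0 || stop < 0) return null;
        string body = pem.Substring(start + begin.Length, stop - start - begin.Length);
        return Convert.FromBase64String(body.Replace("\r", "").Replace("\n", ""));
    }

    // Build pfxPath from certsPath\certificate.pem + certsPath\privateKey.pem
    // (certsPath comes from GetInstanceCertificate()). Returns false if the .pfx already exists.
    public static bool EnsurePfx(string certsPath, string pfxPath, string password)
    {
        if (File.Exists(pfxPath)) return false;

        byte[] certDer = PemToDer(File.ReadAllText(Path.Combine(certsPath, "certificate.pem")), "CERTIFICATE");
        if (certDer == null) throw new InvalidDataException("certificate.pem has no CERTIFICATE block");
        string keyPem = File.ReadAllText(Path.Combine(certsPath, "privateKey.pem"));

        using (var cert = new X509Certificate2(certDer))
        using (RSA rsa = RSA.Create())
        {
            // Accept both PKCS#8 ("PRIVATE KEY") and PKCS#1 ("RSA PRIVATE KEY") encodings.
            byte[] pkcs8 = PemToDer(keyPem, "PRIVATE KEY");
            if (pkcs8 != null) rsa.ImportPkcs8PrivateKey(pkcs8, out _);
            else rsa.ImportRSAPrivateKey(PemToDer(keyPem, "RSA PRIVATE KEY"), out _);

            using (X509Certificate2 withKey = cert.CopyWithPrivateKey(rsa))
            {
                // Key material and password stay inside the process: no openssl, no command line.
                File.WriteAllBytes(pfxPath, withKey.Export(X509ContentType.Pfx, password));
            }
        }
        return true;
    }
}
```

Call GameLiftPfx.EnsurePfx(certsPath, pfxPath, certificatePassword) at server start-up; each of the concurrent server processes on an instance can call it safely since it only writes when the .pfx is missing.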
@REDACTEDUSER
Hey, I'm running into a very similar problem. I'm trying to run a Fishnet unity app on a Windows Server 2021 fleet (fishnet is very similar to mirror and uses the same websocket code). I managed to get a certificate.pfx file using the approach described here (install openssl and invoke it from Unity), however when I try to connect from a webgl client, the websocket handshake fails with the following error: Create SSLStream Failed: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Security.Interface.TlsException: Handshake failed - error code: UNITYTLS_INTERNAL_ERROR, verify result: 4294936704
The error code 4294936704 doesn't help much and I couldn't find anything online that explains it. I tried with ssl protocol set to TLS in Unity, and then TLS, TLS11, TLS12, TLS13, nothing works.
Has anyone had the same problem? Any idea how to investigate it further or fix it? I am using Unity 2021.3.4
Thanks