Timeout trying to connect to RealTime server with certificate generation enabled

What else must be done to get WSS working? I’ve enabled certificate generation on the fleet, but I can’t seem to open a connection. Any insight into what I might be missing?

Here are the server logs as it starts up:

[INFO] (rt-logger.js) 59: Game session (PID: 13531) configured with logger: {"logDirPath":"/local/game/logs/13531","logLevelFilter":"*.info","filename":"server.log"}
[INFO] (index.js) 123: Game server was constructed with {"test_dist":false,"script":"../../../local/game/etag-005d5904bf82113cb0e612377793a8ab/src/server.js","port":1900,"end":2000,"udp_port":33400,"udp_port_end":33500,"devargs":"dev","enable_security":true}
[INFO] (gamelift.js) 195: Starting GameLift Realtime server process. PID: 13531...
[INFO] (gamelift.js) 200: Calling GameLiftServerAPI.SdkVersion...
[INFO] (gamelift.js) 205: GameLiftServerAPI.SdkVersion succeeded with result: 3.3.0
[INFO] (gamelift.js) 208: Calling GameLiftServerAPI.InitSDK...
[INFO] (gamelift.js) 213: GameLiftServerAPI.InitSDK succeeded
[INFO] (gamelift.js) 216: Waiting for Realtime server to start...
[INFO] (index.js) 149: Loading game server script at path: /local/game/etag-005d5904bf82113cb0e612377793a8ab/src/server.js
[INFO] (index.js) 177: Fetching credentials to establish secure connections...
[INFO] (gamelift.js) 170: Calling GameLiftServerAPI.GetInstanceCertificate
[INFO] (gamelift.js) 175: GameLiftServerAPI.DescribePlayerSessions succeeded with optional result: [object Object]
[INFO] (index.js) 185: Credential paths fetched: {"CertificatePath":"/local/gamemetadata/certificates/certificate.pem","PrivateKeyPath":"/local/gamemetadata/certificates/privateKey.pem","CertificateChainPath":"/local/gamemetadata/certificates/certificateChain.pem","HostName":"u2fp3zjxdovmooutoxufgldo641gkzfay986yrvaejfoyq5fsmv3w04sl24cfqd.whji3yx30fjwq55416k67pyobo9oi02c.us-west-2.amazongamelift.com","RootCertificatePath":"/local/gamemetadata/certificates/rootCertificate.pem"}
[INFO] (index.js) 202: Parsed credentials signed for hostname: u2fp3zjxdovmooutoxufgldo641gkzfay986yrvaejfoyq5fsmv3w04sl24cfqd.whji3yx30fjwq55416k67pyobo9oi02c.us-west-2.amazongamelift.com
[INFO] (index.js) 209: Initializing Realtime server event handlers...
[INFO] (dtls.js) 32: Creating DTLS server...
[INFO] (ws.js) 47: Creating WebSocket server over HTTPS...
[INFO] (ws.js) 64: Available cipher suite on host: aes128-gcm-sha256,aes128-sha,aes128-sha256,aes256-gcm-sha384,aes256-sha,aes256-sha256,dhe-psk-aes128-cbc-sha,dhe-psk-aes128-cbc-sha256,dhe-psk-aes128-gcm-sha256,dhe-psk-aes256-cbc-sha,dhe-psk-aes256-cbc-sha384,dhe-psk-aes256-gcm-sha384,dhe-psk-chacha20-poly1305,dhe-rsa-aes128-gcm-sha256,dhe-rsa-aes128-sha,dhe-rsa-aes128-sha256,dhe-rsa-aes256-gcm-sha384,dhe-rsa-aes256-sha,dhe-rsa-aes256-sha256,dhe-rsa-chacha20-poly1305,ecdhe-ecdsa-aes128-gcm-sha256,ecdhe-ecdsa-aes128-sha,ecdhe-ecdsa-aes128-sha256,ecdhe-ecdsa-aes256-gcm-sha384,ecdhe-ecdsa-aes256-sha,ecdhe-ecdsa-aes256-sha384,ecdhe-ecdsa-chacha20-poly1305,ecdhe-psk-aes128-cbc-sha,ecdhe-psk-aes128-cbc-sha256,ecdhe-psk-aes256-cbc-sha,ecdhe-psk-aes256-cbc-sha384,ecdhe-psk-chacha20-poly1305,ecdhe-rsa-aes128-gcm-sha256,ecdhe-rsa-aes128-sha,ecdhe-rsa-aes128-sha256,ecdhe-rsa-aes256-gcm-sha384,ecdhe-rsa-aes256-sha,ecdhe-rsa-aes256-sha384,ecdhe-rsa-chacha20-poly1305,psk-aes128-cbc-sha,psk-aes128-cbc-sha256,psk-aes128-gcm-sha256,psk-aes256-cbc-sha,psk-aes256-cbc-sha384,psk-aes256-gcm-sha384,psk-chacha20-poly1305,rsa-psk-aes128-cbc-sha,rsa-psk-aes128-cbc-sha256,rsa-psk-aes128-gcm-sha256,rsa-psk-aes256-cbc-sha,rsa-psk-aes256-cbc-sha384,rsa-psk-aes256-gcm-sha384,rsa-psk-chacha20-poly1305,srp-aes-128-cbc-sha,srp-aes-256-cbc-sha,srp-rsa-aes-128-cbc-sha,srp-rsa-aes-256-cbc-sha
[INFO] (ws.js) 89: Using secure options for websocket: {"ciphers":"TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384","minVersion":"TLSv1.2","dhparam":"2048"}
[INFO] (index.js) 223: Initializing UDP connector...
[INFO] (index.js) 129: Attempting to open port 33400...
[INFO] (dtls.js) 56: DTLS server listening on 0.0.0.0:33400
[INFO] (index.js) 229: Initializing TCP connector...
[INFO] (index.js) 129: Attempting to open port 1900...
[INFO] (ws.js) 163: HTTP/S server listening on port: 1900
[INFO] (server.js) 605: Ready to host games...
[INFO] (index.js) 241: onProcessStarted success. Process ready for games.
[INFO] (index.js) 261: Game session initialized with port: 1900
[INFO] (gamelift.js) 223: Realtime server started! Calling GameLiftServerAPI.ProcessReady with processParameters: {"Port":1900,"LogParameters":{"LogPaths":["/local/game/logs/13531"]}}
[INFO] (gamelift.js) 229: Process advertised to AuxProxy! GameLiftServerAPI.ProcessReady succeeded
[INFO] (gamelift.js) 231: GameLift Realtime server process started successfully.

Edit:

The GameLift service is also continuously complaining about this fleet:

SERVER_PROCESS_SDK_INITIALIZATION_TIMEOUT
Server process started correctly but did not call InitSDK() within 5 minutes, launchPath(/local/NodeJS/bin/node), arguments(-- /local/game/src/gamelift.js --enable-security --script ../../../local/game/etag-005d5904bf82113cb0e612377793a8ab/src/server.js --devargs "dev"), instanceId(i-09f6e5e76f757c572)

Edit:

Connecting to an instance without certificate generation enabled:

$ telnet 35.166.244.249 1901
Trying 35.166.244.249...
Connected to ec2-35-166-244-249.us-west-2.compute.amazonaws.com.
Escape character is '^]'.

Trying to connect to an instance with certificate generation enabled:

$ telnet 34.223.223.14 1900
Trying 34.223.223.14...

I can, however, connect to the secure fleet from another fleet:

[gl-user-remote@ip-10-172-206-82 ~]$ telnet 34.223.223.14 1900
Trying 34.223.223.14...
Connected to 34.223.223.14.
Escape character is '^]'.

Do I need to configure some security groups or something with the secure fleet?

I am sorry you are having problems with this.

I’m going to let the GameLift team know, to see if they have any further insight.

I would, though:

  • Make sure your Client side SDK is up-to-date to support secure fleets as I believe there is some handshake code required

The bigger worry is this warning:

Server process started correctly but did not call InitSDK() within 5 minutes, launchPath(/local/NodeJS/bin/node), arguments(-- /local/game/src/gamelift.js --enable-security --script ../../../local/game/etag-005d5904bf82113cb0e612377793a8ab/src/server.js --devargs "dev"), instanceId(i-09f6e5e76f757c572)

This means that GameLift will probably terminate your instances; this looks like you have a bug in your server script causing it to fail. This may be the reason you can’t connect to your secure fleet.

I would:

  • Double check the documentation
  • Lint/validate your scripts
  • Simplify your script until you have a working fleet and then add in your logic in small sections.

Any new information on this? We have a functional fleet without certificate generation enabled.

I tried launching a secure fleet with a minimal, functional script. I’ve even attempted it with this example script from the Realtime docs – just to see:

/*
* All or portions of this file Copyright (c) Amazon.com, Inc. or its affiliates or
* its licensors.
*
* All use of this software is governed by the terms and conditions governing AWS
* Content in the AWS Customer Agreement at aws.amazon.com/agreement. Do not
* remove or modify any license notices. This file is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
*/

// Example minimal server file with no overridden callbacks or configuration

var gameSession;

// Called when game server is initialized, is passed server object of current session
function init(session) {
    gameSession = session;
}

exports.ssExports = {
    init: init
};

Unfortunately, the server does not respond and any connection attempt times out.

As I said previously, I am able to establish a connection from one fleet instance to another fleet instance. So, something is working in that regard. That’s why I asked about security groups.

We may need to set up a proxy server as a workaround for this issue, but I was hoping all the GameLift certificate generation / SSL bits would just work.

Looking forward to any insight on this issue, thanks!
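
An added example, not part of the original thread or of GameLift's code: a Python probe that separates the symptoms reported above, namely a TCP connect that hangs (the external telnet to port 1900), a refused connection, and a TLS handshake that fails after TCP has connected. The function name, result labels and their readings are assumptions of this example; `tls_name` should be the hostname the server log says the credentials were signed for, since verifying against a bare IP address would not match that certificate.

```python
import socket
import ssl
import sys

# Result labels and their readings are this example's own, not GameLift terms.
MEANING = {
    "filtered": "no reply to the TCP connect; packets are likely dropped before the listener",
    "refused": "host reachable, nothing listening on that port",
    "unreachable": "name resolution or routing failed",
    "tcp-open": "TCP connects; TLS was not attempted",
    "tls-failed": "TCP connects, but the TLS handshake or certificate check failed",
    "tls-ok": "TLS 1.2+ handshake completed and the certificate matched tls_name",
}

def probe(host, port, tls_name=None, timeout=3.0):
    """Report how far a connection to host:port gets, as a key of MEANING."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"      # the external telnet that hangs at "Trying ..."
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        if tls_name is None:
            return "tcp-open"  # the telnet session that prints "Connected to ..."
        ctx = ssl.create_default_context()            # verifies chain and hostname
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor as the server's minVersion
        try:
            with ctx.wrap_socket(sock, server_hostname=tls_name):
                return "tls-ok"
        except OSError:        # covers ssl.SSLError and handshake timeouts
            return "tls-failed"

if __name__ == "__main__":
    # Usage: probe.py HOST PORT [CERT_HOSTNAME]
    host, port = sys.argv[1], int(sys.argv[2])
    name = sys.argv[3] if len(sys.argv) > 3 else None
    result = probe(host, port, tls_name=name)
    print(f"{host}:{port} -> {result}: {MEANING[result]}")
```

Running it from both vantage points in the thread (an outside client and another fleet instance) shows whether the two differ at the TCP layer or only at the TLS layer.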