Windows UAC Prevents Access to C:\GameMetadata\Certificates

I am running my fleet on WINDOWS_2012 servers.

During server setup (install.bat) I need access to C:\GameMetadata\Certificates in order to configure my servers for secure client connections.

In particular, my game was built in Unity and uses the Mirror package https://mirror-networking.com/ for networking. The Mirror SDK wants me to supply a .pfx certificate container.

So my install.bat attempts the following:

  1. Elevates the installer by running powershell as an administrator
  2. Installs OpenSSL (and its dependencies)
  3. Uses OpenSSL to generate a .pfx file from the .pem files located at
    C:\GameMetadata\Certificates

Unfortunately, the installer fails at step 3 because the .pem files (located at C:\GameMetadata\Certificates) require User Account Control (UAC) consent to access.

Is it possible for the default location of the generated certificates (.pem files) to be changed or for the UAC requirement to be removed?

Should I not be trying to access the .pem files at install time in this way?

Thanks for your consideration on this issue.

Firstly have you looked at the TLS certs GameLift now provides for secure client/server connections: https://aws.amazon.com/releasenotes/release-amazon-gamelift-on-2019-09-03/?tag=releasenotes%23keywords%23amazon-gamelift

"Enable PKI resource generation for a fleet. When this feature is turned on, GameLift generates a TLS certificate for the fleet and creates a DNS entry for each instance in the fleet. With these resources, your game can authenticate the client and server connection and encrypt all game client/server communication. This feature is particularly valuable when deploying mobile multi-player games. These services are provided through the AWS Certificate Manager (ACM) and are currently available at no additional cost. "

As to auto-elevate, see the answers here: Execute install.bat with administrator privileges

1 Like

Pip,
Thank you for responding.

Yes, I am TRYING to use the certs that GameLift provides. GetInstanceCertificate() returns the path to the cert files on the server.
For Windows this path is “C:\GameMetadata\Certificates” as mentioned in my original post.

I cannot access this location because it is protected by Windows User Account Control (UAC).

Yes, I have seen the post about auto-elevation. As described, I am using powershell in unrestricted mode and using run as administrator. (This is the recommended method according to that post.)

BUT, on Windows, being an administrator is not sufficient!! UAC requires consent in the form of a pop-up dialog box. The idea behind UAC is to require user input, so that malware cannot run as administrator and have unrestricted access to the machine.

So, how can I get access to these provided certs from install.bat when they are protected by Windows UAC?

I don’t have any direct experience of trying to access the cert materials at install time to convert them. I’ve asked the GameLift team if they have any examples.

Hopefully GameLift can provide an answer here but I would keep experimenting with how to make powershell/bat files play nicely with UAC.

There some useful looking tips here:

Maybe a hail mary, but do you need to convert via the install.bat? Can you convert in memory or similar in code when your game launches? I wonder if there are alternative paths around UAC

Can you expand on why you need to do this during install time?

The advice from the GameLift team is you should always be calling GetInstanceCertificate to get the location of the certs and not be relying on fixed cert locations (also the gameserver user has permissions to read from the locations so no access escalation is required)

There is no definitive reason why the conversion NEEDS to take place at install time, but it makes sense to do it then because the machine instance will be running multiple concurrent server executables (mutiple servers per ec2 instance). So it is redundant for each executable to do the conversion (or at least check if it has been done already).

Nonetheless, I will see if I can make progress by having my server executable launch openssl and convert the .pem files to .pfx

Are you saying that different user profiles (with different permissions) are used for running install.bat and server.exe?

I don’t have all the details (as I don’t work for GameLift directly) but I know the runtime user has permissions for these locations. What happens during install and permissions is not something I am an expert at.

I flagged your post to the GameLift team so they can look at your use case (which makes a lot of sense) and add a feature request into their backlog.

Hopefully you found a way to work around this at launch time.

Runtime success!

As mentioned above, it would be useful to be able to access the certs directory at install-time instead. Gamelift team, please consider changing this.

That said, I was able to successfully convert the .pem files to a .pfx certificate container, at runtime, by launching an openssl process from Unity.

Relevant Code:

//if (certificate.pfx has not already been generated)
{
    using (System.Diagnostics.Process myProcess = new System.Diagnostics.Process())
    {
        ....
        myProcess.StartInfo.UseShellExecute = false;
        myProcess.StartInfo.FileName = "C:\\....\\openssl.exe";
        myProcess.StartInfo.Arguments = string.Format("pkcs12 -export -out {0}\\game_Data\\certificate.pfx -inkey {1}\\privateKey.pem -in {1}\\certificate.pem -passout pass:{2}", gameDir, certsPath, certificatePassword);
        myProcess.StartInfo.CreateNoWindow = true;
        ....
        myProcess.Start();
        ....
        myProcess.WaitForExit();
        ....
        myProcess.Close();
        ....
    }
}

This works fine because gl-user-server has all the neccessary permissions to access the gamelift certs directory.

@Pip Thanks for your help!