Before I go further, I have tried the following fixes from searching the forums and online:
Setting an environment variable to tell Node.JS to allow all SSL certs
Adding our Firewall (Fortigate) SSL certs into .pem format and creating the upmconfig.toml file to point to it in ProgramData
We’ve added affected machines into a firewall bypass group so that no traffic is even looked at, let alone inspected.
Added a plethora of Unity sub/domains and IPs to a UnityBypass rule on our firewall.
I work at a college and we have roughly 120 Win11 PCs for our Games Dev. students - we’re currently affected by an issue where some PCs cannot sign into Unity Hub. When they press SIGN IN, and are redirected to log in, Unity Hub spits back an error “Something went wrong. Please sign in again.”
The info-log file shows the same error on all the machines that fail. I have attached this to the post. The error always comes back showing that authentication couldn’t be carried out, and code: ‘UNABLE_TO_VERIFY_LEAF_SIGNATURE’.
The issue is that it is affecting machines at random. Last night we re-imaged an entire room back to the stock Games Dev. image and when we went in first thing this morning (every machine has been untouched since the image completed over-night) 5 machines have been able to log in to Unity Hub, and 3 machines haven’t. The 3 machines all have the same error message and their info-log files all look identical.
Initially I believed it was an issue with our firewall, but having added the machines that don’t work to a firewall bypass rule and them still not working makes me believe this is not a certificate issue at all.
I’m all out of ideas and could really use a hand.
TLDR - Random chance on Sign In to have code: ‘UNABLE_TO_VERIFY_LEAF_SIGNATURE’ error message and fail signing in.
Thanks for pointing me to this judesidloski - I carried out steps 1&2, ignored 3&4, and 5 is actioned as our SSL cert is installed on the machines.
I cleared appdata of Unity/UnityHub temp files, and relaunched. I got the same error message on the Hub splash screen, and checking the logs there does appear to be some differences between yesterday’s log file and today’s, however the thorn of the first certificate error is still stuck in my side.
{"timestamp":"2023-12-15T08:36:25.841Z","level":"warn","moduleName":"CloudConfig","message":"[ 'Failed to refresh data from https://public-cdn.cloud.unity3d.com/config/production. Fallback to default data. Reason: unable to verify the first certificate' ]"}
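The "unable to verify the first certificate" text in the log line above and the UNABLE_TO_VERIFY_LEAF_SIGNATURE code seen at sign-in are the same verification failure: the first is the OpenSSL message, the second is the Node.js error code for it. The following is an added example, not part of the original posts and not Unity's code, that groups such failures in Hub-style JSON log lines by host so logs from working and failing machines can be compared. The sample log is constructed; the `AuthService` module name and the `login.example.test` host are assumptions for illustration.

```javascript
// Added example, not Unity's code. Maps the OpenSSL verify message that appears
// in the log text to the Node.js error code reported at sign-in.
const REASON_TO_CODE = {
  'unable to verify the first certificate': 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'unable to get local issuer certificate': 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'self signed certificate in certificate chain': 'SELF_SIGNED_CERT_IN_CHAIN',
  'self-signed certificate in certificate chain': 'SELF_SIGNED_CERT_IN_CHAIN',
  'certificate has expired': 'CERT_HAS_EXPIRED',
};

// Returns one row per (host, code), most frequent first.
function triageTlsFailures(logText) {
  const rows = new Map();
  for (const line of logText.split(/\r?\n/)) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // blank or non-JSON line
    const msg = String(entry?.message ?? '');
    const reason = Object.keys(REASON_TO_CODE).find((r) => msg.toLowerCase().includes(r));
    if (!reason) continue; // not a certificate verification failure
    let host = '(no URL in message)';
    const url = msg.match(/https?:\/\/[^\s'"\]]+/);
    if (url) {
      try { host = new URL(url[0]).hostname; } catch { /* keep placeholder */ }
    }
    const code = REASON_TO_CODE[reason];
    const key = `${host}|${code}`;
    const row = rows.get(key) ?? { host, code, count: 0, modules: [], firstSeen: entry.timestamp };
    row.count += 1;
    if (entry.moduleName && !row.modules.includes(entry.moduleName)) row.modules.push(entry.moduleName);
    row.lastSeen = entry.timestamp;
    rows.set(key, row);
  }
  return [...rows.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample: the first entry follows the line quoted in the post; the
// rest (AuthService, login.example.test, timestamps) are made up for illustration.
const cdnMsg = "[ 'Failed to refresh data from https://public-cdn.cloud.unity3d.com/config/production. " +
  "Fallback to default data. Reason: unable to verify the first certificate' ]";
const SAMPLE_LOG = [
  JSON.stringify({ timestamp: '2023-12-15T08:36:25.841Z', level: 'warn', moduleName: 'CloudConfig', message: cdnMsg }),
  JSON.stringify({ timestamp: '2023-12-15T08:36:26.102Z', level: 'info', moduleName: 'Main', message: 'Window ready' }),
  'not a json line',
  JSON.stringify({ timestamp: '2023-12-15T08:41:03.550Z', level: 'warn', moduleName: 'CloudConfig', message: cdnMsg }),
  JSON.stringify({ timestamp: '2023-12-15T08:41:09.917Z', level: 'error', moduleName: 'AuthService',
    message: 'POST https://login.example.test/token failed: unable to verify the first certificate' }),
].join('\n');

console.table(triageTlsFailures(SAMPLE_LOG));
```

Running the same function over the info-log of a machine that signs in and one that does not shows whether the failing hosts or error codes differ between them.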
NodeJS apps don’t read self-signed CA certs from the system by default. You may have installed it at the system, but node is not picking it up. I’m not sure about how many different ways there are to install a cert and which methods actually boil down to the same thing. If possible try using snap-in method because that is the method we have tested on and definitely support. Hopefully that works and we can still get details about your preferred approach and work towards expanding our support in the future.
I followed the steps outlined in your reply - however I already see the certificates in both My user account, and also Local Computer area.
Some further info - I logged in the morning to the test PC I’ve been using for this issue, launched the Hub and to my surprise, when I tried to sign in, I was able to do so first time with no problem. This annoyed me considerably as I hadn’t made any changes since Friday night, when it wasn’t working still.
I asked my colleague to log in to the machine (both have logged in with admin accounts so there are no permission issues) and then to log in to the Hub, and he got the same error that I had - and the log shows the same error regarding the Leaf Certificate/First Certificate.
The issue seems to be transient from one user account to another. It can work for 1 person on the machine, then if another logs into that PC it won’t work for them.
Even if it worked for the first person on 1 machine, they can then go and log into another machine and it won’t work for them on that one.
It’s like a constant game of whack-a-mole, and no matter what changes I try to make on a PC they don’t seem to work consistently or even with any rhyme or reason.
Multi-user Windows setups are unfortunately basically unsupported right now. So there could be any number of issues switching users on the machine.
If it is working for you now that is great. It is frustrating that we don’t know the cause – maybe a restart?
If it stops working again let me know. For your colleagues let them know to take the same steps, and if you are sharing machines it seems likely that the cert installation step would need to be repeated for each user. But again I hear you that we may not understand this issue.
That’s really unfortunate to hear, as we run Unity exclusively as multi-user setup as the PCs are in a classroom and they have many classes in there.
It’s not great, it’s the opposite of great as there were no changes made to the machine prior to it working, and it had been powered off and on multiple times over the course of the 2 weeks I’ve been deep testing with it.
I didn’t change the cert installation step, I went to follow the steps but the cert already existed in the location mentioned, which means it must have already been in there all of the time that I’ve been testing with this machine.
Surely if it works for 1 person it should work for all?
If that process is too slow you may be able to get unblocked by just installing and using the editors without hub.
Let me know if I have any false assumption or misunderstanding here:
I think that for a machine that has just successfully signed in if you don’t switch windows accounts you will be able to sign out and back in to any unity ID.
For a machine that has just been unsuccessful it will be the same in reverse. (no unity id will work)
The issue is coming at the Windows user level, meaning that the issue occurs when you are switching between Windows accounts, right?
I agree that if it works for one unity id it should work for all.
I don’t agree that for windows users it should work for all since it will depend on how unity hub was installed, how the proxy is configured for each user, how the certs are installed for each user.
All that said, it could also be a bug.
For the machine with the two admin accounts where one can sign in and one can’t, did you install the cert on both Windows accounts? If so I will file a bug for this and we will try to reproduce it.
Thank you for this - I have gone through this process and acquired seats for our college. I will create a new image in the new year when we return and use this method on 3.5.0 and bypass the log in for students.
Do you know if I can enter this serial on the source PC, capture & deploy it to all the machines, and it will work correctly?
As for the test machine, yes, I did follow the steps identically for the cert, even though I could already see them in the location mentioned.
I did it for both admin accounts, even though they were present already I copied them over to just make sure.
I’m not sure how the license provisioning for EGL works to be honest… If it is one serial or one per user, etc. But if there is just one serial then the generated .ulf file will be the same and you can copy it instead of activating it.