
UE4 Windows clients fail TLS validation against brainCloud (fix via bundled cacert.pem)

Fix TLS validation failures in UE4 Windows builds by bundling cacert.pem.

Written by Jason Liang
Updated today

Problem

Some Windows players (especially on Windows 10) were unable to connect to brainCloud from Unreal Engine 4 games, even though servers and other platforms appeared healthy. Affected users would see generic "cannot connect" or "lost connection" style errors at the start of the game and could not progress past the title screen.

The underlying issue was that certain Windows machines did not have a valid set of root CA certificates in the Windows certificate store, so TLS validation for the brainCloud endpoint failed. Because UE4's HTTP stack (FHttpCurl) uses system certificates by default, these machines could not complete the HTTPS handshake.

Root Cause Details

On problematic machines:

  • The Windows Certificate Manager showed missing or inconsistent trusted root CAs compared to healthy machines.

  • In at least one case, a GoDaddy root certificate (G2) was missing from "Trusted Root Certification Authorities" and appeared only under "Intermediate/Third-Party Root Certification Authorities".

  • Removing the GoDaddy G2 cert and relying on the system store alone reproduced the failure.

Since brainCloud periodically rotates its server certificates (at least annually), long-term stability cannot rely on a specific leaf certificate. Clients should trust a stable set of root certificates that can validate whatever chain brainCloud presents.

High-Level Solution

Unreal Engine allows projects to ship their own CA bundle (cacert.pem) and configure FHttpCurl to validate peers against that bundle instead of the Windows store. By bundling an up-to-date cacert.pem with the game and enabling peer verification, UE4 can perform TLS validation even when the Windows store is incomplete or misconfigured.

In testing:

  • Bundling a modern cacert.pem with the UE4 Windows build allowed previously failing machines to connect successfully to brainCloud.

  • After one successful run, Windows appeared to cache the necessary certificates. In some cases the game continued to work even after removing the local cacert.pem.

  • Rolling this into a Steam build resolved connection issues for live users on both Pool and Snooker titles.

Step-by-Step Implementation (UE4, Windows)

1. Download a Current CA Bundle

Download the latest CA bundle from: https://curl.se/ca/cacert.pem and save it as cacert.pem on your development machine.

This file contains root CA certificates (trust anchors) suitable for verifying HTTPS endpoints, including brainCloud. Because it holds roots rather than leaf certificates, you should not need to update it frequently when brainCloud rotates its leaf certificates.

2. Add cacert.pem to Your UE4 Project

In your UE4 project, create the folder Content/Certificates if it does not already exist, then copy cacert.pem into that folder. You can place this at the project level (recommended) or at the engine level for broader coverage.

3. Configure UE4 to Use the Bundled Certificate File

Open Config/Windows/WindowsEngine.ini and add the following:

[/Script/Engine.NetworkSettings]
n.VerifyPeer=true

This tells UE4 to look in Content/Certificates for a cacert.pem file and package it with the game. FHttpCurl will use this file for peer verification instead of relying solely on the Windows certificate store. Using WindowsEngine.ini (rather than DefaultEngine.ini) limits the behavior to Windows builds only.

4. Build and Deploy

Package a new Windows build with the updated config and cacert.pem in place. Deploy to your test environment or Steam beta branch, then test on machines that previously failed to connect to brainCloud.

Once the updated build was installed, machines that had previously failed were able to connect. The fix was confirmed by live player reports for both titles after rollout.
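A pre-packaging check for steps 2 and 3, plus a handshake test that trusts only the bundled file; this is an added example, not brainCloud or Epic code. The host passed to bundle_alone_validates is whichever brainCloud endpoint your title uses (the article does not name it), and treating a later n.VerifyPeer assignment as overriding an earlier one is an assumption.

```python
import re, socket, ssl
from pathlib import Path

BUNDLE = Path("Content/Certificates/cacert.pem")
INI = Path("Config/Windows/WindowsEngine.ini")
SECTION = "/Script/Engine.NetworkSettings"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def count_certs(pem_text):
    """Count CERTIFICATE blocks; refuse a bundle that carries private key material."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("bundle contains a private key")
    blocks = PEM_BLOCK.findall(pem_text)
    for block in blocks:
        ssl.PEM_cert_to_DER_cert(block)  # ValueError on a mis-padded (e.g. truncated) body
    return len(blocks)

def verify_peer_enabled(ini_text):
    """True if n.VerifyPeer=true is set under [/Script/Engine.NetworkSettings]."""
    section, enabled = None, False
    for line in (raw.strip() for raw in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == SECTION and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "n.VerifyPeer":
                enabled = value.lower() == "true"  # assumption: a later assignment overrides
    return enabled

def check_project(root):
    """Return a list of problems; an empty list means both files are in place."""
    problems, bundle, ini = [], Path(root) / BUNDLE, Path(root) / INI
    try:
        if count_certs(bundle.read_text(encoding="ascii", errors="replace")) == 0:
            problems.append("cacert.pem holds no certificates")
    except (OSError, ValueError) as exc:
        problems.append(f"cacert.pem unusable: {exc}")
    if not (ini.is_file() and verify_peer_enabled(ini.read_text(errors="replace"))):
        problems.append("n.VerifyPeer=true missing from WindowsEngine.ini")
    return problems

def bundle_alone_validates(host, bundle_path, port=443):
    """Handshake trusting only the bundle, as a client with an empty system store would."""
    ctx = ssl.create_default_context(cafile=str(bundle_path))  # system store is not loaded
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False
```

Call check_project on the project root in the packaging job and fail the build if the list is non-empty. bundle_alone_validates needs network access and shows, from a healthy build machine, whether the bundled roots by themselves validate the endpoint's chain.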

Considerations and Caveats

  • Certificate rotation: brainCloud server certs are renewed regularly (at least yearly), but the root CA typically stays stable. Bundling root CAs via cacert.pem should remain valid across rotations.

  • OS caching: After a successful connection using the bundled cert, Windows may cache the required certificates. Subsequent connections may succeed even if the file is later removed, but do not rely on this as a primary strategy.

  • Engine-specific behavior: This applies to UE4's FHttpCurl, which loads certificates from Content/Certificates when n.VerifyPeer=true is set. Other engines use different mechanisms.

  • Platform scope: This fix is only needed for Windows builds. Other platforms (iOS, Android, PlayStation, Xbox) are generally unaffected.

Quick Reference

If your UE4 Windows players intermittently fail to connect to brainCloud due to certificate issues:

  1. Place a current cacert.pem in Content/Certificates in your project.

  2. Add n.VerifyPeer=true under [/Script/Engine.NetworkSettings] in Config/Windows/WindowsEngine.ini.

  3. Rebuild and ship a new Windows build via Steam.

This ensures your UE4 game uses a known-good CA bundle for TLS validation against brainCloud, mitigating issues caused by broken or outdated Windows certificate stores on player machines.
