New certificate files required for Usage Based Licensing (UBL) on macOS, Windows, and Linux

Announcements
1

If you do not use UBL, you are not affected by this and can stop reading now.

NOTE

If the workaround in this post does not work and you are still seeing this UBL issues, please email us to: support@awsthinkbox.zendesk.com

We would like to provide you with a change to the SSL certificates used to connect to FlexNet Operations, which may impact some Deadline 10 users.
Revenera has announced that, for FlexNet Operations, they transitioned their SSL certificates from DigiCert to Amazon-issued AWS certificates starting on February 4, 2025. This change may impact customers who connect to the compliance endpoints of the FlexNet Operations, particularly those using the Usage-Based Licensing (UBL) of Deadline 10.

Who is affected?

This change affects users using UBL on Deadline 10 Worker on macOS, Windows, and Linux. On Windows and Linux, Deadline 10 uses the operating system-level CA certificate store by default, which might not trust the new Amazon-issued certificates unless the necessary CA certificates are already installed.

What will happen to affected machines?

Job rendering using UBL will fail. You may see the following error messages in your Worker logs:

[2025-01-22 04](tel:2025012204):46:21: Licensing Error: Not enough credit for deadline-maya
[2025-01-22 04](tel:2025012204):46:21: Could not checkout UBL credits for "maya".
...
General data transfer failure. Problem with the SSL CA cert (path? access rights?)

or

General data transfer failure. SSL peer certificate or SSH remote key was not OK

If you encounter these types of errors, it indicates that the Deadline is unable to verify the certificate used by the FlexNet Operations compliance endpoints.

What are we doing?

We released a new Deadline Client patch (version 10.4.0.13) at February 3, 2025. This patch will include the CA certificate file that allows Deadline UBL to trust the updated FlexNet Operations SSL certificates after their migration. If you are affected, please either update to this latest patch version or follow the below workaround.

Workaround for existing users:

To resolve this, please install the Deadline 10.4.0.13.

  • Note 1: Although the installer window may display version 10.4.0.12, you can proceed with the installation. As long as the version is newer than 10.4.0.10, the specific version number shown is not critical.)

  • Note 2: If you need to upgrade to version 10.4 (e.g. from 10.3 to 10.4), please note that there were dependency changes made in version 10.4. Please refer to the release notes for the warnings.

Or, you can manually update the CA certificate file installed by the Deadline Client.

For macOS and Linux users:

For Option 1 or Option 2, the existing CA certificates are located in the following paths, depending on the operating system:

  • For macOS users, the file is located at: /Users/Shared/Thinkbox/Deadline10/cert/ca-certificates.crt
  • For Linux users, you will need to update the CA certificate files at the following paths: /var/lib/Thinkbox/Deadline10/cert/ca-certificates.crt

Option 1.

On the Worker machines replace this file with the updated CA certificate file, which is available for download on this announcement. ca-certificates.zip (6.1 KB)

Option 2.

  1. Visit Amazon Trust Services Repository and download all five PEM files listed under the “Root CAs” table
  2. Open the existing CA certificates file in any editor. Append the contents of the downloaded PEM files to the end of the existing content on the Worker machine. Do not delete the existing content, but rather concatenate the new PEM files after it.

Option 3 for Linux

On the Worker machines you can also set ForwarderCACertPath in deadline.ini to the system default certificate store path, which is /etc/pki/tls/certs/ca-bundle.crt for Redhat (Rocky), and /etc/ssl/certs/ca-certificates.crt for Debian (Ubuntu).

For Windows users:

  1. You will need to download the five PEM files listed under the “Root CAs” table at Amazon Trust Services Repository
  2. Install them in the Trusted Root Certification Authorities store on the Worker machines. Open the Certificates. Hover your mouse curser over the Trusted Root Certification Authorities / Certificates, right click > All Tasks > Import, and choose the PEM file you have downloaded.