
Publishing to an RStudio Connect Server with a Self-Signed SSL Certificate


Overview

When publishing to RStudio Connect with SSL, errors may occur when using self-signed SSL certificates. You may see an error that looks like one of the following in the Deploy pane or log:

Peer certificate cannot be authenticated with known CA certificates

The URL does not appear to belong to a valid server

This error message is received when using an untrusted self-signed SSL certificate.  To resolve the error, the certificate must be trusted by the system you're attempting to publish from. 

Adding the self-signed SSL certificate to your publishing host: 

For rsconnect version 0.8.8 and higher:

Linux Instructions (Publishing from RStudio Server Pro)

You must add the certificate from your RStudio Connect server to the existing default Trusted Root Certification Authorities bundle used by the rsconnect package on your RStudio Server.

For example:

On CentOS, to add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate to one of the following directories:

/etc/pki/ca-trust/source/anchors/ (trust settings are interpreted with a high priority)
/usr/share/pki/ca-trust-source/ (trust settings are interpreted with a low priority – may be overridden by other system settings)

Then run the following command:

update-ca-trust extract

Note that if your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), or is a bundle file with multiple certificates, then place it into the main source/ directory instead.

 

Linux/Windows/Mac Instructions (Publishing from RStudio IDE)

1. Retrieve the self-signed certificate in use on the Connect server and save it.

For example, to obtain the certificate from within R:

system("echo | openssl s_client -connect yourdomain.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'")


Note: You will need to change yourdomain.com:443 to your domain and SSL port.

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

2. Copy the full certificate, including the BEGIN and END markers, and save it to a central location for yourself or your users. For example: /shared/connect.pem

3. Create a new server connection to your self-signed Connect server, referencing the cert you saved:

rsconnect::addConnectServer(url = "https://server.com", name = "test server", certificate = "/shared/connect.pem")

4. Complete the connection:

rsconnect::connectUser('your-username', 'test server')

5. After these setup steps, you should be able to publish using the Publish button without any further steps.

  

For rsconnect version 0.8.5 and below:

To check, execute: packageVersion("rsconnect")

You'll first need the certificate for your RStudio Connect server in PEM format. You'll then append this to the existing CA certificate bundle for rsconnect on your RStudio Server.

Note that if multiple users wish to publish to RStudio Connect, this must be set for all copies of the rsconnect package that will be used - if users have rsconnect installed in their local package libraries, each user will need to follow these steps for their particular installation of rsconnect.

On Linux, the 'openssl' tool is one way to extract the cert for a particular server.  From within R:

system("echo | openssl s_client -connect yourdomain.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'")

Note:  You will need to change yourdomain.com:443 to your domain and SSL port.

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers. 

To trust the certificate, copy the full certificate, including the BEGIN and END markers, and append it to your ca-bundle for rsconnect on your RStudio Server host.

    • Locate the cacert.pem file in the rsconnect library folder on your RStudio Server host.  For example:

~/R/x86_64-redhat-linux-gnu-library/3.3/rsconnect/cert/cacert.pem

    • Open the cacert.pem file, and append the certificate from the RStudio Connect server to the end of it.

For example, copy the certificate text from the Console into cacert.pem.
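The openssl s_client capture above is not authenticated, so whatever certificate the network returns is the one that ends up trusted. The following is an added example, not part of the original article or the rsconnect package: a POSIX shell helper that appends a captured certificate to a CA bundle such as cacert.pem only when its SHA-256 fingerprint matches a value obtained from the Connect administrator. The function names are hypothetical, and base64 and sha256sum from coreutils are assumed to be available.

```shell
#!/bin/sh
# Added example: pin-check a captured certificate before trusting it.
# File paths and the expected fingerprint are placeholders you supply.

# bodies FILE: print one line per PEM certificate in FILE, holding its
# base64 body with line breaks removed.
bodies() {
    awk '/-----END CERTIFICATE-----/ { if (on) print body; on = 0 }
         on { gsub(/[ \r]/, ""); body = body $0 }
         /-----BEGIN CERTIFICATE-----/ { on = 1; body = "" }' "$1"
}

# cert_sha256 FILE: lowercase hex SHA-256 of the DER bytes of the first
# certificate, the same digest `openssl x509 -noout -fingerprint -sha256`
# reports (openssl prints it in upper case with colons).
cert_sha256() {
    bodies "$1" | head -n 1 | base64 -d | sha256sum | cut -d' ' -f1
}

# normalize_fp TEXT: accept "AB:CD:..." or a whole "...Fingerprint=AB:CD" line.
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# trust_cert PEM EXPECTED_FP BUNDLE: append the certificate in PEM to BUNDLE
# only when its fingerprint equals EXPECTED_FP. Returns non-zero otherwise.
trust_cert() {
    pem=$1; want=$(normalize_fp "$2"); bundle=$3
    if [ "$(bodies "$pem" | wc -l | tr -d ' ')" != 1 ]; then
        echo "expected exactly one certificate in $pem" >&2
        return 1
    fi
    got=$(cert_sha256 "$pem")
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: $pem has $got" >&2
        return 1
    fi
    # Idempotent: leave the bundle alone if this certificate is already in it.
    if bodies "$bundle" | grep -qxF -- "$(bodies "$pem")"; then
        return 0
    fi
    cp "$bundle" "$bundle.bak"      # keep a copy to roll back to
    { echo; sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$pem"; } >> "$bundle"
}
# Usage: trust_cert /shared/connect.pem "<fingerprint from admin>" <path to cacert.pem>
```

The expected fingerprint should reach you separately from the capture, for example computed by the administrator on the Connect server from the file named in the "Certificate = " directive.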

Other Operating Systems: 

For Windows and Mac, the process is similar.  Obtain the certificate from your system administrator or browser, and add it into the cacert.pem file stored in the cert folder within the rsconnect library.

The system administrator can obtain the certificate by viewing the certificate specified in the configuration directive "Certificate = ", in the file located at  /etc/rstudio-connect/rstudio-connect.gcfg

 

 
