Post

2 followers Follow
0
Avatar

Self-signed SSL certs and RStudio Server Pro/RStudio Connect

I have RStudio Server Pro, Shiny Server Pro, and RStudio Connect all installed on a RHEL6 system with nginx sitting in front and acting as a reverse proxy and all three services set to run on/answer on localhost only.

With everything configured to use unencrypted HTTP, everything works completely.

Our corporate standard is for internal facing services that need/want to use SSL to have a certificate that is signed by a self-signed certificate. I've added the cert chain to the public cert for my server, and have been able to switch everything so that all the services are available via https, and I get a green "Secure" padlock in my browser URL bar (Chrome). The one problem I have is in rstudio, when I try to set up so that I can publish to rstudio connect I get an error back when it tries to verify my URL that there is a self-signed cert in the chain. If I take out the cert chain, I get a different SSL error that it basically can't find the rest of the certs that it needs to validate the SSL connection.

 

Is there a way to get a self-signed cert accepted?

Michael Steeves

4 comments

1
Avatar

Your timing is impeccable; we just merged support for this yesterday. You can try the development version of the rsconnect package to get the new functionality, which is described here:

https://github.com/rstudio/rsconnect/pull/212

If you can't upgrade rsconnect, it is also possible to overwrite the CA bundle that the package ships as a workaround (albeit an unpleasant one).

Jonathan.

Jonathan McPherson 1 vote
Comment actions Permalink
0
Avatar

Jonathan:

Thanks for the quick response -- I've installed an updated version of the package from github, and am further along, but am still running into a problem.

I have added an entry for my rstudio server using the rsconnect::addConnectServer() function, and put in the public portion of the certs used to sign the connect server's cert into a .pem file that I point to with RSCONNECT_CA_BUNDLE, however when I try to link everything up so that I can publish from rstudio I'm getting a new error back in the rstudio console window:

Error in httpRequest(service, authInfo, "GET", path, query, headers, writer, :
argument "privateKey" is missing, with no default

Is there some other step I'm missing? Right now I'm using nginx in front of everything, and just to test I tried to have connect configured for HTTPS instead of HTTP, however I get TLS handshake errors when I try to hit the main connect landing pages. If I switch connect back to HTTP I'm able to reach the initial landing page and authenticate with no problems.

Michael Steeves 0 votes
Comment actions Permalink
1
Avatar

The 'privateKey' error is a bug (pardon our dust, you're among the first to try this out!). I've just pushed a fix, so if you download the very latest rsconnect from Github you shouldn't see that.

If that doesn't help, does it work if you add the account using the R console? You can do this with the connectUser function, i.e. rsconnect::connectUser(server = "myserver").

Jonathan McPherson 1 vote
Comment actions Permalink
0
Avatar

Jonathan:

Had to do it all from the console, but it's working and I can publish now.

Thanks for all your help on this one.

Michael Steeves 0 votes
Comment actions Permalink