Publishing to a Posit (formerly RStudio) Connect Server with a Self-Signed or Untrusted SSL Certificate


Overview

When publishing to Posit Connect with SSL, errors may occur when using SSL certificates that are self-signed or otherwise not trusted by the machine you are deploying from. You may see an error that looks like one of the following in the Deploy pane or log:

Peer certificate cannot be authenticated with known CA certificates

The URL does not appear to belong to a valid server

Peer's certificate issuer has been marked as not trusted by the user

This error message is received when using an untrusted SSL certificate on the Posit Connect server.  To resolve the error, the certificate must be trusted by the system you're attempting to publish from. 

Adding the SSL certificate to your publishing host: 

For rsconnect version 0.8.8 and higher:

Linux Instructions (Publishing from Posit (formerly RStudio) Workbench)

You must add the certificate from your Posit Connect server to the existing default Trusted Root Certification Authorities bundle used by the rsconnect package on your Posit Workbench.

For example:

On CentOS, to add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate to one of the following directories:

/etc/pki/ca-trust/source/anchors/ (trust settings are interpreted with a high priority)
/usr/share/pki/ca-trust-source/ (trust settings are interpreted with a low priority – may be overridden by other system settings)

Then run the following command:

update-ca-trust extract

Note that if your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), or is a bundle file with multiple certificates, then place it into the main source/ directory instead.

 

Linux/Windows/Mac Instructions (Publishing from RStudio IDE)

 

1.  Retrieve your self-signed certificate in use on the Connect server and save it.  

For example, to obtain the certificate from within R:

system("echo | openssl s_client -connect yourdomain.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'")


Note: You will need to change yourdomain.com:443 to your domain and SSL port.

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

2. Copy the full certificate, including the BEGIN and END markers, and save to a central location for yourself or your users. In this example, we use /shared/connect.pem, but any location will work as long as all of your users can access the file.

In RStudio 1.2+, a new option exists to allow you to add a CA cert via the publishing options pane:


You can select the option to Use custom CA bundle, then browse to the certificate saved.  Once complete, you should be able to publish.

Alternatively, on versions prior to 1.2 please continue to step 3:

3.  Create a new server connection to your self-signed Connect server, referencing the cert you saved:

rsconnect::addConnectServer(url = "https://server.com", name = "test server", certificate = "/shared/connect.pem")

4. Complete the connection:

rsconnect::connectUser('your-username', 'test server')

5. After these setup steps, you should be able to publish using the Publish button without any further steps.

  

For rsconnect version 0.8.5 and below:

To check which version of rsconnect is installed, execute: packageVersion("rsconnect")

You'll first need the certificate for your Posit Connect server in PEM format. You'll then append this to the existing CA certificate bundle for rsconnect on your Posit Workbench.

Note that if multiple users wish to publish to Connect, this must be set for all copies of the rsconnect package that will be used - if users have rsconnect installed in their local package libraries, each user will need to follow these steps for their particular installation of rsconnect.

On Linux, the 'openssl' tool is one way to extract the cert for a particular server.  From within R:

system("echo | openssl s_client -connect yourdomain.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'")

Note:  You will need to change yourdomain.com:443 to your domain and SSL port.

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers. 

To trust the certificate, copy the full certificate, including the BEGIN and END markers, and append it to your ca-bundle for rsconnect on your Workbench host.

    • Locate the cacert.pem file in the rsconnect library folder on your Workbench host.  For example:

~/R/x86_64-redhat-linux-gnu-library/3.3/rsconnect/cert/cacert.pem

    • Open the cacert.pem file, and append the certificate from the Connect server to the end of it.

For example, copy the certificate text from the Console into cacert.pem.

Other Operating Systems: 

For Windows and Mac, the process is similar.  Obtain the certificate from your system administrator or browser, and add it into the cacert.pem file stored in the cert folder within the rsconnect library.

The system administrator can obtain the certificate by viewing the certificate specified in the configuration directive "Certificate = ", in the file located at  /etc/rstudio-connect/rstudio-connect.gcfg
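Both procedures above trust whatever certificate the network returned when openssl s_client ran, so it is worth comparing its SHA-256 fingerprint with one the administrator reads from the server's certificate file before saving it to /shared/connect.pem or appending it to cacert.pem. The shell functions below are an added example, not part of the original article or Posit's tooling; they check that fingerprint and then append the certificate only once. The names pem_body, pem_sha256 and trust_if_pinned are hypothetical, and base64 and sha256sum from GNU coreutils are assumed.

```shell
#!/bin/sh
# Added example, not Posit's code. pem_body, pem_sha256 and trust_if_pinned are
# hypothetical helper names. Assumes base64 and sha256sum (GNU coreutils).
# Typical use, after saving the s_client output shown on this page to fetched.pem:
#   trust_if_pinned fetched.pem "<fingerprint from the admin>" /shared/connect.pem

# Base64 body of the certificate block in file $1, joined into one line.
pem_body() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
    grep -v -e '-----' | tr -d '\r\n'
}

# Lowercase hex SHA-256 of the DER bytes, i.e. the value reported by
# `openssl x509 -noout -fingerprint -sha256` without colons or upper case.
pem_sha256() {
  # Require exactly one certificate so the digest never covers a whole bundle.
  [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" = 1 ] || return 2
  der=$(mktemp) || return 2
  if pem_body "$1" | base64 -d > "$der" 2>/dev/null && [ -s "$der" ]; then
    sha256sum < "$der" | cut -d' ' -f1
    rc=0
  else
    rc=2                                   # truncated or non-base64 body
  fi
  rm -f "$der"
  return "$rc"
}

# trust_if_pinned <fetched.pem> <expected fingerprint> <bundle.pem>
# Returns 0 once the cert is in the bundle, 1 on mismatch, 2 on unusable input.
trust_if_pinned() {
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  got=$(pem_sha256 "$1") || { echo "not a single PEM certificate: $1" >&2; return 2; }
  [ "$got" = "$want" ] || { echo "fingerprint mismatch, got $got" >&2; return 1; }
  # Idempotent: do nothing when the same certificate body is already present.
  if [ -f "$3" ] && tr -d '\r\n' < "$3" | grep -qF -e "$(pem_body "$1")"; then
    return 0
  fi
  # Keep the BEGIN marker on its own line if the bundle lacks a final newline.
  if [ -s "$3" ] && [ -n "$(tail -c 1 "$3")" ]; then echo >> "$3"; fi
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" >> "$3"
}
```

The expected fingerprint can be passed either as plain hex or in the colon-separated upper-case form that openssl prints.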

 

 
