Publishing from RStudio Workbench to RStudio Connect is a common workflow, however, there are often a few hurdles that can occur when attempting to do so. This tutorial will showcase the end-to-end process of publishing to RStudio Connect from your RStudio Workbench server.
Assumptions
In this scenario, we will be using two(2) servers, one for RStudio Workbench and the other for RStudio Connect.
Both servers have directories made in the /etc/secure path. Located within this path are the self-signed SSL certificates. For Workbench, the private key is called rswkey.key, and the certificate is called ca-issuer-chain-certificates.crt.
For Connect, the private key is called rsckey.key, and the certificate is called rsccert.crt.
RStudio Workbench
The RStudio Workbench server is a stock Linux image and has a base installation of Workbench. You can find installation instructions can be found here:
https://docs.rstudio.com/rsw/installation/
For this example, we use the rsw-ssl.support.rstudioservices.com DNS name. You can see the following example configuration for the Workbench instance.
# Server Configuration File
#SSL Configuration
ssl-enabled=1
ssl-certificate=/etc/secure/rswcert.crt
ssl-certificate-key=/etc/secure/rswkey.key
RStudio Connect
The RStudio Connect server is a stock Linux image and has a base installation of Connect. You can find installation instructions can be found here:
https://docs.rstudio.com/rsc/installation/
For this example, we use the rsc-ssl.support.rstudioservices.com DNS name. You can see we use this DNS entry as the Server.Address
configuration item:
[Server]
; RStudio Connect configuration file
#Server Address
Address = "https://rsc-ssl.support.rstudioservices.com"
#HTTPS settings
[HTTPS]
Listen = :443
Certificate = /etc/secure/rsccert.crt
Key = /etc/secure/rsckey.key
#Authentication settings
[Authentication]
; Specifies the type of user authentication.
Provider = "password"
Publishing with an SSL
For detailed instruction on how to publish from RStudio Workbench to RStudio Connect, please refer to our user guide which can be found here: https://docs.rstudio.com/connect/user/publishing/
Let us say that we wish to publish to our RStudio Connect instance as below:
If you are using a self signed certificate --> (certificate signed by a Certificate Authority created internally within your organization) and attempt to publish to a Connect instance, then you may encounter the following error:
In this case, you will need to add your certificates to the trusted certificate authority (CA) repository on your server.
Adding your certificates to the trusted CA repository
Ubuntu/Debian
For Debian and Ubuntu-based distributions, this is located in the following directory:
/usr/local/share/ca-certificates/
You will need to copy the certificate file into this directory.
Then, update the trusted certificates on your system:
sudo update-ca-certificates
Red Hat/CentOS
For RHEL based distributions, this is located in the following directory:
/etc/pki/ca-trust/source/anchors/
You will need to copy the certificate file into this directory.
Then, update the trusted certificates on your system:
update-ca-trust extract
Practical Application
In our use case, we are using Ubuntu 20.04 so we will need to run the command below on the RStudio Workbench server:
cp ca-issuer-chain-certificate-RSC.crt /usr/local/share/ca-certificates/
Then update the trusted certificates on the server:
sudo update-ca-certificates
Once complete, we should be able to publish to our RStudio Connect server if we attempt to publish the application again.
This time, we get a prompt to confirm if the details on our Connect server are correct, and are able to name the application that we are publishing. From here, we can select Publish.
From here, we are redirected to our successfully deployed application.
Which certificates need to be in the ca-issuer-chain-certificate-RSC.crt file?
The ca-issuer-chain-certificate-RSC.crt file should contain the entirety of the certificate chain for your SSL certificate. This includes:
- The SSL certificate for your server.
- The SSL certificates for subordinate issuers.
- The root SSL certificate.
Sometimes, you may only be provided with the certificate for your server. If your .crt file does not include the certificate chain, then you will run into issues when trying to publish to Connect.
How do I alleviate this issue?
You will need to obtain the root certificate, as well as any intermediary issuers on the way & include them in your .crt file. To do so:
First, click on the lock icon to the left side of the URL bar.
Select Connection Secure.
Then select More Information.
Select View Certificate.
From here, we can see that there are three(3) certificates in the certificate chain. Currently, our certificate file only has one(1) out of the three certificates.
Now, we can select any intermediary certificates & download them to your computer.
From there, we can append the contents of these downloaded text files to our ca-issuer-chain-certificate-RSC.crt file separated as below.
After this has been completed, remember to update the trusted certificate store on your server
Ubuntu/Debian
For Debian and Ubuntu-based distributions, this is located in the following directory:
/usr/local/share/ca-certificates/
You will need to copy the certificate file into this directory.
Then, update the trusted certificates on your system:
sudo update-ca-certificates
Red Hat/CentOS
For RHEL based distributions, this is located in the following directory:
/etc/pki/ca-trust/source/anchors/
You will need to copy the certificate file into this directory.
Then, update the trusted certificates on your system:
update-ca-trust extract
Support Ticket
If you still have issues after completing the above, you can always lodge a support ticket, where our group of friendly, and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here:
https://support.rstudio.com/hc/en-us/requests/new
Comments