Troubleshooting SSL issues when publishing from RStudio Workbench to RStudio Connect

Follow

Publishing from RStudio Workbench to RStudio Connect is a common workflow, however, there are often a few hurdles that can occur when attempting to do so. This tutorial will showcase the end-to-end process of publishing to RStudio Connect from your RStudio Workbench server.

 

Assumptions

In this scenario, we will be using two(2) servers, one for RStudio Workbench and the other for RStudio Connect. 

Both servers have directories made in the /etc/secure path. Located within this path are the self-signed SSL certificates. For Workbench, the private key is called rswkey.key, and the certificate is called ca-issuer-chain-certificates.crt.

For Connect, the private key is called rsckey.key, and the certificate is called rsccert.crt.

 

RStudio Workbench

The RStudio Workbench server is a stock Linux image and has a base installation of Workbench. You can find installation instructions can be found here:

https://docs.rstudio.com/rsw/installation/

For this example, we use the rsw-ssl.support.rstudioservices.com DNS name. You can see the following example configuration for the Workbench instance.

# Server Configuration File
#SSL Configuration
ssl-enabled=1
ssl-certificate=/etc/secure/rswcert.crt
ssl-certificate-key=/etc/secure/rswkey.key

 

RStudio Connect

The RStudio Connect server is a stock Linux image and has a base installation of Connect. You can find installation instructions can be found here:

https://docs.rstudio.com/rsc/installation/

For this example, we use the rsc-ssl.support.rstudioservices.com DNS name. You can see we use this DNS entry as the Server.Address configuration item:

[Server]
; RStudio Connect configuration file
#Server Address
Address = "https://rsc-ssl.support.rstudioservices.com"

#HTTPS settings
[HTTPS]
Listen = :443
Certificate = /etc/secure/rsccert.crt
Key = /etc/secure/rsckey.key

#Authentication settings
[Authentication]
; Specifies the type of user authentication.
Provider = "password"

 

Publishing with an SSL

For detailed instruction on how to publish from RStudio Workbench to RStudio Connect, please refer to our user guide which can be found here: https://docs.rstudio.com/connect/user/publishing/

Let us say that we wish to publish to our RStudio Connect instance as below:

ConnectAccount.png

If you are using a self signed certificate --> (certificate signed by a Certificate Authority created internally within your organization) and attempt to publish to a Connect instance, then you may encounter the following error:

ConnectError.png

In this case, you will need to add your certificates to the trusted certificate authority (CA) repository on your server.

 

Adding your certificates to the trusted CA repository

Ubuntu/Debian

For Debian and Ubuntu-based distributions, this is located in the following directory:

/usr/local/share/ca-certificates/

You will need to copy the certificate file into this directory.

Then, update the trusted certificates on your system:

sudo update-ca-certificates

Red Hat/CentOS

For RHEL based distributions, this is located in the following directory:

/etc/pki/ca-trust/source/anchors/

You will need to copy the certificate file into this directory.

Then, update the trusted certificates on your system:

update-ca-trust extract

 

Practical Application

In our use case, we are using Ubuntu 20.04 so we will need to run the command below on the RStudio Workbench server:

cp ca-issuer-chain-certificate-RSC.crt /usr/local/share/ca-certificates/

Then update the trusted certificates on the server:

sudo update-ca-certificates

RSCcopy.png

Once complete, we should be able to publish to our RStudio Connect server if we attempt to publish the application again.

 

PublishName.png

 

This time, we get a prompt to confirm if the details on our Connect server are correct, and are able to name the application that we are publishing. From here, we can select Publish.

 

From here, we are redirected to our successfully deployed application.

PublishSuccessful.png

 

Which certificates need to be in the ca-issuer-chain-certificate-RSC.crt file?

The ca-issuer-chain-certificate-RSC.crt file should contain the entirety of the certificate chain for your SSL certificate. This includes:

  • The SSL certificate for your server.
  • The SSL certificates for subordinate issuers.
  • The root SSL certificate.

Sometimes, you may only be provided with the certificate for your server. If your .crt file does not include the certificate chain, then you will run into issues when trying to publish to Connect.

 

How do I alleviate this issue?

You will need to obtain the root certificate, as well as any intermediary issuers on the way & include them in your .crt file. To do so:

First, click on the lock icon to the left side of the URL bar.

Screenshot_2021-11-10_121508.png

Select Connection Secure.

Screenshot_2021-11-10_121550.png

Then select More Information.

Screenshot_2021-11-10_121621.png

Select View Certificate.

Screenshot_2021-11-10_121642.png

From here, we can see that there are three(3) certificates in the certificate chain. Currently, our certificate file only has one(1) out of the three certificates.

Screenshot_2021-11-10_121711.png

Now, we can select any intermediary certificates & download them to your computer.

Screenshot_2021-11-10_121802.pngScreenshot_2021-11-10_121734.png

From there, we can append the contents of these downloaded text files to our ca-issuer-chain-certificate-RSC.crt file separated as below.

ssl.png

After this has been completed, remember to update the trusted certificate store on your server

Ubuntu/Debian

For Debian and Ubuntu-based distributions, this is located in the following directory:

/usr/local/share/ca-certificates/

You will need to copy the certificate file into this directory.

Then, update the trusted certificates on your system:

sudo update-ca-certificates

Red Hat/CentOS

For RHEL based distributions, this is located in the following directory:

/etc/pki/ca-trust/source/anchors/

You will need to copy the certificate file into this directory.

Then, update the trusted certificates on your system:

update-ca-trust extract

 

Support Ticket

If you still have issues after completing the above, you can always lodge a support ticket, where our group of friendly, and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here:

https://support.rstudio.com/hc/en-us/requests/new

 

Comments