It's possible to use an SSL certificate with the launcher in Posit Workbench. This may seem appealing, but what does this mean and how does it affect the interactions with Posit Workbench?
Can I use the same SSL for my Posit Workbench server, for the launcher?
Yes, however, it is strongly recommended & a best practice to ensure that the Launcher certificates are different from those used for Posit Server.
Launcher with SSL Explained
Consider the following diagram:
Browser (User) <------> RSP <------> Launcher
- (a) represents the communication between the Browser and Posit Server itself.
- (b) represents the communication between Posit Server and the RStudio Job Launcher.
- (c) represents the communication between the RSession and the Posit Job Launcher. (Note: The Launcher starts the session in the backend, such as Slurm or Kubernetes, but does not communicate with the session directly.)
All three lines of communication are over HTTP/S. The R Session communicates with Posit Server (c) the same way that a browser communicates with RStudio Server (a). The R Session discovers the address with which to communicate with the server via the
launcher-sessions-callback-address setting, which is why the setting needs to be exactly the same as what you would enter into the browser.
The settings that pertain to the encryption of (a) and (c) are as follows, that is, enabling HTTPS for communication with Posit Server:
Additionally, the following settings are relevant to the configuration of HTTPS for (a) and (c), but not strictly required for enabling it:
www-port=<port#, default 443 if ssl-enabled=1>
In addition to the requirement that certificates defined in
rserver.conf are added to the trusted certificate store of the host, they must have been generated with the correct
Common Name (or
CN) matching the hostname of RSP (most likely the same value as the
www-address), and the files must have restrictive permissions (
root:root 400). Additionally, the CA root must be trusted by any machines within your network that will access RSW. For example, a user's machines as well as Slurm compute nodes that will run R sessions.
The settings that pertain to the encryption of (b) are as follows (i.e. to enable HTTPS for communication between Posit Server and the Launcher):
launcher-address=<launcher hostname or IP>
address=<launcher hostname or IP>
Note that the values of
rserver.conf should match the values of
launcher.conf respectively. Also, note the lack of
https:// in front of the
launcher-address value. The protocol for communication is determined by the value of
The Launcher certificates must be different certificates from those used for Posit Server. The correct
CNfor the Launcher's certificates is the value of
launcher.conf. If Posit Server and the Launcher will be running on the same machine,
localhost may be used. Another difference from the Posit Server certificates is that the Launcher certificates should be owned by the
admin-groupand defined in
launcher.conf. For example, if those values were left as they are on installation (both
rstudio-server) then the certificate files for the Launcher should have the permissions
More information on SSL configuration options can be found here:
If you still have issues after completing the above, you can always lodge a support ticket, where our group of friendly, and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here: