Generate a Certificate for RStudio Products using Certbot/Let's Encrypt

Follow

Certbot is a tool provided by the EFF that allows users to generate SSL certificates for free. By default, Certbot recommends using either the standalone, webroot or nginx methods of generating a challenge file. These methods can prove problematic for generating key files for RStudio products. However, the DNS challenge can be used with RStudio (Posit, PBC) products easily.

Please be advised that Certbot/Let's Encrypt are not RStudio (Posit, PBC) products. Therefore, we do not officially support issues caused by/internal to Certbot/Let's Encrypt. We are providing these instructions as an aid, however; they may not be appropriate for all environments. Please work with your IT Department to determine if following this guide will work for your configuration. 

In order to get started, first download and install Let's Encrypt.

 

Note: If the server is using Red Hat 8 and above, it will need the EPEL repository installed as a dependency. Run the below to install it if it is not installed.

sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

For Red Hat 9:

sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y

Next run the install for Let's Encrypt. 

If using RHEL run: 

 sudo yum install letsencrypt

If Ubuntu: 

 sudo apt install letsencrypt

 

The server can now run a manual DNS implementation of Let's Encrypt:

sudo certbot certonly --manual --preferred-challenges dns -d "subdomain.domain.com"

Note: change the domain and subdomain values to match the value of the server. You must use the Fully Qualified Domain Name (no http:// or 'www' heading).

 

When running the Certbot command, you will be asked for an email address and to agree with the terms and conditions. Enter the fields Certbot asks for (you will only be asked for these once) until you receive an encryption string. The string will look something like this:

2c-OpPzy6rLhs2-GvBteWZ_FDVzIlBxrXjUCp0aZ0NE

The terminal output will resemble the below:

mceclip0.png

Pause here and create a TXT type DNS record for the subdomain in the format of _acme-challenge.subdomain.domain.com using whatever method is usually used to configure the server's DNS settings (for example, in AWS this is Route53). Copy the encrypted string that was generated from the terminal. Paste the encrypted string and use it for the value of the TXT domain record. Save the DNS record and wait 1-5 minutes. When the domain has propagated, press enter on the terminal to complete generating the certificate. If successful, Certbot will print the location of the .pem files.

I.e:

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/subdomain.domain.com/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/subdomain.domain.com/privkey.pem

This certificate expires on 2022-12-14.

Now, you can copy the certificate to a common location and continue configuring SSL for your RStudio Product.

For more information, please see:

Configuring SSL for Connect

Configuring SSL for Workbench

Configuring SSL for Package Manager

Comments