SSL certificate problem: certificate has expired

weizhang · June 5, 2020, 3:07am

Hello,

It worked fine before but no longer the case after deployment yesterday. I created a very simple example to replicate the problem.

Anyone can lend a hand please.

Thanks very much.

Once the example app (https://mbienz.shinyapps.io/uncomtrade_test/) is deployed to shinyappio, The ct_search() from "comtradr" package will no longer work.

The error I get from log is Error in curl::curl_fetch_memory(url, handle = handle) :
2020-06-04T01:11:21.532166+00:00 shinyapps[2405335]: SSL certificate problem: certificate has expired.

The ui.R and server.R are below:

library(shiny)
library(DT)
library(comtradr)


ui <- fluidPage(

   titlePanel("Hello Shiny!"),
   
   sidebarLayout(
      
      sidebarPanel(
         
         # Input: Slider for the number of bins ----
         selectizeInput("select_country",
                        tags$p("Select a country"), 
                        choices =  c("New Zealand"), 
                        selected = NULL,  width = "200px",
                        multiple = T)
         
      ),
      
      mainPanel(
         DTOutput(outputId = "export_table")
         
      )
   )
)


library(shiny)
library(DT)
library(comtradr)

server <- function(input, output) {
   
   observe({
      try(
      dtf_exports <-
         ct_search(reporters = input$select_country,
                   partners = "All",
                   trade_direction = "exports",
                   start_date = 2018,
                   end_date = 2018
                   )
      )
   })
   
   output$export_table <- renderDT({
      
      dtf_exports
      
   })
   
}

> sessionInfo()
R version 3.5.1 (2018-07-02)
Platform: x86_64-w64-mingw32/x64 (64-bit)
Running under: Windows 10 x64 (build 18362)

Matrix products: default

locale:
[1] LC_COLLATE=Chinese (Simplified)_China.936  LC_CTYPE=Chinese (Simplified)_China.936    LC_MONETARY=Chinese (Simplified)_China.936
[4] LC_NUMERIC=C                               LC_TIME=Chinese (Simplified)_China.936    

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] comtradr_0.2.2   DT_0.9           packrat_0.5.0    rsconnect_0.8.15 shiny_1.4.0     

loaded via a namespace (and not attached):
 [1] Rcpp_1.0.2        rstudioapi_0.10   magrittr_1.5      xtable_1.8-4      R6_2.2.2          rlang_0.4.1       fastmap_1.0.1    
 [8] httr_1.4.1        tools_3.5.1       htmltools_0.4.0   crosstalk_1.0.0   openssl_1.0.1     yaml_2.2.0        digest_0.6.22    
[15] crayon_1.3.4      purrr_0.3.3       later_1.0.0       htmlwidgets_1.5.1 promises_1.1.0    curl_3.2          mime_0.5         
[22] compiler_3.5.1    jsonlite_1.6.1    httpuv_1.5.2      Cairo_1.5-10

hrbrmstr · June 4, 2020, 12:08pm

So, this issue has been plaguing a non-insubstantial # of sites in general since May 30. A certificate issue — COMODO — (for various reasons not salient to this reply) CA certificate (certificates operate in a "chain") expired on May 30. You can see for yourself with:

x <- openssl::download_ssl_cert("comtrade.un.org")

lapply(x, `[[`, "validity")

the last entry shows the top-most cert has expired.

Browsers are "cheating" by letting folks visit the site without a warning, but anything that uses libcurl does strict checking unless told otherwise.

I'm not comfortable posting a workaround suggestion b/c disabling SSL cert validation is kindof a bad idea, esp since most folks will forget to remove the workaround. I can give a hint that it will involve httr::with_config(), tho, if you're desperate to get this working before they regen the cert.

I filed an issue over at the {comtradr} GH repo https://github.com/ropensci/comtradr/issues/25

system · July 29, 2020, 7:08am

This topic was automatically closed 54 days after the last reply. New replies are no longer allowed.

hrbrmstr · December 3, 2020, 5:49am

So, if you promise to not let the hack be permanent…

Let's mock an API call by creating a function that calls httr::GET():

getƒ <- function() {
  httr::GET("comtrade.un.org")
}

Now, we'll make the API call:

getƒ()
## Error in curl::curl_fetch_memory(url, handle = handle) : 
##  SSL certificate problem: certificate has expired

DOH!

Let's see if there are any {curl} options to help us out:

str(as.list(curl::curl_options("ssl_ver")))
## List of 5
##  $ proxy_ssl_verifyhost: num 249
##  $ proxy_ssl_verifypeer: num 248
##  $ ssl_verifyhost      : num 81
##  $ ssl_verifypeer      : num 64
##  $ ssl_verifystatus    : num 232

AH! So, let's just tell {curl} to forget about the peer certs (which are the "bad" ones):

httr::with_config(
  config = httr::config(ssl_verifypeer = FALSE),
  getƒ()
)
## Response [https://comtrade.un.org/]
##   Date: 2020-06-05 01:44
##   Status: 200
##   Content-Type: text/html
##   Size: 64.1 kB
## <!doctype html>
## <html lang="en">
## <head>
##     <meta charset="UTF-8"/>
##     <title>UN Comtrade | International Trade Statistics Database</title>
##     <meta name="DESCRIPTION" content="United Nations Comtrade Database - Internation...
##     <meta name="KEYWORDS" content="trade, trade data, imports, exports, world trade,...
##     <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
##     <!--<link href="css/bootstrap.min.css" rel="stylesheet" media="screen">-->
## 	 <link href="https://comtrade.un.org/css/bootstrap-3.3.7.min.css" rel="stylesheet" ...
## ...

Boom!

The expr param to httr:::with_config() can be any function call or a {} block with {httr} ops in it.

weizhang · December 15, 2020, 6:31pm

Thanks Captain.

I am desperate to get the app work but absolutely not sure how I can use httr::with_config().

I did have a look at the its very brief documentation and can only think it might have to do with add_header() or set_cookies() or authenticate().

I will be waiting for the certificate to be updated then if no other legitimate means.

Thanks heaps!!

weizhang · November 19, 2020, 7:27pm

Thanks Captain.

I just tried your way however even without the hack.

after running getf() in my R console, I get the following right away.

The problem is that I can run ct_search() perfectly from my R console but not if the function is built in a shiny app.

> getf <- function() {
+    httr::GET("comtrade.un.org")
+ }
> getf()
Response [https://comtrade.un.org/]
  Date: 2020-06-05 03:02
  Status: 200
  Content-Type: text/html
  Size: 64.1 kB
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8"/>
    <title>UN Comtrade | International Trade Statistics Database</title>
    <meta name="DESCRIPTION" content="United Nations Comtrade Database - International Trade Statistics - Import/Export Data" />
    <meta name="KEYWORDS" content="trade, trade data, imports, exports, world trade, international trade, trade statistics, commodit...
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
    <!--<link href="css/bootstrap.min.css" rel="stylesheet" media="screen">-->
	 <link href="https://comtrade.un.org/css/bootstrap-3.3.7.min.css" rel="stylesheet" media="screen"/>
...