SSL certificate problem when deploying to shinyapps.io

Inoa · May 22, 2018, 10:21am

Hello,

When trying to deploy to shinyappsio I have the following error when using deployApp():

DONE
Uploading bundle for application: 228671...Detecting system locale ... Error in function (type, msg, asError = TRUE)  : 
  SSL certificate problem: self signed certificate in certificate chain
In addition: Warning message:
Error detecting locale: Error in read.table(file = file, header = header, sep = sep, quote = quote, : incomplete final line found by readTableHeader on 'raw'
 (Using default: en_US) 
Timing stopped at: 0.04 0 0.33
> sessionInfo()
R version 3.4.0 (2017-04-21)
Platform: x86_64-w64-mingw32/x64 (64-bit)
Running under: Windows >= 8 x64 (build 9200)

Matrix products: default

locale:
[1] LC_COLLATE=French_France.1252  LC_CTYPE=French_France.1252    LC_MONETARY=French_France.1252
[4] LC_NUMERIC=C                   LC_TIME=French_France.1252    

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] rsconnect_0.8.8

loaded via a namespace (and not attached):
[1] compiler_3.4.0  tools_3.4.0     RCurl_1.95-4.10 yaml_2.1.19     RJSONIO_1.3-0   digest_0.6.15   packrat_0.4.9-2
[8] bitops_1.0-6

I am deploying from my workplace and I know that I am behind the corporate firewalls. I used to bypass this issue by deploying when using my personal 4G cellular internet instead of the secured Wireless internet of my workplace. I tried the solutions of this link without success.

Any ideas will be much appreciated. Do not hesitate to let me know if you think that there is no solution and that I am doomed to deploy to shinyapps.io only when using my personal computer (no corporate firewall!).

Best regards,
Inoa.

shalu · May 22, 2018, 6:52pm

Hi,

This question is for shinyapps.io. and should be asked in https://forum.posit.co/tags/c/shiny/shinyappsio channel.

Usually it's caused by an internal proxy you are going through which injects its own certificate. You can verify by checking for http_proxy and https_proxy in the IDE env. If there, you can unset with:
Sys.unsetenv("http_proxy")
Sys.unsetenv("https_proxy")
and try to deploy again then re-set the variables.

Thanks for reaching out to the team.

Inoa · May 23, 2018, 4:09pm

Hello Shalu,

Thank you very much for your answer. Unfortunately, this did not work for me.
In the meantime, another of the scripts that I use daily broke, giving me the same error. The issue was coming from the RCurl package and I managed to solve it by changing this option:

options(RCurlOptions = list(cainfo = paste0( tempdir() , "/cacert.pem" ), ssl.verifypeer = FALSE))

I tried to do the same when deploying but it didn't work. Still the same SSL error.

Any extra idea on how Rsconnect might be calling RCurl or httr ?

Best regards,
Inoa.

n_shrestha · August 27, 2018, 6:40pm

Were you able to find a solution to this problem? I am having the same problem and have not been able to solve it. I turned the firewall off and it still did not work.

DONE
Uploading bundle for application: 97022...Error in function (type, msg, asError = TRUE)  : 
  SSL certificate problem: self signed certificate in certificate chain
Timing stopped at: 0.02 0 0.14
> sessionInfo()
R version 3.5.1 (2018-07-02)
Platform: i386-w64-mingw32/i386 (32-bit)
Running under: Windows 7 (build 7601) Service Pack 1

Matrix products: default

locale:
[1] LC_COLLATE=English_United States.1252  LC_CTYPE=English_United States.1252   
[3] LC_MONETARY=English_United States.1252 LC_NUMERIC=C                          
[5] LC_TIME=English_United States.1252    

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] devtools_1.13.6 RCurl_1.95-4.11 bitops_1.0-6   

loaded via a namespace (and not attached):
 [1] httr_1.3.1      compiler_3.5.1  R6_2.2.2        rsconnect_0.8.8 tools_3.5.1     withr_2.1.2    
 [7] curl_3.2        memoise_1.1.0   RJSONIO_1.3-0   git2r_0.23.0    jsonlite_1.5    digest_0.6.16  
[13] packrat_0.4.9-3

Jay · October 3, 2018, 2:49pm

Hello,

Can you try the following:

setwd()
options(rsconnect.check.certificate = FALSE)
rsconnect::deployApp()

Thanks!

n_shrestha · December 17, 2018, 5:25pm

Thank you! This worked.

Inoa · December 18, 2018, 4:48pm

Thank you, Jay! This worked perfectly.

jdlong · December 18, 2018, 5:45pm

@Jay please correct me if my take is wrong here:

My conjecture is that OPs firewall is doing "deep packet" or "SSL inspection" on outgoing SSL/TLS connections. a.k.a. a man in the middle attack. Telling rsconnect to ignore the cert allows the local app to trust the "forged" (dynamically generated by the firewall) certs which the corp firewall creates. These forged certs allow the corp firewall to inspect the contents of SSL/TLS traffic as it exits the firewall.

It looks like rsconnect is not using the local system cert store? Is there a way to add a cert so that rsconnect can use it? Seems like there should be an option to slip in a trusted corp root cert.

josh · December 18, 2018, 5:50pm

You can set the option rsconnect.ca.bundle to point to a custom certificate authority bundle, which should, in theory, accomplish what you are looking for.

jdlong · December 18, 2018, 5:57pm

I figured there was something like that. In practice that seems a much better solution than just ignoring certs altogether. But ignoring the cert for the purpose of testing is really helpful!

system · December 25, 2018, 5:58pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.