SSL certificate trust error when deploying to shinyapps.io

RoelVerbelen · March 5, 2019, 12:35am

Hi,

I'm experiencing the following error when trying to deploy shiny apps to my shinyapps.io account using the RStudio IDE "Publish to Server" interface/button:

curl: (51) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN
Error in http(service$protocol, service$host, service$port, method, url,  : 
  Curl request failed (curl error 51 occurred)
Calls: <Anonymous> ... isContentType -> grepl -> GET -> httpRequest -> http
Execution halted

The full diagnostics information shows:

----- Deployment log started at  2019-03-05 11:06:23  -----
Deploy command: 
 rsconnect::deployApp(appDir = "(Censored)", appFileManifest = "(Censored)",      account = "(Censored)", server = "shinyapps.io", appName = "test",      appId = 762412, launch.browser = function(url) {         message("Deployment completed: ", url)     }, lint = FALSE, metadata = list(asMultiple = FALSE, asStatic = FALSE),      logLevel = "verbose") 

Session information: 
R version 3.5.2 (2018-12-20)
Platform: x86_64-w64-mingw32/x64 (64-bit)
Running under: Windows 7 x64 (build 7601) Service Pack 1

Matrix products: default

locale:
[1] LC_COLLATE=English_Australia.1252  LC_CTYPE=English_Australia.1252   
[3] LC_MONETARY=English_Australia.1252 LC_NUMERIC=C                      
[5] LC_TIME=English_Australia.1252    

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

loaded via a namespace (and not attached):
[1] compiler_3.5.2   rsconnect_0.8.13
Cookies: 
[1] "None"
GET /v1/applications/762412 780ms
----- Deployment error -----
Error in http(service$protocol, service$host, service$port, method, url,  : 
  Curl request failed (curl error 51 occurred)
Calls: <Anonymous> ... isContentType -> grepl -> GET -> httpRequest -> http
 
----- Error stack trace -----
12: stop(paste("Curl request failed (curl error", result, "occurred)"))
11: http(service$protocol, service$host, service$port, method, url, 
        headers, writer = writer, timeout = timeout, certificate = certificate)
10: httpRequest(service, authInfo, "GET", path, query, headers, writer, 
        timeout)
9: GET(service, authInfo, path)
8: grepl(contentType, response$contentType, fixed = TRUE)
7: isContentType(response, "application/json")
6: handleResponse(GET(service, authInfo, path))
5: client$getApplication(target$appId)
4: applicationForTarget(client, accountDetails, target, forceUpdate)
3: force(code)
2: withStatus(paste0("Preparing to deploy ", assetTypeName), {
       application <- applicationForTarget(client, accountDetails, 
           target, forceUpdate)
   })
1: rsconnect::deployApp(appDir = "(Censored)", appFileManifest = "(Censored)", 
       account = "(Censored)", server = "shinyapps.io", appName = "test", 
       appId = 762412, launch.browser = function(url) {
           message("Deployment completed: ", url)
       }, lint = FALSE, metadata = list(asMultiple = FALSE, asStatic = FALSE), 
       logLevel = "verbose")
curl: (51) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN
Error in http(service$protocol, service$host, service$port, method, url,  : 
  Curl request failed (curl error 51 occurred)
Calls: <Anonymous> ... isContentType -> grepl -> GET -> httpRequest -> http
Execution halted

I didn't experience this error one week ago and the only thing that has changed is that I upgraded my R version from 3.5.1 to 3.5.2. All my packages (including rsconnect 0.8.13) were brought up to date. The error is independent of the app, I also get it for the shiny template (Old Faithful Geyser Data histogram). I've checked with our IT department and confirmed that outgoing traffic is not being blocked by any security mechanisms and we don't proxy between my computer and the internet.

This issue is similar to this one. From there, I learned that I can avoid the issue by running:

options(rsconnect.check.certificate = FALSE)
rsconnect::deployApp()

I then tried upgrading to the latest stable version of RStudio (1.1.463). Now the error is detected before I even try to publish:

and the following line gets printed to the console:

curl: (51) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN

Next, I tried upgrading the the preview version of RStudio (1.2.1303). There, the issue can be circumvented by changing the options:

How can I avoid getting this error while still enabling Check SSL certificates when publishing?

josh · March 5, 2019, 12:53am

Do you have a corporate firewall/proxy in between your computer and shinyapps.io?

RoelVerbelen · March 5, 2019, 1:05am

There's a firewall in place, but no proxy:

Also, using the same company network, I didn't experience any issue two weeks ago.

jonathan · March 6, 2019, 5:34pm

Recent versions of the rsconnect package use curl as the default transport when publishing on Windows. This is an improvement for most Windows users but it's possible that it's not an improvement in your case!

Does the problem reproduce if you set:

options(rsconnect.http = "rcurl")

in you Shiny directory's .rsconnect_profile file?

RoelVerbelen · March 11, 2019, 2:23am

Hi Jonathan,

Thank you for your reply and solution.

Adding

options(rsconnect.http = "rcurl")

to a newly created .rsconnect_profile file in the same Shiny directory enabled me to publish the Shiny app again using RStudio's publishing button.

The Publish to Server window does keep indicating Curl request failed (curl error 51 occurred) but it publishes nontheless.

This warning message in that window no longer appears once I additionally run

options(rsconnect.http = "rcurl")

in the R console.

I hope this gives you some insight on what some Windows users might experience.

Thank you for your help!

jdlong · March 11, 2019, 1:42pm

while you don't set a proxy server for your computer I can say with fairly high certainty your company is using deep SSL inspection. They have likely installed a firewall service that functions as a man-in-the-middle on all your SSL connections. This works most of the time because they have installed a corporate root certificate on your machine that allows the firewall to issue forged certificates for any site you go to. That way the firewall can decrypt and inspect all SSL traffic as it passes in and out of the firewall. Curl does not (sometimes) use the Windows cert store, so when a curl connection is intercepted curl drops the connection because it detects the man-in-the-middle.

This is only my theory and may not be exactly what you are facing. However here's a link to help you figure out if your corp is using deep ssl inspection: https://security.stackexchange.com/questions/119364/how-can-i-detect-https-inspection

system · May 4, 2019, 5:42pm

This topic was automatically closed 54 days after the last reply. New replies are no longer allowed.

If you have a query related to it or one of the replies, start a new topic and refer back with a link.