3

I'm a bit at a loss on how to further investigate this, so pointers would be highly appreciated.

I'm running Ubuntu 17.04, and I believe roughly since around my upgrade time (was running 16.10 before) I can no longer update (or use anything "from the internet") anything from within R -- it fails on SSL for everything. All of the "normal" SSL traffic outside of R works fine.

For instance, doing install.packages("curl"), I get this error message: 

Warning in install.packages :
URL 'https://cran.rstudio.com/src/contrib/PACKAGES.rds': status was 'SSL connect error'
Warning in install.packages :
URL 'https://cran.rstudio.com/src/contrib/PACKAGES.gz': status was 'SSL connect error'
Warning in install.packages :
URL 'https://cran.rstudio.com/src/contrib/PACKAGES': status was 'SSL connect error'
Warning in install.packages :
... [etc] ...

However, if I run curl -v "https://cran.rstudio.com/src/contrib/PACKAGES.rds" -o test.curl on command line, everything works. 

*   Trying 10.26.0.19...
* TCP_NODELAY set
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to (nil) (10.26.0.19) port 3128 (#0)
* Establish HTTP proxy tunnel to cran.rstudio.com:443
* Proxy auth using Basic with user '[redacted]'
> CONNECT cran.rstudio.com:443 HTTP/1.1
> Host: cran.rstudio.com:443
> Proxy-Authorization: Basic [redacted]
> User-Agent: curl/7.52.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /home/csafferling/programs/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):{ [76 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):{ [4787 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; CN=cran.rstudio.com
*  start date: Jun 30 19:59:41 2015 GMT
*  expire date: Jun 30 19:59:41 2018 GMT
*  subjectAltName: host "cran.rstudio.com" matched cert's "cran.rstudio.com"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.} [5 bytes data]
> GET /src/contrib/PACKAGES.rds HTTP/1.1
> Host: cran.rstudio.com
> User-Agent: curl/7.52.1
> Accept: */*
> { [5 bytes data]
< HTTP/1.1 200 OK
< Content-Length: 251020
< Connection: keep-alive
< Date: Wed, 12 Jul 2017 14:11:48 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Last-Modified: Wed, 12 Jul 2017 13:02:43 GMT
< ETag: "d78fc54-3d48c-5541e6e7d22c0"
< Accept-Ranges: bytes
< Cache-Control: max-age=1800
< Expires: Wed, 12 Jul 2017 14:41:48 GMT
< Age: 1045
< X-Cache: Hit from cloudfront
< Via: 1.1 67284fcf464f6f1529cc1e521669622c.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: CqpfjeemEcxkxFYJueqzwUEu8Yh-qSenHJJiR2BdmqmAYLpu2_54dA==
< { [15891 bytes data]
* Curl_http_done: called premature == 0 100  245k  100  245k    0     0   583k      0 --:--:-- --:--:-- --:--:--  589k
* Connection #0 to host (nil) left intact

One thing I notice is that command-line curl uses the CAs of my anaconda install, which is very weird indeed. Perhaps R uses the default CAs, and they don't work? Like I said, only R fails to work with SSL, everything else works.

Any help is highly appreciated!

Improve this question

1 Answer 1

Reset to default
4

Dear Christoph Saffering,

My sense is that you have hit the CRAN ssh by default issue with RStudio / R.

Solution

Add the following to your target machines .Rprofile

options(download.file.method = "wget")
local({
         r<- getOption("repos");
         r["CRAN"] <-"https://cran.rstudio.com/"
         options(repos=r)
})

Explanation

Secure Download Methods

When R transfers files over HTTP (e.g. using the install.packages or download.file function) a download method is chosen based on the download.file.method option. There are several methods available and the default behavior if no option is explicitly specified is to use R’s internal HTTP implementation. In many circumstances this internal method will not support HTTPS connections so you’ll need to override the default.

R 3.2

R 3.2 includes two new download methods (“libcurl” and “wininet”) that both support HTTPS connections. We recommend that you use these new methods when running under R 3.2. The requisite code to add to .Rprofile or Rprofile.site is as follows:

Windows

options(download.file.method = "wininet")

Note that in the upcoming R 3.2.2 release this will no longer be necessary, as the default method is equivalent to “wininet”.

OS X and Linux

options(download.file.method = "libcurl")

Note that if you built R from source the “libcurl” method may or may not have been compiled in. In the case that it wasn’t (i.e. capabilities("libcurl") == FALSE), you can follow the directions for earlier versions of R below to configure an alternate secure method.

R 3.1 and Earlier

Windows

utils::setInternet2(TRUE)
options(download.file.method = "internal")

Note that setInternet2(TRUE) is the default value in RStudio however is not for R GUI. If you don’t want to use setInternet2(TRUE) on Windows then the only other way to configure secure downloads is to have the “wget” or “curl” utility on your PATH as described for OS X and Linux below.

OS X

options(download.file.method = "curl")

Linux

options(download.file.method = "wget")

Note that the “curl” and “wget” methods will work on any platform so long as the requisite binary is in the system PATH. The recommendations above are based on the fact that “curl” is included in OS X and “wget” is included in most Linux distributions.

ref: https://support.rstudio.com/hc/en-us/articles/206827897-Secure-Package-Downloads-for-R

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Thanks for the help, Technophobe01! Setting the options(download.file.method = "wget") solved the problem indeed. One thing I am wondering: I have capabilities("libcurl") == TRUE, but setting the download.file to libcurl doesn't work. I thought this shouldn't happen on R 3.4?
Christoph - take a look at github.com/hadley/devtools/issues/1244 Solution: sudo apt-get install libcurl4-openssl-dev libxml2-dev libxslt-dev libssl-dev -y sudo apt-get install r-base r-base-dev -y
Thanks, but unfortunately that did not help. My setup was indeed missing the libxslt-dev, but it still didn't work. I'm keeping wget, this works for me.
And now I notice that directly downloading (e.g. in curl::curl()) is not working as well. Sigh. I'm manually downloading as a workaround for that issue. Thanks for all of your help, this is already a huge step forward! :)
Christoph - the issue is related to Anaconda and R github.com/ContinuumIO/anaconda-issues/issues/72 You can remove the Conda version of curl -> conda remove curl and use the system version of curl. See thread for other options.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.