Unable to validate self-signed certificate in Mac OS X
asieira opened this issue · comments
I am having problems getting RCurl function getURL to access an HTTPS URL on a server that is using a self-signed certificate. I'm running R 3.0.2 on Mac OS X 10.9.2.
I have read the FAQ and the curl page on the subject. So this is where I stand:
- I have saved a copy of the certificate to disk (~/cert.pem).
- I have been able to use this very same file to connect to the server using python-requests and the 'verify' option, and succeeded.
- curl on the command-line seems to be ignoring the --cacert option. I succeeded in accessing the website with it after I flagged the certificate as trusted using the Mac OS X 'Keychain Access' app.
- RCurl stubbornly refuses to connect to the website with the following code:
```r
getURL("https://somesite.tld", verbose=T, cainfo=normalizePath("~/cert.pem"))
```
This is the output I get:
```
* Adding handle: conn: 0x7f92771b0400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 38 (0x7f92771b0400) send_pipe: 1, recv_pipe: 0
* About to connect() to somesite.tld port 443 (#38)
* Trying 42.42.42.42...
* Connected to somesite.tld (42.42.42.42) port 443 (#38)
* SSL certificate problem: Invalid certificate chain
* Closing connection 38
```
When I tested both curl with the --cacert option and the RCurl code above in a Linux VM with the same cert.pem file and exact same URL, it worked perfectly.
So equal tests on Linux and Mac OS X, and only on Mac OS X do they fail. Even adding the certificate to the keychain didn't work.
The only thing that does work is using ssl.verifypeer=FALSE, but I don't want to do that for security reasons.
Hi, did you ever get an answer for this?
Regards,
Michael
No, I actually switched to using https://cran.r-project.org/package=curl and https://cran.r-project.org/package=httr instead, which I recommend you also do.
Alternatively, you could use https://cran.r-project.org/package=SnakeCharmR and access the wonderful Python package requests to perform your access, since it allows for very granular control of this validation.
Thanks for the suggestions.
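
The route suggested in the reply above (the curl and httr packages), as an added example that is not part of the thread: it points libcurl at the saved certificate with peer and host verification left on, and prints the TLS backend in use, since the same call behaved differently on Linux and Mac OS X. The URL and certificate path are the placeholders from the issue, and `fetch_pinned` is a hypothetical helper name.

```r
# Added example, not code from the thread. Needs the CRAN packages curl and httr.
library(curl)

# Assumptions: placeholder URL and certificate path taken from the issue text.
url     <- "https://somesite.tld"
ca_file <- path.expand("~/cert.pem")

fetch_pinned <- function(url, ca_file) {
  if (!file.exists(ca_file)) stop("CA file not found: ", ca_file)

  # A DER file or an empty file here fails later with a less obvious TLS error.
  pem <- readLines(ca_file, warn = FALSE)
  if (!any(grepl("-----BEGIN CERTIFICATE-----", pem, fixed = TRUE)))
    stop("No PEM certificate block found in ", ca_file)

  # Record which TLS library this libcurl build uses; compare the value
  # between the machine where the call works and the one where it fails.
  v <- curl_version()
  message("libcurl ", v$version, ", TLS backend: ", v$ssl_version)

  h <- new_handle(
    cainfo         = ca_file,  # CA bundle used to validate the server certificate
    ssl_verifypeer = 1L,       # chain validation stays on
    ssl_verifyhost = 2L        # hostname check stays on
  )

  # Fail closed: report the TLS error instead of retrying without verification.
  tryCatch(
    curl_fetch_memory(url, handle = h),
    error = function(e) {
      stop("Request to ", url, " failed with verification enabled: ",
           conditionMessage(e), call. = FALSE)
    }
  )
}

res <- fetch_pinned(url, ca_file)
cat("HTTP status:", res$status_code, "\n")

# The same trust setting through httr, which hands the option to the curl package.
res2 <- httr::GET(url, httr::config(cainfo = ca_file))
httr::stop_for_status(res2)
```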