Unable to validate self-signed certificate in Mac OS X

Question

Unable to validate self-signed certificate in Mac OS X

asieira opened this issue 10 years ago · comments

I am having problems getting RCurl function getURL to access an HTTPS URL on a server that is using a self-signed certificate. I'm running R 3.0.2 on Mac OS X 10.9.2.

I have read the FAQ and the curl page on the subject. So this is where I stand:

I have saved a copy of the certificate to disk (~/cert.pem).
I have been able to use this very same file to connect to the server using python-requests and the 'verify' option, and succeeded.
curl on the command-line seems to be ignoring the --cacert option. I succeeded in accessing the website with it after I flagged the certificate as trusted using the Mac OS X 'Keychain Access' app.
RCurl stubbornly refuses to connect to the website with the following code:

getURL("https://somesite.tld", verbose=T, cainfo=normalizePath("~/cert.pem"))

This is the output I get:

* Adding handle: conn: 0x7f92771b0400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 38 (0x7f92771b0400) send_pipe: 1, recv_pipe: 0
* About to connect() to somesite.tld port 443 (#38)
*   Trying 42.42.42.42...
* Connected to somesite.tld (42.42.42.42) port 443 (#38)
* SSL certificate problem: Invalid certificate chain
* Closing connection 38

When I tested both curl with the --cacert option and the RCurl code above in a Linux VM with the same cert.pem file and exact same URL, it worked perfectly.

So equal tests on Linux and Mac OS X, and only on Mac OS X do they fail. Even adding the certificate to the keychain didn't work.

The only thing that does work is using ssl.verifypeer=FALSE, but I don't want to do that for security reasons.

Michaelcwl · Answer 1 · Fri Jul 14 2017 20:05:58 GMT+0800 (China Standard Time)

Hi, did you ever get answer for this ?

Regards,

Michael

Alexandre Sieira · Answer 2 · Fri Jul 14 2017 20:30:53 GMT+0800 (China Standard Time)

No, I actually switched to using https://cran.r-project.org/package=curl and https://cran.r-project.org/package=httr instead, which I recommend you also do.

Alexandre Sieira · Answer 3 · Fri Jul 14 2017 20:35:07 GMT+0800 (China Standard Time)

Alternatively, you could use https://cran.r-project.org/package=SnakeCharmR and access the wonderful Python package requests to perform your access, since it allows for very granular control of this validation.

Michaelcwl · Answer 4 · Fri Jul 14 2017 22:48:14 GMT+0800 (China Standard Time)

Thanks for the suggestions.