[Rd] R libcurl does not recognize server certs

Martin Morgan martin.morgan at roswellpark.org
Mon Mar 27 22:31:01 CEST 2017

On 03/27/2017 03:09 PM, Roman, John wrote:
> Dirk,
> ive changed the subject given the nature of the present debugging.  Im aware i can extend extras from download.file to install.packages however
> im curious to know why libcurl in the R invocation does not honor the CA bundle on my system.
> how would I pass a CA bundle to install.packages?  the function has numerous arguments before the extras are taken.

A little shot-in-the-dark but on Linux I have

$ curl-config --ca

and in R ?download.file I'm told (the documentation may read as 
window-specific, but I don't think that's the case)

      set environment variable 'CURL_CA_BUNDLE' to the path to a
      certificate bundle file, usually named 'ca-bundle.crt' or
      'curl-ca-bundle.crt'.  (This is normally done for a binary

So if I were having trouble I might say (or set the environment variable 
in some other way, e.g., as part of an alias to R)

 > Sys.setenv(CURL_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt")
 > download.file("https://, tempfile())

Maybe with more info about your OS and R installation a more transparent 
solution would offer itself; I'd guess that the bundle location is 
inferred when R is built from source, and somehow there has been a 
disconnect between your R installation and certificate location, e.g., 
moving the certificate location after R installation.

Martin Morgan

> John Roman
> Linux System Administrator
> RAND Corporation
> joroman at rand.org
> X7302
> ________________________________________
> From: Dirk Eddelbuettel [dirk.eddelbuettel at gmail.com] on behalf of Dirk Eddelbuettel [edd at debian.org]
> Sent: Monday, March 27, 2017 11:33 AM
> To: Roman, John
> Cc: Dirk Eddelbuettel; R-devel at r-project.org
> Subject: RE: [Rd] R fails to read repo index on NGINX
> On 27 March 2017 at 18:27, Roman, John wrote:
> | Thank you for your elaboration.  This issue is related to curl trusting a CA cert as its called by R.
> | curl called from bash recognizes the system cert bundle for CA's, curl called from R does not.
> |
> | may I know how to trust the system certificate bundle from within R?
> See 'help(download.file)' -- it's a little hidden but you can just make the
> external curl (which, as you say, works in your particular circumstances) the
> default for remote file access from R too.
> Next time please try to be a little more specific with your questions and
> their subject line.  Methinks nothing here has anything to do with the httpd
> server you employ.
> Dirk
> --
> http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
> __________________________________________________________________________
> This email message is for the sole use of the intended...{{dropped:10}}

More information about the R-devel mailing list