Configuring SSL Certificates in Posit Connect
This section describes how to configure SSL certificates in Posit Connect.
You can configure SSL/TLS certificates by editing the configuration file to point to the relevant private key and certificate files and restarting Connect.
To configure SSL certificates, add the following lines to the Connect configuration file:
File: /etc/rstudio-connect/rstudio-connect.gcfg
[HTTPS]
Listen = :443
Certificate = /etc/rstudio-connect/your_domain_name.crt
Key = /etc/rstudio-connect/your_domain_name.key
Ensure that the file permissions on your SSL certificate are as restrictive as possible. The certificate file requires 644 permissions (readable and writable by owner, and readable by other users). The rstudio-connect user should typically own the certificate file. For example:
sudo chown rstudio-connect:rstudio-connect /etc/rstudio-connect/your_domain_name.crt
sudo chmod 644 /etc/rstudio-connect/your_domain_name.crt
This certificate file:
- must contain the whole certificate chain for Connect, e.g., Host Certificate -> Intermediate Certificate -> Root Certificate
- must be Base 64 encoded PEM file format
A correctly constructed certificate will resemble the example below:
connect-certificate.crt
# This is the Host certificate, e.g., connect.example.org
-----BEGIN CERTIFICATE-----
MIICczCCAdwCCQCopgO2akJCEDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEWMBQGA1UECgwNUlN0dWRp
AwEAATANBgkqhkiG9w0BAQUFAAOBgQBSu4L/WSKMQ7tw5e/SEgDLRhwpiVFvuxvG
fNcp2t+XsASj7CFOohYDgHohyN+3Ogef3yZ/OVD+NabyZvNWk7XrfrQK9B0Zqj36
+AAQ/Y5rEdL/X02RIaBBIPYKZs8Kkr1OD0aFFJek+Wv6c87SntD0KqtzqoP+DPih
84WS/121pQ==
-----END CERTIFICATE-----
# This is the Intermediate issuing certificate, and is referenced by the Connect host certificate.
# Some configurations don't include this certificate in the issuing chain.
-----BEGIN CERTIFICATE-----
MIICczCCAdwCCQCopgO2akJCEDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJV
iXV9v9skNUVaw+LMdkQrnHRXaSrW1W5bLFlp7DgQj79u8vGFxTNWK0YJ3kwtKgb4
pkXkCpMLa4qlr3jq16hoWOv8jAtEhd6EYUQeOFm2T4wtiJjXiLYE2DjpzVZXqqsC
AwEAATANBgkqhkiG9w0BAQUFAAOBgQBSu4L/WSKMQ7tw5e/SEgDLRhwpiVFvuxvG
fNcp2t+XsASj7CFOohYDgHohyN+3Ogef3yZ/OVD+NabyZvNWk7XrfrQK9B0Zqj36
+AAQ/Y5rEdL/X02RIaBBIPYKZs8Kkr1OD0aFFJek+Wv6c87SntD0KqtzqoP+DPih
84WS/121pQ==
-----END CERTIFICATE-----
# This is the Root certificate
-----BEGIN CERTIFICATE-----
MIICczCCAdwCCQCopgO2akJCEDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEWMBQGA1UECgwNUlN0dWRp
M1owfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24x
FjAUBgNVBAoMDVJTdHVkaW8sIEluYy4xGDAWBgNVBAMMD3d3dy5yc3R1ZGlvLmNv
bTEfMB0GCSqGSIb3DQEJARYQaW5mb0Byc3R1ZGlvLmNvbTCBnzANBgkqhkiG9w0B
+AAQ/Y5rEdL/X02RIaBBIPYKZs8Kkr1OD0aFFJek+Wv6c87SntD0KqtzqoP+DPih
84WS/121pQ==
-----END CERTIFICATE-----
Ensure that the file permissions on your SSL certificate key are as restrictive as possible. The certificate key file requires 600 permissions, that is, readable and writable by the owner. The certificate key file should typically be owned by the rstudio-connect user. For example:
sudo chown rstudio-connect:rstudio-connect /etc/rstudio-connect/your_domain_name.key
sudo chmod 600 /etc/rstudio-connect/your_domain_name.key
Then restart Connect by running the following command:
Terminal
sudo systemctl restart rstudio-connect
Connect does not allow certificate private keys to have a passphrase. If one exists, remove the passphrase by using the following example:
Terminal
openssl rsa -in [original.key] -out [new.key]
Configuring HTTP to HTTPS redirects
To redirect all HTTP traffic to the secure HTTPS endpoint, add the following lines to the Connect configuration file:
File: /etc/rstudio-connect/rstudio-connect.gcfg
[Server]
Address = https://<SERVER-ADDRESS>
[HTTPS]
Listen = :443
Permanent = true
Certificate = /etc/rstudio-connect/your_domain_name.crt
Key = /etc/rstudio-connect/your_domain_name.key
[HTTPRedirect]
Listen = :80
For HTTP to HTTPS redirects to work properly, ensure that you remove the HTTP.Listen option from the configuration file if you have defined it.
Then restart Connect by running the following command:
Terminal
sudo systemctl restart rstudio-connect
Additional documentation
For more information on SSL certificates and other related settings, refer to the HTTPS settings in the Configuration Appendix of the Connect Administration Guide.
For information about TLS cipher suites and working with legacy clients, see the TLS cipher suites section of the Security guide.
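Both configurations above point Connect at a certificate bundle and a key file, and the requirements this page lists for them (644 and 600 modes, rstudio-connect ownership, PEM bundle, no passphrase on the key) can be checked before either restart. The script below is an added example, not part of the Posit documentation: check_connect_tls and tls_fail are hypothetical names, it assumes GNU stat, and it inspects PEM structure only, not certificate validity.

```shell
#!/usr/bin/env bash
# Added example: pre-restart checks for the [HTTPS] Certificate and Key files.
# check_connect_tls and tls_fail are hypothetical helper names; assumes GNU stat.

tls_fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# Usage: check_connect_tls CERT KEY [OWNER]
# Prints one line per finding; the return status is the number of failures.
check_connect_tls() {
  local cert="$1" key="$2" owner="${3:-rstudio-connect}"
  local problems=0 begins ends

  [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL: cannot read $cert or $key"; return 1; }

  # Modes and ownership from the page: 644 for the bundle, 600 for the key.
  [ "$(stat -c '%a' "$cert")" = 644 ] || tls_fail "$cert mode is not 644"
  [ "$(stat -c '%a' "$key")" = 600 ] || tls_fail "$key mode is not 600"
  [ "$(stat -c '%U' "$cert")" = "$owner" ] || tls_fail "$cert not owned by $owner"
  [ "$(stat -c '%U' "$key")" = "$owner" ] || tls_fail "$key not owned by $owner"

  # The bundle must be PEM: at least one block, BEGIN/END markers balanced.
  begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$cert" || true)
  ends=$(grep -c -- '^-----END CERTIFICATE-----' "$cert" || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] ||
    tls_fail "$cert has $begins BEGIN and $ends END certificate markers"
  [ "$begins" -ne 1 ] || echo "NOTE: $cert holds only one certificate, no chain"

  # A private key must never sit in the world-readable bundle.
  if grep -q -- 'PRIVATE KEY-----' "$cert"; then
    tls_fail "$cert contains a private key"
  fi

  # Connect rejects passphrase-protected keys. Encrypted PEM keys announce
  # themselves in the header (PKCS#8) or a Proc-Type line (traditional format).
  if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$key"; then
    tls_fail "$key is passphrase-protected"
  elif ! grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$key"; then
    tls_fail "$key has no PEM private key header"
  fi

  return "$problems"
}
```

Run it as `check_connect_tls /etc/rstudio-connect/your_domain_name.crt /etc/rstudio-connect/your_domain_name.key` with sufficient privileges to read the key; a zero exit status means every check passed.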