pak cannot download from repos with self-issued certificates

[maxheld83]

trafficstars

this works:

pak::pkg_install("git::https://github.com/tidyverse/ggplot2.git")

this fails:

pak::pkg_install("git::https://hooli.local/foo/bar.git") # website with self-issued certificate

with

Error:                                                                                                          
! error in pak subprocess
Caused by error: 
! Could not solve package dependencies:
* git::https://hooli.local/foo/bar.git: ! pkgdepends resolution error for git::https://hooli.local/foo/bar.git.
Caused by error: 
! Failed to download DESCRIPTION from git repo at <https://hooli.local/foo/bar.git>.
Caused by error in `(function (e) …`:
! SSL certificate problem: unable to get local issuer certificate
Type .Last.error to see the more details.

this works:

curl https://hooli.local/foo/bar

this works:

remotes::install_git("https://hooli.local/foo/bar.git)"

I have placed the self-issued certificate into /etc/ssl/certs and then run sudo update-ca-certificates.

I've also set options(async_http_cainfo = "/etc/ssl/certs") in my .Rprofile to override the certificates that pak ships with.

This is hard to debug, because I don't have ready access to a share-able website with a self-issued certificate, and I know this is usually/probably a user issue.

It's odd however, that curl otherwise works, but pak doesn't, even options(async_http_cainfo = "/etc/ssl/certs"). Is there any other way in which pak and curl calls still differ when this option is set?

[solmos]

I have a similar issue. @maxheld83, have you figured out a way to fix this?

[maxheld83]

@solmos nope.

[gaborcsardi]

I think changing the cert path with the option does not work because the pak subprocess does not read the profile, so it does not see the option.

Two possible workarounds (both unverified for now):

• install pak from source, then it'll use the system certs. Only our binary builds use their own certs.
• install pak, and then replace the curl-ca-bundle.crt in the installed package with the cert bundle you want to use. (Possibly you can also delete it, then pak will use the system certs.)

[solmos]

I can confirm that removing the curl-ca-bundle.crt file after installing the binary package works. Thanks!

[solmos]

In my case this issue occurred when using r-lib/actions/setup-r-dependencies, so I guess I won't be able to use this action until https://github.com/r-lib/actions/pull/919 is merged, right?

[gaborcsardi]

You can install pak manually, delete the cert file, and use pak-version: none.

[solmos]

I have not been able to properly set R_LIB_FOR_PAK. Even if I were able to, it would be nice if I could rely on the pak installation step of setup-r-dependencies. @gaborcsardi, would an input option, say, remove-cert, in setup-r-dependencies make sense? I can try to create a PR there if this feature is welcome.

[gaborcsardi]

I have not been able to properly set R_LIB_FOR_PAK

Why not? You can set it to whatever you like, just install pak there.

[gaborcsardi]

And yes, this will be eventually fixed by pak forwarding the cert path to its subprocess. Plus I'll also add an env var, which is often easier to set than an option.

[solmos]

I was able to figure out what R_LIB_FOR_PAK should be and I implemented an internal custom GitHub Action to install pak appropriately (for us). We now add this step before setup-r-dependencies with pak-version: none, and it works. Thanks.

[solmos]

And yes, this will be eventually fixed by pak forwarding the cert path to its subprocess. Plus I'll also add an env var, which is often easier to set than an option.

This would be preferable to my current solution. Thanks.