Lab 2: Setting up HTTPS

By the end of this lab, you will be able to:

  • Place TLS certificate and private key files in the recommended location
  • Set the correct ownership and permissions on certificate and key files
  • Configure Package Manager to serve traffic over HTTPS
  • Confirm the Package Manager web interface is reachable over HTTPS

Note: Before You Begin

This lab puts into practice the concepts covered in Securing Access with HTTPS. If you have not read it yet, review it first so the steps below make sense.

Move the Certificates to the Correct Location

For this lab, the certificate and private key are located in the ~/certs/ folder in the ubuntu user’s home directory. For Package Manager, we recommend storing these files in the same folder as the other configuration files, in /etc/rstudio-pm/.

Move the files from the certs folder in your home directory to /etc/rstudio-pm/.

Set File Permissions and Ownership

Once the files are in the /etc/rstudio-pm folder, set the correct permissions and ownership for both files. Ensure that the files have both the appropriate owner and mode using the chown and chmod commands.

Both files must be owned by rstudio-pm:rstudio-pm.

The certificate must be readable and writable by the owner, and readable by others (644). The private key must be readable and writable only by the owner (600).

Here are the commands needed to configure your certificates correctly on the Package Manager instance:

Terminal
sudo mv ~/certs/certificate.crt /etc/rstudio-pm/certificate.crt
sudo mv ~/certs/private.key /etc/rstudio-pm/private.key

sudo chown rstudio-pm:rstudio-pm /etc/rstudio-pm/certificate.crt
sudo chown rstudio-pm:rstudio-pm /etc/rstudio-pm/private.key

sudo chmod 644 /etc/rstudio-pm/certificate.crt
sudo chmod 600 /etc/rstudio-pm/private.key

Tip: Inspecting the Certificate

To check the content of your certificate file, and to ensure that the full certificate chain is present in your file, you can run:

Terminal
openssl x509 -text -noout -in <path_to_certificate_file.crt>

This command also checks that the certificate is in PEM format, which Package Manager requires. The documentation provides commands to convert certificates in other formats to PEM.

As indicated in our documentation, the private key cannot be protected with a passphrase. If there is one, you can remove it with this command:

Terminal
openssl rsa -in [original.key] -out [new.key]
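
The requirements from the last two sections (owner, mode, certificates present in the file, no passphrase on the key) can be checked in one pass before restarting the service. The script below is an added example, not part of the lab or the Package Manager documentation; its function names and sample files are constructed for illustration. Because `openssl x509` prints only the first certificate in a file, the script counts PEM blocks to show whether intermediates are present.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the TLS files before restarting the service.
# Added example: function names and sample files are illustrative.

# Print "owner:group mode" for a file (GNU stat, BSD stat as fallback).
file_meta() { stat -c '%U:%G %a' "$1" 2>/dev/null || stat -f '%Su:%Sg %Lp' "$1"; }

# Number of PEM certificate blocks; a file with the full chain has more than one.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Succeeds if the key carries a passphrase (PKCS#8 or traditional PEM header).
key_is_encrypted() {
  grep -Eq -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# check_tls_files CERT KEY OWNER:GROUP
# Prints one line per problem and returns non-zero if any was found.
check_tls_files() {
  local cert="$1" key="$2" owner="$3" rc=0
  [ "$(file_meta "$cert")" = "$owner 644" ] ||
    { echo "cert: expected $owner 644, found $(file_meta "$cert")"; rc=1; }
  [ "$(file_meta "$key")" = "$owner 600" ] ||
    { echo "key: expected $owner 600, found $(file_meta "$key")"; rc=1; }
  [ "$(count_certs "$cert")" -ge 1 ] ||
    { echo "cert: no PEM certificate block found"; rc=1; }
  if key_is_encrypted "$key"; then echo "key: passphrase-protected"; rc=1; fi
  return "$rc"
}

# Constructed sample files: PEM-shaped placeholders, not real key material.
make_samples() {
  local d="$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' '-----END CERTIFICATE-----' \
    > "$d/certificate.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'UExBQ0VIT0xERVI=' \
    '-----END PRIVATE KEY-----' > "$d/private.key"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'UExBQ0VIT0xERVI=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/locked.key"
  chmod 644 "$d/certificate.crt" "$d/locked.key"; chmod 600 "$d/private.key"
}

# On the lab instance, pass three arguments (run with sudo so the key is readable):
#   /etc/rstudio-pm/certificate.crt /etc/rstudio-pm/private.key rstudio-pm:rstudio-pm
if [ "$#" -eq 3 ]; then check_tls_files "$@"; fi
```

The script only inspects file metadata and PEM headers; it does not confirm that the key matches the certificate or that the chain validates.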

Edit the Configuration File

Edit the /etc/rstudio-pm/rstudio-pm.gcfg file to configure Package Manager to use these certificates, by adding the following:

/etc/rstudio-pm/rstudio-pm.gcfg
[HTTPS]
Listen = :443
Certificate = /etc/rstudio-pm/certificate.crt
Key = /etc/rstudio-pm/private.key

Make sure you allow Package Manager to use a privileged port by running the following command:

Terminal
sudo setcap 'cap_net_bind_service=+ep' /opt/rstudio-pm/bin/rstudio-pm

You can now restart Package Manager:

Terminal
sudo systemctl restart rstudio-pm

Verify Your Work

Click on the “Package Manager” tab to access the web interface. Refresh the page by clicking on the circular arrow icon in the top right corner. You should now be able to reach it over HTTPS. The URL of your instance is also available in the bottom right corner of the interface, and you can open this URL in a new browser tab.

  • Any deployment of Package Manager beyond initial testing needs HTTPS so credentials and packages are encrypted in transit.
  • A TLS connection uses two files with different sensitivities: the certificate is public and can be world-readable (644), while the private key is secret and must be readable only by its owner (600). Both must be owned by the rstudio-pm service account.
  • Enabling HTTPS takes three steps: point the [HTTPS] config section at the certificate, key, and port; grant the binary permission to bind privileged port 443 with setcap; and restart the service.
  • Certificates must be in PEM format and contain the full chain, and private keys cannot carry a passphrase.