quarto-dev / quarto-cli

Open-source scientific and technical publishing system built on Pandoc.
https://quarto.org

`quarto publish connect` - invalid peer certificate error #10704

Open madisonostermann opened 2 months ago

madisonostermann commented 2 months ago

Bug description

Received "invalid peer certificate: UnknownIssuer" error when trying to publish quarto site to connect server.

Steps to reproduce

I am encountering the same issue as #3363 trying to publish a Quarto website to our Posit Connect server. The quarto website builds successfully locally, and I can publish via the button in RStudio without issue. However, running `quarto publish connect --server https://myserver.com` and entering my API key results in the error:

ERROR: TypeError: error sending request for url (https://myserver.com/__api__/v1/user): error trying to connect: invalid peer certificate: UnknownIssuer

This worked when our server was http, before adding certs. When I do the curl command `curl -H "Authorization: Key $API_KEY" https://myserver.com/__api__/v1/content`, I get a valid response. I've also checked that my certificate for the site is Always Trusted (on Mac, done in keychain access).

Expected behavior

`quarto publish connect --server https://myserver.com` should prompt for an API key and then publish.

Actual behavior

`quarto publish connect --server https://myserver.com` and entering my API key results in the error:

ERROR: TypeError: error sending request for url (https://myserver.com/__api__/v1/user): error trying to connect: invalid peer certificate: UnknownIssuer

Your environment

- Quarto: version 1.5.54
- OS: macOS 14.6.1 / Darwin 23.6.0 (my coworker on Windows also reproduced this issue)
- Connect version: 2024.03.0

Quarto check output

Quarto 1.5.54
[✓] Checking versions of quarto binary dependencies...
      Pandoc version 3.2.0: OK
      Dart Sass version 1.70.0: OK
      Deno version 1.41.0: OK
      Typst version 0.11.0: OK
[✓] Checking versions of quarto dependencies......OK
[✓] Checking Quarto installation......OK
      Version: 1.5.54
      Path: /Users/mgipson1/Applications/quarto/bin

[✓] Checking tools....................OK
      TinyTeX: (not installed)
      Chromium: (not installed)

[✓] Checking LaTeX....................OK
      Tex:  (not detected)

[✓] Checking basic markdown render....OK

[✓] Checking Python 3 installation....OK
      Version: 3.10.1
      Path: /Users/mgipson1/.pyenv/versions/3.10.1/bin/python3
      Jupyter: 5.7.2
      Kernels: projectname, ochco-edp-etl-venv, python3

[✓] Checking Jupyter engine render....OK

[✓] Checking R installation...........OK
      Version: 4.4.1
      Path: /Library/Frameworks/R.framework/Resources
      LibPaths:
        - /Users/mgipson1/github-repositories/pa-knowledge-base/renv/library/macos/R-4.4/x86_64-apple-darwin20
        - /Users/mgipson1/Library/Caches/org.R-project.R/R/renv/sandbox/macos/R-4.4/x86_64-apple-darwin20/2edc1867
      knitr: 1.48
      rmarkdown: 2.28

[✓] Checking Knitr engine render......OK

cderv commented 2 months ago

> This worked when our server was http, before adding certs.

I assume you are working in an organization with their own server? I am asking because adding certificates to such an environment can be done in a way that only the environments that have the certs registered know. Usually on the global web, certificates will be published to a centralized place that is checked against. If you are in a closed network organization this could be different.

If so, do you know if the certificates are correctly registered on your local environment where you are trying to publish? Do you have problems accessing your rsconnect server with HTTPS using other tools?

Like R with the connect API? Or curl? Or just a browser?

> I can publish via the button in RStudio without issue.

Is this with a local RStudio IDE? Or an RStudio Workbench server?

From my experience this is a configuration issue in your environment where the certificate is not registered. Quarto should check anything in the CA_STORE for the system (and also from an online source).

cscheid commented 2 months ago

> I assume you are working in an organization with their own server? I am asking because adding certificates to such an environment can be done in a way that only the environments that have the certs registered know. Usually on the global web, certificates will be published to a centralized place that is checked against. If you are in a closed network organization this could be different.

Right - Deno does respect root certificates that are installed. I think UnknownIssuer is a hint for what's happening here.

> I've also checked that my certificate for the site is Always Trusted (on Mac, done in keychain access).

I don't think this is related to the problem.

I think we're seeing this https://github.com/denoland/deno/issues/2301

@madisonostermann do you know more about these certificates? Specifically, are they self-signed? I think Deno (the TypeScript runtime that Quarto is implemented with) might be doing something reasonable. I don't know if we want to support disabling this because of the inherent risks that it would generate...
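
The question raised in the thread (is the server certificate self-signed, or issued by a private CA the client does not have as a trust root?) can be answered with `openssl`. The script below is an added example, not code from this thread or from Quarto or Deno. It builds throwaway certificates with made-up names (Demo Internal CA, myserver.example, Unrelated Root), classifies each one, and shows that the same server certificate verifies against its issuing CA but fails when only an unrelated root is trusted.

```shell
#!/usr/bin/env bash
# Constructed demo: every name below is made up; nothing here touches a
# real server or the system trust store.
set -eu
work=$(mktemp -d)

gen_root() {  # gen_root <file-stem> <CN>: self-signed root certificate + key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
gen_root ca "Demo Internal CA"
gen_root other "Unrelated Root"

# Server certificate issued by the internal CA (CSR, then signed by ca.pem).
openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver.example" \
  -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" \
  -CAkey "$work/ca.key" -CAcreateserial -days 1 \
  -out "$work/srv.pem" 2>/dev/null

# "self-signed" when subject and issuer match and the certificate's own key
# validates its signature; otherwise "ca-issued".
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$subj" = "$iss" ] &&
     openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# chains_to <trusted-roots.pem> <cert.pem>: succeeds only when the
# certificate chains to one of the given roots.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

echo "ca.pem:  $(cert_kind "$work/ca.pem")"
echo "srv.pem: $(cert_kind "$work/srv.pem")"
chains_to "$work/ca.pem" "$work/srv.pem" &&
  echo "srv.pem verifies when the internal CA is a trusted root"
chains_to "$work/other.pem" "$work/srv.pem" ||
  echo "srv.pem is rejected when only an unrelated root is trusted"
```

The rejected case is the one a client reports as an unknown issuer: the certificate itself is intact, but no trusted root leads to it.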