5

I have a problem with a custom local CRAN mirror (jfrog) under Windows on a machine without access to the internet:

  • in R 4.1.2, I have no problems accessing the mirror via https,
  • in R 4.2.0, I get errors that the index in PACKAGES cannot be accessed via https.

After browsing the web and SO, I saw some similar problems but none quite the same (see, e.g. here). I got around this issue by adding to my .Rprofile

```r
# curl flags: -k skips TLS certificate verification, -L follows redirects
options(repos = c(CRAN = "internalrepo"),
        download.file.method = "curl",
        download.file.extra = "-k -L")
```

to bypass checking SSL-certificates.

This works for me on a computer with access to the local network only, but it seems a bad idea on computers connected to the internet using a custom CRAN mirror.

Also, I would like to understand the cause of the problem. Did something change in the way that R handles SSL-certificates or did we break something in the installation of R 4.2?

sessionInfo() and Sys.getenv() do not show much difference between R 4.1.2 and R 4.2.0, but in R 4.2.0, I saw that there is an additional environment variable CURL_CA_BUNDLE that points to the R installation directory /etc/curl-ca-bundle.crt.

clemenskuehn
  • 116
  • 8

1 Answer

0

EDIT: 2022-12-14: I believe I tracked down the issue - it's SSL revocation checks that failed when a system only has access to a local network. A new flag was added to 4.2.1+ that can be set to TRUE, allowing SSL revocation checks to be given 'best-effort' attempts to contact, then bypassed. https://bugs.r-project.org/show_bug.cgi?id=18379 But if a machine has internet access, revocation checks will still be allowed to occur, which, I think, is probably the best we can hope for.

ORIGINAL: Just letting you know @clemenskuehn we have the same thing - local mirror working fine in 4.1.2 over HTTPS on some restricted data systems that aren't allowed internet access, then suddenly we update to 4.2.1 on our Windows & Linux boxes, and the Windows machines only (Linux works fine) aren't able to use the local mirror anymore,

"warning: unable to access index for repository https://mirror.oursite.com/cran/src/contrib:

cannot open URL 'https://mirror.oursite.com/cran/src/contrib/PACKAGES"

so it's not just you. Did you open a tracker with the R developers? Your workaround works for us so we might put it into production as a stopgap, but it would definitely be good if we didn't have to allow insecure connections, even though these systems can't get outbound access anyway.

  • Thank you! I did open an account to file a bug report, but I did not yet because I did not find the time to gather all information to generate a reproducible example – clemenskuehn Oct 31 '22 at 08:11
  • The new flag can be activated by adding the following line to your .Rprofile: `Sys.setenv(R_LIBCURL_SSL_REVOKE_BEST_EFFORT=TRUE)` This is what I've done after I upgraded to R-4.3.1. Hope this helps! Regards, Kevin – Kevin Woo Jul 13 '23 at 01:10
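
The two settings discussed in this thread side by side, as an added example that is not code from any of the posters: the `-k` stopgap next to an .Rprofile that keeps certificate verification on and relaxes only the revocation lookup. The mirror URL is a placeholder and `check_mirror()` is a hypothetical helper.

```r
# Added example. The repo URL is a placeholder; check_mirror() is hypothetical.
repo <- "https://mirror.example.internal/cran"

# Stopgap from the question, for contrast only: "-k" turns off certificate
# verification, so any host that can answer for the mirror name is trusted.
# options(download.file.method = "curl", download.file.extra = "-k -L")

# Corrected settings: keep verification on, make revocation checks best-effort.
# The flag is available in R 4.2.1+ per the answer; it is applied on Windows
# only because the thread reports Linux clients working without it.
if (.Platform$OS.type == "windows" && getRversion() >= "4.2.1") {
  Sys.setenv(R_LIBCURL_SSL_REVOKE_BEST_EFFORT = "TRUE")
}
options(repos = c(CRAN = repo),
        download.file.method = "libcurl",
        download.file.extra = NULL)  # NULL drops any leftover "-k -L"

# One-off check: fetch the source package index with verification enabled.
# Returns TRUE on success, FALSE (with the reason) on any warning or error.
check_mirror <- function(repo) {
  index <- paste0(utils::contrib.url(repo, type = "source"), "/PACKAGES")
  tmp <- tempfile()
  on.exit(unlink(tmp))
  fail <- function(cond) {
    message("Cannot read ", index, ": ", conditionMessage(cond))
    FALSE
  }
  tryCatch(
    utils::download.file(index, tmp, method = "libcurl", quiet = TRUE) == 0L,
    error = fail, warning = fail)
}

# Run once after editing .Rprofile, from an interactive session:
# check_mirror(getOption("repos")[["CRAN"]])
```

If `check_mirror()` still fails with the flag set, the remaining cause is not the revocation lookup, and the mirror's certificate chain is the next thing to inspect.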