SSL handshake error when connecting to peer-server locally

jglx30 · July 9, 2019, 12:58am

Hello everyone! Sorry for the long post. I appreciate any help you may offer in advance.

Env:

datomic version: datomic-pro-0.9.5930 (starter license)
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b03-0ubuntu1.18.04.1-b03)
Linux laptop

What i tried to do - very basic steps, just following the online guide:

started a peer-server on my laptop using the same command per online guide

bin/run -m datomic.peer-server -h localhost -p 8998 -a usr,pwd -d hello,datomic:mem://hello

this worked fine. I got:

Serving datomic:mem://hello as hello

Next, tried to connect to the peer-server from client.
Fired up a repl , included datomic.client-pro dependency, followed the instructions online:

(require '[datomic.client.api :as d])
(def db-cfg
{:server-type :peer-server
:access-key “usr”
:secret “pwd”
:endpoint “localhost:8998”
})

(def c (d/client db-cfg)) ;;worked fine

(d/connect c {:db-name “hello”}) ;; error!

Following error came up

General SSLEngine problem
{:cognitect.anomalies/category :cognitect.anomalies/fault,
:cognitect.anomalies/message “General SSLEngine problem”,
:cognitect.http-client/throwable #error {
:cause “No name matching localhost found”
:via
[{:type javax.net.ssl.SSLHandshakeException
:message “General SSLEngine problem”

So looks like the SSL handshake between client and peer-server failed due to host name localhost

I assume the Jetty server used by peer-server defines a ssl conext factory, but I could not figure out how it is initialized. Most importantly, how I can pass a keystore setting to it. I tried to add -Djavax.net.ssl.keyStore=.. java options to peer-server command line, but seems they were ignored. I see from peer-server log the Jetty server was started with null keystore/trustStore.

2019-07-07 18:17:59.308 INFO default o.e.jetty.util.ssl.SslContextFactory - x509=X509@402d6012(transactor,h=,w=) for SslContextFactory@395281c2[provider=null,keyStore=null,trustStore=null]
2019-07-07 18:17:59.318 INFO default o.e.jetty.server.AbstractConnector - Started ServerConnector@1573e8a5{SSL,[ssl, http/1.1]}{localhost:8998}
2019-07-07 18:17:59.318 INFO default org.eclipse.jetty.server.Server - Started @6356ms

So the question is how I can bypass this issue? Can i run peer-sever without SSL? can I specify a keystore config to Jetty?

Thanks!

marshall · July 9, 2019, 1:23pm

See https://docs.datomic.com/on-prem/peer-server.html#connecting
You need to add :validate-hostnames false to your connection map.

-Marshall

jglx30 · July 10, 2019, 12:11am

great! it worked after adding the :validate-hostnames false
Thanks!

m0smithtb · July 22, 2019, 9:27pm

I am getting the same problem with this config. Both the client and peer are running in Docker containers.

(def cfg {:server-type :peer-server
          :access-key "key"
          :secret "secret"
          :endpoint "peer:8998"
          :validate-hostnames false})

Is there something else that would be missing?

marshall · July 30, 2019, 3:36pm

You may need to check your docker configurations to ensure that the correct ports/network routes are configured for communication between the client and peer-server containers.

mia · October 4, 2019, 6:25pm

Hi there! Any update on what might be causing this? We ran into the same problem even after adding :validate-hostnames false to the connection map and it doesn’t seem to be a docker configuration issue.

mrzor · November 25, 2019, 12:07pm

Greetings!

I’d like to report I’m now seeing this error. I tested against datomic 0.9.5930 et 0.9.5981. There is no docker involved in my datomic setup at this point.

I believe it used to work, at least in July 2019, with version 0.9.5930. I do not know what changed in my setup since then (I suppose that’s an argument for Docker in that context …).

As far as I can tell adding :validate-hostnames false to my client map (as the linked documentation above suggests) or my connection map (as marshall suggests) doesn’t have any effect. The :validate-hostnames keyword doesn’t appear in the documentation found within the datomic.client.api namespace, located at ~/.m2/repository/com/datomic/client-api/0.8.35/client-api-0.8.35.jar!/datomic/client/api.clj on my system.

$ lsb-release -d 
Description:	Ubuntu 19.04

$ java -version
openjdk version "12.0.2" 2019-07-16
OpenJDK Runtime Environment Zulu12.3+11-CA (build 12.0.2+3)
OpenJDK 64-Bit Server VM Zulu12.3+11-CA (build 12.0.2+3, mixed mode, sharing)

$ grep datomic project.clj
                 [com.datomic/datomic-pro            "0.9.5981"]
                 [com.datomic/client-pro             "0.8.28"]

mrzor · November 27, 2019, 2:10pm

Greetings!

I managed to connect to localhost using :validate-hostnames false after upgrading com.datomic/client-pro to the latest 0.9.41, that I found out about using some maven browser.

The page https://docs.datomic.com/on-prem/project-setup.html directed me to install 0.8.28 and I initially believed there was some underlying reason to this. I now believe it should be updated

NB: :validate-hostnames false needs to be put in the client map and not the connection map - as the documentation already states.

Cheers!

marshall · December 11, 2019, 3:21pm

I’m glad you got this sorted.
I’ve updated the listed version in that page of the documentation.

Topic		Replies	Views
Java 11.0.1 SSL Exception Datomic Pro	2	2561	December 17, 2018
Peer server cant connect to postgresql database Troubleshooting	4	1901	August 13, 2019
Unable to resolve entry point, make sure you have the correct version of com.datomic/client on your classpath Troubleshooting	4	885	May 1, 2019
Unable to connect to Datomic system through the bastion Troubleshooting	3	1309	March 17, 2020
Datomic 1.0.7075 Pro now available Announcements	0	486	December 18, 2023

SSL handshake error when connecting to peer-server locally

Related topics