SSL handshake error when connecting to peer-server locally

Hello everyone! Sorry for the long post. Thanks in advance for any help you can offer.

Env:

  • datomic version: datomic-pro-0.9.5930 (starter license)
  • OpenJDK Runtime Environment (build 1.8.0_212-8u212-b03-0ubuntu1.18.04.1-b03)
  • Linux laptop

What I tried to do (very basic steps, just following the online guide):

  1. Started a peer-server on my laptop using the command from the online guide:

bin/run -m datomic.peer-server -h localhost -p 8998 -a usr,pwd -d hello,datomic:mem://hello

this worked fine. I got:

Serving datomic:mem://hello as hello

  2. Next, tried to connect to the peer-server from a client.
    Fired up a REPL, included the datomic.client-pro dependency, and followed the instructions online:

    (require '[datomic.client.api :as d])

    (def db-cfg
      {:server-type :peer-server
       :access-key  "usr"
       :secret      "pwd"
       :endpoint    "localhost:8998"})

    (def c (d/client db-cfg)) ;; worked fine

    (d/connect c {:db-name "hello"}) ;; error!

The following error came up:

General SSLEngine problem
{:cognitect.anomalies/category :cognitect.anomalies/fault,
 :cognitect.anomalies/message "General SSLEngine problem",
 :cognitect.http-client/throwable #error {
   :cause "No name matching localhost found"
   :via
   [{:type javax.net.ssl.SSLHandshakeException
     :message "General SSLEngine problem"

So it looks like the SSL handshake between client and peer-server failed because of the host name localhost.

I assume the Jetty server used by peer-server defines an SSL context factory, but I could not figure out how it is initialized. Most importantly, I could not figure out how to pass a keystore setting to it. I tried adding -Djavax.net.ssl.keyStore=.. Java options to the peer-server command line, but they seem to have been ignored. I see from the peer-server log that the Jetty server was started with a null keyStore/trustStore.

2019-07-07 18:17:59.308 INFO default o.e.jetty.util.ssl.SslContextFactory - x509=X509@402d6012(transactor,h=,w=) for SslContextFactory@395281c2[provider=null,keyStore=null,trustStore=null]
2019-07-07 18:17:59.318 INFO default o.e.jetty.server.AbstractConnector - Started ServerConnector@1573e8a5{SSL,[ssl, http/1.1]}{localhost:8998}
2019-07-07 18:17:59.318 INFO default org.eclipse.jetty.server.Server - Started @6356ms

So the question is: how can I get around this issue? Can I run peer-server without SSL? Can I specify a keystore config for Jetty?

Thanks!

See https://docs.datomic.com/on-prem/peer-server.html#connecting
You need to add :validate-hostnames false to your connection map.

-Marshall
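The failure above is a hostname-validation failure, not a broken TLS connection: the handshake itself succeeds, but the certificate the peer-server presents carries no name that matches `localhost`. The Jetty log line in the question already hints at this: Jetty prints the certificate alias followed by the host names (`h=`) and wildcard names (`w=`) it extracted from the certificate, and both are empty. `:validate-hostnames false` turns off that name check only; a certificate issued for a different name is then accepted, so it is a development setting, not something to carry into a production endpoint. The script below is an added diagnostic, not part of the original thread or of Datomic: it fetches whatever certificate a TLS endpoint presents, lists the names it actually contains (SAN entries first, falling back to the subject CN the way the Java error message does), and reports whether a given host name would pass the check. The names, port and certificate contents used for the offline demo are constructed for illustration and modelled on the log line in the question; they are not dumped from a real peer-server. It needs Python 3.10 or newer for `ssl.VERIFY_X509_PARTIAL_CHAIN` and the `timeout` argument of `ssl.get_server_certificate`.

```python
"""Show which names a TLS server certificate carries and whether a given
host name would pass hostname validation against it (added diagnostic)."""
import ipaddress
import socket
import ssl
import sys

# Constructed sample, modelled on the Jetty log line in the question
# (x509=...(transactor,h=,w=)): a subject CN of "transactor" and no
# subjectAltName extension. Not a real certificate from a peer-server.
CONSTRUCTED_PEER_SERVER_CERT = {
    "subject": ((("commonName", "transactor"),),),
    "issuer": ((("commonName", "transactor"),),),
}


def cert_names(cert):
    """Return (dns_names, ip_names) from the dict that
    ssl.SSLSocket.getpeercert() returns. With no subjectAltName, fall
    back to the subject commonName, as the JDK's HostnameChecker does."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def _dns_pattern_matches(pattern, hostname):
    """RFC 6125 style matching: case-insensitive, a wildcard only as the
    whole leftmost label, matching exactly one label, and never for a
    pattern with fewer than three labels (no "*.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname would pass validation against cert. An IP literal
    is only compared with IP Address SAN entries, never with DNS names."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ips)
    return any(_dns_pattern_matches(p, hostname) for p in dns)


def fetch_peer_cert(host, port, timeout=5.0):
    """Fetch the certificate a server presents without a trust store.
    Step 1 grabs the PEM with verification off; step 2 reconnects
    trusting exactly that PEM so OpenSSL parses it into dict form.
    PARTIAL_CHAIN lets a non-self-signed leaf act as its own anchor,
    which is fine for a diagnostic but not for a real client."""
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # we are measuring the mismatch, not enforcing it
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def diagnose(cert, hostname):
    """Summarise the names in cert and whether hostname matches them."""
    dns, ips = cert_names(cert)
    return {"dns_names": dns, "ip_names": ips,
            "hostname": hostname, "matches": hostname_matches(cert, hostname)}


if __name__ == "__main__":
    # Usage: python tls_names.py HOST PORT   (e.g. localhost 8998)
    # With no arguments, runs against the constructed sample above.
    if len(sys.argv) == 3:
        host, cert = sys.argv[1], fetch_peer_cert(sys.argv[1], int(sys.argv[2]))
    else:
        host, cert = "localhost", CONSTRUCTED_PEER_SERVER_CERT
    print(diagnose(cert, host))
```

Run against the constructed sample, the report lists `transactor` as the only name and `matches: False` for `localhost`, which is the mismatch the Java exception describes. Run against a live endpoint, it tells you what name the server certificate would have to carry (or which name the client should connect to) for hostname validation to pass without turning it off.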

Great! It worked after adding :validate-hostnames false.
Thanks!

I am getting the same problem with this config. Both the client and peer are running in Docker containers.

(def cfg {:server-type :peer-server
          :access-key "key"
          :secret "secret"
          :endpoint "peer:8998"
          :validate-hostnames false})

Is there something else that would be missing?

You may need to check your docker configurations to ensure that the correct ports/network routes are configured for communication between the client and peer-server containers.

Hi there! Any update on what might be causing this? We ran into the same problem even after adding :validate-hostnames false to the connection map, and it doesn't seem to be a Docker configuration issue.