I'm not 100%, but pretty confident that it's possible, but the pod would need to be loaded with pods/load-pod (this could potentially go into a reader conditional maybe if double-loading would cause a problem)

The pods lib is meant for both the JVM and bb: https://github.com/babashka/pods It needs to be included as a dep when running there and pods need to be https://github.com/babashka/pods#usage and cannot be done declaratively like in bb.edn. Adding onto what @U013JFLRFS8 said, you can always load the pod as code and not via bb.edn to make it work on both platforms.

Using pods in bb.edn was kind-of-a mistake, it only works for local projects, not as library code. Just wrap your pod in a library using load-pod for bb-only which you can use via deps.edn and bb.edn. Examples here: • https://github.com/babashka/instaparse-bb • https://github.com/clj-kondo/clj-kondo-bb

Unless the pod isn't exposing a Clojure library, then just use the pods library on the JVM as well

You want to capture the output as a stream, while it's running?

I want it to print and die 🙂

but why is the program hanging?

it’s not hanging, it has some sort of interactive mode I guess

you can try {:in ""} as an argument, so stdin is an empty string

as the first argument to p/shell

Thanks, that helped! (shell {:in "" :out :string} "openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts")

Wow that was fast!

I get the output as an exception though, I guess it’s printing to the error buffer

which is fine, I still get it, but maybe there’s a way to get the err?

No, my bad, I get it ok

:err :string is also an option. to not throw, you can use :continue true

It was the last manual step in my mac setup. Now the entire system from scratch is configured using babashka, including importing gpg keys, pass vaults, certificates, all dotfiles, installation of all required apps etc 🙂

:-)

And it’s more or less idempotent. I can rerun it as many times as I want, and it will bring the system to the state I want it in, but only if something is missing.

very nice

thank you, you made it possible 🙂

Wow, is it available on public repo? or minimal snippet?

Does this help: https://github.com/babashka/http-client/blob/73e77e8965ffbd52456c760f578603d86f1234bb/src/babashka/http_client.clj#L28

Sorry Borkdude, I am not sure I can decode that: This is what I am sending:

(http/post (str "https://" (:cpd-route config) "/secure-url")
                                  {
                                   :body (json/generate-string {:username (:username config)
                                                          :api_key (:user-api-key config)})
                                   :content-type :json
                                   :accept :json
                                   :as :json
                                   :insecure true})

And I get :

javax.net.ssl.SSLHandshakeException: unable to find valid certification path to requested target core c:\Users\MartinRoberts\Box\Personal\projects\SiteplannerData\core.clj:2:22

you need to create a client with the insecure option

(http/client (assoc http/default-client-opts :ssl-context {:insecure true}))

and then (http/get ... {:client client})

Thanks.

Hi, glad the conference went well. When trying to reproduce using the issue in JVM I am now getting an error that random-uuid is not declared. I have looked in the source and can't trace where it is.

this is because you're using a tool old version of clojure, probably

OK I will update

Thanks

Sadly I have it all set up for JVM, but dns is now failing. It seems to work with the clj-http.

Do you have a repro?

repro? Do you mean - that I have the code somewhere you can view?

a piece of code which demonstrates the problem so it can be debugged

it doesn't have to be the code you are using in full, preferably the smallest piece of code which shows the problem

(ns ogsetup.core
  (:require 
   [babashka.http-client :as http]
   [cheshire.core :as json]))

(def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true})))




(def config (json/parse-string (slurp "config.json") true))


(defn get-token []
  (let [resp  (:body (http/post (:url config)
                                {:client client
                                 :body (json/generate-string {:username (:username config)
                                                              :api_key (:user-api-key config)})
                                 :content-type :json
                                 :accept :json
                                 :as :json}))]
    (:token resp)))

(get-token)

The url is an "https".

Can you also provide the url?

Sorry it is internal to my business.

I am getting the same error in both jvm and bb versions

Evaluating file: core.clj
; javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching `url` found. ogsetup.core 
; core.clj:22:22
; Evaluation of file core.clj failed: class javax.net.ssl.SSLHandshakeException

I need a url to reproduce the problem

OK, lets leave it there. @U04V15CAJ thank you so much for all your work and support.

Why leave it here?

Because I can't share the url.

But perhaps the problem will also occur with another url? Or is it specific to this url?

I realised I could say something about the url - it was an endpoint on a k8s cluster.

Is there anyway to use clj-http instead.

no, but you can try httpkit, clj-http-lite, hato or raw java.net.http

OK I will give that a try. using lein uberjar is just a nightmare!

Hi here is the snippet that is failing with the url, it is an endpoint in a k8s cluster. Do I need to add more options to the client?

(def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true})))

(defn get-token
  [] (tap-> "Get Token for user: admin")
              (let [url (str "https://<cluster>/icp4d-api/v1/authorize")
                    json-body (json/generate-string {:username (:username "admin")
                                                     :api_key (:user-api-key "<replace with api key>")})
                    resp  (json/parse-string (:body (http/post url
                                                                 {:client client
                                                                  :body json-body
                                                                  :content-type :json
                                                                  :accept :json
                                                                  :as :json
                                                                  :throw-entire-message? true})) true)]
                (:token resp)))

(get-token)

:throw-entire-message? isn't an option supported by babashka.http-client, neither is :as :json , also not :content-type :json

you need to add those headers yourself:

{:client ... :body :headers {:content-type "application/json" :accept "application/json"}}

and then parse the JSON body string yourself

OK - cut and paste from clj-http-lite

Getting the same error with - hope this is what you meant from above

(http/post url
    {:client client
     :body json-body
     :headers {:content-type "application/json" :accept "application/json"}})

It does seem strange that it works with clj-http-lite with no problems.

What error are you seeing exactly

; http://javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching http://cpd-lifecycle-manager.apps.nonage.cp.fyre.ibm.com found. http-test c:\Users\MartinRoberts\Documents\projects\http-client-exp\http-test.clj:6:53

Can you maybe set up a Docker image or so that I can run locally? I’ve never used k8s before but if you can provide an environment that I can easily run locally I would be able to look into it more

Let me think about that. Thanks for be willing.

Are you able to curl that endpoint? That error seems to be a host name mismatch from what the certificate is providing

The cert the server is producing isn’t meant for it. That’s mostly when this error happens

We are using a self signed cert that may be generic across all our test platforms.

I would have though that setting the client to insecure would get round that?

Does curl -k <the url> work? I’m on limited machine access now, can try more later

The error doesn’t seem to be about a signature mismatch but the host name itself seems to be different

I'm able to repro with a self-signed certificate + python https server

curl -k 

Is that a bug then?

What I mean am I doing something wrong? Like a missing option?

I don't know yet

Looks like it could be a bug in bb http-client. Just for completeness, could you try curl -k with your url @U4C3ZU6KX ?

@rahul080327 it reached the endpoint ok.

I can get it to work by doing this:

(require '[babashka.http-client :as http])

(System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true")

(def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true})))

(defn get-token
  []
  (let [url (str "")]
    (prn (http/post url
                   {:client client}))))

(get-token)

Note: (System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true") Probably not advisable for production

Thats great thanks.

I am only working on test machines.

Like I was thinking, this isn’t about the cert signature

You can also configure :keystore and :truststore

I am guessing that the following error when using the http-kit client is for the same reason:

[{:type java.lang.IllegalArgumentException
   :message "host is null: https//server/icp4d-api/v1/authorize"
   :at [org.httpkit.client.HttpClient exec "HttpClient.java" 291]}]

it might be because you forgot a : in the url

Sorry:)

I keep ending up blocked. With this bb.edn file I thought your fix above would work. But I get the same DNS error.

{ :paths ["."]
  :deps {}
 :tasks {:requires ([httptest :as test]
                    [babashka.http-client :as http])
         :init (do
                 (def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true}))))
         get-token (do (System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true")
                       (test/get-token))}
}

I’ll check back tonight, I’m traveling

Thank you - you have been so patient.

BTW is there a reason the clj-http-lite does not support multipart forms?

Maybe https://badssl.com/ can help as a repro? It has various hostnames with bad ssl certificates.

In the CSR for your self-signed certs, are you only specifying a subject or do you also have a DNS subjectAlternativeName with the same host name?

I noticed that (System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true") doesn't have the same effect in bb (when natively compiled) as in the JVM. I tried investigating but can't find the issue right now. I'll file a bb issue for this and will resume later

https://github.com/babashka/babashka/issues/1587 If anyone else wants to dig into it before I can, please do

About multipart in clj-http-lite: feel free to port whatever bb http-client has to clj-http-lite, the code is open source. cc @UE21H2HHD

@U4C3ZU6KX have you tried httpkit though?

I will get to the bottom of this once I'm back from my trip, next week or so

@U4C3ZU6KX re: > Unfortunately, I feel blocked as clj-http-lite works but not for multipart. I have tried http-kit but I get the following > error: java.lang.ClassCastException: clojure.lang.Keyword cannot be cast to java.lang.String are you sending a headers with as a map with keyword keys and could that be causing this? httpkit doesnt take keywords as keys iirc, needs strings.

user=> @(http/get "" {:headers {:foo "bar"}})
java.lang.ClassCastException: clojure.lang.Keyword cannot be cast to java.lang.String [at <repl>:6:2]
user=> @(http/get "" {:headers {"foo" "bar"}})
{:opts {:headers {"foo" "bar"}, :method :get, :url ""}, :body "{\n  \"args\": {}, \n  \"headers\": {\n    \"Accept-Encoding\": \"gzip, deflate\", \n    \"Content-Length\": \"0\", \n    \"Foo\": \"bar\", \n    \"Host\": \"\", \n    \"User-Agent\": \"http-kit/2.0\", \n    \"X-Amzn-Trace-Id\": \"Root=1-64a47937-56c777d27a560b462c23e37a\"\n  }, \n  \"origin\": \"188.214.11.255\", \n  \"url\": \"\"\n}\n", :headers {:access-control-allow-credentials "true", :access-control-allow-origin "*", :connection "keep-alive", :content-length "323", :content-type "application/json", :date "Tue, 04 Jul 2023 19:55:35 GMT", :server "gunicorn/19.9.0"}, :status 200}

I think replacing the insecure-tm implementation with

(proxy [X509ExtendedTrustManager] []
(checkClientTrusted [& _])
(checkServerTrusted [& _])) 

nevermind, see you're already onto that solution in the github issue

I also confirmed that setting an appropriate subjectAltName on the self-signed cert makes the problem go away using the existing TrustManager, if regenerating/deploying certs is an option for @U4C3ZU6KX e.g. this cert from the github issue with localhost specified only in the subject causes errors:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=localhost"

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=localhost" -addext "subjectAltName = DNS:localhost, IP:127.0.0.1"

@U015879P2F8 Thanks for the suggestion, unfortunately I am not in control of the certificates, I am just using a standard installation we have. What is strange is that both clj-http-lite and http-kit do not show this behaviour.

> BTW is there a reason the clj-http-lite does not support multipart forms? @U4C3ZU6KX, it's due to the -lite aspect of clj-http-lite, it's not a full-featured HTTP client by design, but does the trick for some use cases.

On mobile so can’t seem to link directly to line number, but for clj-http-lite it looks like it also overrides the HostnameVerifier in addition to the SSLContext

Make sense.

https://github.com/clj-commons/clj-http-lite/blob/master/src/clj_http/lite/core.clj line 45

@UE21H2HHD clj-http-lite could have this, was my point, it can be done in pure Clojure like in bb http client, but makes sense to skip

Right... gotcha. If have no real preference or strong opinions, but maybe nice to keep a lite library light?

<@U015879P2F8> ya, I'm at desktop and can link easily, <https://github.com/clj-commons/clj-http-lite/blob/5d5f836e70dc0e5946d2b0a66b5292e8df22b12e/src/clj_http/lite/core.clj#L45-L65|here's the clj-http-lite code that is >_<https://github.com/clj-commons/clj-http-lite/blob/5d5f836e70dc0e5946d2b0a66b5292e8df22b12e/src/clj_http/lite/core.clj#L45-L65|very>_<https://github.com/clj-commons/clj-http-lite/blob/5d5f836e70dc0e5946d2b0a66b5292e8df22b12e/src/clj_http/lite/core.clj#L45-L65| trusting>.

ok, I fixed the issue by using http://javax.net.ssl.X509ExtendedTrustManager - bb http-client should now work as is for your use case @U4C3ZU6KX but you will need the bb version from master. You can download it using bash <(curl ) --dev-build --dir /tmp This will only work when the master build is finished (should take 10 minutes from now or so)

should be there now

Thanks

I’m curious if it does work for you now

I will try first thing tomorrow

That fixed the issue - many, many thanks

Can you try this from JVM Clojure to see if it works differently from babashka?

I have been using calva and leinegen and it seems to work.

Putting the ipaddress directly in yields: No subject alternative names matching IP address

with the same babashka.http library right?

Sorry no with clj-http. I will try with the babashka library

please do

also make sure you're using the latest bb version