This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2023-06-20
When I use pods from bb.edn, I'm guessing I can't run the script with Clojure anymore?
I'm not 100%, but pretty confident that it's possible, but the pod would need to be loaded with pods/load-pod (this could potentially go into a reader conditional maybe if double-loading would cause a problem)
The pods lib is meant for both the JVM and bb: https://github.com/babashka/pods It needs to be included as a dep when running there and pods need to be https://github.com/babashka/pods#usage and cannot be done declaratively like in bb.edn. Adding onto what @U013JFLRFS8 said, you can always load the pod as code and not via bb.edn to make it work on both platforms.
Using pods in bb.edn was kind-of-a mistake, it only works for local projects, not as library code. Just wrap your pod in a library using load-pod for bb-only which you can use via deps.edn and bb.edn. Examples here: • https://github.com/babashka/instaparse-bb • https://github.com/clj-kondo/clj-kondo-bb
Unless the pod isn't exposing a Clojure library, then just use the pods library on the JVM as well
How do I capture output of this command with babashka?
openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts
When I try (p/shell "openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts")
it just hangs, cause the program itself doesn’t exit. If I use commands that produce the output in bash with automatic exit, like echo | openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts
there is no output.
I want it to print and die 🙂
it’s not hanging, it has some sort of interactive mode I guess
Thanks, that helped!
(shell {:in "" :out :string} "openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts")
I get the output as an exception though, I guess it’s printing to the error buffer
which is fine, I still get it, but maybe there’s a way to get the err?
No, my bad, I get it ok
It was the last manual step in my mac setup. Now the entire system from scratch is configured using babashka, including importing gpg keys, pass vaults, certificates, all dotfiles, installation of all required apps etc 🙂
And it’s more or less idempotent. I can rerun it as many times as I want, and it will bring the system to the state I want it in, but only if something is missing.
Hi hopefully an easy one to answer - how can I make the babashka/http handle insecure https endpoints. In clj-http there is an :insecure? true option.
Does this help: https://github.com/babashka/http-client/blob/73e77e8965ffbd52456c760f578603d86f1234bb/src/babashka/http_client.clj#L28
Sorry Borkdude, I am not sure I can decode that: This is what I am sending:
(http/post (str "https://" (:cpd-route config) "/secure-url")
           {:body (json/generate-string {:username (:username config)
                                         :api_key (:user-api-key config)})
            :content-type :json
            :accept :json
            :as :json
            :insecure true})
And I get :
javax.net.ssl.SSLHandshakeException: unable to find valid certification path to requested target core c:\Users\MartinRoberts\Box\Personal\projects\SiteplannerData\core.clj:2:22
Hi, glad the conference went well. When trying to reproduce using the issue in JVM I am now getting an error that random-uuid is not declared. I have looked in the source and can't trace where it is.
Sadly I have it all set up for JVM, but dns is now failing. It seems to work with the clj-http.
it doesn't have to be the code you are using in full, preferably the smallest piece of code which shows the problem
(ns ogsetup.core
  (:require
   [babashka.http-client :as http]
   [cheshire.core :as json]))
(def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true})))
(def config (json/parse-string (slurp "config.json") true))
(defn get-token []
  (let [resp (:body (http/post (:url config)
                               {:client client
                                :body (json/generate-string {:username (:username config)
                                                             :api_key (:user-api-key config)})
                                :content-type :json
                                :accept :json
                                :as :json}))]
    (:token resp)))
(get-token)
Evaluating file: core.clj
; javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching `url` found. ogsetup.core
; core.clj:22:22
; Evaluation of file core.clj failed: class javax.net.ssl.SSLHandshakeException
OK, let's leave it there. @U04V15CAJ thank you so much for all your work and support.
But perhaps the problem will also occur with another url? Or is it specific to this url?
Hi here is the snippet that is failing with the url, it is an endpoint in a k8s cluster. Do I need to add more options to the client?
(def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true})))
(defn get-token
  []
  (tap-> "Get Token for user: admin")
  (let [url (str "https://<cluster>/icp4d-api/v1/authorize")
        json-body (json/generate-string {:username (:username "admin")
                                         :api_key (:user-api-key "<replace with api key>")})
        resp (json/parse-string (:body (http/post url
                                                  {:client client
                                                   :body json-body
                                                   :content-type :json
                                                   :accept :json
                                                   :as :json
                                                   :throw-entire-message? true}))
                                true)]
    (:token resp)))
(get-token)
:throw-entire-message? isn't an option supported by babashka.http-client, neither is :as :json, also not :content-type :json
you need to add those headers yourself:
{:client ... :body :headers {:content-type "application/json" :accept "application/json"}}
I don't know kubernetes. Is there anybody who can make a reproduction out of this problem? Perhaps @rahul080327?
Getting the same error with - hope this is what you meant from above
(http/post url
           {:client client
            :body json-body
            :headers {:content-type "application/json" :accept "application/json"}})
; javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching cpd-lifecycle-manager.apps.nonage.cp.fyre.ibm.com found. http-test c:\Users\MartinRoberts\Documents\projects\http-client-exp\http-test.clj:6:53
Can you maybe set up a Docker image or so that I can run locally? I’ve never used k8s before but if you can provide an environment that I can easily run locally I would be able to look into it more
Are you able to curl that endpoint? That error seems to be a host name mismatch from what the certificate is providing
The cert the server is producing isn’t meant for it. That’s mostly when this error happens
Does curl -k <the url> work? I’m on limited machine access now, can try more later
The error doesn’t seem to be about a signature mismatch but the host name itself seems to be different
I'm able to repro with a self-signed certificate + python https server
curl -k works but bb http-client doesn't
Looks like it could be a bug in bb http-client. Just for completeness, could you try curl -k with your url @U4C3ZU6KX ?
@rahul080327 it reached the endpoint ok.
I can get it to work by doing this:
(require '[babashka.http-client :as http])
(System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true")
(def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true})))
(defn get-token
  []
  (let [url (str "")]
    (prn (http/post url
                    {:client client}))))
(get-token)
Note: (System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true")
Probably not advisable for production
Like I was thinking, this isn’t about the cert signature
I am guessing that the following error when using the http-kit client is for the same reason:
[{:type java.lang.IllegalArgumentException
  :message "host is null: https//server/icp4d-api/v1/authorize"
  :at [org.httpkit.client.HttpClient exec "HttpClient.java" 291]}]
I keep ending up blocked. With this bb.edn file I thought your fix above would work. But I get the same DNS error.
{:paths ["."]
 :deps {}
 :tasks {:requires ([httptest :as test]
                    [babashka.http-client :as http])
         :init (do
                 (def client (http/client (assoc http/default-client-opts :ssl-context {:insecure true}))))
         get-token (do (System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true")
                       (test/get-token))}}
Unfortunately, I feel blocked as clj-http-lite works but not for multipart. I have tried http-kit but I get the following error: java.lang.ClassCastException: clojure.lang.Keyword cannot be cast to java.lang.String which is the case of an open issue: https://github.com/http-kit/http-kit/issues/343 and the obvious route of using the http-client is proving problematic.
Maybe https://badssl.com/ can help as a repro? It has various hostnames with bad ssl certificates.
In the CSR for your self-signed certs, are you only specifying a subject or do you also have a DNS subjectAlternativeName with the same host name?
I noticed that (System/setProperty "jdk.internal.httpclient.disableHostnameVerification" "true") doesn't have the same effect in bb (when natively compiled) as in the JVM. I tried investigating but can't find the issue right now. I'll file a bb issue for this and will resume later
https://github.com/babashka/babashka/issues/1587 If anyone else wants to dig into it before I can, please do
About multipart in clj-http-lite: feel free to port whatever bb http-client has to clj-http-lite, the code is open source. cc @UE21H2HHD
@U4C3ZU6KX have you tried httpkit though?
@U4C3ZU6KX re:
> Unfortunately, I feel blocked as clj-http-lite works but not for multipart. I have tried http-kit but I get the following error: java.lang.ClassCastException: clojure.lang.Keyword cannot be cast to java.lang.String
are you sending headers as a map with keyword keys and could that be causing this? httpkit doesn't take keywords as keys iirc, needs strings.
user=> @(http/get "" {:headers {:foo "bar"}})
java.lang.ClassCastException: clojure.lang.Keyword cannot be cast to java.lang.String [at <repl>:6:2]
user=> @(http/get "" {:headers {"foo" "bar"}})
{:opts {:headers {"foo" "bar"}, :method :get, :url ""}, :body "{\n \"args\": {}, \n \"headers\": {\n \"Accept-Encoding\": \"gzip, deflate\", \n \"Content-Length\": \"0\", \n \"Foo\": \"bar\", \n \"Host\": \"\", \n \"User-Agent\": \"http-kit/2.0\", \n \"X-Amzn-Trace-Id\": \"Root=1-64a47937-56c777d27a560b462c23e37a\"\n }, \n \"origin\": \"188.214.11.255\", \n \"url\": \"\"\n}\n", :headers {:access-control-allow-credentials "true", :access-control-allow-origin "*", :connection "keep-alive", :content-length "323", :content-type "application/json", :date "Tue, 04 Jul 2023 19:55:35 GMT", :server "gunicorn/19.9.0"}, :status 200}
I think replacing the insecure-tm implementation with
(proxy [X509ExtendedTrustManager] []
  (checkClientTrusted [& _])
  (checkServerTrusted [& _]))
would solve it
nevermind, see you're already onto that solution in the github issue
I also confirmed that setting an appropriate subjectAltName on the self-signed cert makes the problem go away using the existing TrustManager, if regenerating/deploying certs is an option for @U4C3ZU6KX
e.g. this cert from the github issue with localhost specified only in the subject causes errors:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=localhost"
but after adding a SAN it works fine connecting as localhost or by IP:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=localhost" -addext "subjectAltName = DNS:localhost, IP:127.0.0.1"
@U015879P2F8 Thanks for the suggestion, unfortunately I am not in control of the certificates, I am just using a standard installation we have.
What is strange is that both clj-http-lite and http-kit do not show this behaviour.
> BTW is there a reason the clj-http-lite does not support multipart forms?
@U4C3ZU6KX, it's due to the -lite aspect of clj-http-lite, it's not a full-featured HTTP client by design, but does the trick for some use cases.
On mobile so can’t seem to link directly to line number, but for clj-http-lite it looks like it also overrides the HostnameVerifier in addition to the SSLContext
https://github.com/clj-commons/clj-http-lite/blob/master/src/clj_http/lite/core.clj line 45
@UE21H2HHD clj-http-lite could have this, was my point, it can be done in pure Clojure like in bb http client, but makes sense to skip
Right... gotcha. I have no real preference or strong opinions, but maybe nice to keep a lite library light?
@U015879P2F8 ya, I'm at desktop and can link easily, here's the clj-http-lite code that is very trusting: https://github.com/clj-commons/clj-http-lite/blob/5d5f836e70dc0e5946d2b0a66b5292e8df22b12e/src/clj_http/lite/core.clj#L45-L65
ok, I fixed the issue by using javax.net.ssl.X509ExtendedTrustManager - bb http-client should now work as is for your use case @U4C3ZU6KX
but you will need the bb version from master.
You can download it using bash <(curl
This will only work when the master build is finished (should take 10 minutes from now or so)
Why would I get this No subject alternative DNS name matching when I can ping the name of the end point, but in the script it fails? Sorry for asking primitive questions.
Putting the ipaddress directly in yields: No subject alternative names matching IP address