babashka

asolovyov 2025-09-30T07:25:26.088929Z

I'm having a bit of a weird problem, (binding [*out* *err*] (println "test")) won't print anything. My *out* is an OutputStreamWriter, while *err* is a PrintWriter, but that's even before first ns declaration or any requires. I'm out of ideas how to figure out what's going on, so any pointers are welcome 🙂 EDIT: I'm not even sure it's babashka's fault, binding [*out* (.OutputStreamWriter. System/err)] is also doing nothing...

✅ 1
borkdude 2025-09-30T07:38:43.173259Z

Does what you are trying to do work in JVM Clojure?

borkdude 2025-09-30T07:39:31.797099Z

This is what I'm seeing in a bb REPL:

user=> (binding [*out* (java.io.OutputStreamWriter. System/err)] (println "dude"))
dude
nil

borkdude 2025-09-30T07:40:05.595209Z

This also works for me:

user=> (binding [*out* *err*] (println "test"))
test
nil

asolovyov 2025-09-30T07:43:28.750909Z

yeah it works for me in Clojure no probs and in fresh babashka elsewhere also no problems at all

asolovyov 2025-09-30T07:43:44.056469Z

obviously something is very wrong with setup of this script 😕

borkdude 2025-09-30T07:44:06.746519Z

or maybe you redirect output of the script to some other place?

asolovyov 2025-09-30T07:44:19.565559Z

I don't think so 😞

asolovyov 2025-09-30T07:44:38.149899Z

oh my god

asolovyov 2025-09-30T07:44:56.430679Z

I should've written this message an hour ago, because now it works 😕 this is the worst kind of magic

asolovyov 2025-09-30T07:45:33.077049Z

obviously I've changed something, but what did I change... daaamn 🤣

jussi 2025-09-30T10:19:36.650179Z

Run into weird PKIX issue. Using VS Code (devcontainer), Calva and clj-http fetching certain URL within REPL works. Now, performing the same task through Babashka and clj-http-lite within the same devcontainer fails to an SSL error. Any pointers why?

Type:     javax.net.ssl.SSLHandshakeException
Message:  (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Location: clj_http/lite/client.clj:246:7
Babashka version
$ bb --version
babashka v1.12.208
clj-http-lite version
1.0.13
OpenSSL states that the URL certs are fine
$ openssl s_client -showcerts -connect 

✅ 1
jussi 2025-09-30T10:20:10.731729Z

Babashka is part of the container and thus available in VS Code terminal

borkdude 2025-09-30T10:20:54.097289Z

can you try babashka.http-client, httpkit client and babashka.curl as well?

jussi 2025-09-30T10:21:02.925759Z

Yes, brb.

borkdude 2025-09-30T10:24:27.128129Z

Here are also some docs to point bb at the trust store files at runtime: https://www.graalvm.org/jdk24/reference-manual/native-image/dynamic-features/CertificateManagement/

jussi 2025-09-30T10:25:02.107739Z

Seems to fail identically with bb.http-client

$ bb update-currencies
Running update-currencies
Downloading: org/babashka/http-client/0.4.22/http-client-0.4.22.pom from clojars
Downloading: org/babashka/http-client/0.4.22/http-client-0.4.22.jar from clojars
----- Error --------------------------------------------------------------------
Type:     javax.net.ssl.SSLHandshakeException
Message:  (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Location: /workspaces/carbonlink/builds.clj:182:13

----- Context ------------------------------------------------------------------
178:   "Fetch historical currency exchange data from Bank of Finland."
179:   [start-date end-date]
180:   (let [url ""]
181:     (json/parse-string
182:      (:body (client/get url
                 ^--- (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
183:                         {:accept :json
184:                          :as "UTF-16LE"
185:                          :debug true
186:                          :query-params {:startDate start-date
187:                                         :endDate end-date

----- Stack trace --------------------------------------------------------------
babashka.http-client.internal/request          - <built-in>
babashka.http-client/request                   - <built-in>
babashka.http-client/get                       - <built-in>
builds                                         - /workspaces/carbonlink/builds.clj:182:13
builds/get-historical-currency-rates           - /workspaces/carbonlink/builds.clj:181:5

jussi 2025-09-30T10:25:43.760289Z

This used to work until yesterday. Last successful run was last week.

borkdude 2025-09-30T10:26:50.495259Z

and you did not upgrade anything?

jussi 2025-09-30T10:26:51.318779Z

And it worked within the devcontainer and from clean terminal without VS Code

jussi 2025-09-30T10:27:40.166579Z

I'll check the possible upgrades, I don't recollect upgrading anything myself, but I'm not the only one touching this code base.

jussi 2025-09-30T10:29:05.998379Z

Only upgrade since last successful bb task run is kaocha, which was updated to latest version.

jussi 2025-09-30T10:29:37.094779Z

This bb task creates a commit so I can see that the last successful run was 25.9.2025

jussi 2025-09-30T10:33:42.494129Z

babashka.curl was able to fetch the resource.

borkdude 2025-09-30T10:33:45.456799Z

You could search this channel for PKIX. E.g. I find this thread: https://clojurians.slack.com/archives/CLX41ASCS/p1731400140757649

jussi 2025-09-30T10:34:55.875659Z

I did a cursory search for PKIX as a term, did miss that specific thread. Will try it.

borkdude 2025-09-30T10:35:53.074879Z

Also from another thread: > bb -http://Djavax.net.ssl.trustStore=/path/to/truststore`... my work network uses its own CAs, so I have this in a wrapper script I use (along with proxy settings)

jussi 2025-09-30T10:35:56.415069Z

Hmm, no, I actually tried importing the site certs again 🤔

jussi 2025-09-30T10:36:15.520249Z

maybe I shall try a reboot 🙈

borkdude 2025-09-30T10:36:42.668449Z

perhaps your work uses a VPN or so? something has changed there perhaps? yes, turning it off and on again usually helps at least something :)

jussi 2025-09-30T10:37:01.885029Z

shellin' out to curl works but all jvm -related approaches fail with the aforementioned PKIX error 😅

jussi 2025-09-30T10:37:40.299559Z

I did a dnf update a while ago 🤔

jussi 2025-09-30T10:37:55.342179Z

might have screwed my jvm/Fedora

jussi 2025-09-30T10:38:47.366809Z

oh well, $ sudo reboot

jussi 2025-09-30T10:51:25.646069Z

Hmm, problem persist after reboot.

jussi 2025-09-30T10:51:34.179939Z

Darn.

jussi 2025-09-30T10:53:02.577469Z

And for clarrity, no VPN in use here.

borkdude 2025-09-30T10:54:07.194819Z

I can reproduce it here:

user=> (babashka.http-client/get "")
javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [at <repl>:3:1]

✅ 1
jussi 2025-09-30T10:55:22.583139Z

Just to be clear, Babashka is installed with the linux installation script. So not locally built nor any package managers involved.

borkdude 2025-09-30T10:55:42.069229Z

$ keytool -list
keytool error: java.lang.Exception: Keystore file does not exist: /Users/borkdude/.keystore

borkdude 2025-09-30T10:55:47.505449Z

that's what I get locally too

jussi 2025-09-30T10:56:07.696209Z

Me too.

borkdude 2025-09-30T11:05:15.175539Z

I get the same issue in a Clojure JVM so that's kind of hopeful ;)

user=> (http/get "")
Execution error (SunCertPathBuilderException) at sun.security.provider.certpath.SunCertPathBuilder/build (SunCertPathBuilder.java:148).
unable to find valid certification path to requested target

borkdude 2025-09-30T11:09:26.656939Z

@jussi.mononen chatgpt gave me the following code to import the certificate manually:

# Export server certificate
openssl s_client -connect  -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > boffsaopendata.crt

# Import into JVM cacerts
sudo keytool -import -alias boffsaopendata -keystore $JAVA_HOME/lib/security/cacerts -file boffsaopendata.crt -storepass changeit

borkdude 2025-09-30T11:09:37.140839Z

then confirm with:

keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep boffsaopendata

borkdude 2025-09-30T11:10:00.495979Z

after that, it worked for me in the JVM. not in bb yet. but then I did:

bb -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts  -e '(babashka.http-client/get "")'
and that worked.

borkdude 2025-09-30T11:10:40.916199Z

with bb.http-client you can also disable certificate checking which is dangerous, but if this only a local dev script, you may want to take the risk

borkdude 2025-09-30T11:12:40.593119Z

my guess is that this company changed their certificate recently or so

jussi 2025-09-30T11:13:18.192089Z

That is possible, they revamped at least their API site completely. Most likely it is completely new infrastructure, incl certs...

borkdude 2025-09-30T11:13:47.538619Z

Issued On	Friday 26 September 2025 at 11:16:58
Expires On	Saturday 26 September 2026 at 11:16:58

jussi 2025-09-30T11:14:40.976739Z

😂 oh well

jussi 2025-09-30T11:17:13.598529Z

For the curious, the API belongs to the Bank of Finland. 😎

borkdude 2025-09-30T11:18:19.643429Z

I guess the issue will resolve itself in the next release of bb based on a newer GraalVM, but for now you can use above workaround(s)

👍 1
jussi 2025-09-30T11:18:30.223499Z

Thank you 🙏🏻