This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2024-05-30
Weird SSL issue: we have a custom cacerts file for firewall reasons, and our Clojure apps all run fine with the custom cacerts. When I try to use `$DATOMIC_BIN/datomic ... backup-db <uri> <path>` to get a dump from the remote Datomic server, though, I get the PKIX path building error, "unable to find valid certification path to requested target". It looks like it's not using the default cacerts file from `$JAVA_HOME/lib/security/cacerts` somehow? I've tried specifying the right file via
`export DATOMIC_JAVA_OPTS="-Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=*******"`
but it doesn't help. Both machines are inside the corporate firewall. Java 17, datomic-pro-1.0.7021, Mac OS. Any hints/guesses?
@U06CM8C3V Do you see the same thing when running the transactor? What flags are you passing the transactor, if so? I see you are running backup, so I'm curious if it's specific to that... Is there a keystore password?
bin/transactor -Djavax.net.ssl.trustStore=path-to-truststore
-Djavax.net.ssl.trustStorePassword=password-for-truststore
-Djavax.net.ssl.keyStore=path-to-keystore
-Djavax.net.ssl.keyStorePassword=password-for-keystore my-transactor.properties
The transactor is running fine. I can configure my local development version of the app to connect to the remote DB and it connects without a problem. It's only when running at the command line to pull down a backup of the data. I'm not sure where the keystore is located, but by my understanding that shouldn't be related (should it?). It's failing to find the certificate authority for our in-house cert, and that should be in the cacerts file (and it is, as demonstrated by the fact that the app is running without any problems).
Or at least that's my understanding; I'm happy to be corrected if I'm wrong here.
Ok, I've confirmed that we're not using any keystores, so the problem is definitely either the cacerts file or else how we/java/datomic picks which cacerts file to use. Or some other problem throwing a misleading error message, I suppose that's possible too.
Does the path building error give you any output on what path it is using? If not, can you set `-Djavax.net.debug=all` to see if you get any more details on what path it is actually looking at?
Can you easily try from a different Java version? i.e. 11? (I am assuming you are using the same version your peers and transactor have no issues with, but my suspicion remains that it's not in the expected location.)
I've tried different Java versions (8, 11, 17), but I get the same results in each. The debug flag dumped a lot of the kind of information I was looking for, and I was able to verify that our in-house CA cert is present in the list of CA certs, but it still fails. Very perplexing.
Do you have a standby transactor machine? My other thought is to test running from that machine and then see if there is anything different between the two (new machine used for backup, and old machine used for standby transactor).
Do I need a transactor to just pull a backup of the db?
It's moot though. I thought the problem was that it wasn't finding our in-house CA cert, but thanks to the debug flag I now know that it IS finding the cert.
It's not going to be worth my time to try and debug SSL issues at a deeper level than that, so I'm going to try doing a backup directly on the db server and just rsync the backup down to my machine.
Ok. If you ever do happen to figure out what went wrong, please let me know. I am oftentimes helping troubleshoot SSL-related things and could use every trick I can get my hands on 🙂
Will do, thanks for the help.