how do I enable ssl on my pedestal app so it's https as opposed to http?


You can see the implementation here: Check the comments towards the end.


I have not tried the steps myself though.


It's a bit of a pain, but the following service map works (you can ignore the web socket stuff). Notes about the keystore are below.

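;; Assumes (:require [clojure.java.io :as io] [io.pedestal.http :as http]).
;; routes and jetty-websocket-configurator are defined elsewhere in the app.
(def service-map
  (let [keystore-location
        (if (System/getenv "KEYSTORE_LOCATION")
          ;; Assumed thread step: pass Jetty the keystore path as a string.
          (-> (io/file (System/getenv "KEYSTORE_LOCATION"))
              .getAbsolutePath)
          ;; Placeholder fallback; the original default path is not shown.
          "jetty-keystore")]
    {::http/host ""
     ::http/allowed-origins {:allowed-origins (fn [_] true)
                             :creds true}
     ::http/routes #(deref #'routes)
     ::http/type   :jetty
     ::http/container-options
     {:context-configurator jetty-websocket-configurator
      :h2c? true
      :h2 true
      :ssl? true
      :ssl-port 8081
      :keystore keystore-location
      :key-password "thepassword"
      :security-provider "Conscrypt"}
     ::http/port   8080}))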

Jetty Keystore

In order for Pedestal (the back-end server) to start with Jetty, it expects a keystore to be available in a particular location (see service-map). To create the keystore (plagiarized from web, and don't remember where):

Generate a private site key (site.key)
$ openssl genrsa -des3 -out site.key 2048
Make a copy of site.key and strip the password, so that it can be auto-loaded
$ cp site.key site.orig.key
$ openssl rsa -in site.orig.key -out site.key
Generate a self-signed signing request (site.csr)
$ openssl req -new -key site.key -out site.csr
Generate a self-signed certificate (sitex509.crt - in x509 format for loading into the keystore)
$ openssl req -new -x509 -key site.key -out sitex509.crt
Combine the self-signed certificate (sitex509.crt) and site key (site.key) and export it in pkcs12 format (site.pkcs12)
$ openssl pkcs12 -inkey site.key -in sitex509.crt -export -out site.pkcs12
Rename the keystore (site.pkcs12) to jetty-keystore and adjust the service-map so it can be located.


Can you please write a blog post about this? That will be very helpful for anyone needing to do the same thing. And thanks!


Super! Thank you.


a big topic, I know.

Ben Hammond 10:04:57

I have a question about

when I try to use it, I see a
java.lang.AbstractMethodError: Receiver class datomic.client.impl.shared.Client does not define or inherit an implementation of the resolved method abstract create_database(Ljava/lang/Object;)Ljava/lang/Object; of interface datomic.client.impl.shared.protocols.Client.
	at datomic.client.api.async$create_database.invokeStatic(async.clj:148)
	at datomic.client.api.async$create_database.invoke(async.clj:140)
	at datomic.client.api.sync.Client.create_database(sync.clj:73)
	at datomic.client.api$create_database.invokeStatic(api.clj:144)
	at datomic.client.api$create_database.invoke(api.clj:135)
	at com.cognitect.vase.fern.CloudConnection._interceptor(fern.clj:94)
which is in line with my understanding of the datomic client: it cannot create databases. But doesn't that render the CloudConnection unusable? The culprit is at

Ben Hammond 10:04:29

Oh I see, this is a special case
> NOTE: create-database is not available with peer-server.
> Use a Datomic Peer to create databases with Datomic On-Prem.

Ben Hammond 10:04:20

it would be nice if I could disable that (client/create-database call from the config


@U793EL04V thanks for pointing this out. In retrospect, DB lifecycle management should be done independently. Including calls to create-database for every request is not recommended. This new learning led to me changing the pedestal.ions sample app ( I’m going to create an issue to capture that this needs to be followed up on.


In that sample I adopted the approach taken by the Datomic Ions tutorial (


I’m incorrect, the code you linked creates the db on interceptor creation only. Still, it should be done explicitly and elsewhere

Ben Hammond 14:04:15

Yeah I'm combining integrant with vase & pedestal in order to manage lifecycle and dependencies