fraxture

Reputation: 5530

"SSL doesn't have a valid keystore" error when trying to connect to Datomic Cloud

I am trying to shift over a project to use the new datomic cloud. I've created the stack through the AWS dashboard, and even been able to connect to it in a plain clojure repl with the required dependencies. But I've been having a difficult time getting a connection to work from within my project.

At first, I ran into a bunch of dependency conflicts -- indeed that may still be the root problem here -- so I added some exclusions to my inclusion of the datomic project in my project.clj:

    [com.datomic/client-cloud "0.8.50"
     :exclusions [org.eclipse.jetty/jetty-io
                  org.eclipse.jetty/jetty-util
                  commons-logging
                  commons-codec]]

Then when I tried to connect in the lein repl with

    (require '[datomic.client.api :as d])
    (def cfg {:server-type :cloud
              :region "us-east-2"
              :system "<sysname>"
              :query-group "<sysname>"
              :endpoint "http://entry.<sysname>.us-east-2.datomic.net:8182/"
              :proxy-port 8182})
    (def client (d/client cfg))

I ended up with the following error:

    2018-05-13 20:36:01.593:WARN:oejuc.AbstractLifeCycle:nREPL-worker-1: FAILED SslContextFactory@56f447c4(null,null): java.lang.IllegalStateException: SSL doesn't have a valid keystore
    java.lang.IllegalStateException: SSL doesn't have a valid keystore

This one stumps me. Here is a pastebin with the full stack trace: https://pastebin.com/cRGyVmnT. I am guessing that there may be a problem with the wrong version of jetty getting called, but I'm not sure what next steps to try. Thoughts?

Upvotes: 2

Views: 1862

Answers (3)

Juraj Martinka

Reputation: 4368

If you specify more recent dependency versions for jetty-server and jetty-client it should finally work. This is what worked for me:

    :dependencies [[org.clojure/clojure "1.9.0"]
                   [ring/ring-core "1.7.0-RC1"]
                   [ring/ring-jetty-adapter "1.7.0-RC1"]
                   [org.eclipse.jetty/jetty-server "9.4.9.v20180320"]
                   [org.eclipse.jetty/jetty-client "9.4.9.v20180320"]
                   [com.datomic/client-cloud "0.8.52"]]

For a complete demo see https://github.com/ezmiller/datomic-ring-dep-conflict/pull/1/files

Upvotes: 3

ilk

Reputation: 33

The workaround for me was to replace the ssl-context-factory implementation with alter-var-root and to use the following dependencies instead:

    org.eclipse.jetty/jetty-http         {:mvn/version "9.2.24.v20180105"}
    org.eclipse.jetty/jetty-io           {:mvn/version "9.2.24.v20180105"}
    org.eclipse.jetty/jetty-util         {:mvn/version "9.2.24.v20180105"}
    org.eclipse.jetty/jetty-client       {:mvn/version "9.2.24.v20180105"}

The downside is that it now trusts everything, but perhaps some optimal configuration can be found.

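    (import 'org.eclipse.jetty.util.ssl.SslContextFactory)
    (require 'cognitect.http-client)

    ;; Ignores the options it is given; trustAll = true accepts any server certificate.
    (defn ssl-context-factory-replacement
      ^SslContextFactory [{:keys [trust-all classpath-trust-store trust-store-password trust-store validate-hostnames]}]
      (SslContextFactory. true))

    ;; Swap the var that cognitect.http-client uses to build its factory.
    (alter-var-root
     #'cognitect.http-client/ssl-context-factory
     (constantly ssl-context-factory-replacement))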

Upvotes: 1

fraxture

Reputation: 5530

I found a solution for this based on the suggestion by @Aleph Aleph in the comments to the question above. What I did was add exclusions to the package that had dependencies conflicting with datomic/cloud-client.

I looked at these conflicts more closely with lein deps :tree | grep jetty. It showed the following in particular:

    [ring "1.6.3" :exclusions [org.eclipse.jetty/jetty-client org.eclipse.jetty/jetty-http org.eclipse.jetty/jetty-util]] -> [ring/ring-jetty-adapter "1.6.3"] -> [org.eclipse.jetty/jetty-server "9.2.21.v20170120"] -> [org.eclipse.jetty/jetty-io "9.2.21.v20170120"]
     overrides
    [com.datomic/client-cloud "0.8.50"] -> [com.datomic/client "0.8.40"] -> [com.datomic/client-impl-shared "0.8.34"] -> [com.cognitect/http-client "0.1.83"] -> [org.eclipse.jetty/jetty-client "9.3.7.v20160115"] -> [org.eclipse.jetty/jetty-io "9.3.7.v20160115"]
     and
    [com.datomic/client-cloud "0.8.50"] -> [com.datomic/client-impl-shared "0.8.34"] -> [com.cognitect/http-client "0.1.83"] -> [org.eclipse.jetty/jetty-client "9.3.7.v20160115"] -> [org.eclipse.jetty/jetty-io "9.3.7.v20160115"]
     and
    [com.datomic/client-cloud "0.8.50"] -> [com.datomic/client "0.8.40"] -> [com.cognitect/http-client "0.1.83"] -> [org.eclipse.jetty/jetty-client "9.3.7.v20160115"] -> [org.eclipse.jetty/jetty-io "9.3.7.v20160115"]

As is evident there, the dependency coming from ring called ring/ring-jetty-adapter contained some package versions overriding those in datomic cloud. So I added the following, fixing the problem:

    [ring "1.6.3"
     :exclusions [ring/ring-jetty-adapter]]

Upvotes: 3
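
The version skew diagnosed in the answer above can be checked automatically in a build. The following is an added example, not code from any of the answers: it parses the "overrides" blocks printed by lein deps :tree and reports Jetty modules that will run against a sibling module of a different version. The function name find_skew and the sample text (the first two chains quoted above) are constructed for illustration.

```python
import re

# Matches a coordinate opener such as [org.eclipse.jetty/jetty-io "9.2.21.v20170120"
# Entries inside :exclusions carry no quoted version and are skipped.
COORD = re.compile(r'\[([\w.\-/]+) "([^"]+)"')

# Constructed sample: lines copied from the `lein deps :tree` output quoted above.
SAMPLE = '''\
[ring "1.6.3" :exclusions [org.eclipse.jetty/jetty-client org.eclipse.jetty/jetty-http org.eclipse.jetty/jetty-util]] -> [ring/ring-jetty-adapter "1.6.3"] -> [org.eclipse.jetty/jetty-server "9.2.21.v20170120"] -> [org.eclipse.jetty/jetty-io "9.2.21.v20170120"]
 overrides
[com.datomic/client-cloud "0.8.50"] -> [com.datomic/client "0.8.40"] -> [com.datomic/client-impl-shared "0.8.34"] -> [com.cognitect/http-client "0.1.83"] -> [org.eclipse.jetty/jetty-client "9.3.7.v20160115"] -> [org.eclipse.jetty/jetty-io "9.3.7.v20160115"]
 and
[com.datomic/client-cloud "0.8.50"] -> [com.datomic/client-impl-shared "0.8.34"] -> [com.cognitect/http-client "0.1.83"] -> [org.eclipse.jetty/jetty-client "9.3.7.v20160115"] -> [org.eclipse.jetty/jetty-io "9.3.7.v20160115"]
'''

def find_skew(report, group="org.eclipse.jetty/"):
    """Return sorted (requester, requester_version, artifact, resolved_version)
    tuples where a module in `group` asked for one version of a sibling module
    but a different version won dependency resolution."""
    findings, winner, keyword = set(), None, None
    for line in report.splitlines():
        coords = COORD.findall(line)
        if not coords:
            # "overrides" / "and" mark the next chain as an overridden one.
            keyword = line.strip() or keyword
            continue
        if keyword in ("overrides", "and") and winner and len(coords) >= 2:
            (artifact, _wanted), (requester, req_ver) = coords[-1], coords[-2]
            same_family = artifact.startswith(group) and requester.startswith(group)
            if artifact == winner[0] and same_family and req_ver != winner[1]:
                findings.add((requester, req_ver, artifact, winner[1]))
        else:
            # A chain not preceded by a keyword starts a new block; its last
            # coordinate is the version that ends up on the classpath.
            winner = coords[-1]
        keyword = None
    return sorted(findings)

if __name__ == "__main__":
    for req, req_ver, art, got in find_skew(SAMPLE):
        print(f"{req} {req_ver} will run against {art} {got}")
```
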
