clj-http

exception message is: General SSLEngine problem - self signed certificate

Open matteoredaelli opened this issue 5 years ago • 3 comments

error

exception message is: General SSLEngine problem

Same error with or without

                :insecure? true
                :validate-hostnames false

I created a truststore following the steps in https://github.com/dakrone/clj-http/blob/master/SSL.org (I did not add root.pem to the truststore qlik.ks; curl, see below, does not use it).

my code

  (client/get "https://myhost:4242/qrs/about"
              {:async? true
               :insecure? true
               ;; :validate-hostnames false
               :accept :json
               :follow-redirects true
               :debug true
               :query-params {"xrfkey" "0123456789abcdef"}
               :headers {"x-qlik-xrfkey" "0123456789abcdef"
                         "X-Qlik-User" "UserDirectory=internal;UserId=sa_repository"}
               ;; :trust-store "truststore.pfx"
               :trust-store "qlik.ks"
               ;; :trust-store-type "pkcs12"
               :trust-store-pass "changeit"}
              ;; respond callback
              (fn [response] (println "response is:" response))
              ;; raise callback
              (fn [exception] (println "exception message is: " (.getMessage exception))))

debug

Request: nil {:user-info nil, :follow-redirects true, :use-header-maps-in-response? true, :body-type nil, :debug true, :trust-store "qlik.ks", :trust-store-pass "changeit", :headers {"x-qlik-xrfkey" "0123456789abcdef", "X-Qlik-User" "UserDirectory=internal;UserId=sa_repository", "accept-encoding" "gzip, deflate"}, :server-port 4242, :unknown-host-respond #object[qlik.sense_api$_main$fn__2957 0x151732fb "qlik.sense_api$_main$fn__2957@151732fb"], :url "https://myhost:4242/qrs/about", :flatten-nested-keys (:query-params), :uri "/qrs/about", :server-name "myhost", :query-string "xrfkey=0123456789abcdef", :body nil, :scheme :https, :async? true, :request-method :get} HttpRequest: {:config nil, :method "GET", :requestLine #object[org.apache.http.message.BasicRequestLine 0x1ad9b8d3 "GET https://ec2amaz-58gvsn3.datamanagement.pirelli.com:4242/qrs/about?xrfkey=0123456789abcdef HTTP/1.1"], :aborted false, :params #object[org.apache.http.params.BasicHttpParams 0x4d464510 "[parameters={}]"], :protocolVersion #object[org.apache.http.HttpVersion 0x77724cbe "HTTP/1.1"], :URI #object[java.net.URI 0x16d07cf3 "https://ec2amaz-58gvsn3.datamanagement.pirelli.com:4242/qrs/about?xrfkey=0123456789abcdef"], :class org.apache.http.client.methods.HttpGet, :allHeaders [#object[org.apache.http.message.BasicHeader 0x1b57c345 "Connection: close"], #object[org.apache.http.message.BasicHeader 0x2a8b33ba "x-qlik-xrfkey: 0123456789abcdef"], #object[org.apache.http.message.BasicHeader 0x4e8b357d "X-Qlik-User: UserDirectory=internal;UserId=sa_repository"], #object[org.apache.http.message.BasicHeader 0x2e1eb85f "accept-encoding: gzip, deflate"]]}

works with curl

It works if I run:

curl --cert ./client.pem --insecure --key ./client_key.pem https://myhost:4242/qrs/about?xrfkey=0123456789abcdef --header "x-qlik-xrfkey: 0123456789abcdef" --header "X-Qlik-User: UserDirectory=internal;UserId=sa_repository" -v

https://help.qlik.com/en-US/sense-developer/February2020/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-cURL-Certificates.htm

My environment

  • Linux Debian testing x64
  • Clojure 1.10.1
  • openjdk version "1.8.0_252-ea"

matteoredaelli, Apr 03 '20 09:04

Do you have more information about the exception? One thing that comes to mind is that your :trust-store option only contains the filename. Have you tried it with an absolute path to the file?

rymndhng, Apr 09 '20 05:04

No, sorry. Could you suggest how I can extract more information?

The trust-store file is correctly read. No changes if I put the full path: if I set a wrong path I get "Execution error (FileNotFoundException) at java.io.FileInputStream/open0 (FileInputStream.java:-2). .. (No such file or directory)"

matteoredaelli, Apr 09 '20 05:04

With cert, key and root pem files I can connect using curl, python, nodejs, prolog (!!) and also clojure with clj-http-client (see issue https://github.com/puppetlabs/clj-http-client/issues/83).

Below is how I created the truststore:

  cat client.pem > combined.pem
  cat client_key.pem >> combined.pem
  keytool -import -alias aries -keystore qlik.ks -file combined.pem

I activated the logs as suggested by the readme

[2020-04-09T19:13:31,478][DEBUG][o.a.h.i.n.c.MainClientExec] [exchange: 1] Request completed
[2020-04-09T19:13:31,720][DEBUG][o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [ACTIVE] Exception
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1566) ~[?:1.8.0_252-ea]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:545) ~[?:1.8.0_252-ea]
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1217) ~[?:1.8.0_252-ea]
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1185) ~[?:1.8.0_252-ea]
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:471) ~[?:1.8.0_252-ea]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:263) ~[httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:301) ~[httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503) ~[httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) [httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) [httpcore-nio-4.4.10.jar:4.4.10]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_252-ea]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:1.8.0_252-ea]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1729) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:333) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325) ~[?:1.8.0_252-ea]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688) ~[?:1.8.0_252-ea]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1015) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1012) ~[?:1.8.0_252-ea]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1504) ~[?:1.8.0_252-ea]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281) ~[httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339) ~[httpcore-nio-4.4.10.jar:4.4.10]
        ... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450) ~[?:1.8.0_252-ea]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317) ~[?:1.8.0_252-ea]
        at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_252-ea]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330) ~[?:1.8.0_252-ea]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289) ~[?:1.8.0_252-ea]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:1.8.0_252-ea]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1675) ~[?:1.8.0_252-ea]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1015) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1012) ~[?:1.8.0_252-ea]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1504) ~[?:1.8.0_252-ea]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281) ~[httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339) ~[httpcore-nio-4.4.10.jar:4.4.10]
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_252-ea]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_252-ea]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_252-ea]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445) ~[?:1.8.0_252-ea]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317) ~[?:1.8.0_252-ea]
        at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_252-ea]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330) ~[?:1.8.0_252-ea]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289) ~[?:1.8.0_252-ea]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:1.8.0_252-ea]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1675) ~[?:1.8.0_252-ea]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1015) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1012) ~[?:1.8.0_252-ea]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_252-ea]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1504) ~[?:1.8.0_252-ea]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281) ~[httpcore-nio-4.4.10.jar:4.4.10]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339) ~[httpcore-nio-4.4.10.jar:4.4.10]
        ... 9 more

matteoredaelli, Apr 09 '20 17:04
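
The trace above ends in `PKIX path building failed` under `checkServerTrusted`: the server's certificate could not be chained to any entry in the truststore. The script below is an added illustration (not part of the thread and not clj-http code) that builds a constructed throwaway PKI and checks which file works as a trust anchor for the server certificate. It assumes server and client certificates are issued by the same root; `server.pem` and the `demo-*` names are hypothetical stand-ins.

```shell
#!/bin/sh
# Constructed throwaway PKI; none of this is the reporter's real material.
# File names mirror the thread (root.pem, client.pem, client_key.pem).

make_demo_pki() {
    dir=$1
    # Self-signed root CA: the only certificate that is a trust anchor here.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
        -keyout "$dir/root_key.pem" -out "$dir/root.pem" 2>/dev/null || return 1
    # Leaf certificates for the server and the client, both issued by the root.
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$dir/${name}_key.pem" -out "$dir/$name.csr" \
            2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root.pem" \
            -CAkey "$dir/root_key.pem" -CAcreateserial -days 1 \
            -out "$dir/$name.pem" 2>/dev/null || return 1
    done
}

# Prints "trusted" if certificate $2 chains to the anchor file $1,
# otherwise "untrusted" (the openssl analogue of the PKIX failure).
check_anchor() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Bundles client certificate and key as PKCS12 (client identity) and prints
# how many private keys the bundle holds.
client_p12_keys() {
    openssl pkcs12 -export -in "$1/client.pem" -inkey "$1/client_key.pem" \
        -out "$1/client.p12" -passout pass:changeit || return 1
    openssl pkcs12 -in "$1/client.p12" -passin pass:changeit -nocerts -nodes \
        2>/dev/null | grep -c "BEGIN.*PRIVATE KEY"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "anchor client.pem: $(check_anchor "$demo/client.pem" "$demo/server.pem")"
echo "anchor root.pem:   $(check_anchor "$demo/root.pem" "$demo/server.pem")"
echo "keys in client.p12: $(client_p12_keys "$demo")"
rm -rf "$demo"
```

In clj-http terms, the root certificate is what `:trust-store` needs to contain, while the client certificate and key go in `:keystore` (with `:keystore-type` and `:keystore-pass`). `keytool -import` on `combined.pem` stores only the certificate as a trusted entry, not the private key.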