Collections unable to load after setting up SSL


Zheng Lin Edwin Yeo
Hi,

I am running SolrCloud on Solr 7.3.1 on External ZooKeeper 3.4.11, and I am
setting up the security aspect of Solr.

After setting up the SSL based on the steps from
https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html, the collections
with 2 replicas are no longer able to be loaded.

What could be causing the issue?

I remember that there wasn't this problem when I tried the same thing in Solr 6
and even Solr 7.1.

Regards,
Edwin
Re: Collections unable to load after setting up SSL

Christopher Schultz
Edwin,

On 6/7/18 11:11 PM, Zheng Lin Edwin Yeo wrote:

> Hi,
>
> I am running SolrCloud on Solr 7.3.1 on External ZooKeeper 3.4.11, and I am
> setting up the security aspect of Solr.
>
> After setting up the SSL based on the steps from
> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html, the collections
> with 2 replicas are no longer able to be loaded.
>
> What could be causing the issue?
>
> I remember that there wasn't this problem when I tried the same thing in Solr 6
> and even Solr 7.1.
I've fought a bit to get Solr running on a single instance with SSL, so
I can imagine that ZK might be an issue for you.

Can you describe how each server's truststores and keystores are
configured? Are you using client-validated servers (e.g. one-way TLS
like you would with most public web sites) or are you using
mutual-authentication where the server is also checking the client's
certificate?

-chris



Re: Collections unable to load after setting up SSL

Zheng Lin Edwin Yeo
Hi Chris,

I followed the steps from
https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.

1)

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
secret -storepass secret -validity 9999 -keystore
solr-ssl.keystore.jks -ext
SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
OU=Organizational Unit, O=Organization, L=Location, ST=State,
C=Country"


2)

keytool -importkeystore -srckeystore solr-ssl.keystore.jks
-destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
pkcs12


3)

openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem



I have also set these in solr.in.cmd:

SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# Define Key Store type if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS



Regards,
Edwin


Re: Collections unable to load after setting up SSL

Christopher Schultz
Edwin,

On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:

> I followed the steps from
> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
>
> 1)
>
> keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
> secret -storepass secret -validity 9999 -keystore
> solr-ssl.keystore.jks -ext
> SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
> OU=Organizational Unit, O=Organization, L=Location, ST=State,
> C=Country"
>
>
> 2)
>
> keytool -importkeystore -srckeystore solr-ssl.keystore.jks
> -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
> pkcs12
>
>
> 3)
>
> openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
>
>
>
> I have also set these in solr.in.cmd:
>
> SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> # Require clients to authenticate
> SOLR_SSL_NEED_CLIENT_AUTH=false
> # Enable clients to authenticate (but not require)
> SOLR_SSL_WANT_CLIENT_AUTH=false
> # Define Key Store type if necessary
> SOLR_SSL_KEY_STORE_TYPE=JKS
> SOLR_SSL_TRUST_STORE_TYPE=JKS
You didn't describe how you have deployed each of these files on each of
your servers.

You might want to make sure that all your (attempted) absolute paths
actually start with a slash, though.

-chris



Re: Collections unable to load after setting up SSL

Zheng Lin Edwin Yeo
Hi Chris,

I have deployed these files on the {SolrHome}\server\etc folder.

Currently this is the setting of the path in edm.in.cmd.

set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks

By absolute paths that actually start with a slash, do you mean we
have to set it like this?

set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks

Regards,
Edwin



Re: Collections unable to load after setting up SSL

Zheng Lin Edwin Yeo
I have found that we can't set it this way either, as we will get the below
error on "no valid keystore".

set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks

Error:
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
        at org.eclipse.jetty.start.Main.start(Main.java:504)
        at org.eclipse.jetty.start.Main.main(Main.java:78)
Caused by: java.lang.IllegalStateException: no valid keystore


Are there any other ways that we can set or generate the keystore?

Regards,
Edwin



Re: Collections unable to load after setting up SSL

Vincenzo D'Amore
Hi Edwin,

I think you should specify the absolute path when setting the environment variables or remove the leading slash from the path.

Ciao,
Vincenzo



Re: Collections unable to load after setting up SSL

Zheng Lin Edwin Yeo
Hi Vincenzo,

Thanks for your reply.

The original error, that the collections with 2 replicas are not
able to be loaded, came from the path without the leading slash.
I also got the same error as the original when I specify the absolute path.

Regards,
Edwin


Re: Collections unable to load after setting up SSL

Christopher Schultz
Edwin,

On 6/10/18 10:22 PM, Zheng Lin Edwin Yeo wrote:

> I have found that we can't set it this way either, as we will get the below
> error on "no valid keystore".
>
> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
>
> Error:
> java.lang.reflect.InvocationTargetException
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
>         at org.eclipse.jetty.start.Main.start(Main.java:504)
>         at org.eclipse.jetty.start.Main.main(Main.java:78)
> Caused by: java.lang.IllegalStateException: no valid keystore
>
>
> Are there any other ways that we can set or generate the keystore?
File permissions on /etc/solr-*?

Effective user-id of the process trying to connect to Solr?

If you use relative paths, do you have any idea what the paths are
relative TO?

-chris


Re: Collections unable to load after setting up SSL

Zheng Lin Edwin Yeo
Hi Chris,

File permissions on /etc/solr-* ?
- The permissions are set to full control for all users.

Effective user-id of the process trying to connect to Solr?
- I am connecting from the Solr Admin UI. I have set the Basic
Authentication, and the Basic Authentication is working on its own
without the SSL.

If you use relative paths, do you have any idea what the paths are relative
TO?
- Yes. I have also tried setting the full path, and I still get the same
issue.

Regards,
Edwin

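Two questions from the thread, what a relative keystore path is relative to and whether the file at the resolved path is a keystore of the declared type, can be checked before starting Solr. The following is an added example, not code from the thread or from the Solr project; the working directory C:\solr-7.3.1\server, the sample settings and all function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample in the style of the settings quoted in the thread.
SAMPLE_SETTINGS = """\
REM constructed example, not a real solr.in.cmd
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_TRUST_STORE_TYPE=JKS
"""

# Assumption: the directory the JVM is started from. Pass your own value.
ASSUMED_WORKING_DIR = r"C:\solr-7.3.1\server"

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a JKS file


def parse_settings(text):
    """Collect `set NAME=value` lines; REM comments and other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = re.match(r"\s*set\s+(\w+)=(.*)$", line, re.IGNORECASE)
        if match:
            settings[match.group(1).upper()] = match.group(2).strip().strip('"')
    return settings


def resolve_windows(path, working_dir):
    """Resolve a path as Windows would for a process running in working_dir.

    A relative path is appended to working_dir. A path that starts with a
    slash but has no drive letter is rooted at the drive of working_dir.
    """
    return ntpath.normpath(ntpath.join(working_dir, path))


def sniff_store_type(header):
    """Guess the keystore format from the first bytes of the file."""
    if header[:4] == JKS_MAGIC:
        return "JKS"
    if header[:1] == b"\x30":  # DER SEQUENCE tag, as in a PKCS#12 file
        return "PKCS12"
    return "UNKNOWN"


def read_header_from_disk(path):
    """Return the first four bytes of path, or None if it cannot be read."""
    try:
        with open(path, "rb") as handle:
            return handle.read(4)
    except OSError:
        return None


def check_stores(settings, working_dir, read_header=read_header_from_disk):
    """Return (kind, configured, resolved, status) for key and trust stores."""
    findings = []
    for kind in ("KEY", "TRUST"):
        configured = settings.get(f"SOLR_SSL_{kind}_STORE")
        if configured is None:
            continue
        resolved = resolve_windows(configured, working_dir)
        declared = settings.get(f"SOLR_SSL_{kind}_STORE_TYPE", "").upper()
        header = read_header(resolved)
        if header is None:
            status = "missing or unreadable"
        else:
            actual = sniff_store_type(header)
            if declared and actual != declared:
                status = f"type mismatch: declared {declared}, found {actual}"
            else:
                status = f"ok ({actual})"
        findings.append((kind, configured, resolved, status))
    return findings


if __name__ == "__main__":
    for finding in check_stores(parse_settings(SAMPLE_SETTINGS), ASSUMED_WORKING_DIR):
        print(finding)
```

With the sample settings, the relative value resolves under the assumed working directory, while the value with a leading slash resolves to C:\etc\solr-ssl.keystore.jks, outside the Solr installation.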