Posted to dev@lucene.apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2016/04/26 01:53:12 UTC

[jira] [Commented] (SOLR-9040) bin/solr SSL support for client->server communication broken on master

    [ https://issues.apache.org/jira/browse/SOLR-9040?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15257275#comment-15257275 ] 

Hoss Man commented on SOLR-9040:
--------------------------------


# Run the following commands (typing in {{secret}} every time you are asked for a password/pass phrase) to create the certificate files...{noformat}
mkdir /tmp/keystore \
 && cd /tmp/keystore \
 && keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" \
 && keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12 \
 && openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem \
 && openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
{noformat}
# Add the following to {{solr/bin/solr.in.sh}} ... {noformat}
SOLR_SSL_KEY_STORE=/tmp/keystore/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=/tmp/keystore/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
{noformat}
# Run: {{ant clean && cd solr && ant server}}
# Run: {{bin/solr -e techproducts}}
# Run: {{bin/solr status}}
# Run: {{curl --cacert /tmp/keystore/solr-ssl.cacert.pem https://localhost:8983/solr/admin/cores}}
#* Compare output to: {{curl https://localhost:8983/solr/admin/cores}}

On branch_6x (or in the 6.0 release) this all works fine, and bin/solr not only starts Solr but can also create the techproducts core & the subsequent command to get status info works.  The {{curl}} commands demonstrate that Solr is in fact using the specified self-signed cert, and w/o that cert clients like curl won't communicate with it.  (Likewise: if you {{rm -r /tmp/keystore}} while solr is already running, re-run the commands to re-create the certificates, and then run {{bin/solr status}} you'll see that with the (new) incorrect certificates {{bin/solr status}} will return an error.)

On master however, things don't work.  {{bin/solr -e techproducts}} can start up solr -- but it can't create the core because the HTTP client code it tries to use says it doesn't support https -- curl meanwhile still can communicate with Solr using the specified cacert, indicating that the server itself is running SSL fine, it's the client code that's having issues...

{noformat}
hossman@tray:~/lucene/dev/solr [master] $ bin/solr -e techproducts
Creating Solr home directory /home/hossman/lucene/dev/solr/example/techproducts/solr

Starting up Solr on port 8983 using command:
bin/solr start -p 8983 -s "example/techproducts/solr"

Waiting up to 30 seconds to see Solr running on port 8983 [/]  
Started Solr server on port 8983 (pid=9925). Happy searching!

INFO  - 2016-04-25 16:43:29.823; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
INFO  - 2016-04-25 16:43:29.827; org.apache.http.impl.execchain.RetryExec; Retrying request to {s}->https://localhost:8983
INFO  - 2016-04-25 16:43:29.828; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
...
INFO  - 2016-04-25 16:43:57.887; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
INFO  - 2016-04-25 16:43:57.887; org.apache.http.impl.execchain.RetryExec; Retrying request to {s}->https://localhost:8983

ERROR: Did not see Solr at https://localhost:8983/solr come online within 30

hossman@tray:~/lucene/dev/solr [master] $ bin/solr status

Found 1 Solr nodes: 

Solr process 9925 running on port 8983
INFO  - 2016-04-25 16:44:33.437; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
INFO  - 2016-04-25 16:44:33.440; org.apache.http.impl.execchain.RetryExec; Retrying request to {s}->https://localhost:8983
INFO  - 2016-04-25 16:44:33.443; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
INFO  - 2016-04-25 16:44:33.443; org.apache.http.impl.execchain.RetryExec; Retrying request to {s}->https://localhost:8983
INFO  - 2016-04-25 16:44:33.443; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
INFO  - 2016-04-25 16:44:33.444; org.apache.http.impl.execchain.RetryExec; Retrying request to {s}->https://localhost:8983

ERROR: Failed to get system information from https://localhost:8983/solr due to: org.apache.http.conn.UnsupportedSchemeException: https protocol is not supported

hossman@tray:~/lucene/dev/solr [master] $ curl --cacert /tmp/keystore/solr-ssl.cacert.pem https://localhost:8983/solr/admin/cores
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">22</int></lst><lst name="initFailures"/><lst name="status"/>
</response>

{noformat}



> bin/solr SSL support for client->server communication broken on master
> ---------------------------------------------------------------------
>
>                 Key: SOLR-9040
>                 URL: https://issues.apache.org/jira/browse/SOLR-9040
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Hoss Man
>            Assignee: Hoss Man
>
> Working on SOLR-9028 led me to realize that {{bin/solr}} actions which require communicating with solr over HTTP are broken on master when SSL is enabled.  My testing suggests that this doesn't affect branch 6x or 6.0.
> (Long) detailed steps to reproduce to follow in first comment
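
The comparison made in the comment above (curl with and without {{--cacert}}, set against the {{bin/solr}} output) can be scripted as a triage step. This is an added example, not part of the original message or of Solr: the function names and verdict strings are hypothetical, the sample log is constructed in the shape of the output shown above, and it relies on curl's exit code 60 meaning the peer certificate could not be verified.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): offline triage of the reproduction results.

# Count "https protocol is not supported" client failures in bin/solr output (stdin).
count_scheme_errors() {
  grep -c 'UnsupportedSchemeException.*https protocol is not supported' || true
}

# diagnose <rc of curl --cacert ...> <rc of plain curl> <file holding bin/solr output>
# curl exit code 60 means the peer certificate could not be verified.
diagnose() {
  local with_ca=$1 without_ca=$2 cli_log=$3 n
  n=$(count_scheme_errors < "$cli_log")
  if [ "$with_ca" -ne 0 ]; then
    # Even a client that trusts the generated cert fails: look at the server first.
    echo "server-side: curl fails even with the generated cert (rc=$with_ca)"
  elif [ "$without_ca" -ne 60 ]; then
    # Plain curl should be rejected by certificate verification; anything else
    # means the self-signed cert is not what the server is presenting.
    echo "server-side: self-signed cert not in effect (plain curl rc=$without_ca)"
  elif [ "$n" -gt 0 ]; then
    # Server TLS behaves as expected; the CLI failed before any handshake.
    echo "client-side: server TLS ok, CLI has no https scheme ($n errors)"
  else
    echo "ok: server TLS ok, no scheme errors in CLI output"
  fi
}

# Constructed sample input (timestamps elided), modelled on the log in the comment.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Solr process 9925 running on port 8983
INFO  - ...; org.apache.http.impl.execchain.RetryExec; I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing request to {s}->https://localhost:8983: https protocol is not supported
INFO  - ...; org.apache.http.impl.execchain.RetryExec; Retrying request to {s}->https://localhost:8983
ERROR: Failed to get system information from https://localhost:8983/solr due to: org.apache.http.conn.UnsupportedSchemeException: https protocol is not supported
EOF

diagnose 0 60 "$SAMPLE_LOG"
```

Against a live instance, pass the real exit codes of the two {{curl}} commands from the steps above and a file holding the captured {{bin/solr status}} output.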


