Posted to users@solr.apache.org by Robert Pearce <rp...@gmail.com> on 2021/09/16 12:56:47 UTC

Solr configured for SSL always using plain text when talking to Zookeeper secure port

Hello,

I have a question regarding Solr and Zookeeper configured for SSL. Simply, does Solr default to non-SSL when connecting with the Zookeeper secure port on localhost?

Solr 8.9, Zookeeper 3.6.2
One Zookeeper instance configured for SSL
One Solr instance configured for SSL, pointing at ZK secure port, started in Cloud mode.

I have created self-signed certificates and keys for both Zookeeper and Solr.
The truststore for both contains all the necessary certificates.
I can configure Zookeeper for SSL and connect zkCli.sh to the secure port successfully.
I can configure Solr for SSL and run it connecting to the standard ZK port (2181); the admin UI loads with https, etc.
I have set the clusterprops.json urlScheme = https

Whenever I configure Solr to connect on the secure ZK port, however, I see this in the Solr.log:

o.a.z.ClientCnxn Opening socket connection to server localhost/127.0.0.1:2281
o.a.z.ClientCnxn SASL config status: Will not attempt to authenticate using SASL (unknown error)
o.a.z.ClientCnxn Socket connection established, initiating session, client: /127.0.0.1:58062, server: localhost/127.0.0.1:2281
o.a.z.ClientCnxn Session 0x0 for server localhost/127.0.0.1:2281, Closing socket connection. Attempting reconnect except it is a SessionExpiredException => EndOfStreamException: Unable to read additional data from server sessionid 0x0, likely server has closed socket

(These lines are separated by a few ms, no more)

And the Zookeeper log has an error for each call: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record

This is making me think Solr defaults to plain text on localhost regardless of setup.

Regards

Rob

Re: Solr configured for SSL always using plain text when talking to Zookeeper secure port

Posted by Jan Høydahl <ja...@cominvent.com>.
Hi,

What happens when you point Solr to ZK secure port is that Solr tries to talk non-SSL TCP with the secure (HTTP) port and it fails.

See more at https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide. You should be able to configure a set of system props on Solr side which instructs the Zookeeper Java client to talk SSL with Zookeeper, but you may need to add some additional jar files to Solr for it to work.

See also https://issues.apache.org/jira/browse/SOLR-8342 and https://issues.apache.org/jira/browse/SOLR-7893 for an attempt to start documenting this in RefGuide and making some tool support for configuring.
Contributions welcome!

Jan


> On 16 Sep 2021 at 14:56, Robert Pearce <rp...@gmail.com> wrote:
> 
> Hello,
> 
> I have a question regarding Solr and Zookeeper configured for SSL. Simply, does Solr default to non-SSL when connecting with the Zookeeper secure port on localhost?
> 
> Solr 8.9, Zookeeper 3.6.2
> One Zookeeper instance configured for SSL
> One Solr instance configured for SSL, pointing at ZK secure port, started in Cloud mode.
> 
> I have created self-signed certificates and keys for both Zookeeper and Solr.
> The truststore for both contains all the necessary certificates.
> I can configure Zookeeper for SSL and connect zkCli.sh to the secure port successfully.
> I can configure Solr for SSL and run it connecting to the standard ZK port (2181); the admin UI loads with https, etc.
> I have set the clusterprops.json urlScheme = https
> 
> Whenever I configure Solr to connect on the secure ZK port, however, I see this in the Solr.log:
> 
> o.a.z.ClientCnxn Opening socket connection to server localhost/127.0.0.1:2281
> o.a.z.ClientCnxn SASL config status: Will not attempt to authenticate using SASL (unknown error)
> o.a.z.ClientCnxn Socket connection established, initiating session, client: /127.0.0.1:58062, server: localhost/127.0.0.1:2281
> o.a.z.ClientCnxn Session 0x0 for server localhost/127.0.0.1:2281, Closing socket connection. Attempting reconnect except it is a SessionExpiredException => EndOfStreamException: Unable to read additional data from server sessionid 0x0, likely server has closed socket
> 
> (These lines are separated by a few ms, no more)
> 
> And the Zookeeper log has an error for each call: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record
> 
> This is making me think Solr defaults to plain text on localhost regardless of setup.
> 
> Regards
> 
> Rob
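
The client-side system properties the reply refers to, written as a solr.in.sh fragment. This is an added example, not part of the thread or of Solr's own scripts. The property names are the ZooKeeper Java client's TLS settings from the ZooKeeper SSL User Guide; the function name zk_client_tls_opts, the ZK_TLS_* variables and all paths are hypothetical, and the extra jar files mentioned in the reply may still be needed.

```shell
# Added example for solr.in.sh (not Solr's own code). ZK_TLS_* names are hypothetical.

# Print the JVM flags that switch the ZooKeeper client inside Solr to TLS.
# Args: keystore path, keystore password, truststore path, truststore password.
zk_client_tls_opts() {
  _ks=$1; _ks_pass=$2; _ts=$3; _ts_pass=$4
  # Fail early: an unreadable store otherwise only surfaces as a failed ZK session.
  for _f in "$_ks" "$_ts"; do
    [ -r "$_f" ] || { echo "zk_client_tls_opts: cannot read $_f" >&2; return 1; }
  done
  # The Netty socket class is required; the client's default NIO socket speaks
  # plaintext only, which is what produces NotSslRecordException on the server.
  printf '%s ' \
    "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty" \
    "-Dzookeeper.client.secure=true" \
    "-Dzookeeper.ssl.keyStore.location=$_ks" \
    "-Dzookeeper.ssl.keyStore.password=$_ks_pass" \
    "-Dzookeeper.ssl.trustStore.location=$_ts" \
    "-Dzookeeper.ssl.trustStore.password=$_ts_pass"
}

# Applied only when the (hypothetical) ZK_TLS_* variables are set, e.g.
#   ZK_TLS_KEYSTORE=/path/to/solr-keystore.jks  ZK_TLS_TRUSTSTORE=/path/to/truststore.jks
# Passwords passed as -D flags are visible in the process list and must not
# contain whitespace here, because SOLR_OPTS is split on spaces.
if [ -n "${ZK_TLS_KEYSTORE:-}" ]; then
  if _opts=$(zk_client_tls_opts "$ZK_TLS_KEYSTORE" "${ZK_TLS_KEYSTORE_PASS:-}" \
                                "${ZK_TLS_TRUSTSTORE:-}" "${ZK_TLS_TRUSTSTORE_PASS:-}"); then
    SOLR_OPTS="${SOLR_OPTS:-} $_opts"
    ZK_HOST="localhost:2281"   # the secure port from the log lines above
  fi
fi
```

Keep solr.in.sh readable only by the Solr service account, since it now carries the store passwords.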