Posted to issues@solr.apache.org by "Xiaotian Qin (Jira)" <ji...@apache.org> on 2022/05/20 17:18:00 UTC

[jira] [Resolved] (SOLR-16207) sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

     [ https://issues.apache.org/jira/browse/SOLR-16207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaotian Qin resolved SOLR-16207.
---------------------------------
    Resolution: Abandoned

> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-16207
>                 URL: https://issues.apache.org/jira/browse/SOLR-16207
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 9.0
>            Reporter: Xiaotian Qin
>            Priority: Major
>
> We encounter an exception in the container for Solr version 9. We used self-signed certs to enable SSL, following:
> [https://solr.apache.org/guide/solr/latest/deployment-guide/enabling-ssl.html#configuring-solr-for-ssl]
> It looks like the Java validator is trying to validate the certs and complains about the unknown source? How can we fix this?
> We verified that the file path contains our p12 certs file. 
>  
> {
>     "name": "SOLR_SSL_ENABLED",
>     "value": "true"
> },
> {
>     "name": "SOLR_SSL_KEY_STORE",
>     "value": "/ssl/solr-ssl.keystore.p12"
> },
> {
>     "name": "SOLR_SSL_KEY_STORE_PASSWORD",
>     "value": "secret"
> },
> {
>     "name": "SOLR_SSL_KEY_STORE_TYPE",
>     "value": "pkcs12"
> },
> {
>     "name": "SOLR_SSL_CLIENT_KEY_STORE",
>     "value": "/ssl/solr-ssl.keystore.p12"
> },
> {
>     "name": "SOLR_SSL_CLIENT_KEY_STORE_PASSWORD",
>     "value": "secret"
> },
> {
>     "name": "SOLR_SSL_CLIENT_KEY_STORE_TYPE",
>     "value": "pkcs12"
> },
> {
>     "name": "SOLR_SSL_TRUST_STORE",
>     "value": "/ssl/solr-ssl.keystore.p12"
> },
> {
>     "name": "SOLR_SSL_TRUST_STORE_PASSWORD",
>     "value": "secret"
> },
> {
>     "name": "SOLR_SSL_TRUST_STORE_TYPE",
>     "value": "pkcs12"
> },
> {
>     "name": "SOLR_SSL_CLIENT_TRUST_STORE",
>     "value": "/ssl/solr-ssl.keystore.p12"
> },
> {
>     "name": "SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD",
>     "value": "secret"
> },
> {
>     "name": "SOLR_SSL_CLIENT_TRUST_STORE_TYPE",
>     "value": "pkcs12"
> },
> {
>     "name": "SOLR_SSL_NEED_CLIENT_AUTH",
>     "value": "false"
> },
> {
>     "name": "SOLR_SSL_WANT_CLIENT_AUTH",
>     "value": "true"
> },
> {
>     "name": "SOLR_SSL_CHECK_PEER_NAME",
>     "value": "true"
> }
>  
> Stack trace in solr container
> {quote}Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[?:?]
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[?:?]
>     at java.security.cert.CertPathBuilder.build(Unknown Source) ~[?:?]
>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[?:?]
>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[?:?]
>     at sun.security.validator.Validator.validate(Unknown Source) ~[?:?]
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[?:?]
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[?:?]
>     at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source) ~[?:?]
>     at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source) ~[?:?]
>     at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source) ~[?:?]
>     at sun.security.ssl.SSLHandshake.consume(Unknown Source) ~[?:?]
>     at sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[?:?]
>     at sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[?:?]
>     at sun.security.ssl.TransportContext.dispatch(Unknown Source) ~[?:?]
>     at sun.security.ssl.SSLTransport.decode(Unknown Source) ~[?:?]
>     at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
>     at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
> {quote}
> Solr process in the container; it looks like the above environment variables are being passed as JAVA_OPTS:
> {quote}solr           9  8.3 61.3 51036372 44091148 ?   Sl   22:40   0:58 /opt/java/openjdk/bin/java -server -Xms41308M -Xmx41308M -XX:+UseG1GC -XX:+PerfDisableSharedMem -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=250 -XX:+UseLargePages -XX:+AlwaysPreTouch -XX:+ExplicitGCInvokesConcurrent -Xlog:gc*:file=/data-podcast-solr-cloud-store/logs/solr_gc.log:time,uptime:filecount=9,filesize=20M -Dsolr.jetty.inetaccess.includes= -Dsolr.jetty.inetaccess.excludes= -DzkClientTimeout=30000 -DzkHost=podcast-zk-ensemble-0.zk-service.data-podcast-zookeeper.svc.cluster.local:2181,podcast-zk-ensemble-1.zk-service.data-podcast-zookeeper.svc.cluster.local:2181,podcast-zk-ensemble-2.zk-service.data-podcast-zookeeper.svc.cluster.local:2181/data-podcast-solr-cloud-data-podcast -Dsolr.log.dir=/data-podcast-solr-cloud-store/logs -Djetty.port=8983 -DSTOP.PORT=7983 -DSTOP.KEY=solrrocks -Dhost=data-podcast-0.data-podcast-solr-cloud.data-podcast-solr-cloud-dev.query.us-west-1a.consul -Duser.timezone=UTC -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=/opt/solr/bin/oom_solr.sh 8983 /data-podcast-solr-cloud-store/logs -Djetty.home=/opt/solr/server -Dsolr.solr.home=/data-podcast-solr-cloud-store/data -Dsolr.data.home= -Dsolr.install.dir=/opt/solr -Dsolr.default.confdir=/opt/solr/server/solr/configsets/_default/conf -Dlog4j.configurationFile=/var/solr/log4j2.xml -Dsolr.sharedLib=/data-podcast-solr-cloud-store/data/lib -Dsolr.environment=dev,label=Dev+PlayAround,color=green -DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider -DzkDigestUsername=username -DzkDigestPassword=123 -Dsolr.jetty.host=0.0.0.0 -Xss256k *-Dsolr.jetty.keystore=/ssl/solr-ssl.keystore.p12 -Dsolr.jetty.keystore.type=pkcs12 -Dsolr.jetty.truststore=/ssl/solr-ssl.keystore.p12 -Dsolr.jetty.truststore.type=pkcs12 -Dsolr.jetty.ssl.verifyClientHostName=HTTPS 
> -Dsolr.jetty.ssl.needClientAuth=false -Dsolr.jetty.ssl.wantClientAuth=true -Djavax.net.ssl.keyStore=/ssl/solr-ssl.keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Dsolr.ssl.checkPeerName=true -Djavax.net.ssl.trustStore=/ssl/solr-ssl.keystore.p12 -Djavax.net.ssl.trustStoreType=pkcs12* -Dsolr.jetty.https.port=8983 -Djava.security.manager -Djava.security.policy=/opt/solr/server/etc/security.policy -Djava.security.properties=/opt/solr/server/etc/security.properties -Dsolr.internal.network.permission=* -DdisableAdminUI=false -jar start.jar --module=https --lib=/opt/solr/server/solr-webapp/webapp/WEB-INF/lib/* --module=requestlog --module=gzip
> {quote}
>  
>  
> Java version in container:
> $ java --version
> openjdk 17.0.3 2022-04-19
> OpenJDK Runtime Environment Temurin-17.0.3+7 (build 17.0.3+7)
> OpenJDK 64-Bit Server VM Temurin-17.0.3+7 (build 17.0.3+7, mixed mode, sharing)



--
This message was sent by Atlassian Jira
(v8.20.7#820007)