Posted to users@solr.apache.org by "Victoria Stuart (VictoriasJourney.com)" <ma...@VictoriasJourney.com> on 2022/04/16 19:10:02 UTC

Setting up SSL on standalone Solr 8.11.1

I am securing a standalone Solr 8.11.1 instance on Arch Linux.

The instructions at

  https://solr.apache.org/guide/8_11/enabling-ssl.html

are incomplete, in that I cannot import the certificate to the Java Trust Store.

  $ solr status
    Found 1 Solr nodes:

    Solr process 1729782 running on port 8983

    INFO  - 2022-04-16 12:01:09.124; org.apache.solr.util.configuration.SSLConfigurations; \
      Setting javax.net.ssl.keyStorePassword

    ERROR: Failed to get system information from https://localhost:8983/solr due to: \
      javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: \
      the trustAnchors parameter must be non-empty
  $

Can someone post the commands, and settings in

  solr.in.sh
  solr-ssl.xml
  solr.*.pem    ## includes private key, or only certificate?

and any other suggestions?

I am getting keytool errors of the type:

  keytool error: java.lang.Exception: Input not an X.509 certificate

==============================================================================

Re: Setting up SSL on standalone Solr 8.11.1 [solved]

Posted by "Victoria Stuart (VictoriasJourney.com)" <ma...@VictoriasJourney.com>.
Chris: I want to thank you for your kind help, with which I was able to solve
this issue. It turns out, apparently, that the password I used for my self-signed
SSL certificate contained problematic characters: # _ $

# https://docs.oracle.com/cd/E14571_01/install.1111/e12002/oimscrn011.htm#INOIM1372=
    KeyStore password; a valid password can contain 6 to 30 characters, begin
    with an alphabetic character, and use only alphanumeric characters and
    special characters like underscore (_), dollar ($), pound (#). The password
    must contain at least one number.

# https://getfishtank.ca/blog/updating-ssl-certificates-in-solr
    Point of note: when updating to Solr certificate, there's one thing you need
    to be aware of: The password should not contain any special characters.
    It's not uncommon for SSL certs to contain special characters, but Solr
    doesn't like them in the format we have to work with. It should be purely
    alpha-numeric. If it does, during the restart you may get a message that the
    service failed to restart.

My original certificate p/w was apparently silently causing issues (other than
the Solr status messages, such as the esoteric
  "... Javax.crypto.BadPaddingException:Given final block not properly padded
   solution ..."
which led me to explore the password issue (following an online search).

With the configuration below, I initially got security warnings in my browsers,
with Solr o/w running apparently without issues. Ctrl-reloads and clearing
localhost cookies had no effect; however, those warnings thankfully
self-resolved after some minutes - leading to the sign-in page. :-D

Before that occurred, clicking the "Accept the Risk and Continue" button in
Firefox did nothing.

----------------------------------------
Follow-on question:

I have a "Lets Encrypt / Certbot" certificate ... Can I use that certificate,
in place of the self-signed certificate?

     cert.pem | chain.pem | fullchain.pem | privkey.pem

Those files (online) are at the website where I want to run Solr (installed
there - a cloud VPS - but not yet configured pending this work). When I run
that website / Solr publicly, I don't want any "security" warnings / concerns
for my users.

# ============================================================================

# ----------------------------------------------------------------------------
# Solr instance [ https://localhost:8983/solr/#/login ]:
# ------------------------------------------------------

[victoria]$ solr start
  Waiting up to 45 seconds to see Solr running on port 8983 [|]
  Started Solr server on port 8983 (pid=3821092). Happy searching!

[victoria]$ solr status

  Found 1 Solr nodes:
    Solr process 3821092 running on port 8983
    INFO  - 2022-04-19 20:25:57.634; org.apache.solr.util.configuration.SSLConfigurations; Setting javax.net.ssl.keyStorePassword
    INFO  - 2022-04-19 20:25:57.636; org.apache.solr.util.configuration.SSLConfigurations; Setting javax.net.ssl.trustStorePassword

  ERROR:  Failed to get system information from https://localhost:8983/solr due to:
          org.apache.solr.common.SolrException: Parse error : <html>
          <head>
          <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
          <title>Error 401 Bad credentials</title>
          </head>
          <body><h2>HTTP ERROR 401 Bad credentials</h2>
          <table>
          <tr><th>URI:</th><td>/solr/admin/info/system</td></tr>
          <tr><th>STATUS:</th><td>401</td></tr>
          <tr><th>MESSAGE:</th><td>Bad credentials</td></tr>
          <tr><th>SERVLET:</th><td>default</td></tr>
          </table>
          </body>
          </html>

[victoria]$


# ----------------------------------------------------------------------------
# GENERATE SELF-SIGNED SSL CERTIFICATE:
# -------------------------------------

[victoria]$ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 9999 -keystore solr-ssl.keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Persagen, O=Persagen, L=Vancouver, ST=British Columbia, C=CA"

  Enter keystore password: ***   ## "secret" in online documentation
    Re-enter new password: ***

  Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 9,999 days
    for: CN=localhost, OU=Persagen, O=Persagen, L=Vancouver, ST=British Columbia, C=CA

[victoria]$

[victoria]$ keytool -exportcert -rfc -keystore solr-ssl.keystore.p12  -alias solr-ssl -file solr-ssl-cert
  Enter keystore password: ***
  Certificate stored in file <solr-ssl-cert>

[victoria@victoria etc]$ cat solr-ssl-cert
  -----BEGIN CERTIFICATE-----
  ***
  -----END CERTIFICATE-----


# ----------------------------------------
# ADD CERTIFICATE TO KEYSTORE:
# ----------------------------

[victoria]$ sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias solr-ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert
    Certificate was added to keystore

[victoria]$

## Verify keystore addition (default p/w for keytool is: changeit):

[victoria]$ keytool -list -cacerts | grep solr-ssl
  Enter keystore password:  changeit
  solr-ssl, Apr 19, 2022, trustedCertEntry,

[victoria]$


# ----------------------------------------------------------------------------
# solr.in.sh [excerpted]:
# -----------------------

SOLR_SSL_ENABLED=true

SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=***   ## "secret" (as above)
SOLR_SSL_KEY_STORE_TYPE=PKCS12

SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=***   ## "secret" (as above)
SOLR_SSL_TRUST_STORE_TYPE=PKCS12

SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=victoria:***"    ## obfuscated here

SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false

SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false


# ----------------------------------------------------------------------------
# jetty-ssl.xml [excerpted]:
# --------------------------

<Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.p12"/></Set>
<Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.p12"/></Set>
<Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
<Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
<Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>


# ----------------------------------------------------------------------------
# SSL WARNING:
# ------------

https://localhost:8983/

# Opera 85.0.4341.60:
    This site can’t provide a secure connection
    localhost didn’t accept your login certificate, or one may not have been provided.
    Try contacting the system admin.
    ERR_BAD_SSL_CLIENT_AUTH_CERT

# Firefox 99.0.1 64-bit
    Warning: Potential Security Risk Ahead
    ...
    localhost:8983 uses an invalid security certificate.
    The certificate is not trusted because it is self-signed.
    Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
    View Certificate   ## "localhost.pem" = my "solr-ssl-cert", above

# ============================================================================
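As an added example (not from this thread and not Solr's own code), a small Python linter for the TLS lines of solr.in.sh that flags the failure modes discussed in the thread: a missing trust store, a required client certificate, disabled hostname verification, and keystore passwords with characters that the shell or Solr mishandle. The sample file, its paths and its password are constructed.

```python
import re

# KEY=VALUE shell assignment, optionally prefixed with "export".
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=(.*)$')
# A value that only references another variable, e.g. ${SOLR_SSL_TRUST_STORE_PASSWORD}.
VAR_REF_RE = re.compile(r'^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$')

# Constructed sample in the shape of the solr.in.sh excerpts in this thread
# (hypothetical paths; the password is deliberately awkward for the checks).
SAMPLE_SOLR_IN_SH = """\
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/opt/solr/server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=Solr#pass$1   ## constructed, unquoted
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/opt/solr/server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD='Solr#pass$1'
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=${SOLR_SSL_TRUST_STORE_PASSWORD}
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
"""


def parse_solr_in_sh(text):
    """Return {KEY: (value, quote)} for every assignment line, where quote is
    the surrounding quote character or None.  An unquoted value ends at the
    first whitespace-preceded '#', which is where bash starts a comment
    (a '#' inside a word, as in Solr#pass, is part of the value)."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, rest = m.group(1), m.group(2).strip()
        if rest[:1] in ('"', "'"):
            quote = rest[0]
            end = rest.find(quote, 1)
            value = rest[1:end] if end > 0 else rest[1:]
        else:
            quote = None
            value = re.split(r'\s#', rest, maxsplit=1)[0].strip()
        settings[key] = (value, quote)
    return settings


def lint_ssl_settings(settings):
    """Return a list of (code, message) findings for the TLS settings."""
    def get(key):
        return settings.get(key, ('', None))[0]

    findings = []
    if get('SOLR_SSL_ENABLED').lower() != 'true':
        return findings            # the remaining checks only matter with TLS on
    if not get('SOLR_SSL_TRUST_STORE'):
        findings.append(('NO_TRUST_STORE',
            'SOLR_SSL_TRUST_STORE is unset, so the JVM has no trust anchors; '
            'this is the usual cause of "the trustAnchors parameter must be non-empty"'))
    if not get('SOLR_SSL_CLIENT_TRUST_STORE'):
        findings.append(('NO_CLIENT_TRUST_STORE',
            'SOLR_SSL_CLIENT_TRUST_STORE is unset; the thread suggests pointing it at '
            '${SOLR_SSL_TRUST_STORE} so that bin/solr commands such as "solr status" '
            'trust the self-signed server certificate'))
    if get('SOLR_SSL_NEED_CLIENT_AUTH').lower() == 'true':
        findings.append(('CLIENT_CERT_REQUIRED',
            'SOLR_SSL_NEED_CLIENT_AUTH=true: the handshake fails for every client that '
            'cannot present a certificate the trust store accepts, which a browser '
            'reports as ERR_BAD_SSL_CLIENT_AUTH_CERT; bin/solr would also need '
            'SOLR_SSL_CLIENT_KEY_STORE'))
    if (get('SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION').lower() == 'false'
            or get('SOLR_SSL_CHECK_PEER_NAME').lower() == 'false'):
        findings.append(('HOSTNAME_VERIFICATION_OFF',
            'client hostname verification is disabled, so a certificate for any name is '
            'accepted; put the right DNS/IP SAN in the certificate instead'))
    for key, (value, quote) in settings.items():
        if not key.endswith('_PASSWORD') or VAR_REF_RE.match(value):
            continue
        if value and not value.isalnum():
            findings.append(('PASSWORD_SPECIAL_CHARS',
                f'{key} contains non-alphanumeric characters; this thread was resolved '
                'by switching to a purely alphanumeric keystore password'))
        if '$' in value and quote != "'":
            findings.append(('PASSWORD_UNQUOTED_DOLLAR',
                f'{key} contains an unquoted "$", which bash expands when solr.in.sh is '
                'sourced, so Solr would see a different password than the one typed into keytool'))
    return findings


if __name__ == '__main__':
    for code, message in lint_ssl_settings(parse_solr_in_sh(SAMPLE_SOLR_IN_SH)):
        print(f'{code}: {message}')
```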


Re: Setting up SSL on standalone Solr 8.11.1

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Victoria,

On 4/19/22 18:11, Victoria Stuart (VictoriasJourney.com) wrote:
> Hi Chris; thank you for your reply (much appreciated)! :-)
> 
> I am still having issues setting up SSL with Solr, as described below.
> 
> The following is lengthy, but should include most / all? relevant information.
> 
> ==============================================================================
> 1. SOLR BASIC AUTHENTICATION
> ============================

This is off-topic, but interesting to note. I'll remove it from this 
branch of the thread.

> ==============================================================================
> 2. SSL [https://localhost:8983]
> ===============================
> 
> ========================================
> ISSUES:
> =======
> 
> * Basic authentication (non-SSL | http://localhost:8983) works fine.
> 
> * SSL authorization is failing (Solr instance appears, then immediately disappears).
> 
> The current configuration above throws the following warning during Solr startup,
> despite setting the KEY STORE | TRUST STORE passwords to the <secret> password
> used during "keytool -genkeypair ..." self-signed certificate creation (above).
> 
> [victoria]$ solr stop -all; sleep 4; solr start
> 
>    ...
>    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> 
>      at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
>    ...
> 
> ----------------------------------------
> LIKELY CAUSES:
> --------------
> 
>   ** "solr.in.sh" / "jetty-ssl.xml" incongruity?
> 
>   ** not reading key store | trust store?
>   ** PEM certificate issue?
>   ** other?
> 
> 
> ========================================
> PATHS (ARCH LINUX):
> ===================
> 
>      SOLR_HOME : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/
>        solr.xml: /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/solr.xml
> security.json : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/security.json
> 
>     solr.in.sh : /mnt/Vancouver/apps/solr/solr-8.11.1/bin/solr.in.sh
> 
> jetty-ssl.xml : /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/jetty-ssl.xml
> 
> ~/.bashrc  ## allows {solr start | solr restart | solr status | solr stop -all}
> export PATH=/mnt/Vancouver/apps/solr/solr-8.11.1/bin/:$PATH
> 
> 
> ========================================
> SSL KEYGEN:
> ===========
> 
> [victoria]$ date; pwd; ls -l
> 
>    2022-04-19 09:34:02 -0700 (PST)
>    /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc
> 
>    total 80K
>    -rw-r--r-- 1 victoria victoria 2.0K Dec  7 17:01 jetty-gzip.xml
>    -rw-r--r-- 1 victoria victoria 3.6K Dec  7 17:01 jetty-https8.xml
>    -rw-r--r-- 1 victoria victoria 3.7K Dec  7 17:01 jetty-https.xml
>    -rw-r--r-- 1 victoria victoria 2.7K Dec  7 17:01 jetty-http.xml
>    -rw-r--r-- 1 victoria victoria 1.9K Dec  7 17:01 jetty-requestlog.xml
>    -rw-r--r-- 1 victoria victoria 3.0K Apr 19 08:49 jetty-ssl.xml
>    -rw-r--r-- 1 victoria victoria  12K Apr 14 09:28 jetty.xml
>    -rw-r--r-- 1 victoria victoria  12K Dec  7 17:01 security.policy
>    -rw-r--r-- 1 victoria victoria 1.3K Dec  7 17:01 security.properties
>    -rw-r--r-- 1 victoria victoria  24K Dec  7 17:01 webdefault.xml
> 
> ## The following command failed when including the "-keypass <secret> -storepass <secret>"
> ## arguments, hence I left them out (immediately below), and entered <secret> when prompted.
> 
> [victoria]$ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 9999 -keystore solr-ssl.keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, ... <etc.>"
> 
>    Enter keystore password:    ## <secret>
>      Re-enter new password:    ## <secret>
> 
>    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 9,999 days
>      for: CN=localhost, ... <etc.>
> 
> [victoria]$ openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
>              Enter Import Password:    ## <secret>      (obfuscated here)
>              Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)
> Verifying - Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)

Why did you do this? I don't think you need your key file to be outside 
of the keystore.

> [victoria]$ openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
>    Enter Import Password:    ## <secret>

FYI you can do this with keytool -export -rfc -alias 'solr-ssl' you 
don't need openssl.

> ## Manually edited PEM ("solr-ssl.pem" >> "solr-ssl.cert_only.pem"), leaving only:
> ## "-----BEGIN CERTIFICATE-----*** (obfuscated here)***-----END CERTIFICATE-----"
> 
> ## The following should add the SSL certificate (only) to JAVA / JVM Trust Store?
> 
> [victoria]$ sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias solr_ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem

What, no keystore file specified? Where did the cert get imported? This 
may be a part of the problem. You almost always want to use a specific 
trust store.

> ========================================
> PEM FILES:
> ==========
> 
> /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.pem
> 
> /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem
> 
> ----------------------------------------
> solr-ssl.pem:
> -------------
> 
>    Bag Attributes
>        friendlyName: solr-ssl
>        localKeyID: ***
>    Key Attributes: <No Attributes>
>    -----BEGIN ENCRYPTED PRIVATE KEY-----
>    *** (obfuscated here)
>    -----END ENCRYPTED PRIVATE KEY-----
>    Bag Attributes
>        friendlyName: solr-ssl
>        localKeyID: ***  (obfuscated here)
>        ... (obfuscated here)
>    -----BEGIN CERTIFICATE-----
>    *** (obfuscated here)
>    -----END CERTIFICATE-----
> 
> 
> ----------------------------------------
> solr-ssl-cert_only.pem:
> -----------------------
> 
>    -----BEGIN CERTIFICATE-----
>    *** (obfuscated here)
>    -----END CERTIFICATE-----
> 
> 
> ========================================
> solr.in.sh (EXCERPTED):
> =======================
> 
> ## Since Solr paths in Arch Linux appear to differ slightly from Debian / other
> ##  distros, for configuration / troubleshooting I reverted to absolute paths.
> 
> SOLR_SSL_ENABLED=true
> 
> SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
> ## relative path would be:
> ##   SOLR_SSL_KEY_STORE=../server/etc/solr-ssl.keystore.p12
> SOLR_SSL_KEY_STORE_PASSWORD=<secret>      ## (obfuscated here)
> SOLR_SSL_KEY_STORE_TYPE=PKCS12
> 
> SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
> ## relative path would be:
> ##   SOLR_SSL_TRUST_STORE=../server/etc/solr-ssl.keystore.p12
> SOLR_SSL_TRUST_STORE_PASSWORD=<secret> (obfuscated here)
> SOLR_SSL_TRUST_STORE_TYPE=PKCS12
> 
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=user:pass"
> ## (obfuscated here) where
> ##   user = my Solr admin username,
> ##   pass = my salted, hashed password    ## (Solr Basic Authentication)
> 
> SOLR_SSL_NEED_CLIENT_AUTH=false
> SOLR_SSL_WANT_CLIENT_AUTH=false
> 
> SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
> 
> SOLR_SSL_CHECK_PEER_NAME=true

So what command fails with the PKIX path certification error?

My guess is something like "solr status" right? I think you need to set:

SOLR_SSL_CLIENT_TRUST_STORE=${SOLR_SSL_TRUST_STORE}
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=${SOLR_SSL_TRUST_STORE_PASSWORD}

-chris

Re: Setting up SSL on standalone Solr 8.11.1

Posted by "Victoria Stuart (VictoriasJourney.com)" <ma...@VictoriasJourney.com>.
Hi Chris; thank you for your reply (much appreciated)! :-)

I am still having issues setting up SSL with Solr, as described below.

The following is lengthy, but should include most / all? relevant information.

==============================================================================
1. SOLR BASIC AUTHENTICATION
============================

Working. "security.json" wouldn't work however with plain-text (plainly viewed)
passwords, and the Solr docs provided no guidance on the generation of hashed passwords.

  https://solr.apache.org/guide/8_11/basic-authentication-plugin.html

Solutions for generating salted SHA256 password hashes can be found online, e.g.

 ** SolrPasswordHash
    https://github.com/ansgarwiechers/solrpasswordhash
    https://github.com/ansgarwiechers/solrpasswordhash/blob/master/src/SolrPasswordHash.java

  *** How does Apache Solr authenticate passwords?
      https://systemrequest.net/index.php/31/

 ** Online Solr password encryption tool for the Basic Authentication plugin
    https://github.com/clemente-biondo/clemente-biondo.github.io

I used the following (works).

----------------------------------------
GENERATE SALTED PASSWORD HASH:
------------------------------

* Per: rmalchow/solr_pw_hash.md
  https://gist.github.com/rmalchow/51f5b23c2f59c687b001bfcdbf4bad5c

[victoria]$ SALT=$(pwgen 48 -1)
[victoria]$ echo $SALT
ieXaeghaiM6jaemue9Eig0eigiez5iesh8Ohng5aireeliuT

[victoria]$ PW='<solr_auth_password>'     ## obfuscated here
[victoria]$ echo $PW
***                                       ## obfuscated here

[victoria]$ echo "hash: $(echo -n "$SALT$PW" | sha256sum -b | xxd -r -p | sha256sum -b | xxd -r -p | base64 -w 1024) $(echo -n "$SALT" | base64 -w1024)"
hash: p***= a***    ## obfuscated here

Authenticated user:pass works in Solr, available at http://localhost:8983


==============================================================================
2. SSL [https://localhost:8983]
===============================

========================================
ISSUES:
=======

* Basic authentication (non-SSL | http://localhost:8983) works fine.

* SSL authorization is failing (Solr instance appears, then immediately disappears).

The current configuration above throws the following warning during Solr startup,
despite setting the KEY STORE | TRUST STORE passwords to the <secret> password
used during "keytool -genkeypair ..." self-signed certificate creation (above).

[victoria]$ solr stop -all; sleep 4; solr start

  ...
  Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
  ...

----------------------------------------
LIKELY CAUSES:
--------------

 ** "solr.in.sh" / "jetty-ssl.xml" incongruity?

 ** not reading key store | trust store?
 ** PEM certificate issue?
 ** other?


========================================
PATHS (ARCH LINUX):
===================

    SOLR_HOME : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/
      solr.xml: /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/solr.xml
security.json : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/security.json

   solr.in.sh : /mnt/Vancouver/apps/solr/solr-8.11.1/bin/solr.in.sh

jetty-ssl.xml : /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/jetty-ssl.xml

~/.bashrc  ## allows {solr start | solr restart | solr status | solr stop -all}
export PATH=/mnt/Vancouver/apps/solr/solr-8.11.1/bin/:$PATH


========================================
SSL KEYGEN:
===========

[victoria]$ date; pwd; ls -l

  2022-04-19 09:34:02 -0700 (PST)
  /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc

  total 80K
  -rw-r--r-- 1 victoria victoria 2.0K Dec  7 17:01 jetty-gzip.xml
  -rw-r--r-- 1 victoria victoria 3.6K Dec  7 17:01 jetty-https8.xml
  -rw-r--r-- 1 victoria victoria 3.7K Dec  7 17:01 jetty-https.xml
  -rw-r--r-- 1 victoria victoria 2.7K Dec  7 17:01 jetty-http.xml
  -rw-r--r-- 1 victoria victoria 1.9K Dec  7 17:01 jetty-requestlog.xml
  -rw-r--r-- 1 victoria victoria 3.0K Apr 19 08:49 jetty-ssl.xml
  -rw-r--r-- 1 victoria victoria  12K Apr 14 09:28 jetty.xml
  -rw-r--r-- 1 victoria victoria  12K Dec  7 17:01 security.policy
  -rw-r--r-- 1 victoria victoria 1.3K Dec  7 17:01 security.properties
  -rw-r--r-- 1 victoria victoria  24K Dec  7 17:01 webdefault.xml

## The following command failed when including the "-keypass <secret> -storepass <secret>"
## arguments, hence I left them out (immediately below), and entered <secret> when prompted.

[victoria]$ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 9999 -keystore solr-ssl.keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, ... <etc.>"

  Enter keystore password:    ## <secret>
    Re-enter new password:    ## <secret>

  Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 9,999 days
    for: CN=localhost, ... <etc.>

[victoria]$ openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem

            Enter Import Password:    ## <secret>      (obfuscated here)
            Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)
Verifying - Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)

[victoria]$ openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
  Enter Import Password:    ## <secret>

## Manually edited PEM ("solr-ssl.pem" >> "solr-ssl.cert_only.pem"), leaving only:
## "-----BEGIN CERTIFICATE-----*** (obfuscated here)***-----END CERTIFICATE-----"

## The following should add the SSL certificate (only) to JAVA / JVM Trust Store?

[victoria]$ sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias solr_ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem
  [sudo] password for victoria:       ## <my Arch Linux root password> (obfuscated here)
  Certificate was added to keystore

[victoria]$


========================================
PEM FILES:
==========

/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.pem

/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem

----------------------------------------
solr-ssl.pem:
-------------

  Bag Attributes
      friendlyName: solr-ssl
      localKeyID: ***
  Key Attributes: <No Attributes>
  -----BEGIN ENCRYPTED PRIVATE KEY-----
  *** (obfuscated here)
  -----END ENCRYPTED PRIVATE KEY-----
  Bag Attributes
      friendlyName: solr-ssl
      localKeyID: ***  (obfuscated here)
      ... (obfuscated here)
  -----BEGIN CERTIFICATE-----
  *** (obfuscated here)
  -----END CERTIFICATE-----


----------------------------------------
solr-ssl-cert_only.pem:
-----------------------

  -----BEGIN CERTIFICATE-----
  *** (obfuscated here)
  -----END CERTIFICATE-----


========================================
solr.in.sh (EXCERPTED):
=======================

## Since Solr paths in Arch Linux appear to differ slightly from Debian / other
##  distros, for configuration / troubleshooting I reverted to absolute paths.

SOLR_SSL_ENABLED=true

SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
## relative path would be:
##   SOLR_SSL_KEY_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=<secret>      ## (obfuscated here)
SOLR_SSL_KEY_STORE_TYPE=PKCS12

SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
## relative path would be:
##   SOLR_SSL_TRUST_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=<secret> (obfuscated here)
SOLR_SSL_TRUST_STORE_TYPE=PKCS12

SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=user:pass"
## (obfuscated here) where
##   user = my Solr admin username,
##   pass = my salted, hashed password    ## (Solr Basic Authentication)

SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false

SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true

SOLR_SSL_CHECK_PEER_NAME=true

# ----------------------------------------------------------------------------
## Per the earlier response (Chris) to this question, although I don't have
## "client" SSL settings set up, downstream (if possible) I will want to set
## up users with access to one of either two Solr cores:
##   1. guest / demo access to Solr core with demo documents indexed
##   2. registered users with access granted to separate Solr core (all documents indexed)


========================================
jetty-ssl.xml
=============

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Call class="org.apache.solr.util.configuration.SSLConfigurationsFactory" name="current">
    <Get name="keyStorePassword" id="keyStorePassword"/>
    <Get name="trustStorePassword" id="trustStorePassword"/>
  </Call>
  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.p12"/></Set>
  <Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.p12"/></Set>
  <Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
  <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>

==============================================================================
==============================================================================
----- Original Message(s): -----
Date: 2022 Apr 18 (Mon) 12:37
From: Christopher Schultz <ch...@christopherschultz.net>
To: users@solr.apache.org, "Victoria Stuart (VictoriasJourney.com)" <ma...@VictoriasJourney.com>
Subject: Re: Setting up SSL on standalone Solr 8.11.1

Victoria,

On 4/16/22 15:10, Victoria Stuart (VictoriasJourney.com) wrote:
> I am securing a standalone Solr 8.11.1 instance on Arch Linux.
> 
> The instructions at
> 
>    https://solr.apache.org/guide/8_11/enabling-ssl.html
> 
> are incomplete, in that I cannot import the certificate to the Java Trust Store.
> 
>    $ solr status
>      Found 1 Solr nodes:
> 
>      Solr process 1729782 running on port 8983
> 
>      INFO  - 2022-04-16 12:01:09.124; org.apache.solr.util.configuration.SSLConfigurations; \
>        Setting javax.net.ssl.keyStorePassword
> 
>      ERROR: Failed to get system information from https://localhost:8983/solr due to: \
>        javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: \
>        the trustAnchors parameter must be non-empty
>    $
> 
> Can someone post the commands, and settings in
> 
>    solr.in.sh
>    solr-ssl.xml
>    solr.*.pem    ## includes private key, or only certificate?
> 
> and any other suggestions?
> 
> I am getting keytool errors of the type:
> 
>    keytool error: java.lang.Exception: Input not an X.509 certificate
> 
> ==============================================================================  

"solr status" does not try to import a certificate. The error message 
"trustAnchors must be non-empty" usually means that you have not 
specified a trust store.

What command are you trying to use in order to import your certificate?

What does the cert itself look like? It should start with a line like this:

-----BEGIN CERTIFICATE-----

and end with a line like this:

-----END CERTIFICATE-----

If it starts with "-----BEGIN PRIVATE KEY-----" then you are trying to 
load a key into a trust store, which isn't what you want to do.

I have the following in my //etc/default/solr.in.sh file (which is where 
config for Solr goes on my Debian-based Linux environment)

SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_PASSWORD=[password]
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_PASSWORD=[password]
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_NEED_CLIENT_AUTH=true

I am using mutual TLS (client certs); you may not need that last line.

For client stuff (including "solr status", I suspect), I have:

SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=[password]
SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=[password]

The file /etc/solr/solr.p12 contains the server's key and certificate. 
It could be used as the client's trust store because only the 
certificate will be used. The key will be ignored. But instead I have 
the cert-only in /etc/solr/solr-server.p12

The file /etc/solr/solr-trusted-clients.p12 contains all certificates 
for all clients who will be contacting the Solr server.

The file /etc/solr/solr-client.p12 contains the key+cert for the client.

I hope that helps,
-chris
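As an added example (not Solr's code and not from the thread), the same double-SHA-256 credential scheme as the shell one-liner in the post above, written in Python together with the verifier that checks a password against a stored "hash salt" value from security.json; the passwords and salts used are constructed.

```python
import base64
import hashlib
import hmac
import os


def solr_credential(password, salt=None):
    """Return the 'hash salt' string stored in security.json for a user.
    salt is raw bytes; when omitted, 32 random bytes are drawn.  The hash is
    sha256(sha256(salt + password)) and both fields are base64-encoded, the
    same pipeline as the shell one-liner in the post above."""
    if salt is None:
        salt = os.urandom(32)
    digest = hashlib.sha256(salt + password.encode('utf-8')).digest()
    digest = hashlib.sha256(digest).digest()
    return base64.b64encode(digest).decode('ascii') + ' ' + base64.b64encode(salt).decode('ascii')


def credential_from_text_salt(password, salt_text):
    """Same computation with an ASCII salt such as the pwgen output in the
    post: the shell pipeline base64-encodes the salt's text bytes, so the
    text bytes are what get hashed."""
    return solr_credential(password, salt_text.encode('ascii'))


def parse_credential(stored):
    """Split a stored 'hash salt' string into (hash_bytes, salt_bytes).
    Raises ValueError on anything that is not two base64 fields."""
    stored_hash, stored_salt = stored.split(' ')
    digest = base64.b64decode(stored_hash, validate=True)
    if len(digest) != 32:
        raise ValueError('hash field is not a SHA-256 digest')
    return digest, base64.b64decode(stored_salt, validate=True)


def verify_credential(password, stored):
    """True if password matches the stored credential: the stored salt is
    reused, the hash recomputed and compared in constant time.  A malformed
    stored value counts as a mismatch rather than raising."""
    try:
        digest, salt = parse_credential(stored)
    except ValueError:
        return False
    recomputed, _ = parse_credential(solr_credential(password, salt))
    return hmac.compare_digest(recomputed, digest)


if __name__ == '__main__':
    # Constructed demo values; use your own password and a fresh random salt.
    cred = solr_credential('example-only-password')
    print(cred)
    print(verify_credential('example-only-password', cred))
```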

==============================================================================

Re: Setting up SSL on standalone Solr 8.11.1

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Victoria,

On 4/16/22 15:10, Victoria Stuart (VictoriasJourney.com) wrote:
> I am securing a standalone Solr 8.11.1 instance on Arch Linux.
> 
> The instructions at
> 
>    https://solr.apache.org/guide/8_11/enabling-ssl.html
> 
> are incomplete, in that I cannot import the certificate to the Java Trust Store.
> 
>    $ solr status
>      Found 1 Solr nodes:
> 
>      Solr process 1729782 running on port 8983
> 
>      INFO  - 2022-04-16 12:01:09.124; org.apache.solr.util.configuration.SSLConfigurations; \
>        Setting javax.net.ssl.keyStorePassword
> 
>      ERROR: Failed to get system information from https://localhost:8983/solr due to: \
>        javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: \
>        the trustAnchors parameter must be non-empty
>    $
> 
> Can someone post the commands, and settings in
> 
>    solr.in.sh
>    solr-ssl.xml
>    solr.*.pem    ## includes private key, or only certificate?
> 
> and any other suggestions?
> 
> I am getting keytool errors of the type:
> 
>    keytool error: java.lang.Exception: Input not an X.509 certificate
> 
> ==============================================================================

"solr status" does not try to import a certificate. The error message 
"trustAnchors must be non-empty" usually means that you have not 
specified a trust store.

What command are you trying to use in order to import your certificate?

What does the cert itself look like? It should start with a line like this:

-----BEGIN CERTIFICATE-----

and end with a line like this:

-----END CERTIFICATE-----

If it starts with "-----BEGIN PRIVATE KEY-----" then you are trying to 
load a key into a trust store, which isn't what you want to do.

I have the following in my //etc/default/solr.in.sh file (which is where 
config for Solr goes on my Debian-based Linux environment)

SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_PASSWORD=[password]
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_PASSWORD=[password]
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_NEED_CLIENT_AUTH=true

I am using mutual TLS (client certs); you may not need that last line.

For client stuff (including "solr status", I suspect), I have:

SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=[password]
SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=[password]

The file /etc/solr/solr.p12 contains the server's key and certificate. 
It could be used as the client's trust store because only the 
certificate will be used. The key will be ignored. But instead I have 
the cert-only in /etc/solr/solr-server.p12

The file /etc/solr/solr-trusted-clients.p12 contains all certificates 
for all clients who will be contacting the Solr server.

The file /etc/solr/solr-client.p12 contains the key+cert for the client.

I hope that helps,
-chris
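As an added example following the advice in this reply (not keytool, OpenSSL or Solr code), a Python helper that splits a PEM file into its blocks, drops the "Bag Attributes" text that openssl pkcs12 emits, and hands back only the certificate blocks for a trust-store import, refusing a file that holds only a private key. The sample PEM is constructed from placeholder text, not real key or certificate material.

```python
import base64
import binascii
import re

# One '-----BEGIN X-----' ... '-----END X-----' block whose END label matches its BEGIN label.
PEM_BLOCK_RE = re.compile(r'-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----', re.S)


def _b64(text):
    return base64.b64encode(text.encode('ascii')).decode('ascii')


# Constructed stand-in for the "openssl pkcs12 ... -out solr-ssl.pem" output
# shown in the thread (bag attributes, encrypted key, then certificate).
# The bodies are base64 of placeholder text, not real key or certificate data.
SAMPLE_PEM = f"""\
Bag Attributes
    friendlyName: solr-ssl
    localKeyID: 00 11 22 33
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
{_b64('placeholder private key material, not a real key')}
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: solr-ssl
    localKeyID: 00 11 22 33
subject=CN = localhost
issuer=CN = localhost
-----BEGIN CERTIFICATE-----
{_b64('placeholder certificate bytes, not a real certificate')}
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Group a PEM file's blocks by label, e.g. {'CERTIFICATE': [...]}.
    Each block is re-serialised with 64-column lines; the bag-attribute
    text openssl prints between blocks is dropped.  A body that is not
    valid base64 (a damaged copy/paste) raises ValueError."""
    blocks = {}
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), ''.join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f'{label} block is not valid base64: {exc}') from None
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.setdefault(label, []).append(
            f'-----BEGIN {label}-----\n' + '\n'.join(lines) + f'\n-----END {label}-----\n')
    return blocks


def trust_store_input(text):
    """Return the certificate-only PEM that a trust-store import should be
    given (what 'keytool -exportcert -rfc' produces directly).  A file with
    no certificate, or with only a private key, is rejected with an
    explanation instead of being handed to keytool."""
    blocks = split_pem(text)
    certs = blocks.get('CERTIFICATE', [])
    if certs:
        return ''.join(certs)
    keys = [label for label in blocks if 'PRIVATE KEY' in label]
    if keys:
        raise ValueError(f'file holds only a {keys[0]}; a trust store takes certificates, never keys')
    raise ValueError('no CERTIFICATE block found; this is the kind of input keytool rejects '
                     'with "Input not an X.509 certificate"')


if __name__ == '__main__':
    print({label: len(v) for label, v in split_pem(SAMPLE_PEM).items()})
    print(trust_store_input(SAMPLE_PEM), end='')
```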