I will be upgrading my SolrCloud cluster at work in a couple of days (hand patched former builds) and will let everyone know if there are any other gotchas. I know that, depending on the case, you may need to bundle your own HttpClientConfigurer to use the AllowAllHostnameVerifier (if using a single cert for all instances) or to add the TrustedSelfSignedStrategy if using two-way SSL w/ self-signed certs.
-Steve

On Mar 12, 2014, at 8:05 PM, Erick Erickson <[email protected]> wrote:

> Steve:
>
> Thanks, I confess confusion about all things HTTPS. I'll turn this
> over to the people who _do_ know about it in the morning, this is a
> great help in that it tells us where to look.
>
> I smell a Wiki page coming....
>
> Erick
>
> On Wed, Mar 12, 2014 at 7:47 PM, Steve Davids <[email protected]> wrote:
>> Hi Eric,
>>
>> Unfortunately the only "working example" is in the unit-tests. What have you
>> done thus far? First step would be to add the "urlScheme" into
>> clusterprops.json:
>>
>> ./zkcli.sh -zkhost localhost:9983 -cmd put /clusterprops.json '{"urlScheme":"https"}'
>>
>> You will also need to add the basic javax.net.ssl.* system properties
>> (http://stackoverflow.com/a/5871352)
>>
>> It is important to note that if there is a pre-existing clusterstate.json
>> file you will need to update the current base_url values to move 'http' ->
>> 'https' scheme + update the port value. This is all necessary because when a
>> node is rebooted it compares the base_url to figure out where it left off in
>> the cluster. SOLR-5770 was created so we don't need to worry about
>> performing this manual http->https mapping since it will use the node_name
>> to perform the comparison (though the port value would still be a problem).
>>
>> Let me know if that helps,
>>
>> -Steve
>>
>> On Mar 12, 2014, at 4:23 PM, Erick Erickson <[email protected]> wrote:
>>
>> We simply cannot get Solr running over HTTPS. We're running Solr 4.7,
>> SOLR-3854 should be included.
>>
>> To complicate matters this is on WebSphere, but fortunately the people
>> here are handling that part (not a chance in the world to use Jetty).
>>
>> "IOException can't connect with an http (not https) address"
>>
>> Do we have any examples lying around that handle this case that we can
>> use as a template? I'm out of my league with this, https is a mystery.
>>
>> Thanks!
>> Erick
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
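The manual clusterstate.json step described in the quoted message (moving each base_url from http to https and updating its port) could be scripted as follows. This is an added example, not code from the thread or from the Solr project; the sample document, host names, the 8983 to 8443 port mapping and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the clusterstate.json layout; hosts and ports are made up.
SAMPLE_CLUSTERSTATE = """
{"collection1": {"shards": {"shard1": {"replicas": {
  "core_node1": {"state": "active", "core": "collection1",
                 "base_url": "http://solr1.example.com:8983/solr"},
  "core_node2": {"state": "active", "core": "collection1",
                 "base_url": "https://solr2.example.com:8443/solr"}}}}}}
"""

def to_https(base_url, port_map):
    """Return base_url with the https scheme and its port remapped via port_map."""
    parts = urlsplit(base_url)
    if parts.scheme != "http":
        return base_url  # already migrated: leave untouched so reruns are safe
    if parts.port not in port_map:
        raise ValueError("no HTTPS port configured for " + base_url)
    host = parts.netloc.rsplit(":", 1)[0]  # keep the host exactly as stored
    netloc = "%s:%d" % (host, port_map[parts.port])
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def rewrite_base_urls(node, port_map):
    """Rewrite every "base_url" value in the parsed JSON; return the change count."""
    changed = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "base_url" and isinstance(value, str):
                new_url = to_https(value, port_map)
                changed += new_url != value
                node[key] = new_url
            else:
                changed += rewrite_base_urls(value, port_map)
    elif isinstance(node, list):
        changed += sum(rewrite_base_urls(item, port_map) for item in node)
    return changed

def migrate(clusterstate_json, port_map):
    """Return (migrated JSON text, number of base_url values changed)."""
    state = json.loads(clusterstate_json)
    count = rewrite_base_urls(state, port_map)
    return json.dumps(state, indent=2), count

if __name__ == "__main__":
    migrated, count = migrate(SAMPLE_CLUSTERSTATE, {8983: 8443})
    print(migrated)
    print("base_url values rewritten:", count)
```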
