Hey folks,

Context: There's a jetty-ssl.xml config file which configures Jetty's SslContextFactory using properties set in solr.in.sh, but it's incomplete for some purposes.

Problem: I've noticed that no "certAlias" property is present. This means that when Jetty starts, it will pick an arbitrary (based on some internal order, I guess?) key from the keystore to use. This is fine when you're only using your keystore for Solr and it only contains one key, but it makes life a lot more complicated in environments where keystores are managed and distributed to servers automagically. When you add a key to the keystore, you can assign an alias. Jetty can then use the key with that alias by means of its certAlias config property. The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the key, but as far as I can tell this alias isn't actually used or referenced anywhere else.

Solution: I'm currently dealing with a slightly more complicated TLS setup, so I propose I patch jetty-ssl.xml, solr.in.sh|cmd and enabling-ssl.adoc to (optionally) use the alias? Unless someone can think of a reason why I shouldn't do this? I'm a bit worried that adding certAlias to jetty-ssl.xml might break existing setups which don't use an alias, but I'm guessing that only keystores with more than one key will be affected?

- Bram

[1] https://lucene.apache.org/solr/guide/7_5/enabling-ssl.html
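A pre-flight check for the situation described in the message above, added here as an example and not part of the original message or of Solr or Jetty: it reads non-verbose `keytool -list` output and reports whether the keystore holds more than one private key, and whether a chosen alias actually names one. The function names and the sample listing are constructed for illustration, and the parser assumes the one-line-per-entry layout `alias, date, PrivateKeyEntry,`.

```shell
#!/usr/bin/env bash
# Added example (not Solr's or Jetty's code): decide from `keytool -list`
# output whether a certificate alias has to be pinned for this keystore.

# Constructed sample of non-verbose `keytool -list -keystore <file>` output.
sample_listing() {
  cat <<'EOF'
Keystore type: JKS
Your keystore contains 3 entries

internal-ca, Nov 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
solr-ssl, Nov 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
other-service, Nov 2, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
EOF
}

# Read a listing on stdin, print the alias of each private-key entry.
private_key_aliases() {
  awk -F', ' '/, PrivateKeyEntry, *$/ { print $1 }'
}

# check_alias WANTED < listing
# Returns 0 = unambiguous, 1 = several keys and no alias pinned,
#         2 = no usable key (alias absent, or no private key at all).
check_alias() {
  local wanted="$1" aliases count
  aliases="$(private_key_aliases)"
  count="$(printf '%s\n' "$aliases" | awk 'NF { n++ } END { print n + 0 }')"
  if [ "$count" -eq 0 ]; then
    echo "FAIL: keystore has no private key entry"; return 2
  fi
  if [ -n "$wanted" ]; then
    if printf '%s\n' "$aliases" | grep -Fxq -- "$wanted"; then
      echo "OK: alias '$wanted' is a private key entry"; return 0
    fi
    echo "FAIL: alias '$wanted' is not a private key entry"; return 2
  fi
  if [ "$count" -gt 1 ]; then
    echo "WARN: $count private keys and no alias pinned:"
    printf '%s\n' "$aliases" | sed 's/^/  /'
    return 1
  fi
  echo "OK: single private key '$aliases'"; return 0
}

sample_listing | check_alias "" || true          # several keys, nothing pinned
sample_listing | check_alias "solr-ssl" || true  # alias pinned and present
```

Against a real keystore, pipe the output of `keytool -list -keystore <file>` into `check_alias` in place of `sample_listing`.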
