It sounds like Edge, Firefox, and Chrome aren't set up on your computer to
do client authentication. You can set need client authentication to false
and use want client authentication in solr.in.sh. This will allow browsers
that don't present a client certificate to work. Otherwise you need to
configure your browsers.

Client authentication is an extra part of SSL and not usually required.

Kevin Risden

On Feb 15, 2017 4:43 AM, "Espen Rise Halstensen" <e...@dips.no> wrote:

>
> Hi,
>
> I have some problems with client certificates. By the look of it, it works
> with curl, and Safari prompts for and accepts my certificate. Does not work
> with Edge, Firefox or Chrome. The certificates are requested from our CA.
>
> When requesting https://s02/solr in the browser, it doesn't
> prompt for a certificate and I get the following error message in Chrome:
> > This site can't provide a secure connection
> > s02 didn't accept your login certificate, or one may not have been provided.
> > Try contacting the system admin.
>
> When debugging with Wireshark I can see the s01t9 certificate in the
> "certificate request" part of the handshake, but the browser answers
> without a certificate.
>
> Setup as follows:
>
> solr.in.sh:
> SOLR_SSL_KEY_STORE=etc/keystore.jks
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE=etc/truststore.jks
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> SOLR_SSL_NEED_CLIENT_AUTH=true
> SOLR_SSL_WANT_CLIENT_AUTH=false
>
> Content of truststore.jks:
> [solruser@s02 etc]# keytool -list -keystore /opt/solr-6.4.0/server/etc/truststore.jks -storepass secret
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> s01t9, 15.feb.2017, trustedCertEntry,
> Certificate fingerprint (SHA1): CF:BD:02:71:64:F0:BA:65:71:10:A1:23:42:34:E0:3C:37:75:E1:BF
>
> curl (returns the HTML of the admin page with the -L option):
>
> curl -v -E  s01t9.pem:secret --cacert  rootca.pem 'https://vs02/solr'
> * Hostname was NOT found in DNS cache
> *   Trying 10.0.121.132...
> * Connected to s02 (10.0.121.132) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: rootca.pem
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Request CERT (13):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS handshake, CERT verify (15):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA256
> * Server certificate:
> *        subject: CN=s01t9
> *        start date: 2017-01-09 11:31:49 GMT
> *        expire date: 2022-01-08 11:31:49 GMT
> *        subjectAltName: s02 matched
> *        issuer: DC=local; DC=com; CN=Root CA
> *        SSL certificate verify ok.
> > GET /solr HTTP/1.1
> > User-Agent: curl/7.35.0
> > Host: s02
> > Accept: */*
> >
> < HTTP/1.1 302 Found
> < Location: https://s02 /solr/
> < Content-Length: 0
> <
> * Connection #0 to host s02 left intact
>
> Thanks,
> Espen
>
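The reply above turns on the difference between "need" and "want" client authentication. The following script is an added example, not code from the thread or from the Solr project: it parses a solr.in.sh fragment, reports which client-auth mode the SOLR_SSL_NEED_CLIENT_AUTH / SOLR_SSL_WANT_CLIENT_AUTH pair produces, and can optionally probe a live server to see whether a connection without a client certificate is rejected (the symptom Chrome reported). The sample configuration strings are constructed from the settings posted in the thread; the precedence rule (need overrides want, since a server that requires a certificate also wants one) is how JSSE/Jetty behave and is stated here as an assumption about Solr's pass-through of these variables.

```python
"""Added example: classify Solr's TLS client-auth settings and probe a server.

Assumptions: Solr hands SOLR_SSL_NEED_CLIENT_AUTH / SOLR_SSL_WANT_CLIENT_AUTH to
Jetty's SslContextFactory, where "need" (certificate required) takes precedence
over "want" (certificate requested but optional).
"""
import re
import socket
import ssl

# Constructed sample: the solr.in.sh fragment from the thread (strict mode).
SOLR_IN_SH_STRICT = """\
SOLR_SSL_KEY_STORE=etc/keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/truststore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
"""

# Constructed sample: the same file with the change the reply suggests.
SOLR_IN_SH_OPTIONAL = SOLR_IN_SH_STRICT.replace(
    "SOLR_SSL_NEED_CLIENT_AUTH=true", "SOLR_SSL_NEED_CLIENT_AUTH=false"
).replace("SOLR_SSL_WANT_CLIENT_AUTH=false", "SOLR_SSL_WANT_CLIENT_AUTH=true")

# Simple shell assignment: optional "export", NAME=value, trailing blanks.
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Z0-9_]+)=(.*?)\s*$")


def parse_solr_in_sh(text):
    """Return {VAR: value} for the plain assignments in a solr.in.sh fragment.

    Comments (anything after '#') and non-assignment lines are skipped and
    surrounding quotes are stripped; this deliberately does not evaluate shell.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[name] = value
    return settings


def _truthy(value):
    return value.strip().lower() == "true"


def client_auth_mode(settings):
    """Map the two flags to 'need', 'want' or 'none'.

    need  : handshake fails for any client that presents no certificate
            (what Chrome showed in the thread);
    want  : the server sends CertificateRequest but accepts an empty answer;
    none  : no CertificateRequest at all.
    """
    need = _truthy(settings.get("SOLR_SSL_NEED_CLIENT_AUTH", "false"))
    want = _truthy(settings.get("SOLR_SSL_WANT_CLIENT_AUTH", "false"))
    if need:
        return "need"
    if want:
        return "want"
    return "none"


def probe_client_auth(host, port=443, cafile=None, timeout=5.0):
    """Connect WITHOUT a client certificate and report how the server reacts.

    Returns 'accepted' when a request gets an answer (want/none mode) or a
    'rejected: ...' string when the server aborts (need mode). The request is
    sent and a reply awaited because under TLS 1.3 the server's alert for a
    missing certificate can arrive after the client's side of the handshake
    has already completed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                if tls.recv(1):
                    return "accepted"
                return "rejected: connection closed before any response"
    except ssl.SSLError as exc:
        return "rejected: %s" % exc
    except OSError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    import sys
    for label, text in (("thread", SOLR_IN_SH_STRICT), ("suggested", SOLR_IN_SH_OPTIONAL)):
        print(label, "->", client_auth_mode(parse_solr_in_sh(text)))
    if len(sys.argv) > 1:  # e.g. python probe.py solr.example.test 8983 rootca.pem
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        print(host, "->", probe_client_auth(host, port, cafile))
```

With the posted file the script prints `need`, which is exactly the mode in which a browser that has no certificate configured is refused; with the suggested change it prints `want`, so a certificate-less browser gets through while curl with `-E` still authenticates. The probe is the cheapest way to confirm which of the two a running node is actually in without reading its configuration.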