On 6/1/2018 2:01 PM, Kelly Rusk wrote:
> We have solr1.com and solr2.com self-signed certs that correspond to the two 
> servers. We also have a load balancer with an address named solrlb.com. When 
> we hit the load balancer it gives us an SSL error, as it is passing us back 
> to either solr1.com or solr2.com, but since these two Solr servers only have 
> each other's self-signed cert installed in their Keystore, it doesn't resolve 
> when it comes in through the load balanced address of solrlb.com.
>
> We tried a SAN certificate that has all 3 addresses, but when we do this, we 
> get the following error:
>
> This page can't be displayed
> Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting 
> to https://b-win-solr-01.azure-dfa.com:8983  again. If this error persists, 
> it is possible that this site uses an unsupported protocol or cipher suite 
> such as RC4 (link for the details), which is not considered secure. Please 
> contact your site administrator.

One really important question is whether the load balancer acts as a
pure TCP proxy, or whether the load balancer is configured with a
certificate and handles HTTPS itself.

If the load balancer is handling HTTPS, it's very likely that the load
balancer either cannot use modern TLS protocols and/or ciphers, or that
it has the modern protocols/ciphers turned off.  There's probably
nothing that we can do to help you in this situation.  You will need to
find support for your load balancer.

If the load balancer is just a TCP proxy and lets the back end server
handle HTTPS, then you may need to ensure that you're running a very
recent version of Java 8.  You may also need to install the JCE policy
files for unlimited strength encryption into your Java.  I see from
other messages on the list that you're running Solr 6.6.2, so it would
not be a good idea for you to use Java 9 or Java 10.  If you need them,
the JCE policy files for Java 8 can be found here:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

One thing you didn't explicitly mention is whether the connection works
when talking directly to one of the Solr servers instead of the load
balancer.  If that works, then your Java version is probably fine, and
it's even more evidence that the problem is on the load balancer.

Thanks,
Shawn
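
The comparison suggested above (connect directly to a Solr node, then through the load balancer), as an added Python example that is not part of the original message: it classifies each attempt as a TCP, TLS handshake or certificate failure and says which side to look at. The hostnames and port are the ones quoted in the thread; `trusted.pem` is an assumed file holding the exported self-signed or SAN certificate.

```python
import socket
import ssl

def classify(exc):
    """Name the layer that failed, given the exception from a connection attempt."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"  # issuer not trusted, or hostname not in the cert
    if isinstance(exc, ssl.SSLError):
        return "handshake"    # no protocol version or cipher suite in common
    return "tcp"              # refused, timed out, or name did not resolve

def probe(host, port, cafile=None, timeout=5):
    """Try one verified TLS handshake; cafile is the PEM to trust (assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    out = {"target": "%s:%d" % (host, port), "protocol": None, "cipher": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                out["protocol"], out["cipher"] = tls.version(), tls.cipher()[0]
        out["layer"] = classify(None)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        out["layer"], out["error"] = classify(exc), str(exc)
    return out

BACK_END = {"handshake": "check the Java version and JCE policy on the Solr node",
            "certificate": "the Solr node's certificate is untrusted or lacks this name",
            "tcp": "the Solr node is not reachable on this port"}
BALANCER = {"handshake": "load balancer: its own TLS protocols or ciphers are the problem",
            "certificate": "load balancer: certificate for the balanced name is untrusted or lacks it",
            "tcp": "load balancer: not reachable on this port",
            "ok": "both paths: no TLS failure seen from this client"}

def diagnose(direct, via_lb):
    """Compare a direct probe with one made through the load balancer."""
    if direct["layer"] != "ok":
        return "back end: " + BACK_END[direct["layer"]]
    return BALANCER[via_lb["layer"]]

if __name__ == "__main__":
    # Constructed results; real ones come from probe("solr1.com", 8983, "trusted.pem").
    direct = {"target": "solr1.com:8983", "layer": "ok"}
    via_lb = {"target": "solrlb.com:8983", "layer": "handshake"}
    print(diagnose(direct, via_lb))
```

The result reflects the TLS versions and ciphers of the Python/OpenSSL client running the probe, which may differ from those of the browser that showed the error.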
