Victoria,
On 4/16/22 15:10, Victoria Stuart (VictoriasJourney.com) wrote:
I am securing a standalone Solr 8.11.1 instance on Arch Linux.
The instructions at
https://solr.apache.org/guide/8_11/enabling-ssl.html
are incomplete, in that I cannot import the certificate to the Java Trust Store.
$ solr status
Found 1 Solr nodes:
Solr process 1729782 running on port 8983
INFO - 2022-04-16 12:01:09.124;
org.apache.solr.util.configuration.SSLConfigurations; \
Setting javax.net.ssl.keyStorePassword
ERROR: Failed to get system information from https://localhost:8983/solr
due to: \
javax.net.ssl.SSLException: Unexpected error:
java.security.InvalidAlgorithmParameterException: \
the trustAnchors parameter must be non-empty
$
Can someone post the commands, and settings in
solr.in.sh
solr-ssl.xml
solr.*.pem ## includes private key, or only certificate?
and any other suggestions?
I am getting keytool errors of the type:
keytool error: java.lang.Exception: Input not an X.509 certificate
==============================================================================
"solr status" does not try to import a certificate. The error message
"trustAnchors must be non-empty" usually means that you have not
specified a trust store.
What command are you trying to use in order to import your certificate?
What does the cert itself look like? It should start with a line like this:
-----BEGIN CERTIFICATE-----
and end with a line like this:
-----END CERTIFICATE-----
If it starts with "-----BEGIN PRIVATE KEY-----" then you are trying to
load a key into a trust store, which isn't what you want to do.
I have the following in my /etc/default/solr.in.sh file (which is where
config for Solr goes on my Debian-based Linux environment):
SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_PASSWORD=[password]
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_PASSWORD=[password]
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_NEED_CLIENT_AUTH=true
I am using mutual TLS (client certs); you may not need that last line.
For client stuff (including "solr status", I suspect), I have:
SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=[password]
SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=[password]
The file /etc/solr/solr.p12 contains the server's key and certificate.
It could be used as the client's trust store because only the
certificate will be used. The key will be ignored. But instead I have
the cert-only in /etc/solr/solr-server.p12.
The file /etc/solr/solr-trusted-clients.p12 contains all certificates
for all clients who will be contacting the Solr server.
The file /etc/solr/solr-client.p12 contains the key+cert for the client.
I hope that helps,
-chris
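The two checks Chris describes, as an added shell example that is not part of either message: whether a PEM file starts with a certificate or a private key (only certificates belong in a trust store), splitting the certificate out of a combined key+cert PEM so it can be imported, and spotting a solr.in.sh that sets SOLR_SSL_KEY_STORE without SOLR_SSL_TRUST_STORE, which is the configuration behind "the trustAnchors parameter must be non-empty". The file names, the sample PEM bodies and the `truststore_import` helper are constructed for the example; the keytool flags are standard JDK keytool options.

```shell
#!/bin/sh
# Added example for this thread, not code from either message. Assumes POSIX sh
# and awk; keytool is used only if present. File names below are constructed.

# Print the kind of the first PEM block in a file: "certificate", "private-key"
# or "unknown". A trust store takes certificates, never keys.
pem_kind() {
  first=$(awk '/^-----BEGIN /{ print; exit }' "$1")
  case "$first" in
    '-----BEGIN CERTIFICATE-----')      echo certificate ;;
    '-----BEGIN '*'PRIVATE KEY-----')   echo private-key ;;
    *)                                  echo unknown ;;
  esac
}

# Copy only the CERTIFICATE blocks of $1 into $2, dropping any private key, so
# the output is safe to hand to keytool as trust-store input. Prints the count.
pem_extract_certs() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
       keep { print }
       /^-----END CERTIFICATE-----$/   { keep = 0 }' "$1" > "$2"
  grep -c '^-----BEGIN CERTIFICATE-----$' "$2" || true
}

# Flag the configuration that produces "the trustAnchors parameter must be
# non-empty": a key store is set in solr.in.sh but no trust store is.
solr_in_sh_check() {
  ks=$(grep -c '^SOLR_SSL_KEY_STORE=' "$1" || true)
  ts=$(grep -c '^SOLR_SSL_TRUST_STORE=' "$1" || true)
  echo "key store entries: $ks, trust store entries: $ts"
  if [ "$ks" -gt 0 ] && [ "$ts" -eq 0 ]; then
    echo "key store set but no trust store: expect the trustAnchors error"
    return 1
  fi
  return 0
}

# Import a cert-only PEM (one certificate) into a PKCS12 trust store. This is
# what the guide's trust-store step amounts to; it only runs when keytool is on
# PATH, so the rest of the script works without a JDK. Hypothetical helper.
truststore_import() {
  pem=$1 store=$2 pass=$3 alias=$4
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping import"; return 0; }
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$pem" \
    -keystore "$store" -storetype PKCS12 -storepass "$pass"
}

# Constructed sample: a combined key+cert PEM with dummy bodies (not real key
# material), shaped like a solr.*.pem that carries both key and certificate.
make_sample_pem() {
  cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIBDUMMYKEYMATERIALNOTREAL
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBDUMMYCERTIFICATENOTREAL
-----END CERTIFICATE-----
EOF
}

# Demo run on the constructed sample.
work=$(mktemp -d)
make_sample_pem "$work/solr.pem"
echo "solr.pem first block: $(pem_kind "$work/solr.pem")"                                  # private-key
echo "certificates extracted: $(pem_extract_certs "$work/solr.pem" "$work/solr-cert.pem")"  # 1
echo "solr-cert.pem first block: $(pem_kind "$work/solr-cert.pem")"                        # certificate
printf 'SOLR_SSL_KEY_STORE=%s\nSOLR_SSL_KEY_STORE_PASSWORD=secret\n' "$work/solr.p12" > "$work/solr.in.sh"
solr_in_sh_check "$work/solr.in.sh" || echo "fix: add SOLR_SSL_TRUST_STORE=... to solr.in.sh"
rm -rf "$work"
```

A `solr.*.pem` that answers "private-key" to `pem_kind` is the file keytool rejects with "Input not an X.509 certificate" when fed to a trust store; run `pem_extract_certs` on it first and import the result with `truststore_import cert.pem solr-trust.p12 <password> solr-server` (the demo does not call it, since the sample certificate body is a dummy). Per Chris's layout, the key+cert file stays the key store and the cert-only file becomes the trust store.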