jhng created SOLR-17169:
---------------------------

             Summary: Solr restart issue with JWT authentication plugin enabled
                 Key: SOLR-17169
                 URL: https://issues.apache.org/jira/browse/SOLR-17169
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Admin UI
    Affects Versions: 9.5.0, 9.4
         Environment: The Solr environment:
OS: RedHat 8
JDK: OpenJDK 64-Bit Server VM 11.0.22 11.0.22+7-LTS
            Reporter: jhng


Hello,

We are trying to configure the Solr Admin UI to authenticate using the {{JWTAuthPlugin}} with Azure AD. The SSO login works if the server starts properly. But when we try to reboot the server with "service solr restart", there is a 50% chance the service can't start. When the server fails to start, we find the error below in the log, which seems to show that the Solr service can't find the right certificate to connect to Azure AD. Meanwhile, the other 50% of the time, the Solr service can find the certificate and start the Admin UI with SSO enabled.

{code:java}
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148) ~[?:?]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129) ~[?:?]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[?:?]
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580) ~[?:?]
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:201) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
    at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334) ~[?:?]
    at org.jose4j.http.Get.get(Get.java:81) ~[?:?]
    at org.apache.solr.security.jwt.JWTIssuerConfig$WellKnownDiscoveryConfig.parse(JWTIssuerConfig.java:537) ~[?:?]
{code}