I enabled SSL with Solr along with Basic Authentication, and added my SSL 
certificates to the appropriate keystores.

  sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt \
    -alias solr-ssl -file .../solr-8.11.1/server/etc/solr-ssl-cert
    Certificate was added to keystore

  keytool -list -cacerts | grep solr-ssl
    Enter keystore password:
    solr-ssl, Apr 24, 2022, trustedCertEntry,

  keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep -i solr
    Warning: use -cacerts option to access cacerts keystore
    Enter keystore password:
    solr-ssl, Apr 24, 2022, trustedCertEntry,

I am able to access Solr at https://localhost:8983/solr/#/ ...

However:

  * the Solr Admin UI interface >> Security panel indicates that TLS/SSL is not
    enabled:  "TLS enabled? X"

  * I cannot post documents to a Solr core:

    post -c pg-solr-demo  test_document.html
    post -c pg-solr-demo -u <my_username>:<my password> test_document.html

    ...
    POSTing file council_for_national_policy.html (text/html) to [base]/extract
    SimplePostTool: FATAL: IOException while posting data: java.io.IOException:
      Error writing request body to server

If I disable SSL and revert to the http://localhost:8983/solr/#/ ... mode, I 
can post documents to my Solr cores.

Furthermore, an HTML frontend to Solr no longer accesses Solr (URL changed from
http://... to https://... etc. in HTML file and supporting .js script).

In Firefox (to the left of the address bar):
  
  "Site information for localhost":
   "Connection is not secure. ... You are not securely connected to this site.
   You have added a security exception for this site."

If I do a query on data indexed in a Solr core (done in http://... mode)
in the Admin UI >> Logging I get an error message:
        
  ERROR false
  SolrLogAuditLoggerPlugin

  type="ERROR" message="Error" method="GET" status="503" requestType="UNKNOWN"
  username="pg-solr-admin" resource="/admin/ping"
  queryString="_=1650829260656&action=status&ts=1650829260656&wt=json"
  collections=[]

So, I think the issue is an SSL issue { solr.in.sh | jetty-ssl.xml | ... }, not
a { solrconfig.xml | schema.xml } issue.

Suggestions?

==============================================================================
solr.in.sh [excerpted]
----------------------

SOLR_SSL_ENABLED=true

SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=<my "secret" p/w>
SOLR_SSL_KEY_STORE_TYPE=PKCS12

# SOLR_SSL_TRUST_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=<my "secret" p/w>
SOLR_SSL_TRUST_STORE_TYPE=PKCS12

SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=<my_username:my_password>"

SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false

SOLR_SSL_CHECK_PEER_NAME=true


------------------------------------------------------------------------------
jetty-ssl.xml [excerpted]
-------------------------

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Call class="org.apache.solr.util.configuration.SSLConfigurationsFactory" name="current">
    <Get name="keyStorePassword" id="keyStorePassword"/>
    <Get name="trustStorePassword" id="trustStorePassword"/>
  </Call>

  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.p12"/></Set>
  <!-- *** QUESTION: do I need to explicitly provide the keystore password, here? *** -->
  <Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>

  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.p12"/></Set>

  <Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
  <!-- *** QUESTION: do I need to explicitly provide the keystore password, here? *** -->

  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>

  <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
  <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

------------------------------------------------------------------------------


==============================================================================
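
In the solr.in.sh excerpt above, SOLR_SSL_TRUST_STORE is commented out while its password and type are still set. The following is an added example (not part of the original post and not Solr project code): a small lint that reports store settings in that state. The function names and placeholder passwords are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint the keystore/truststore settings of a solr.in.sh file.

# Print the value of the last uncommented "VAR=..." line (surrounding quotes stripped).
active_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Report each store whose path is not active, and whether its password is still set.
lint_solr_ssl() {
  local file="$1" store clean=1
  if [ "$(active_value "$file" SOLR_SSL_ENABLED)" != "true" ]; then
    echo "SSL_NOT_ENABLED"; return 0
  fi
  for store in KEY_STORE TRUST_STORE; do
    [ -n "$(active_value "$file" "SOLR_SSL_$store")" ] && continue
    if grep -Eq "^[[:space:]]*#[[:space:]]*SOLR_SSL_$store=" "$file"; then
      echo "${store}_PATH_COMMENTED_OUT"; clean=0
    fi
    if [ -n "$(active_value "$file" "SOLR_SSL_${store}_PASSWORD")" ]; then
      echo "${store}_PASSWORD_SET_WITHOUT_PATH"; clean=0
    fi
  done
  [ "$clean" -eq 1 ] && echo "OK"
  return 0
}

# Constructed sample mirroring the excerpt above; passwords are placeholders.
write_sample() {
  cat > "$1" <<'EOF'
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=placeholder
SOLR_SSL_KEY_STORE_TYPE=PKCS12
# SOLR_SSL_TRUST_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=placeholder
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
EOF
}

sample=$(mktemp)
write_sample "$sample"
lint_solr_ssl "$sample"
rm -f "$sample"
```
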
