Looks like the hostname in your certificate doesn't match the hostname you are accessing Solr through. E.g., if you are accessing Solr as abc.myorg.com:8983/solr, the certificate on abc.myorg.com should have the hostname correctly specified.
Conversely, if you know the hostname in the certificate, you could try to address the server as such. Maybe you could ask your network staff to validate/correct this for you.

On Mon, Aug 12, 2024 at 3:01 PM Hodder, Rick (Property and Casualty CIO) <richard.hod...@thehartford.com.invalid> wrote:

> I’m running solr on a windows server, and am trying to set up SSL on SOLR.
>
> My network staff gave me a keystore with a certificate in PKCS12 format.
>
> I have set the following options in solr.in:
>
> set SOLR_SSL_KEY_STORE=E:\ApacheSolr8_11_1\server\etc\solr-ssl.keystore.p12
> set SOLR_SSL_KEY_STORE_PASSWORD=zzzzzz
> set SOLR_SSL_TRUST_STORE=E:\ApacheSolr8_11_1\server\etc\solr-ssl.keystore.p12
> set SOLR_SSL_TRUST_STORE_PASSWORD=zzzzzz
> REM Require clients to authenticate
> set SOLR_SSL_NEED_CLIENT_AUTH=false
> REM Enable clients to authenticate (but not require)
> set SOLR_SSL_WANT_CLIENT_AUTH=false
> REM Verify client hostname during SSL handshake
> set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
> REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
> REM this to false can be useful to disable these checks when re-using a certificate on many hosts
> set SOLR_SSL_CHECK_PEER_NAME=true
> REM Override Key/Trust Store types if necessary
> set SOLR_SSL_KEY_STORE_TYPE=PKCS12
> set SOLR_SSL_TRUST_STORE_TYPE=PKCS12
>
> When I start SOLR, I am receiving the following:
>
> INFO - 2024-08-12 14:09:44.942; org.apache.solr.util.configuration.SSLConfigurations; Setting javax.net.ssl.keyStorePassword
> INFO - 2024-08-12 14:09:44.942; org.apache.solr.util.configuration.SSLConfigurations; Setting javax.net.ssl.trustStorePassword
> Waiting up to 30 to see Solr running on port 8983
>
> ERROR: Certificate for <localhost> doesn't match any of the subject alternative names: [<machine name from cert>]
>
> How can I go about fixing this?
>
> Thanks,
>
> *RICK HODDER*
> Staff Software Engineer
> Global Specialty
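
The check behind the error quoted above, as an added example that is not part of the original thread and not Solr's own code: a simplified form of the standard hostname-versus-SAN comparison a TLS client performs. The SAN value `solr01.example.internal` is a constructed placeholder for the machine name in the certificate, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a certificate issued for the machine name only.
SAMPLE_DNS_SANS = ["solr01.example.internal"]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(hostname, pattern):
    """Compare one DNS SAN entry with the name the client connected to."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # short names and extra labels never match
    if pat[0] == "*":
        # A wildcard covers exactly one left-most label.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def hostname_matches_cert(hostname, dns_sans, ip_sans=()):
    """True when the name used in the URL is covered by the certificate."""
    if _is_ip(hostname):
        # IP literals are compared only with IP SAN entries, never DNS ones.
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in ip_sans)
    return any(dns_name_matches(hostname, p) for p in dns_sans)


def report(names, dns_sans, ip_sans=()):
    """Map each candidate name to whether the certificate covers it."""
    return {n: hostname_matches_cert(n, dns_sans, ip_sans) for n in names}


if __name__ == "__main__":
    candidates = ["localhost", "127.0.0.1", "solr01", "solr01.example.internal"]
    for name, ok in report(candidates, SAMPLE_DNS_SANS).items():
        print(f"{name:26} {'match' if ok else 'MISMATCH'}")
```

Only the exact name listed in the certificate passes; `localhost`, the loopback address and the short machine name all fail, which is the condition the quoted ERROR line reports.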