Just to give everyone an update - I upgraded our SolrCloud cluster from 4.3.1 (manually patched for SSL) -> 4.7 and have run into a couple of issues, though I have created Jira tickets for them and some have already been committed.

1. The update shard handler wasn't using the system properties to pick up the javax.net.ssl.* configuration (SOLR-5866 <https://issues.apache.org/jira/browse/SOLR-5866>)
2. Overseer collector doesn't use the right scheme in a small use case, only came across this perusing the code but will impact some select admin calls (SOLR-5867 <https://issues.apache.org/jira/browse/SOLR-5867>)
3. Wiring up a custom HttpClientConfigurer has proven to be a bit more challenging as the HttpClientUtil needs to set the new configurer before Solr begins to be constructed, so I was left with options such as setting up a webapp-listener in the webdefaults.xml to get a hook in before the Solr servlet gets loaded. If there is a better way to achieve this please let us know, I thought there *must* be a better way but it eluded me. For simplicity's sake I ended up just patching in my custom HttpClientConfigurer into the war itself.

After further contemplation I thought Solr should be lenient in which certificates are acceptable to communicate within the cluster itself instead of the default HttpClient configuration that is more strict for communication to external sources. With that in mind I created a ticket to set the default host name verifier to allow all hostnames (SOLR-5868 <https://issues.apache.org/jira/browse/SOLR-5868>) and we may consider allowing self-signed certs as well. With those changes the need to wire up a custom HttpClientConfigurer becomes greatly reduced.

To get 4.7 up and running in its current fashion, you can use the following custom HttpClientConfigurer (also fixes problem with SOLR-5866): https://gist.github.com/sdavids13/9577027

-Steve

On Thu, Mar 13, 2014 at 10:31 PM, Steve Davids <[email protected]> wrote:

> Glad to hear it works for you! It would be nice if we could upload the json file via the zk bootstrapping, it sure would make it a bit simpler.
>
> -Steve
>
> On Mar 13, 2014, at 10:19 PM, Erick Erickson <[email protected]> wrote:
>
> > Darn Windows.
> > It turns out that this works (thanks Steve!)
> >
> > ./zkcli.sh -zkhost localhost:9983 -cmd put /clusterprops.json '{"urlScheme":"https"}'
> >
> > but only if you escape the double quotes and remove the ticks, as:
> >
> > ./zkcli.sh -zkhost localhost:9983 -cmd put /clusterprops.json {\"urlScheme\":\"https\"}
> >
> > Otherwise clusterprops.json contains the ticks as well.
> >
> > Got it working though....
> >
> > On Thu, Mar 13, 2014 at 9:43 AM, Erick Erickson <[email protected]> wrote:
> >> I was thinking about that but haven't had a chance to catch my breath.
> >>
> >> Thanks for letting me know where the link is...
> >>
> >> Erick
> >>
> >> On Thu, Mar 13, 2014 at 9:08 AM, Cassandra Targett <[email protected]> wrote:
> >>> This needs to also make its way into the Solr Ref Guide - stuff documented on the wiki doesn't automatically get into the Solr Reference Guide without human intervention.
> >>>
> >>> There is an issue already to document this in the guide, so if you do add something to the Solr Wiki, please add a link to the page to https://issues.apache.org/jira/browse/SOLR-5757 so it can be officially documented.
> >>>
> >>> Thanks,
> >>> Cassandra
> >>>
> >>> On Wed, Mar 12, 2014 at 7:19 PM, Erick Erickson <[email protected]> wrote:
> >>>>
> >>>> Steve:
> >>>>
> >>>> It would be a great service if you were willing to document this on the Wiki. If you don't already have contributor rights, just create a logon on the Wiki, send us your logon ID and we'll add you to the approved editors list.
> >>>>
> >>>> A bit of background: We used to let anyone edit the Wiki, but then started getting hit with a billion spam pages so had to lock it down. As long as we're convinced it's a real person asking for edit rights, they're freely granted!
> >>>>
> >>>> Best,
> >>>> Erick
> >>>>
> >>>> On Wed, Mar 12, 2014 at 8:15 PM, Steve Davids <[email protected]> wrote:
> >>>>> I will be upgrading my SolrCloud cluster at work in a couple of days (hand patched former builds) will let everyone know if there are any other gotchas. I know depending on different cases the need to bundle your own HttpClientConfigurer to use the AllowAllHostnameVerifier (if using a single cert for all instances) or to add the TrustedSelfSignedStrategy if using two-way SSL w/ self-signed certs.
> >>>>>
> >>>>> -Steve
> >>>>>
> >>>>> On Mar 12, 2014, at 8:05 PM, Erick Erickson <[email protected]> wrote:
> >>>>>
> >>>>> Steve:
> >>>>>
> >>>>> Thanks, I confess confusion about all things HTTPS. I'll turn this over to the people who _do_ know about it in the morning, this is a great help in that it tells us where to look.
> >>>>>
> >>>>> I smell a Wiki page coming....
> >>>>>
> >>>>> Erick
> >>>>>
> >>>>> On Wed, Mar 12, 2014 at 7:47 PM, Steve Davids <[email protected]> wrote:
> >>>>>
> >>>>> Hi Erick,
> >>>>>
> >>>>> Unfortunately the only "working example" is in the unit-tests. What have you done thus far? First step would be to add the "urlScheme" into clusterprops.json:
> >>>>>
> >>>>> ./zkcli.sh -zkhost localhost:9983 -cmd put /clusterprops.json '{"urlScheme":"https"}'
> >>>>>
> >>>>> You will also need to add the basic javax.net.ssl.* system properties (http://stackoverflow.com/a/5871352)
> >>>>>
> >>>>> It is important to note that if there is a pre-existing clusterstate.json file you will need to update the current base_url values to move 'http' -> 'https' scheme + update the port value. This is all necessary because when a node is rebooted it compares the base_url to figure out where it left off in the cluster.
> >>>>> SOLR-5770 was created so we don't need to worry about performing this manual http->https mapping since it will use the node_name to perform the comparison (though the port value would still be a problem).
> >>>>>
> >>>>> Let me know if that helps,
> >>>>>
> >>>>> -Steve
> >>>>>
> >>>>> On Mar 12, 2014, at 4:23 PM, Erick Erickson <[email protected]> wrote:
> >>>>>
> >>>>> We simply cannot get Solr running over HTTPS. We're running Solr 4.7, SOLR-3854 should be included.
> >>>>>
> >>>>> To complicate matters this is on WebSphere, but fortunately the people here are handling that part (not a chance in the world to use Jetty).
> >>>>>
> >>>>> "IOException can't connect with an http (not https) address"
> >>>>>
> >>>>> Do we have any examples lying around that handle this case that we can use as a template? I'm out of my league with this, https is a mystery.
> >>>>>
> >>>>> Thanks!
> >>>>> Erick
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: [email protected]
> >>>>> For additional commands, e-mail: [email protected]
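
Added example, not part of the original thread and not Solr code: Python for the two checks the thread describes, confirming that the bytes stored in /clusterprops.json parse as JSON (the stray-ticks failure) and rewriting pre-existing clusterstate.json base_url values from http to https with a port change. The function names, the port map and the sample cluster state are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of a clusterstate.json (not real data).
SAMPLE_STATE = {"collection1": {"shards": {"shard1": {"replicas": {
    "core_node1": {"base_url": "http://10.0.0.1:8983/solr", "core": "collection1"},
    "core_node2": {"base_url": "http://10.0.0.2:7574/solr", "core": "collection1"},
}}}}}


def read_url_scheme(raw):
    """Parse the raw bytes of /clusterprops.json and return its urlScheme.

    Raises ValueError when the content is not a JSON object, e.g. when the
    shell stored the surrounding ticks as part of the value."""
    text = raw.decode("utf-8").strip()
    try:
        props = json.loads(text)
    except ValueError as exc:
        raise ValueError("clusterprops.json is not valid JSON: %r" % text) from exc
    if not isinstance(props, dict):
        raise ValueError("clusterprops.json is not a JSON object: %r" % text)
    return props.get("urlScheme")  # None means the property was never set


def migrate_base_urls(node, port_map):
    """Rewrite every http base_url under node to https, in place.

    port_map maps old HTTP port -> new HTTPS port (operator-supplied,
    hypothetical here). URLs with an unmapped port are left untouched and
    reported. Returns (changed, unmapped) lists of URLs."""
    changed, unmapped = [], []
    items = (node.items() if isinstance(node, dict)
             else enumerate(node) if isinstance(node, list) else ())
    for key, value in items:
        if key == "base_url" and isinstance(value, str):
            parts = urlsplit(value)
            if parts.scheme != "http":
                continue  # already migrated, leave as-is
            if parts.port not in port_map:
                unmapped.append(value)
                continue
            netloc = "%s:%d" % (parts.hostname, port_map[parts.port])
            node[key] = urlunsplit(("https", netloc, parts.path, "", ""))
            changed.append(node[key])
        else:
            sub_changed, sub_unmapped = migrate_base_urls(value, port_map)
            changed += sub_changed
            unmapped += sub_unmapped
    return changed, unmapped
```

Any entry returned in the unmapped list still carries an http base_url, so it needs a port mapping before the node it belongs to is restarted.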
