Xiaotian Qin created SOLR-16207:
-----------------------------------
Summary: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Key: SOLR-16207
URL: https://issues.apache.org/jira/browse/SOLR-16207
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Xiaotian Qin
We encountered an exception in the container for Solr version 9. We used self-signed certs to enable SSL, following
[here|s3.console.aws.amazon.com/s3/object/wish-relevance-us-west-2?region=us-west-2&prefix=tahoe_output%2Fsearch_index_tahoe%2Ftahoe_search_intermediate_index_20211209%2Fbatch_id%3D0%2F000017_0&tab=permissions]
It looks like the Java validator is trying to validate the certs and complains about the unknown source? How can we fix this?
The env we specified in the container as environment variables. We verified that the file path contains our p12 cert file.
{
  "name": "SOLR_SSL_ENABLED",
  "value": "true"
},
{
  "name": "SOLR_SSL_KEY_STORE",
  "value": "/ssl/solr-ssl.keystore.p12"
},
{
  "name": "SOLR_SSL_KEY_STORE_PASSWORD",
  "value": "secret"
},
{
  "name": "SOLR_SSL_KEY_STORE_TYPE",
  "value": "pkcs12"
},
{
  "name": "SOLR_SSL_CLIENT_KEY_STORE",
  "value": "/ssl/solr-ssl.keystore.p12"
},
{
  "name": "SOLR_SSL_CLIENT_KEY_STORE_PASSWORD",
  "value": "secret"
},
{
  "name": "SOLR_SSL_CLIENT_KEY_STORE_TYPE",
  "value": "pkcs12"
},
{
  "name": "SOLR_SSL_TRUST_STORE",
  "value": "/ssl/solr-ssl.keystore.p12"
},
{
  "name": "SOLR_SSL_TRUST_STORE_PASSWORD",
  "value": "secret"
},
{
  "name": "SOLR_SSL_TRUST_STORE_TYPE",
  "value": "pkcs12"
},
{
  "name": "SOLR_SSL_CLIENT_TRUST_STORE",
  "value": "/ssl/solr-ssl.keystore.p12"
},
{
  "name": "SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD",
  "value": "secret"
},
{
  "name": "SOLR_SSL_CLIENT_TRUST_STORE_TYPE",
  "value": "pkcs12"
},
{
  "name": "SOLR_SSL_NEED_CLIENT_AUTH",
  "value": "false"
},
{
  "name": "SOLR_SSL_WANT_CLIENT_AUTH",
  "value": "true"
},
{
  "name": "SOLR_SSL_CHECK_PEER_NAME",
  "value": "true"
}
Stack trace in the Solr container
{quote}Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[?:?]
at java.security.cert.CertPathBuilder.build(Unknown Source) ~[?:?]
at sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[?:?]
at sun.security.validator.Validator.validate(Unknown Source) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(Unknown Source) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(Unknown Source) ~[?:?]
at sun.security.ssl.SSLTransport.decode(Unknown Source) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
{quote}
Solr process in the container; it looks like the above environment variables are being passed as JAVA_OPTS
{quote}solr 9 8.3 61.3 51036372 44091148 ? Sl 22:40 0:58
/opt/java/openjdk/bin/java -server -Xms41308M -Xmx41308M -XX:+UseG1GC
-XX:+PerfDisableSharedMem -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=250
-XX:+UseLargePages -XX:+AlwaysPreTouch -XX:+ExplicitGCInvokesConcurrent
-Xlog:gc*:file=/data-podcast-solr-cloud-store/logs/solr_gc.log:time,uptime:filecount=9,filesize=20M
-Dsolr.jetty.inetaccess.includes= -Dsolr.jetty.inetaccess.excludes=
-DzkClientTimeout=30000
-DzkHost=podcast-zk-ensemble-0.zk-service.data-podcast-zookeeper.svc.cluster.local:2181,podcast-zk-ensemble-1.zk-service.data-podcast-zookeeper.svc.cluster.local:2181,podcast-zk-ensemble-2.zk-service.data-podcast-zookeeper.svc.cluster.local:2181/data-podcast-solr-cloud-data-podcast
-Dsolr.log.dir=/data-podcast-solr-cloud-store/logs -Djetty.port=8983
-DSTOP.PORT=7983 -DSTOP.KEY=solrrocks
-Dhost=data-podcast-0.data-podcast-solr-cloud.data-podcast-solr-cloud-dev.query.us-west-1a.consul
-Duser.timezone=UTC -XX:-OmitStackTraceInFastThrow
-XX:OnOutOfMemoryError=/opt/solr/bin/oom_solr.sh 8983
/data-podcast-solr-cloud-store/logs -Djetty.home=/opt/solr/server
-Dsolr.solr.home=/data-podcast-solr-cloud-store/data -Dsolr.data.home=
-Dsolr.install.dir=/opt/solr
-Dsolr.default.confdir=/opt/solr/server/solr/configsets/_default/conf
-Dlog4j.configurationFile=/var/solr/log4j2.xml
-Dsolr.sharedLib=/data-podcast-solr-cloud-store/data/lib
-Dsolr.environment=dev,label=Dev+PlayAround,color=green
-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider
-DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider
-DzkDigestUsername=username -DzkDigestPassword=123 -Dsolr.jetty.host=0.0.0.0
-Xss256k *-Dsolr.jetty.keystore=/ssl/solr-ssl.keystore.p12
-Dsolr.jetty.keystore.type=pkcs12
-Dsolr.jetty.truststore=/ssl/solr-ssl.keystore.p12
-Dsolr.jetty.truststore.type=pkcs12 -Dsolr.jetty.ssl.verifyClientHostName=HTTPS
-Dsolr.jetty.ssl.needClientAuth=false -Dsolr.jetty.ssl.wantClientAuth=true
-Djavax.net.ssl.keyStore=/ssl/solr-ssl.keystore.p12
-Djavax.net.ssl.keyStoreType=pkcs12 -Dsolr.ssl.checkPeerName=true
-Djavax.net.ssl.trustStore=/ssl/solr-ssl.keystore.p12
-Djavax.net.ssl.trustStoreType=pkcs12* -Dsolr.jetty.https.port=8983
-Djava.security.manager
-Djava.security.policy=/opt/solr/server/etc/security.policy
-Djava.security.properties=/opt/solr/server/etc/security.properties
-Dsolr.internal.network.permission=* -DdisableAdminUI=false -jar start.jar
--module=https --lib=/opt/solr/server/solr-webapp/webapp/WEB-INF/lib/*
--module=requestlog --module=gzip
{quote}
Java version in container:
$ java --version
openjdk 17.0.3 2022-04-19
OpenJDK Runtime Environment Temurin-17.0.3+7 (build 17.0.3+7)
OpenJDK 64-Bit Server VM Temurin-17.0.3+7 (build 17.0.3+7, mixed mode, sharing)
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
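Added diagnostic, not part of this ticket or of Solr's own code: the standalone Java program below reproduces the client-side trust decision from the stack trace above (TrustManagerFactory "PKIX", which is sun.security.ssl.X509TrustManagerImpl.checkServerTrusted backed by PKIXValidator) against the same PKCS12 file(s) and passwords the SOLR_SSL_* variables point at, without starting Solr. It prints the chain the server side would present from the key store's private-key entry, the trust anchors the JDK actually loaded from the trust store, and then either OK or the same CertificateException. It assumes Java 17 or later (java.util.HexFormat, single-file source launch); the class name and the four command-line arguments (key store path, key store password, trust store path, trust store password) are my own choice, not a Solr interface.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {

    // Load a keystore the way the JDK does for javax.net.ssl.keyStore / trustStore
    // (type and password; a wrong password fails here with an IOException).
    static KeyStore load(Path file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.ofDelimiter(":").formatHex(digest);
    }

    // Self-signed: subject equals issuer and the certificate verifies under its own key.
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        } catch (Exception e) {
            return false;
        }
    }

    // The chain the TLS server presents: the certificate chain of the first private-key entry.
    static X509Certificate[] serverChain(KeyStore keyStore) throws Exception {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (keyStore.isKeyEntry(alias)) {
                List<X509Certificate> out = new ArrayList<>();
                for (Certificate c : keyStore.getCertificateChain(alias)) {
                    out.add((X509Certificate) c);
                }
                return out.toArray(new X509Certificate[0]);
            }
        }
        throw new IllegalStateException("no private-key entry in key store");
    }

    // The same PKIX trust manager the JDK builds for the client side of the handshake.
    static X509TrustManager trustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java TrustCheck.java <keystore.p12> <keystore-pw> <truststore.p12> <truststore-pw>");
            System.exit(2);
        }
        KeyStore keyStore = load(Path.of(args[0]), "PKCS12", args[1].toCharArray());
        KeyStore trustStore = load(Path.of(args[2]), "PKCS12", args[3].toCharArray());

        X509Certificate[] chain = serverChain(keyStore);
        System.out.println("server chain (" + chain.length + " cert(s)):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal()
                    + " selfSigned=" + isSelfSigned(c)
                    + " SANs=" + c.getSubjectAlternativeNames()
                    + " sha256=" + fingerprint(c));
        }

        X509TrustManager tm = trustManager(trustStore);
        X509Certificate[] anchors = tm.getAcceptedIssuers();
        System.out.println("trust anchors the JDK loaded from the trust store (" + anchors.length + "):");
        for (X509Certificate c : anchors) {
            System.out.println("  subject=" + c.getSubjectX500Principal() + " sha256=" + fingerprint(c));
        }

        try {
            // "UNKNOWN" is the authType the JDK passes for TLS 1.3, as in the T13CertificateConsumer frames above.
            tm.checkServerTrusted(chain, "UNKNOWN");
            System.out.println("OK: the trust store accepts the chain the server would present");
        } catch (CertificateException e) {
            System.out.println("FAIL: " + e);
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
            System.exit(1);
        }
    }
}
```

For the configuration in this ticket all four arguments are /ssl/solr-ssl.keystore.p12 and secret, run inside the container with the same JDK (java TrustCheck.java /ssl/solr-ssl.keystore.p12 secret /ssl/solr-ssl.keystore.p12 secret). If the list of loaded anchors is empty, or contains no certificate with the same SHA-256 fingerprint as the first certificate of the server chain (or, for a CA-issued cert, no certificate whose subject is that cert's issuer), the PKIX builder has nothing to build a path to and checkServerTrusted fails with exactly the SunCertPathBuilderException quoted above; comparing the two fingerprint lists shows which side is wrong. Note that the hostname check enabled by SOLR_SSL_CHECK_PEER_NAME=true (the SANs printed for the chain against the host in -Dhost=...) is a separate step of the handshake that this program does not exercise.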