[jira] [Comment Edited] (SOLR-14105) Http2SolrClient SSL not working in branch_8x
[ https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17156931#comment-17156931 ]

Rajeswari Natarajan edited comment on SOLR-14105 at 7/13/20, 7:47 PM:
--

In which version of Solr is this issue fixed? We are using Solr 8.5.1 in cloud mode with Java 8. We are enabling TLS with http1 (as we get a warning Java 8 + Solr 8.5 SSL can’t be enabled) and we get the below exception.

2020-07-07 03:58:53.078 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
    at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
    at org.apache.solr.core.CoreContainer.load(CoreContainer.java:647)
    at org.apache.solr.servlet.SolrDispatchFilter.createCoreContainer(SolrDispatchFilter.java:263)
    at org.apache.solr.servlet.SolrDispatchFilter.init(SolrDispatchFilter.java:183)
    at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:134)
    at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:751)
    at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
    at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
    at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:744)
    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:360)
    at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1445)
    at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1409)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:822)
    at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275)
    at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:46)
    at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:188)
    at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:513)
    at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:154)
    at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:173)
    at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:447)
    at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:66)
    at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:784)
    at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:753)
    at org.eclipse.jetty.util.Scanner.scan(Scanner.java:641)
    at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:540)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:146)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:599)
    at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:249)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.server.Server.start(Server.java:407)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:100)
    at org.eclipse.jetty.server.Server.doStart(Server.java:371)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$0(XmlConfiguration.java:1888)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1837)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Na

[jira] [Comment Edited] (SOLR-14105) Http2SolrClient SSL not working in branch_8x
[ https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17106221#comment-17106221 ]

Jan Høydahl edited comment on SOLR-14105 at 5/13/20, 11:43 AM:
---

Thanks Simone. You did not quote me correctly. I said "..*seems* a bit incomplete and trappy", and that comment was meant for 9.4.24 that we use, and it took us several iterations to get the Server/Client split right. Again, a workaround is to specify a separate SOLR_SSL_CLIENT_KEY_STORE.

I think it is very hard to follow the GitHub issues/PRs you link to, so even after reading them, I did not understand that 9.4.25 actually allows multi certs even on the client side? This was the behaviour we had in Solr before upgrading from 9.4.19 to 9.4.24 - Jetty would pick the first cert on the keystore instead of throwing an exception. What is the new selection logic introduced in 9.4.25 (when we use SslContextFactory.Client)?

Sounds like Solr should anyway upgrade Jetty!

was (Author: janhoy):

Thanks Simone. You did not quote me correctly. I said "..*seems* a bit incomplete and trappy", and that comment is for 9.4.14 that we use. Again, a workaround is to specify a separate SOLR_SSL_CLIENT_KEY_STORE.

I think it is very hard to follow the GitHub issues/PRs you link to, so even after reading them, I did not understand that 9.4.25 actually allows multi certs even on the client side? This was the behaviour we had in Solr before upgrading from 9.4.19 to 9.4.24 - Jetty would pick the first cert on the keystore instead of throwing an exception. What is the new selection logic introduced in 9.4.25 (when we use SslContextFactory.Client)?

Sounds like Solr should anyway upgrade Jetty!

> Http2SolrClient SSL not working in branch_8x
>
>                 Key: SOLR-14105
>                 URL: https://issues.apache.org/jira/browse/SOLR-14105
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.5
>            Reporter: Jan Høydahl
>            Assignee: Kevin Risden
>            Priority: Major
>         Attachments: SOLR-14105.patch
>
>
> In branch_8x we upgraded to Jetty 9.4.24. This causes the following exceptions when attempting to start server with SSL:
> {noformat}
> 2019-12-17 14:46:16.646 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>     at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
>     at org.apache.solr.core.CoreContainer.load(CoreContainer.java:633)
>     ...
> Caused by: java.lang.RuntimeException: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>     at org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:224)
>     at org.apache.solr.client.solrj.impl.Http2SolrClient.<init>(Http2SolrClient.java:154)
>     at org.apache.solr.client.solrj.impl.Http2SolrClient$Builder.build(Http2SolrClient.java:833)
>     at org.apache.solr.handler.component.HttpShardHandlerFactory.init(HttpShardHandlerFactory.java:321)
>     at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:51)
>     ... 50 more
> Caused by: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>     at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1273)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1255)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
> {noformat}

[jira] [Comment Edited] (SOLR-14105) Http2SolrClient SSL not working in branch_8x
[ https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101129#comment-17101129 ]

Akhmad Amirov edited comment on SOLR-14105 at 5/6/20, 7:54 PM:
---

As I stated above my log shows jetty-9.4.24.v20191120, which is part of latest Solr 8.5.1 package

2020-05-06 13:16:26.831 INFO (main) [ ] o.e.j.u.log Logging initialized @738ms to org.eclipse.jetty.util.log.Slf4jLog
2020-05-06 13:16:26.894 INFO (main) [ ] o.e.j.u.TypeUtil JVM Runtime does not support Modules
2020-05-06 13:16:27.005 INFO (main) [ ] o.e.j.s.Server jetty-9.4.24.v20191120; built: 2019-11-20T21:37:49.771Z; git: 363d5f2df3a8a28de40604320230664b9c793c16; jvm 1.8.0_241-b07
2020-05-06 13:16:27.026 INFO (main) [ ] o.e.j.d.p.ScanningAppProvider Deployment monitor [file:///app/solr-8.5.1/server/contexts/] at interval 0
2020-05-06 13:16:27.238 INFO (main) [ ] o.e.j.w.StandardDescriptorProcessor NO JSP Support for /solr, did not find org.apache.jasper.servlet.JspServlet
2020-05-06 13:16:27.247 INFO (main) [ ] o.e.j.s.session DefaultSessionIdManager workerName=node0
2020-05-06 13:16:27.247 INFO (main) [ ] o.e.j.s.session No SessionScavenger set, using defaults
2020-05-06 13:16:27.248 INFO (main) [ ] o.e.j.s.session node0 Scavenging every 60ms
2020-05-06 13:16:27.294 INFO (main) [ ] o.a.s.u.c.SSLConfigurations Setting javax.net.ssl.keyStorePassword
2020-05-06 13:16:27.294 INFO (main) [ ] o.a.s.u.c.SSLConfigurations Setting javax.net.ssl.trustStorePassword
2020-05-06 13:16:27.306 INFO (main) [ ] o.a.s.s.SolrDispatchFilter Using logger factory org.apache.logging.slf4j.Log4jLoggerFactory
2020-05-06 13:16:27.309 INFO (main) [ ] o.a.s.s.SolrDispatchFilter ___ _ Welcome to Apache Solr™ version 8.5.1
2020-05-06 13:16:27.312 INFO (main) [ ] o.a.s.s.SolrDispatchFilter / __| ___| |_ _ Starting in cloud mode on port 8443
2020-05-06 13:16:27.312 INFO (main) [ ] o.a.s.s.SolrDispatchFilter __ \/ _ \ | '_| Install dir: /app/solr
2020-05-06 13:16:27.312 INFO (main) [ ] o.a.s.s.SolrDispatchFilter |___/___/_|_| Start time: 2020-05-06T18:16:27.312Z
2020-05-06 13:16:27.330 INFO (main) [ ] o.a.s.c.SolrResourceLoader Using system property solr.solr.home: /app/solr/server/solr
2020-05-06 13:16:27.373 INFO (main) [ ] o.a.s.c.c.ConnectionManager Waiting for client to connect to ZooKeeper
2020-05-06 13:16:27.395 INFO (zkConnectionManagerCallback-2-thread-1) [ ] o.a.s.c.c.ConnectionManager zkClient has connected
2020-05-06 13:16:27.395 INFO (main) [ ] o.a.s.c.c.ConnectionManager Client is connected to ZooKeeper
2020-05-06 13:16:27.504 INFO (main) [ ] o.a.s.s.SolrDispatchFilter Loading solr.xml from SolrHome (not found in ZooKeeper)
2020-05-06 13:16:27.506 INFO (main) [ ] o.a.s.c.SolrXmlConfig Loading container configuration from /app/solr/server/solr/solr.xml
2020-05-06 13:16:27.556 INFO (main) [ ] o.a.s.c.SolrXmlConfig MBean server found: com.sun.jmx.mbeanserver.JmxMBeanServer@1e802ef9, but no JMX reporters were configured - adding default JMX reporter.
2020-05-06 13:16:27.946 INFO (main) [ ] o.a.s.h.c.HttpShardHandlerFactory Host whitelist initialized: WhitelistHostChecker [whitelistHosts=null, whitelistHostCheckingEnabled=true]
2020-05-06 13:16:27.972 WARN (main) [ ] o.a.s.c.s.i.Http2SolrClient Create Http2SolrClient with HTTP/1.1 transport since Java 8 or lower versions does not support SSL + HTTP/2
2020-05-06 13:16:28.310 INFO (main) [ ] o.e.j.u.s.SslContextFactory x509=X509@b5cc23a(node1.my.com,h=[11.111.111.111, node1.my.com],w=[]) for Client@69f63d95[provider=null,keyStore=file:///app/certificates/solr-ssl.keystore.p12,trustStore=file:///app/certificates/solr-ssl.truststore.p12]
2020-05-06 13:16:28.460 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
2020-05-06 13:16:28.460 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
    at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
    at org.apache.solr.core.CoreContainer.load(CoreContainer.java:647)
    at org.apache.solr.servlet.SolrDispatchFilter.createCoreContainer(SolrDispatchFilter.java:263)
    at org.apache.solr.servlet.SolrDispatchFilter.init(SolrDispatchFilter.java:183)
    at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:134)
    at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:751)
    at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.ja

[jira] [Comment Edited] (SOLR-14105) Http2SolrClient SSL not working in branch_8x
[ https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101085#comment-17101085 ]

Aaron Kalsnes edited comment on SOLR-14105 at 5/6/20, 6:48 PM:
---

I'm seeing the same behavior with Solr 8.5.1:

{{java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on *Server*}}

I am not a Java developer, but according to an issue on Jetty's GitHub ([https://github.com/eclipse/jetty.project/issues/4425]), this error is happening because:
{quote}"The issue is that we had to split the {{SslContextFactory}} into a client and server version, rather than a single class for both.

If you have code that previously instantiated {{SslContextFactory}} directly, then it will mostly work other than SNI.

The fix is to change to use {{SslContextFactory.Server}} instead of just {{SslContextFactory}}."
{quote}
Looking at [https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java], I do not see ".Server" anywhere.

I assume that "Server" in the error message is referring to "SslContextFactory.Server"

Here is the stack trace:
{noformat}
2020-05-06 13:18:18.149 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
    at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
    at org.apache.solr.core.CoreContainer.load(CoreContainer.java:647)
    at org.apache.solr.servlet.SolrDispatchFilter.createCoreContainer(SolrDispatchFilter.java:263)
    at org.apache.solr.servlet.SolrDispatchFilter.init(SolrDispatchFilter.java:183)
    at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:134)
    at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:751)
    at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
    at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
    at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:744)
    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:360)
    at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1445)
    at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1409)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:822)
    at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275)
    at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:46)
    at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:188)
    at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:513)
    at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:154)
    at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:173)
    at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:447)
    at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:66)
    at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:784)
    at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:753)
    at org.eclipse.jetty.util.Scanner.scan(Scanner.java:641)
    at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:540)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:146)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:599)
    at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:249)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.server.Server.start(Server.java:407)
    at org.eclipse.jetty.util.component.ContainerLifeCycle