RE: Solr 6.6.2 ManagedSchema Replication

2018-08-20 Thread Kelly Rusk
Yes!!! That did it. It requires a document first. I created a test doc and the 
managed-schema replicated.

Regards,

Kelly

-Original Message-
From: Erick Erickson  
Sent: Monday, August 20, 2018 10:55 AM
To: solr-user 
Subject: Re: Solr 6.6.2 ManagedSchema Replication

Shot in the dark.

Does the index change in the meantime? IIRC, the configuration replication is 
_not_ triggered unless there are fresh segments to bring down, i.e. you've 
added or deleted docs to the master. Which is something of a chicken-and-egg 
problem.

See SOLR-1304 (which, if still accurate, shows how far back this has been an 
issue). SOLR-4674 is similar.

Best,
Erick

On Mon, Aug 20, 2018 at 7:33 AM, Kelly Rusk  wrote:
> Hi Shawn,
>
> I have tested both reloads and even full restarts of the Solr application, 
> and the managed-schema does not replicate. Any ideas of next steps? Do I need 
> to manually copy the managed-schema over?
>
> Regards,
>
> Kelly
>
> -----Original Message-
> From: Kelly Rusk 
> Sent: Saturday, August 18, 2018 11:11 PM
> To: solr-user@lucene.apache.org; solr-user@lucene.apache.org
> Subject: Re: Solr 6.6.2 ManagedSchema Replication
>
> Disregard that last part asking about the reporter. That's the person who 
> reported the issue... it just sounded like a Solr logging feature. I will 
> check if a reload works.
> 
> From: Kelly Rusk 
> Sent: Saturday, August 18, 2018 11:09:24 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Solr 6.6.2 ManagedSchema Replication
>
> Thanks Shawn,
>
> I haven't tried the reload. I just saw that the files appear to not be copied 
> over when I compare the managed-schema in the file system of Master and Slave.
>
> What is the reporter? Where would I access that to check? I am running Solr 
> on Windows (platform governance requirement).
>
> Thanks again for all your help and direction.
>
> Regards,
>
> Kelly
>
> 
> From: Shawn Heisey 
> Sent: Saturday, August 18, 2018 10:53 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Solr 6.6.2 ManagedSchema Replication
>
> On 8/18/2018 6:56 PM, Kelly Rusk wrote:
>> Hello Shawn,
>>
>> Someone else appears to have opened the same issue as what I require:
>> https://issues.apache.org/jira/browse/SOLR-9382
>>
>> Do you have a recommended workaround as this issue is 2 years old without 
>> resolution?
>
> I've got no idea here.
>
> I'm assuming you have put managed-schema into the confFiles section of your 
> replication handler.
>
> Do you find that it doesn't get copied at all, or are you finding what the 
> reporter on SOLR-9382 found -- that the files were copied, but a reload was 
> required to get the changes to take effect?
>
> Thanks,
> Shawn
>


RE: Solr 6.6.2 ManagedSchema Replication

2018-08-20 Thread Kelly Rusk
Hi Shawn,

I have tested both reloads and even full restarts of the Solr application, and 
the managed-schema does not replicate. Any ideas of next steps? Do I need to 
manually copy the managed-schema over?

Regards,

Kelly 

-Original Message-
From: Kelly Rusk  
Sent: Saturday, August 18, 2018 11:11 PM
To: solr-user@lucene.apache.org; solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

Disregard that last part asking about the reporter. That's the person who 
reported the issue... it just sounded like a Solr logging feature. I will check 
if a reload works.

From: Kelly Rusk 
Sent: Saturday, August 18, 2018 11:09:24 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

Thanks Shawn,

I haven't tried the reload. I just saw that the files appear to not be copied 
over when I compare the managed-schema in the file system of Master and Slave.

What is the reporter? Where would I access that to check? I am running Solr on 
Windows (platform governance requirement).

Thanks again for all your help and direction.

Regards,

Kelly


From: Shawn Heisey 
Sent: Saturday, August 18, 2018 10:53 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

On 8/18/2018 6:56 PM, Kelly Rusk wrote:
> Hello Shawn,
>
> Someone else appears to have opened the same issue as what I require: 
> https://issues.apache.org/jira/browse/SOLR-9382
>
> Do you have a recommended workaround as this issue is 2 years old without 
> resolution?

I've got no idea here.

I'm assuming you have put managed-schema into the confFiles section of your 
replication handler.

Do you find that it doesn't get copied at all, or are you finding what the 
reporter on SOLR-9382 found -- that the files were copied, but a reload was 
required to get the changes to take effect?

Thanks,
Shawn



Re: Solr 6.6.2 ManagedSchema Replication

2018-08-18 Thread Kelly Rusk
Disregard that last part asking about the reporter. That’s the person who 
reported the issue... it just sounded like a Solr logging feature. I will check 
if a reload works.

From: Kelly Rusk 
Sent: Saturday, August 18, 2018 11:09:24 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

Thanks Shawn,

I haven’t tried the reload. I just saw that the files appear to not be copied 
over when I compare the managed-schema in the file system of Master and Slave.

What is the reporter? Where would I access that to check? I am running Solr on 
Windows (platform governance requirement).

Thanks again for all your help and direction.

Regards,

Kelly


From: Shawn Heisey 
Sent: Saturday, August 18, 2018 10:53 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

On 8/18/2018 6:56 PM, Kelly Rusk wrote:
> Hello Shawn,
>
> Someone else appears to have opened the same issue as what I require: 
> https://issues.apache.org/jira/browse/SOLR-9382
>
> Do you have a recommended workaround as this issue is 2 years old without 
> resolution?

I've got no idea here.

I'm assuming you have put managed-schema into the confFiles section of
your replication handler.

Do you find that it doesn't get copied at all, or are you finding what
the reporter on SOLR-9382 found -- that the files were copied, but a
reload was required to get the changes to take effect?

Thanks,
Shawn



Re: Solr 6.6.2 ManagedSchema Replication

2018-08-18 Thread Kelly Rusk
Thanks Shawn,

I haven’t tried the reload. I just saw that the files appear to not be copied 
over when I compare the managed-schema in the file system of Master and Slave.

What is the reporter? Where would I access that to check? I am running Solr on 
Windows (platform governance requirement).

Thanks again for all your help and direction.

Regards,

Kelly


From: Shawn Heisey 
Sent: Saturday, August 18, 2018 10:53 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

On 8/18/2018 6:56 PM, Kelly Rusk wrote:
> Hello Shawn,
>
> Someone else appears to have opened the same issue as what I require: 
> https://issues.apache.org/jira/browse/SOLR-9382
>
> Do you have a recommended workaround as this issue is 2 years old without 
> resolution?

I've got no idea here.

I'm assuming you have put managed-schema into the confFiles section of
your replication handler.

Do you find that it doesn't get copied at all, or are you finding what
the reporter on SOLR-9382 found -- that the files were copied, but a
reload was required to get the changes to take effect?

Thanks,
Shawn



RE: Solr 6.6.2 ManagedSchema Replication

2018-08-18 Thread Kelly Rusk
Hello Shawn,

Someone else appears to have opened the same issue as what I require: 
https://issues.apache.org/jira/browse/SOLR-9382

Do you have a recommended workaround as this issue is 2 years old without 
resolution?

Regards,

Kelly

-Original Message-
From: Kelly Rusk  
Sent: Saturday, August 18, 2018 1:15 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

I will try to dig that up on Monday. Thanks for the assistance. Outside of what 
I have found, have you seen this issue?

Regards,

Kelly

From: Shawn Heisey 
Sent: Saturday, August 18, 2018 9:40:12 AM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

On 8/18/2018 7:19 AM, Kelly Rusk wrote:
> In looking at my records, I submitted a bug fix request at that time. A 
> better question may be have others run into this issue and what worked for 
> them? What have others tested?

Do you have the issue number and/or a link to the issue? I've tried searching 
for it and haven't found it.

Thanks,
Shawn



Re: Solr 6.6.2 ManagedSchema Replication

2018-08-18 Thread Kelly Rusk
I will try to dig that up on Monday. Thanks for the assistance. Outside of what 
I have found, have you seen this issue?

Regards,

Kelly

From: Shawn Heisey 
Sent: Saturday, August 18, 2018 9:40:12 AM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

On 8/18/2018 7:19 AM, Kelly Rusk wrote:
> In looking at my records, I submitted a bug fix request at that time. A 
> better question may be have others run into this issue and what worked for 
> them? What have others tested?

Do you have the issue number and/or a link to the issue? I've tried
searching for it and haven't found it.

Thanks,
Shawn



Re: Solr 6.6.2 ManagedSchema Replication

2018-08-18 Thread Kelly Rusk
Thank you Shawn,

In looking at my records, I submitted a bug fix request at that time. A better 
question may be have others run into this issue and what worked for them? What 
have others tested?

Kelly

From: Shawn Heisey 
Sent: Saturday, August 18, 2018 12:01:38 AM
To: solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 ManagedSchema Replication

On 8/17/2018 9:15 PM, Kelly Rusk wrote:
> Hello all,
>
> I am running Solr 6.6.2 in a Master/Slave setup. I need the managedschema 
> file on the Master to replicate to the Slave servers. Does it:
>
> - Get replicated automatically with the other files
>
> OR
> - Do I need to include this file to be replicated, and if so, how do I do 
> this as managedschema doesn’t have a file extension to reference

If putting "managed-schema" (without the quotes) as a confFile to
replicate doesn't copy it when the index changes and the schema changes,
then I would call that a bug.

Looks like you asked this same question back in May and were told the
same thing then, and given a possible workaround.

Thanks,
Shawn



Solr 6.6.2 ManagedSchema Replication

2018-08-17 Thread Kelly Rusk
Hello all,

I am running Solr 6.6.2 in a Master/Slave setup. I need the managedschema file 
on the Master to replicate to the Slave servers. Does it:

- Get replicated automatically with the other files

OR
- Do I need to include this file to be replicated, and if so, how do I do this 
as managedschema doesn’t have a file extension to reference

OR

- something else entirely to meet my goal

Thank you,

Kelly


RE: Add Wildcard Certificate to Java Keystore

2018-08-13 Thread Kelly Rusk
I have solved the issue. We found out that the certificate we were provided had 
a special character in it. The keystore did not like the special character. 
Once I imported the .p12 to the Windows Server, I exported a pfx from it with a 
password that had no special characters.

After importing to the keystore via this command, all worked:

keytool -importkeystore -srckeystore C:\rs-pkgs\my.pfx -srcstoretype pkcs12 -destkeystore S:\Solr\solr-6.6.2\server\etc\solr-ssl.keystore.jks -deststoretype JKS

Kelly



-Original Message-
From: Kelly Rusk  
Sent: Monday, August 13, 2018 12:38 PM
To: solr-user@lucene.apache.org
Subject: RE: Add Wildcard Certificate to Java Keystore

Hi Chris,

All I have is the .p12 and password so it has already gone through the CSR 
process. How do I import this file into the keystore? On the Windows side, does 
it need to reside in the Personal Store or Trusted Root Store?

Kelly


-Original Message-
From: Christopher Schultz 
Sent: Monday, August 13, 2018 12:00 PM
To: solr-user@lucene.apache.org
Subject: Re: Add Wildcard Certificate to Java Keystore

Kelly,

On 8/13/18 11:55 AM, Kelly Rusk wrote:
> I have imported a Wildcard Certificate to my Java Keystore and it 
> displays, but when I pull up Internet Explorer and browse to my Solr 
> site, it fails to load and presents TLS errors.

What do you mean "it displays"?

How did you import your signed certificate into your keystore? What was in the 
keystore before you performed the import?

> Has anyone run into this, what commands do you run to import a Public 
> CA into Solr?

Generally, you want to generate a key+cert/CSR and send the CSR to a CA.
The CA signs it and returns it, typically with one or more intermediate 
certificates to build a chain of trust between the CA's root cert (present in 
browser trust stores) and your server's certificate (which was signed by a 
subordinate certificate, not directly by the CA's root cert).

Import them into your keystore in this order:

1. Highest (closest to the root) CA cert
2. [any other intermediate certs from the CA, in order]
3. Your server's cert

Most server software needs a bounce to reload the keystore.

-chris



RE: Add Wildcard Certificate to Java Keystore

2018-08-13 Thread Kelly Rusk
Hi Chris,

Thanks for the assistance. It is from a real CA. I was sent the .p12 Wildcard 
certificate and I need to use that to HTTPS my Solr address.

Kelly 


-Original Message-
From: Christopher Schultz  
Sent: Monday, August 13, 2018 12:59 PM
To: solr-user@lucene.apache.org
Subject: Re: Add Wildcard Certificate to Java Keystore

Kelly,

On 8/13/18 12:37 PM, Kelly Rusk wrote:
> All I have is the .p12 and password so it has already gone through the 
> CSR process. How do I import this file into the keystore?
Java's keytool won't merge keystores. You'll have to export the certificates 
from the PKCS12 file you got from your CA and import each of them separately 
into your own keystore.

> On the Windows side, does it need to reside in the Personal Store or 
> Trusted Root Store?
Umm... is this for a server certificate? If so, you definitely don't want to 
import any of those certificates into any system-wide or user-wide certificate 
trust stores.

Is this certificate signed by a real CA, or are you building your own, 
internal, private CA who is signing these certificates?

-chris

> -Original Message-
> From: Christopher Schultz
> Sent: Monday, August 13, 2018 12:00 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Add Wildcard Certificate to Java Keystore
> 
> Kelly,
> 
> On 8/13/18 11:55 AM, Kelly Rusk wrote:
>> I have imported a Wildcard Certificate to my Java Keystore and it 
>> displays, but when I pull up Internet Explorer and browse to my Solr 
>> site, it fails to load and presents TLS errors.
> 
> What do you mean "it displays"?
> 
> How did you import your signed certificate into your keystore? What 
> was in the keystore before you performed the import?
> 
>> Has anyone run into this, what commands do you run to import a Public 
>> CA into Solr?
> 
> Generally, you want to generate a key+cert/CSR and send the CSR to a 
> CA. The CA signs it and returns it, typically with one or more 
> intermediate certificates to build a chain of trust between the CA's 
> root cert (present in browser trust stores) and your server's 
> certificate (which was signed by a subordinate certificate, not 
> directly by the CA's root cert).
> 
> Import them into your keystore in this order:
> 
> 1. Highest (closest to the root) CA cert
> 2. [any other intermediate certs from the CA, in order]
> 3. Your server's cert
> 
> Most server software needs a bounce to reload the keystore.
> 
> -chris
> 



RE: Add Wildcard Certificate to Java Keystore

2018-08-13 Thread Kelly Rusk
Hi Chris,

All I have is the .p12 and password so it has already gone through the CSR 
process. How do I import this file into the keystore? On the Windows side, does 
it need to reside in the Personal Store or Trusted Root Store?

Kelly


-Original Message-
From: Christopher Schultz  
Sent: Monday, August 13, 2018 12:00 PM
To: solr-user@lucene.apache.org
Subject: Re: Add Wildcard Certificate to Java Keystore

Kelly,

On 8/13/18 11:55 AM, Kelly Rusk wrote:
> I have imported a Wildcard Certificate to my Java Keystore and it 
> displays, but when I pull up Internet Explorer and browse to my Solr 
> site, it fails to load and presents TLS errors.

What do you mean "it displays"?

How did you import your signed certificate into your keystore? What was in the 
keystore before you performed the import?

> Has anyone run into this, what commands do you run to import a Public 
> CA into Solr?

Generally, you want to generate a key+cert/CSR and send the CSR to a CA.
The CA signs it and returns it, typically with one or more intermediate 
certificates to build a chain of trust between the CA's root cert (present in 
browser trust stores) and your server's certificate (which was signed by a 
subordinate certificate, not directly by the CA's root cert).

Import them into your keystore in this order:

1. Highest (closest to the root) CA cert
2. [any other intermediate certs from the CA, in order]
3. Your server's cert

Most server software needs a bounce to reload the keystore.

-chris



Add Wildcard Certificate to Java Keystore

2018-08-13 Thread Kelly Rusk
Hi all,

I have imported a Wildcard Certificate to my Java Keystore and it displays, but 
when I pull up Internet Explorer and browse to my Solr site, it fails to load 
and presents TLS errors.

Has anyone run into this, what commands do you run to import a Public CA into 
Solr?

Regards,

Kelly


Re: Solr Multiple Hostnames

2018-08-11 Thread Kelly Rusk
Thank you Shawn!

Kelly

From: Shawn Heisey 
Sent: Saturday, August 11, 2018 12:01:21 AM
To: solr-user@lucene.apache.org
Subject: Re: Solr Multiple Hostnames

On 8/10/2018 11:12 AM, Kelly Rusk wrote:
> I want traffic passed over https to flow through the load balancer and 
> resolve on the Solr servers by an address of 
> https://solr.mydomain.com:8983/solr. The hostname I have set for the Solr 
> Master is master.mydomain.com and the Slave is slave.mydomain.com.
>
> So, are you stating that so long as my DNS has an entry for the domain of  
> https://solr.mydomain.com:8983/solr it should work, even if the individual 
> Solr servers have their host set as master.mydomain.com or slave.mydomain.com.

Any request you send that's properly formatted will be answered.  If DNS
sends it to Solr, the port is correct, the protocol is correct, and all
that, it should work.  You could have the following host header in the
HTTP request that Solr receives and it would work:

Host: wibble.frongle.spoof

The *load balancer* might care about the host header, but unless you
tweak the jetty config to accomplish something different than Solr ships
with, Solr will not care what the host header contains.  You won't even
*need* a Host header.

When you configure a replication slave, you give it a URL for the
master.  That must be a good URL, of course.  The master doesn't get
told about the slaves.

Thanks,
Shawn



RE: Solr Multiple Hostnames

2018-08-10 Thread Kelly Rusk
Hi Shawn,

I want traffic passed over https to flow through the load balancer and resolve 
on the Solr servers by an address of https://solr.mydomain.com:8983/solr. The 
hostname I have set for the Solr Master is master.mydomain.com and the Slave is 
slave.mydomain.com.

So, are you stating that so long as my DNS has an entry for the domain of  
https://solr.mydomain.com:8983/solr it should work, even if the individual Solr 
servers have their host set as master.mydomain.com or slave.mydomain.com.

Regards,

Kelly

-Original Message-
From: Shawn Heisey  
Sent: Thursday, August 9, 2018 11:00 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr Multiple Hostnames

On 8/9/2018 8:37 PM, Kelly Rusk wrote:
> Is it possible to have multiple hostnames for a single Solr node, akin to an 
> IIS Website with multiple host headers?

Solr doesn't pay attention to any host header in the HTTP request.  If Solr 
receives the traffic on its TCP port, it will answer, no matter what host value 
you send.  It's not possible to configure even one name, let alone multiple 
names.

What is it that you're trying to accomplish that has you thinking you need to 
add another hostname?  I read your message, but I do not see the end goal.

https://home.apache.org/~hossman/#xyproblem

Thanks,
Shawn



Solr Multiple Hostnames

2018-08-09 Thread Kelly Rusk
Hello all,

Is it possible to have multiple hostnames for a single Solr node, akin to an IIS 
Website with multiple host headers?

My scenario is that I have a Master/Slave configuration with a load balancer in 
front. The Master has a url of https://master-solr.mydomain.com and the Slave a 
url of https://slave-solr.mydomain.com.

The Slave node looks to the Master URL in its config for replication.

The load balancer routes to either the Master or Slave node. To date, I put a 
domain name on the load balancer and pointed traffic to that endpoint to then 
route to either Master or Slave. (Using a SANS Cert that has the Master, Slave, 
and LB URL).

What I want is to add a second hostname to each Solr server, such as 
https://solr.mydomain.com so that I target this endpoint and it routes through 
the LB instead of needing a domain name on the LB for the endpoint.

What I have found so far is that I can only set a single hostname in Solr.

Any ideas? What have others done?

Regards,

Kelly


RE: Self Signed Certificate for Load Balancer and Solr Nodes

2018-06-01 Thread Kelly Rusk
Thank you Chris,

Per the sans, we had attempted that, but had already generated some 
certificates. I will see if we can back out of that with a fresh install using 
sans. I will give the first option a try, and appreciate the assistance.

Regards,

Kelly

-Original Message-
From: Christopher Schultz  
Sent: Friday, June 1, 2018 5:59 PM
To: solr-user@lucene.apache.org
Subject: Re: Self Signed Certificate for Load Balancer and Solr Nodes

Kelly,

On 6/1/18 5:41 PM, Kelly Rusk wrote:
> I can directly connect to either node without issue, it is only when 
> the Load Balancer routes to either solr1 or solr2 that I get the 
> security error (ex. https://solrlb.com:8983/solr). The Load Balancer 
> is not managing HTTPS but just acting as a pure TCP proxy.
> Nothing more complex than sending traffic to either solr1 or solr2... 
> however, the URL will be displayed as solrlb.com as it hides the real 
> address of what is being routed to.
> 
> In this case, do we need a certificate for solrlb.com installed on 
> both solr1 and solr2?

That's exactly what you need. It would be best to:

1. Create a certificate for solrlb.com
2. Install the same key + certificate on both Solr nodes
3. Always use solrlb.com for any links and redirects you generate

Optionally, you could add SANs for that certificate for both solr1 and
solr2 just in case you want to be able to connect directly to either back-end 
node without getting hostname mismatch complaints.

> In our previous environments we used the same load balancer setup,  
> but that worked since the Solr nodes were serving over http and not 
> https.
You probably never noticed that redirects were occurring that were sending 
users to a particular node instead of always using the lb's hostname because 
there was never anything double-checking the hostname.

In your previous message, you mentioned that you got an error message including 
the hostname "b-win-solr-01.azure-dfa.com" which probably isn't your 
load-balancer's hostname. That suggests to me that some kind of redirect (or 
similar) is occurring and that the redirect doesn't understand that there is a 
reverse-proxy/lb out in front of the node.

Hope that helps,
-chris

> -Original Message-
> From: Shawn Heisey
> Sent: Friday, June 1, 2018 5:25 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Self Signed Certificate for Load Balancer and Solr Nodes
> 
> On 6/1/2018 2:01 PM, Kelly Rusk wrote:
>> We have solr1.com and solr2.com self-signed certs that correspond to 
>> the two servers. We also have a load balancer with an address named 
>> solrlb.com. When we hit the load balancer it gives us an SSL error, 
>> as it is passing us back to either solr1.com or solr2.com, but since 
>> these two Solr servers only have each other's self-signed cert 
>> installed in their Keystore, it doesn't resolve when it comes in 
>> through the load balanced address of solrlb.com.
>> 
>> We tried a san certificate that has all 3 addresses, but when we do 
>> this, we get the following error:
>> 
>> This page can't be displayed Turn on TLS 1.0, TLS 1.1, and TLS
>> 1.2 in Advanced settings and try connecting to
>> https://b-win-solr-01.azure-dfa.com:8983  again. If this error 
>> persists, it is possible that this site uses an unsupported protocol 
>> or cipher suite such as RC4 (link for the details), which is not 
>> considered secure. Please contact your site administrator.
> 
> One really important question is whether the load balancer acts as a 
> pure TCP proxy, or whether the load balancer is configured with a 
> certificate and handles HTTPS itself.
> 
> If the load balancer is handling HTTPS, it's very likely that the load 
> balancer either cannot use modern TLS protocols and/or ciphers, or 
> that it has the modern protocols/ciphers turned off.
> There's probably nothing that we can do to help you in this situation.  
> You will need to find support for your load balancer.
> 
> If the load balancer is just a TCP proxy and lets the back end server 
> handle HTTPS, then you may need to ensure that you're running a very 
> recent version of Java 8.  You may also need to install the JCE policy 
> files for unlimited strength encryption into your Java.  I see from 
> other messages on the list that you're running Solr 6.6.2, so it would 
> not be a good idea for you to use Java 9 or Java 10.  If you need 
> them, the JCE policy files for Java
> 8 can be found here:
> 
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
>
>  One thing you didn't explicitly mention is whether the connection 
> works when talking directly to one 

RE: Self Signed Certificate for Load Balancer and Solr Nodes

2018-06-01 Thread Kelly Rusk
Thank you Shawn,

I can directly connect to either node without issue, it is only when the Load 
Balancer routes to either solr1 or solr2 that I get the security error (ex. 
https://solrlb.com:8983/solr). The Load Balancer is not managing HTTPS but just 
acting as a pure TCP proxy. Nothing more complex than sending traffic to either 
solr1 or solr2... however, the URL will be displayed as solrlb.com as it hides 
the real address of what is being routed to. 

In this case, do we need a certificate for solrlb.com installed on both solr1 
and solr2?

In our previous environments we used the same load balancer setup, but that 
worked since the Solr nodes were serving over http and not https.

Regards,

Kelly

-Original Message-
From: Shawn Heisey  
Sent: Friday, June 1, 2018 5:25 PM
To: solr-user@lucene.apache.org
Subject: Re: Self Signed Certificate for Load Balancer and Solr Nodes

On 6/1/2018 2:01 PM, Kelly Rusk wrote:
> We have solr1.com and solr2.com self-signed certs that correspond to the two 
> servers. We also have a load balancer with an address named solrlb.com. When 
> we hit the load balancer it gives us an SSL error, as it is passing us back 
> to either solr1.com or solr2.com, but since these two Solr servers only have 
> each other's self-signed cert installed in their Keystore, it doesn't resolve 
> when it comes in through the load balanced address of solrlb.com.
>
> We tried a san certificate that has all 3 addresses, but when we do this, we 
> get the following error:
>
> This page can't be displayed
> Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting 
> to https://b-win-solr-01.azure-dfa.com:8983  again. If this error persists, 
> it is possible that this site uses an unsupported protocol or cipher suite 
> such as RC4 (link for the details), which is not considered secure. Please 
> contact your site administrator.

One really important question is whether the load balancer acts as a pure TCP 
proxy, or whether the load balancer is configured with a certificate and 
handles HTTPS itself.

If the load balancer is handling HTTPS, it's very likely that the load balancer 
either cannot use modern TLS protocols and/or ciphers, or that it has the 
modern protocols/ciphers turned off.  There's probably nothing that we can do 
to help you in this situation.  You will need to find support for your load 
balancer.

If the load balancer is just a TCP proxy and lets the back end server handle 
HTTPS, then you may need to ensure that you're running a very recent version of 
Java 8.  You may also need to install the JCE policy files for unlimited 
strength encryption into your Java.  I see from other messages on the list that 
you're running Solr 6.6.2, so it would not be a good idea for you to use Java 9 
or Java 10.  If you need them, the JCE policy files for Java 8 can be found 
here:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

One thing you didn't explicitly mention is whether the connection works when 
talking directly to one of the Solr servers instead of the load balancer.  If 
that works, then your Java version is probably fine, and it's even more 
evidence that the problem is on the load balancer.

Thanks,
Shawn




Self Signed Certificate for Load Balancer and Solr Nodes

2018-06-01 Thread Kelly Rusk
Hello all,

We are using self-signed certificates for our two servers in an HTTPS 
Master/Slave configuration running on Windows (please no discussions about the 
merits of Linux vs. Windows for Solr, it's a requirement).

We have solr1.com and solr2.com self-signed certs that correspond to the two 
servers. We also have a load balancer with an address named solrlb.com. When we 
hit the load balancer it gives us an SSL error, as it is passing us back to 
either solr1.com or solr2.com, but since these two Solr servers only have each 
other's self-signed cert installed in their Keystore, it doesn't resolve when 
it comes in through the load balanced address of solrlb.com.

We tried a san certificate that has all 3 addresses, but when we do this, we 
get the following error:

This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting 
to https://b-win-solr-01.azure-dfa.com:8983  again. If this error persists, it 
is possible that this site uses an unsupported protocol or cipher suite such as 
RC4 (link for the details), which is not considered secure. Please contact your 
site administrator.

What is the correct method of using a self-signed certificate or certificates 
so that the pass thru Load Balancer address of solrlb.com that will either 
route to solr1 or solr2 works?

Regards,

Kelly
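
Added example, not part of any message in this thread: a hostname check that shows why a certificate issued only for solr1.com fails when the client connects as solrlb.com through a pass-through load balancer, and which names a shared SAN or wildcard certificate covers. The SAN lists are constructed from the hostnames mentioned in the threads above; the wildcard name *.mydomain.com and all function names are assumptions.

```python
"""Which client-facing hostnames do a certificate's DNS SAN entries cover?

Added example. Sample SAN lists are constructed from hostnames in the
thread; "*.mydomain.com" is an assumed wildcard name.
"""
from typing import Dict, Iterable, List


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(hostname: str, pattern: str) -> bool:
    """Return True if a single DNS SAN entry covers hostname.

    Strict matching as browsers apply it:
      * a wildcard must be the entire left-most label ("*.example.com");
      * it stands for exactly one label, so it covers neither the bare
        domain nor names two levels down;
      * all remaining labels must be identical.
    """
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host:
        return False
    if any("*" in label for label in pat[1:]):
        return False  # wildcard outside the left-most label
    if pat[0] == "*":
        # Refuse wildcards directly under a top-level label ("*.com").
        return len(pat) >= 3 and host[1:] == pat[1:]
    if "*" in pat[0]:
        return False  # partial wildcard such as "solr*.example.com"
    return host == pat


def covered(hostname: str, sans: Iterable[str]) -> bool:
    """True if any SAN entry on the certificate covers hostname."""
    return any(san_matches(hostname, san) for san in sans)


def coverage(sans: Iterable[str], names_in_use: Iterable[str]) -> Dict[str, bool]:
    """Map every name clients type into the browser to covered / not covered."""
    sans = list(sans)
    return {name: covered(name, sans) for name in names_in_use}


def keytool_san_ext(names: Iterable[str]) -> str:
    """Build the value for keytool's -ext option listing each name as a DNS SAN."""
    return "SAN=" + ",".join("dns:" + n for n in names)


# Constructed scenarios using the hostnames from the thread.
NAMES_CLIENTS_USE = ["solrlb.com", "solr1.com", "solr2.com"]
PER_NODE_CERT = ["solr1.com"]                           # node-specific cert
SHARED_CERT = ["solrlb.com", "solr1.com", "solr2.com"]  # one cert, three SANs
WILDCARD_CERT = ["*.mydomain.com"]                      # assumed wildcard name
WILDCARD_NAMES = ["solr.mydomain.com", "master.mydomain.com",
                  "mydomain.com", "a.solr.mydomain.com"]


if __name__ == "__main__":
    print("per-node cert :", coverage(PER_NODE_CERT, NAMES_CLIENTS_USE))
    print("shared cert   :", coverage(SHARED_CERT, NAMES_CLIENTS_USE))
    print("wildcard cert :", coverage(WILDCARD_CERT, WILDCARD_NAMES))
    print("keytool -ext  :", keytool_san_ext(SHARED_CERT))
```

A TCP pass-through load balancer does not change the certificate the node presents, so the name the client connects to must appear in that node's SAN list.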


RE: Replicate managed-schema in Solr Master/Slave Configuration

2018-05-31 Thread Kelly Rusk
Thanks Erick,

I have made changes on the Master/indexing that are replicated to the Slave and 
the managed-schema does not come over. Sounds like a JIRA entry may be in 
order. How do I go about doing that? I am not using ConfigSets as each Core has 
its own unique Schema.

Regards,

Kelly

-Original Message-
From: Erick Erickson  
Sent: Thursday, May 31, 2018 8:50 PM
To: solr-user 
Subject: Re: Replicate managed-schema in Solr Master/Slave Configuration

On a quick glance at the code, I don't see anything requiring an xml extension 
for the managed schema. I suppose it's possible that the hyphen is messing 
things up.

You should see a message like:

"Adding config files to list: " ..  on replication if you turn on 
debug-level logging.

At worst, you could change the _name_ of your schema by changing solrconfig.xml 
like below.


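<schemaFactory class="ManagedIndexSchemaFactory">
  <bool name="mutable">true</bool>
  <str name="managedSchemaResourceName">managed-schema</str>
</schemaFactory>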

But I'll emphasize that you should _not_ have to do this from a quick code 
inspection. Have you changed your index since changing the managed schema? 
Replication doesn't do anything unless the index on the master is changed 
relative to the slave.

And are you using configsets?

If the schema has changed _and_ you see a replication happens (i.e.
new docs appear on the slaves) _and_ the managed-schema still isn't replicated, 
that would merit a JIRA.

Best,
Erick

On Thu, May 31, 2018 at 3:35 PM, Kelly Rusk  wrote:
> Hello all,
> I need to replicate the managed-schema in my Solr 6.6.2 Master/Slave 
> environment and have added the necessary replication handlers. However, as 
> the managed-schema does not have a file extension it doesn't seem to get 
> picked up/replicated:
> <str name="confFiles">schema.xml,managed-schema,stopwords.txt</str>
> How can I replicate the managed-schema file if it has no file extension?
> Regards,
> Kelly
>
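The condition Erick describes (configuration files are only pulled when the master's index has changed relative to the slave) can be exercised on purpose. The batch script below is an added example, not part of the thread; the core name, the `id` uniqueKey field, the master/slave host roles and the `solr.crt` file are assumptions.

```bat
@echo off
REM Added example, not from the thread. Assumed: core "mycore", uniqueKey
REM field "id" with no other required fields, solr1.com as master and
REM solr2.com as slave, curl available on the PATH.
setlocal
set CORE=mycore
set MASTER=https://solr1.com:8983/solr/%CORE%
set SLAVE=https://solr2.com:8983/solr/%CORE%
REM PEM copy of the certificate the servers present (assumed file name).
REM Clear this variable if the certificate is already trusted by the OS.
set CURL_TLS=--cacert solr.crt

REM 1. Change the master's index: add one throwaway document and commit.
curl -sS %CURL_TLS% -H "Content-Type: application/json" ^
  -d "[{\"id\":\"replication-probe\"}]" "%MASTER%/update?commit=true"
if errorlevel 1 exit /b 1

REM 2. Ask the slave to pull now instead of waiting for its poll interval.
REM    fetchindex returns immediately; the copy runs in the background.
curl -sS %CURL_TLS% "%SLAVE%/replication?command=fetchindex"
if errorlevel 1 exit /b 1

REM 3. Inspect the slave's replication status, then compare the
REM    managed-schema files on both servers.
curl -sS %CURL_TLS% "%SLAVE%/replication?command=details&wt=json"

REM 4. Remove the probe document from the master again.
curl -sS %CURL_TLS% -H "Content-Type: application/json" ^
  -d "{\"delete\":{\"id\":\"replication-probe\"}}" "%MASTER%/update?commit=true"
endlocal
```

With debug-level logging enabled, the "Adding config files to list: " message quoted above shows which configuration files were considered for replication.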



Replicate managed-schema in Solr Master/Slave Configuration

2018-05-31 Thread Kelly Rusk
Hello all,
I need to replicate the managed-schema in my Solr 6.6.2 Master/Slave 
environment and have added the necessary replication handlers. However, as the 
managed-schema does not have a file extension it doesn't seem to get picked 
up/replicated:
<str name="confFiles">schema.xml,managed-schema,stopwords.txt</str>
How can I replicate the managed-schema file if it has no file extension?
Regards,
Kelly



RE: Solr 6.6.2 Master/Slave SSL Replication Error

2018-04-23 Thread Kelly Rusk
Hello all,

I added the incorrect certificate and can clearly see the certificate in my 
keystore when I run the following command:

keytool -list -v -keystore D:\Solr\solr-6.6.2\server\etc\solr-ssl.keystore.pfx 
-storepass mypass

However, I can't remove it as this command states "keytool error: 
java.lang.Exception: Alias  does not exist":

keytool -delete -alias "MyCert" -keystore 
D:\Solr\solr-6.6.2\server\etc\solr-ssl.keystore.pfx -storepass mypass

How can it show it in the store, but not delete it? If I try to import it 
again, it says it can't import because it already exists in the store!

Thanks,

Kelly

-----Original Message-----
From: Kelly Rusk [mailto:kelly.r...@rackspace.com] 
Sent: Sunday, April 22, 2018 8:51 PM
To: solr-user@lucene.apache.org; solr-user@lucene.apache.org
Subject: Re: Solr 6.6.2 Master/Slave SSL Replication Error

Makes perfect sense! Should I use the key tool to import the Certs? If so, do 
you have an example you prefer or should I just pull from the docs?

Regards,

Kelly
_
From: Shawn Heisey 
Sent: Sunday, April 22, 2018 8:40 PM
Subject: Re: Solr 6.6.2 Master/Slave SSL Replication Error
To: 


On 4/22/2018 6:27 PM, Kelly Rusk wrote:
> Thanks for the assistance. The Master Server has a self-signed Cert with its 
> machine name, and the Slave has a self-signed Cert with its machine name.
>
> They have identical configurations, and I created a keystore per server. 
> Should I import the self-signed Cert into each other's keystore? Or are you 
> stating that I need to copy the keystore over to the Slave instead of having 
> the one I created?

For the way you have it now, the trust store will need all of the certificates 
of all of the servers.  It's the remote certificate that must be validated, so 
having just the local certificate in the trust store doesn't do you any good.

A better option would be to have one certificate that covers all of the names 
you're using, and have all the servers set up identically.

Thanks,
Shawn






Re: Solr 6.6.2 Master/Slave SSL Replication Error

2018-04-22 Thread Kelly Rusk
Makes perfect sense! Should I use the key tool to import the Certs? If so, do 
you have an example you prefer or should I just pull from the docs?

Regards,

Kelly
_
From: Shawn Heisey 
Sent: Sunday, April 22, 2018 8:40 PM
Subject: Re: Solr 6.6.2 Master/Slave SSL Replication Error
To: 


On 4/22/2018 6:27 PM, Kelly Rusk wrote:
> Thanks for the assistance. The Master Server has a self-signed Cert with its 
> machine name, and the Slave has a self-signed Cert with its machine name.
>
> They have identical configurations, and I created a keystore per server. 
> Should I import the self-signed Cert into each other’s keystore? Or are you 
> stating that I need to copy the keystore over to the Slave instead of having 
> the one I created?

For the way you have it now, the trust store will need all of the
certificates of all of the servers.  It's the remote certificate that
must be validated, so having just the local certificate in the trust
store doesn't do you any good.

A better option would be to have one certificate that covers all of the
names you're using, and have all the servers set up identically.

Thanks,
Shawn






Re: Solr 6.6.2 Master/Slave SSL Replication Error

2018-04-22 Thread Kelly Rusk
Hi Shawn,

Thanks for the assistance. The Master Server has a self-signed Cert with its 
machine name, and the Slave has a self-signed Cert with its machine name.

They have identical configurations, and I created a keystore per server. Should 
I import the self-signed Cert into each other’s keystore? Or are you stating 
that I need to copy the keystore over to the Slave instead of having the one I 
created?

Regards,

Kelly
_
From: Shawn Heisey 
Sent: Sunday, April 22, 2018 7:56 PM
Subject: Re: Solr 6.6.2 Master/Slave SSL Replication Error
To: 


On 4/22/2018 4:40 PM, Kelly Rusk wrote:
> I already have a key store/trust store and my settings are as follows:
>
> set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> set SOLR_SSL_KEY_STORE_PASSWORD=secret
> set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> set SOLR_SSL_TRUST_STORE_PASSWORD=secret
> REM Require clients to authenticate
> set SOLR_SSL_NEED_CLIENT_AUTH=false
> REM Enable clients to authenticate (but not require)
> set SOLR_SSL_WANT_CLIENT_AUTH=false
>
> I am using a Master/Slave config, not a SolrCloud.
>
> How would I add the self-signed Cert I created on my Master node to the Slave 
> node? Is that what you are recommending?

You will need the same SSL config, including both the key store and the
trust store, on all Solr servers.  Put the keystore file and the
config above on all of them.  This should allow everything to work.

I'm assuming that the keystore file contains just the self-signed cert
and its private key?

Thanks,
Shawn






Re: Solr 6.6.2 Master/Slave SSL Replication Error

2018-04-22 Thread Kelly Rusk
Thanks Chris,

I already have a key store/trust store and my settings are as follows:

set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false

I am using a Master/Slave config, not a SolrCloud.

How would I add the self-signed Cert I created on my Master node to the Slave 
node? Is that what you are recommending?

Regards,

Kelly
_
From: Chris Hostetter 
Sent: Sunday, April 22, 2018 5:43 PM
Subject: Re: Solr 6.6.2 Master/Slave SSL Replication Error
To: 



You need to configure Solr to use a "truststore" that contains the
certificate you want it to trust. With a solr cloud setup, that usually
involves configuring the "keystore" and the "truststore" to both contain
the same keys...

https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html


: Date: Sat, 21 Apr 2018 14:40:08 -0700 (MST)
: From: kway 
: Reply-To: solr-user@lucene.apache.org
: To: solr-user@lucene.apache.org
: Subject: Re: Solr 6.6.2 Master/Slave SSL Replication Error
:
: ... looking at this line, I am wondering if this is an issue because I am
: using a Self-Signed Certificate:
:
: Caused by: javax.net.ssl.SSLHandshakeException:
: sun.security.validator.ValidatorException: PKIX path building failed:
: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
: valid certification path to requested target
:
: How would I get this to work with a self-signed cert?
:
: Regards,
:
: Kelly
:
:
:
: --
: Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
:

-Hoss
http://www.lucidworks.com/
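The two approaches discussed in this thread (one certificate covering every name, or per-server certificates imported into each other's trust store) map onto keytool as follows. This batch script is an added example, not from the thread or the Solr project; the alias `solr-ssl`, the `-dname` fields and the certificate file names are assumptions, while the keystore name, password and host names are the ones quoted in the messages.

```bat
@echo off
REM Added example, not from the thread. Run from Solr's server\etc directory.
REM Assumed values: alias solr-ssl, placeholder -dname fields. Keystore name
REM and password match the SOLR_SSL_* settings quoted in the thread.
setlocal
set KS=solr-ssl.keystore.jks
set PASS=secret
if /i "%~1"=="shared" goto shared
if /i "%~1"=="export" goto export
if /i "%~1"=="trust"  goto trust
echo usage: %~nx0 shared ^| export ^<out.crt^> ^| trust ^<alias^> ^<peer.crt^>
exit /b 1

:shared
REM One key pair whose SAN lists every name used to reach Solr. Generate it
REM once, then copy this keystore file to every server.
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 365 ^
  -keystore %KS% -storepass %PASS% -keypass %PASS% ^
  -dname "CN=solrlb.com, OU=Example, O=Example, L=City, ST=State, C=US" ^
  -ext SAN=DNS:solrlb.com,DNS:solr1.com,DNS:solr2.com || exit /b 1
goto verify

:export
REM Per-server certificates: write this server's public certificate only.
REM The private key never leaves the keystore.
keytool -exportcert -alias solr-ssl -keystore %KS% -storepass %PASS% ^
  -rfc -file "%~2" || exit /b 1
goto verify

:trust
REM Per-server certificates: trust the peer's certificate under its own alias.
keytool -importcert -alias "%~2" -file "%~3" -keystore %KS% ^
  -storepass %PASS% -noprompt || exit /b 1
goto verify

:verify
REM PrivateKeyEntry is this server's identity; trustedCertEntry is a peer
REM whose certificate will validate during replication.
keytool -list -keystore %KS% -storepass %PASS%
endlocal
```

Leaving out `-storepass` makes keytool prompt for the password, which keeps it out of scripts and command history.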