RE: SolrCloud (6.6.6) SSL Setup - Unable to create collection

2020-09-04 Thread Victor Kretzer
I solved my problem by using just the certificate from my first node and 
copying that to the second node. I'm not sure whether all three are necessary, 
but I copied: 
*   solr-ssl.keystore.jks
*   solr-ssl-keystore.p12
*   solr-ssl.pem.
If you originally made separate certificates for each node, make sure that on 
the additional nodes you remove those cert files before adding the files from 
the first node. I moved mine to a backup folder I created because I wasn't sure 
what I was trying would work but I think that was unnecessary.

Victor 

-Original Message-
From: Victor Kretzer  
Sent: Thursday, September 3, 2020 3:03 PM
To: solr-user@lucene.apache.org
Subject: SolrCloud (6.6.6) SSL Setup - Unable to create collection

BACKGROUND: I'm attempting to set up SolrCloud (Solr 6.6.6) with an external 
zookeeper ensemble on Azure. I have three dedicated vms for the zookeeper 
ensemble and two for solr all running Ubuntu 18.04 LTS. I'm new to Solr (and 
Linux) and have been heavily relying on the Solr Ref Guide 6.6, most recently 
the following section on enabling ssl:

https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html

So far I have:

*   Installed and set up zookeeper
*   Installed Solr (using install_solr_service.sh script) on both vms.
*   Followed the steps under Basic SSL Setup, generating certificates on each 
    of the nodes.
*   Set the cluster-wide property to https per the Configure Zookeeper section 
    of SolrCloud in the document
*   Started both nodes and have been able to navigate to them in my browser 
    with https


If I do bin/solr status I get:

Solr process 13106 running on port 8983
{
  "solr_home":"/opt/solr-6.6.6/cloud/test2",
  "version":"6.6.6 68fa249034ba8b273955f20097700dc2fbb7a800 - ishan - 2019-03-29 09:13:13",
  "startTime":"2020-09-03T18:15:34.092Z",
  "uptime":"0 days, 0 hours, 43 minutes, 29 seconds",
  "memory":"52.7 MB (%10.7) of 490.7 MB",
  "cloud":{
    "ZooKeeper":"zk1:2181,zk2:2181,zk3:2181/solr",
    "liveNodes":"2",
    "collections":"0"}}

THE ISSUE

When I try to create a collection using the steps outlined in the above 
document, I get the following error:



azureuser@solr-node-01-test:/opt/solr$ sudo bin/solr create -c mycollection -shards 2 -force

Connecting to ZooKeeper at zk1:2181,zk2:2181,zk3:2181/solr ...
INFO  - 2020-09-03 18:21:26.784; org.apache.solr.client.solrj.impl.ZkClientClusterStateProvider; Cluster at zk1:2181,zk2:2181,zk3:2181/solr ready
Re-using existing configuration directory mycollection

Creating new collection 'mycollection' using command:
https://Solr1:8983/solr/admin/collections?action=CREATE=mycollection=2=1=1=mycollection

ERROR: Failed to create collection 'mycollection' due to: {Solr2:8983_solr=org.apache.solr.client.solrj.SolrServerException:IOException occured when talking to server at: https://Solr2:8983/solr}

*I've attached logs at the bottom of this email.



QUESTIONS:

What am I doing wrong and how can I fix it?

Was I right to create separate certificates on each of the nodes (one cert on 
vm1, another cert on vm 2)?

Do I need to copy the certs for each node into the other (if so how)?



CONCLUSION

Thank you so much in advance and if there's any other information you need 
please let me know.

Victor

2020-09-03 18:15:35.240 INFO  (zkCallback-5-thread-1-processing-n:Solr1:8983_solr) [   ] o.a.s.c.c.ZkStateReader Updated live nodes from ZooKeeper... (1) -> (2)
2020-09-03 18:15:40.124 INFO  (qtp401424608-45) [   ] o.a.s.c.TransientSolrCoreCacheDefault Allocating transient cache for 2147483647 transient cores
2020-09-03 18:15:40.124 INFO  (qtp401424608-45) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false=json&_=1599156956818} status=0 QTime=23
2020-09-03 18:15:40.134 INFO  (qtp401424608-20) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/info/system params={wt=json&_=1599156956818} status=0 QTime=29
2020-09-03 18:15:40.171 INFO  (qtp401424608-13) [   ] o.a.s.h.a.CollectionsHandler Invoked Collection Action :list with params action=LIST=json&_=1599156956818 and sendToOCPQueue=true
2020-09-03 18:15:40.172 INFO  (qtp401424608-13) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/collections params={action=LIST=json&_=1599156956818} status=0 QTime=1
2020-09-03 18:15:40.174 INFO  (qtp401424608-16) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/info/system params={wt=json&_=1599156956818} status=0 QTime=8
2020-09-03 18:15:58.225 INFO  (qtp401424608-14) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false=json&_=1599156974989} status=0 QTime=0
2020-09-03 18:15:58.231 INFO  (qtp401424608-13) [   ] 
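
An added illustration, not part of the original thread or of Solr: assuming the collection-create failure came from each node holding its own self-signed certificate that the other node did not trust, this script reproduces that state with openssl and shows which node-to-node connections validate before and after the certificates are shared. The file names, the Solr1/Solr2 CNs, and the use of `openssl verify` in place of the Java trust store check are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): node names, CNs and file names are
# constructed; `openssl verify` stands in for the JVM's trust store check.

# Create a self-signed certificate and key for one node, CN = node name.
make_node_cert() {
  local name="$1" dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${name}" \
    -keyout "${dir}/${name}.key" -out "${dir}/${name}.pem" 2>/dev/null
}

# Succeed only if peercert validates against the certificates in trustfile.
trusts() {
  local trustfile="$1" peercert="$2"
  openssl verify -CAfile "$trustfile" "$peercert" >/dev/null 2>&1
}

# Print, for every ordered pair of nodes, whether the caller accepts the peer.
trust_matrix() {
  local dir="$1" from to; shift
  for from in "$@"; do
    for to in "$@"; do
      if [ "$from" = "$to" ]; then continue; fi
      if trusts "${dir}/${from}.trust.pem" "${dir}/${to}.pem"; then
        echo "${from} -> ${to}: trusted"
      else
        echo "${from} -> ${to}: REJECTED"
      fi
    done
  done
}

demo() {
  local dir; dir="$(mktemp -d)"
  make_node_cert Solr1 "$dir"; make_node_cert Solr2 "$dir"
  echo "Separate certificate per node, each node trusts only its own:"
  cp "$dir/Solr1.pem" "$dir/Solr1.trust.pem"
  cp "$dir/Solr2.pem" "$dir/Solr2.trust.pem"
  trust_matrix "$dir" Solr1 Solr2
  echo "Every node's trust file holds every node's certificate:"
  cat "$dir/Solr1.pem" "$dir/Solr2.pem" > "$dir/Solr1.trust.pem"
  cp "$dir/Solr1.trust.pem" "$dir/Solr2.trust.pem"
  trust_matrix "$dir" Solr1 Solr2
  rm -rf "$dir"
}

demo
```

Copying one node's keystore files to every node, as in the reply above, reaches the same end state by a different route: each node's own certificate is then identical to the one its peers present.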

Re: SolrCloud - Enable SSL

2015-01-15 Thread Hrishikesh Gadre
OK. I think I have figured this out.

https://issues.apache.org/jira/browse/SOLR-5610

On Thu, Jan 15, 2015 at 6:00 PM, Hrishikesh Gadre gadre.s...@gmail.com wrote:

> Hi,
>
> If we need to enable SSL configuration for an existing Solr cluster
> (hosting one or more collections), do we need to manually update the
> clusterstate.json file? Or is there any API available which would serve the
> purpose?
>
> As per the Solr wiki, we need to set the urlScheme property to https
>
> https://cwiki.apache.org/confluence/display/solr/Enabling+SSL#EnablingSSL-SolrCloud
>
> Thanks
> Hrishikesh




Re: SolrCloud on SSL

2013-10-17 Thread Christopher Gross
Tim, if a separate VLAN was an option, I wouldn't be trying to use SSL.

-- Chris


On Wed, Oct 16, 2013 at 7:27 PM, Tim Vaillancourt t...@elementspace.com wrote:

> Not important, but I'm also curious why you would want SSL on Solr (adds
> overhead, complexity, harder-to-troubleshoot, etc)?
>
> To avoid the overhead, could you put Solr on a separate VLAN (with ACLs to
> client servers)?
>
> Cheers,
>
> Tim
>
>
> On 12 October 2013 17:30, Shawn Heisey s...@elyograg.org wrote:
>
> > On 10/11/2013 9:38 AM, Christopher Gross wrote:
> > > On Fri, Oct 11, 2013 at 11:08 AM, Shawn Heisey s...@elyograg.org wrote:
> > >
> > > > On 10/11/2013 8:17 AM, Christopher Gross wrote:
> > > > > Is there a spot in a Solr configuration that I can set this up to use
> > > > > HTTPS?
> > > >
> > > > From what I can tell, not yet.
> > > >
> > > > https://issues.apache.org/jira/browse/SOLR-3854
> > > > https://issues.apache.org/jira/browse/SOLR-4407
> > > > https://issues.apache.org/jira/browse/SOLR-4470
> > >
> > > Dang.
> >
> > Christopher,
> >
> > I was just looking through Solr source code for a completely different
> > issue, and it seems that there *IS* a way to do this in your
> > configuration.
> >
> > If you were to use "https://hostname" or "https://ipaddress" as the
> > "host" parameter in your solr.xml file on each machine, it should do
> > what you want.  The parameter is described here, but not the behavior
> > that I have discovered:
> >
> > http://wiki.apache.org/solr/SolrCloud#SolrCloud_Instance_Params
> >
> > Boring details: In the org.apache.solr.cloud package, there is a
> > ZkController class.  The getHostAddress method is where I discovered
> > that you can do this.
> >
> > If you could try this out and confirm that it works, I will get the wiki
> > page updated and look into the Solr reference guide as well.
> >
> > Thanks,
> > Shawn
 



Re: SolrCloud on SSL

2013-10-16 Thread Tim Vaillancourt
Not important, but I'm also curious why you would want SSL on Solr (adds
overhead, complexity, harder-to-troubleshoot, etc)?

To avoid the overhead, could you put Solr on a separate VLAN (with ACLs to
client servers)?

Cheers,

Tim


On 12 October 2013 17:30, Shawn Heisey s...@elyograg.org wrote:

> On 10/11/2013 9:38 AM, Christopher Gross wrote:
> > On Fri, Oct 11, 2013 at 11:08 AM, Shawn Heisey s...@elyograg.org wrote:
> >
> > > On 10/11/2013 8:17 AM, Christopher Gross wrote:
> > > > Is there a spot in a Solr configuration that I can set this up to use
> > > > HTTPS?
> > >
> > > From what I can tell, not yet.
> > >
> > > https://issues.apache.org/jira/browse/SOLR-3854
> > > https://issues.apache.org/jira/browse/SOLR-4407
> > > https://issues.apache.org/jira/browse/SOLR-4470
> >
> > Dang.
>
> Christopher,
>
> I was just looking through Solr source code for a completely different
> issue, and it seems that there *IS* a way to do this in your configuration.
>
> If you were to use "https://hostname" or "https://ipaddress" as the
> "host" parameter in your solr.xml file on each machine, it should do
> what you want.  The parameter is described here, but not the behavior
> that I have discovered:
>
> http://wiki.apache.org/solr/SolrCloud#SolrCloud_Instance_Params
>
> Boring details: In the org.apache.solr.cloud package, there is a
> ZkController class.  The getHostAddress method is where I discovered
> that you can do this.
>
> If you could try this out and confirm that it works, I will get the wiki
> page updated and look into the Solr reference guide as well.
>
> Thanks,
> Shawn




Re: SolrCloud on SSL

2013-10-12 Thread Shawn Heisey
On 10/11/2013 9:38 AM, Christopher Gross wrote:
> On Fri, Oct 11, 2013 at 11:08 AM, Shawn Heisey s...@elyograg.org wrote:
>
> > On 10/11/2013 8:17 AM, Christopher Gross wrote:
> > > Is there a spot in a Solr configuration that I can set this up to use
> > > HTTPS?
> >
> > From what I can tell, not yet.
> >
> > https://issues.apache.org/jira/browse/SOLR-3854
> > https://issues.apache.org/jira/browse/SOLR-4407
> > https://issues.apache.org/jira/browse/SOLR-4470
>
> Dang.

Christopher,

I was just looking through Solr source code for a completely different
issue, and it seems that there *IS* a way to do this in your configuration.

If you were to use "https://hostname" or "https://ipaddress" as the
"host" parameter in your solr.xml file on each machine, it should do
what you want.  The parameter is described here, but not the behavior
that I have discovered:

http://wiki.apache.org/solr/SolrCloud#SolrCloud_Instance_Params

Boring details: In the org.apache.solr.cloud package, there is a
ZkController class.  The getHostAddress method is where I discovered
that you can do this.

If you could try this out and confirm that it works, I will get the wiki
page updated and look into the Solr reference guide as well.

Thanks,
Shawn



Re: SolrCloud on SSL

2013-10-11 Thread Shawn Heisey
On 10/11/2013 8:17 AM, Christopher Gross wrote:
> I have 3 SolrCloud nodes (call them idx1, idx2, idx3), and the boxes have
> SSL certs configured on them to protect the Solr Indexes.
>
> Right now, I can do queries on idx1 and it works fine.
> If I try to query on idx3, I get:
> org.apache.solr.common.SolrException:
> org.apache.sorl.client.solrj.SolrServerException:IOException occurred when
> talking to server at http://idx1:8443/solr/test1
> (and then a long stack trace -- can't copy it, on a test network)
>
> Is there a spot in a Solr configuration that I can set this up to use HTTPS?

From what I can tell, not yet.

https://issues.apache.org/jira/browse/SOLR-3854
https://issues.apache.org/jira/browse/SOLR-4407
https://issues.apache.org/jira/browse/SOLR-4470

I'm wondering why you want to do this, though.  It adds extra CPU
overhead.  Perhaps not a lot, but it's not free.

As for protecting Solr against eavesdropping, is it in a location where
that's possible?  The bottom line is this:  People that you cannot trust
should not have direct access to Solr.  It should be firewalled so only
trusted personnel and applications can talk to it.

Anyone who has direct access to Solr can change your index, delete your
index, and send denial of service queries.  If you take steps to block
access to the update handler(s) and the admin UI, denial of service
queries are still possible.  Blocking access to the update handlers and
admin UI is not something Solr itself can do - that's a job for the
servlet container.

Related general issue: The /browse handler included in the example
(which utilizes code written in velocity) requires that the user have
direct access to Solr.  This makes its very design insecure.  That
handler is intended as a demonstration of Solr's capabilities and how to
use them, it's not for production.

Thanks,
Shawn



Re: SolrCloud on SSL

2013-10-11 Thread Christopher Gross
On Fri, Oct 11, 2013 at 11:08 AM, Shawn Heisey s...@elyograg.org wrote:

> On 10/11/2013 8:17 AM, Christopher Gross wrote:
> > Is there a spot in a Solr configuration that I can set this up to use
> > HTTPS?
>
> From what I can tell, not yet.
>
> https://issues.apache.org/jira/browse/SOLR-3854
> https://issues.apache.org/jira/browse/SOLR-4407
> https://issues.apache.org/jira/browse/SOLR-4470


Dang.


> I'm wondering why you want to do this, though.  It adds extra CPU
> overhead.  Perhaps not a lot, but it's not free.
>
> As for protecting Solr against eavesdropping, is it in a location where
> that's possible?  The bottom line is this:  People that you cannot trust
> should not have direct access to Solr.  It should be firewalled so only
> trusted personnel and applications can talk to it.


Oh, they should be firewalled, but I can't (yet) with the existing network
architecture.  It's out of my direct control -- I'm just trying to stay one
step ahead of the game.


> Anyone who has direct access to Solr can change your index, delete your
> index, and send denial of service queries.  If you take steps to block
> access to the update handler(s) and the admin UI, denial of service
> queries are still possible.  Blocking access to the update handlers and
> admin UI is not something Solr itself can do - that's a job for the
> servlet container.
>
> Related general issue: The /browse handler included in the example
> (which utilizes code written in velocity) requires that the user have
> direct access to Solr.  This makes its very design insecure.  That
> handler is intended as a demonstration of Solr's capabilities and how to
> use them, it's not for production.


Good to know, I'll make sure that I've bumped this in my configs.  Thanks!


Re: SolrCloud on SSL

2013-10-11 Thread Guido Medina
You could resolve that with SSH tunnels. Autossh with the right 
parameters works like a charm.


HTH,

Guido.

On 11/10/13 16:08, Shawn Heisey wrote:

> On 10/11/2013 8:17 AM, Christopher Gross wrote:
> > I have 3 SolrCloud nodes (call them idx1, idx2, idx3), and the boxes have
> > SSL certs configured on them to protect the Solr Indexes.
> >
> > Right now, I can do queries on idx1 and it works fine.
> > If I try to query on idx3, I get:
> > org.apache.solr.common.SolrException:
> > org.apache.sorl.client.solrj.SolrServerException:IOException occurred when
> > talking to server at http://idx1:8443/solr/test1
> > (and then a long stack trace -- can't copy it, on a test network)
> >
> > Is there a spot in a Solr configuration that I can set this up to use HTTPS?
>
> From what I can tell, not yet.
>
> https://issues.apache.org/jira/browse/SOLR-3854
> https://issues.apache.org/jira/browse/SOLR-4407
> https://issues.apache.org/jira/browse/SOLR-4470
>
> I'm wondering why you want to do this, though.  It adds extra CPU
> overhead.  Perhaps not a lot, but it's not free.
>
> As for protecting Solr against eavesdropping, is it in a location where
> that's possible?  The bottom line is this:  People that you cannot trust
> should not have direct access to Solr.  It should be firewalled so only
> trusted personnel and applications can talk to it.
>
> Anyone who has direct access to Solr can change your index, delete your
> index, and send denial of service queries.  If you take steps to block
> access to the update handler(s) and the admin UI, denial of service
> queries are still possible.  Blocking access to the update handlers and
> admin UI is not something Solr itself can do - that's a job for the
> servlet container.
>
> Related general issue: The /browse handler included in the example
> (which utilizes code written in velocity) requires that the user have
> direct access to Solr.  This makes its very design insecure.  That
> handler is intended as a demonstration of Solr's capabilities and how to
> use them, it's not for production.
>
> Thanks,
> Shawn