Hi,

I have some problems with client certificates. By the look of it, it works with
curl, and Safari prompts for and accepts my certificate. It does not work with Edge,
Firefox or Chrome. The certificates are requested from our CA.

When requesting https://s02/solr in the browser, it doesn't
prompt for a certificate and I get the following error message in Chrome:
>This site can't provide a secure connection
>s02 didn't accept your login certificate, or one may not have been provided.
>Try contacting the system admin.

When debugging with Wireshark I can see the s01t9 certificate in the
"certificate request" part of the handshake, but the browser answers without a
certificate.


Setup as follows:

solr.in.sh:
SOLR_SSL_KEY_STORE=etc/keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/truststore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false

Content of truststore.jks:
[solruser@s02 etc]# keytool -list -keystore /opt/solr-6.4.0/server/etc/truststore.jks -storepass secret

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

s01t9, 15.feb.2017, trustedCertEntry,
Certificate fingerprint (SHA1): CF:BD:02:71:64:F0:BA:65:71:10:A1:23:42:34:E0:3C:37:75:E1:BF



Curl (returns HTML of the admin page with the -L option):

curl -v -E  s01t9.pem:secret --cacert  rootca.pem 'https://vs02/solr'
* Hostname was NOT found in DNS cache
*   Trying 10.0.121.132...
* Connected to s02 (10.0.121.132) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: rootca.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA256
* Server certificate:
*        subject: CN=s01t9
*        start date: 2017-01-09 11:31:49 GMT
*        expire date: 2022-01-08 11:31:49 GMT
*        subjectAltName: s02 matched
*        issuer: DC=local; DC=com; CN=Root CA
*        SSL certificate verify ok.
> GET /solr HTTP/1.1
> User-Agent: curl/7.35.0
> Host: s02
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: https://s02 /solr/
< Content-Length: 0
<
* Connection #0 to host s02 left intact

Thanks,
Espen
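
Added example, not part of the original message: a Python sketch of how a browser-style client reads the certificate_authorities list in a TLS 1.2 CertificateRequest and offers a client certificate only if an issuer in its chain is listed. The sample DNs are constructed and simplified to a single CN, and it is an assumption that the client certificate is issued by the Root CA while the server lists the subject of its only truststore entry (s01t9).

```python
import struct

def cn_only_dn(cn):
    """DER-encode a Name with a single CN attribute (constructed sample data)."""
    value = cn.encode()
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x0C, len(value)]) + value  # OID 2.5.4.3 + UTF8String
    atv = bytes([0x30, len(atv)]) + atv    # AttributeTypeAndValue SEQUENCE
    rdn = bytes([0x31, len(atv)]) + atv    # RelativeDistinguishedName SET
    return bytes([0x30, len(rdn)]) + rdn   # Name SEQUENCE

def build_certificate_request(ca_names):
    """Build a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4)."""
    cert_types = b"\x01\x40"               # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x04\x03"         # sha256+rsa, sha256+ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def acceptable_ca_names(body):
    """Return the DER-encoded DNs from certificate_authorities."""
    pos = 1 + body[0]                                  # skip certificate_types
    (sig_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + sig_len                                 # skip signature algorithms
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ca_len
    if end > len(body):
        raise ValueError("truncated CertificateRequest")
    names = []
    while pos < end:
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        names.append(body[pos:pos + n])
        pos += n
    return names

def browser_would_offer(chain_issuer_dns, body):
    """True if any issuer DN in the client chain is listed, or the list is empty."""
    names = acceptable_ca_names(body)
    return not names or any(dn in names for dn in chain_issuer_dns)

if __name__ == "__main__":
    leaf, root = cn_only_dn("s01t9"), cn_only_dn("Root CA")
    print("truststore holds only s01t9:", browser_would_offer([root], build_certificate_request([leaf])))
    print("truststore holds Root CA:   ", browser_would_offer([root], build_certificate_request([root])))
```

A client that is told explicitly which certificate to send, as curl is with -E, does not apply this filter. The names a server actually sends can be read from the "Acceptable client certificate CA names" section of openssl s_client output.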
