Thank you Shawn,

I can directly connect to either node without issue, it is only when the Load 
Balancer routes to either solr1 or solr2 that I get the security error (ex. 
https://solrlb.com:8983/solr). The Load Balancer is not managing HTTPS but just 
acting as a pure TCP proxy. Nothing more complex than sending traffic to either 
solr1 or solr2... however, the URL will be displayed as solrlb.com as it hides 
the real address of what is being routed to. 

In this case, do we need a certificate for solrlb.com installed on both solr1 
and solr2?

In our previous environments we used the same load balancer setup, but that 
worked since the Solr nodes were serving over http and not https.

Regards,

Kelly
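The question above (whether the back-end certificates must also name solrlb.com) comes down to what the client verifies: with a pure TCP proxy the browser still connects to the name solrlb.com, sends that name as SNI, and checks it against the certificate the back end presents. The following script is an added example, not code from this thread or from the Solr project; it mirrors the subjectAltName matching a client performs so you can test a certificate's DNS names offline, and it includes a helper to pull the certificate from a live node using a specific SNI name. The certificate dictionaries, the host names solr1.com/solr2.com/solrlb.com and the port 8983 are taken from the thread; the dictionary layout follows what Python's ssl `getpeercert()` returns.

```python
"""Check whether a certificate's DNS names cover the name clients connect to.

Added example for the solr-user thread above; not part of Solr or the thread.
The certificate dictionaries below are constructed in the shape returned by
ssl.SSLSocket.getpeercert() for a verified connection.
"""
import socket
import ssl

# Constructed: a per-node self-signed certificate that only names the two nodes.
NODE_CERT = {
    "subject": ((("commonName", "solr1.com"),),),
    "subjectAltName": (("DNS", "solr1.com"), ("DNS", "solr2.com")),
}

# Constructed: a SAN certificate that also names the load-balanced address.
SAN_CERT = {
    "subject": ((("commonName", "solr1.com"),),),
    "subjectAltName": (
        ("DNS", "solr1.com"),
        ("DNS", "solr2.com"),
        ("DNS", "solrlb.com"),
    ),
}


def san_dns_names(peercert):
    """DNS entries of subjectAltName in the order the certificate lists them."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # '*' covers exactly one non-empty label; it never matches the bare parent name.
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def hostname_is_covered(peercert, hostname):
    """True if the client-facing name would pass the certificate's name check.

    Modern clients only consult subjectAltName when it is present; the subject
    commonName is used as a fallback solely for certificates without a SAN.
    """
    names = san_dns_names(peercert)
    if not names:
        names = [value for rdn in peercert.get("subject", ()) for key, value in rdn
                 if key == "commonName"]
    return any(_name_matches(name, hostname) for name in names)


def missing_names(peercert, hostnames):
    """Which of the given client-facing names the certificate does not cover."""
    return [h for h in hostnames if not hostname_is_covered(peercert, h)]


def fetch_peercert(host, port, cafile, server_hostname):
    """Retrieve the certificate a node presents for a given SNI name.

    cafile is the node's own self-signed certificate (PEM), so chain validation
    succeeds and getpeercert() returns the parsed dictionary; the hostname
    check is disabled here so that missing_names() can report *why* a client
    would reject the connection. Requires network access; not run in tests.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["solr1.com", "solr2.com", "solrlb.com"]
    print("per-node cert, missing:", missing_names(NODE_CERT, wanted))
    print("SAN cert, missing:     ", missing_names(SAN_CERT, wanted))
    # Live check of a node through the name clients actually use, e.g.:
    # cert = fetch_peercert("solr1.com", 8983, "solr1.pem", "solrlb.com")
    # print(missing_names(cert, ["solrlb.com"]))
```

For the load-balanced setup, run `missing_names()` on the certificate each node actually serves (use `fetch_peercert` with `server_hostname="solrlb.com"`, since that is the SNI a browser sends); any name in the result is one clients will reject, regardless of what the other node has in its keystore.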

-----Original Message-----
From: Shawn Heisey <apa...@elyograg.org> 
Sent: Friday, June 1, 2018 5:25 PM
To: solr-user@lucene.apache.org
Subject: Re: Self Signed Certificate for Load Balancer and Solr Nodes

On 6/1/2018 2:01 PM, Kelly Rusk wrote:
> We have solr1.com and solr2.com self-signed certs that correspond to the two 
> servers. We also have a load balancer with an address named solrlb.com. When 
> we hit the load balancer it gives us an SSL error, as it is passing us back 
> to either solr1.com or solr2.com, but since these two Solr servers only have 
> each other's self-signed cert installed in their Keystore, it doesn't resolve 
> when it comes in through the load balanced address of solrlb.com.
>
> We tried a SAN certificate that has all 3 addresses, but when we do this, we 
> get the following error:
>
> This page can't be displayed
> Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting 
> to https://b-win-solr-01.azure-dfa.com:8983  again. If this error persists, 
> it is possible that this site uses an unsupported protocol or cipher suite 
> such as RC4 (link for the details), which is not considered secure. Please 
> contact your site administrator.

One really important question is whether the load balancer acts as a pure TCP 
proxy, or whether the load balancer is configured with a certificate and 
handles HTTPS itself.

If the load balancer is handling HTTPS, it's very likely that the load balancer 
either cannot use modern TLS protocols and/or ciphers, or that it has the 
modern protocols/ciphers turned off.  There's probably nothing that we can do 
to help you in this situation.  You will need to find support for your load 
balancer.

If the load balancer is just a TCP proxy and lets the back end server handle 
HTTPS, then you may need to ensure that you're running a very recent version of 
Java 8.  You may also need to install the JCE policy files for unlimited 
strength encryption into your Java.  I see from other messages on the list that 
you're running Solr 6.6.2, so it would not be a good idea for you to use Java 9 
or Java 10.  If you need them, the JCE policy files for Java 8 can be found 
here:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

One thing you didn't explicitly mention is whether the connection works when 
talking directly to one of the Solr servers instead of the load balancer.  If 
that works, then your Java version is probably fine, and it's even more 
evidence that the problem is on the load balancer.

Thanks,
Shawn
