Victoria,

On 4/19/22 18:11, Victoria Stuart (VictoriasJourney.com) wrote:
Hi Chris; thank you for your reply (much appreciated)! :-)

I am still having issues setting up SSL with Solr, as described below.

The following is lengthy, but should include most / all? relevant information.

==============================================================================
1. SOLR BASIC AUTHENTICATION
============================

This is off-topic, but interesting to note. I'll remove it from this branch of the thread.

==============================================================================
2. SSL [https://localhost:8983]
===============================

========================================
ISSUES:
=======

* Basic authentication (non-SSL | http://localhost:8983) works fine.

* SSL authorization is failing (Solr instance appears, then immediately disappears).

The current configuration above throws the following warning during Solr startup,
despite setting the KEY STORE | TRUST STORE passwords to the <secret> password
used during "keytool -genkeypair ..." self-signed certificate creation (above).

[victoria]$ solr stop -all; sleep 4; solr start

   ...
   Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

     at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
   ...

----------------------------------------
LIKELY CAUSES:
--------------

  ** "solr.in.sh" / "jetty-ssl.xml" incongruity?

  ** not reading key store | trust store?
  ** PEM certificate issue?
  ** other?


========================================
PATHS (ARCH LINUX):
===================

     SOLR_HOME : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/
       solr.xml: /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/solr.xml
security.json : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/security.json

    solr.in.sh : /mnt/Vancouver/apps/solr/solr-8.11.1/bin/solr.in.sh

jetty-ssl.xml : /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/jetty-ssl.xml

~/.bashrc  ## allows {solr start | solr restart | solr status | solr stop -all}
export PATH=/mnt/Vancouver/apps/solr/solr-8.11.1/bin/:$PATH


========================================
SSL KEYGEN:
===========

[victoria]$ date; pwd; ls -l

   2022-04-19 09:34:02 -0700 (PST)
   /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc

   total 80K
   -rw-r--r-- 1 victoria victoria 2.0K Dec  7 17:01 jetty-gzip.xml
   -rw-r--r-- 1 victoria victoria 3.6K Dec  7 17:01 jetty-https8.xml
   -rw-r--r-- 1 victoria victoria 3.7K Dec  7 17:01 jetty-https.xml
   -rw-r--r-- 1 victoria victoria 2.7K Dec  7 17:01 jetty-http.xml
   -rw-r--r-- 1 victoria victoria 1.9K Dec  7 17:01 jetty-requestlog.xml
   -rw-r--r-- 1 victoria victoria 3.0K Apr 19 08:49 jetty-ssl.xml
   -rw-r--r-- 1 victoria victoria  12K Apr 14 09:28 jetty.xml
   -rw-r--r-- 1 victoria victoria  12K Dec  7 17:01 security.policy
   -rw-r--r-- 1 victoria victoria 1.3K Dec  7 17:01 security.properties
   -rw-r--r-- 1 victoria victoria  24K Dec  7 17:01 webdefault.xml

## The following command failed when including the "-keypass <secret> -storepass <secret>"
## arguments, hence I left them out (immediately below), and entered <secret> when prompted.

[victoria]$ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 9999 -keystore solr-ssl.keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, ... <etc.>"

   Enter keystore password:    ## <secret>
     Re-enter new password:    ## <secret>

   Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 9,999 days
     for: CN=localhost, ... <etc.>

[victoria]$ openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
             Enter Import Password:    ## <secret>      (obfuscated here)
             Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)
Verifying - Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)

Why did you do this? I don't think you need your key file to be outside of the keystore.

[victoria]$ openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
   Enter Import Password:    ## <secret>

FYI, you can do this with keytool -export -rfc -alias 'solr-ssl'; you don't need openssl.

## Manually edited PEM ("solr-ssl.pem" >> "solr-ssl.cert_only.pem"), leaving only:
## "-----BEGIN CERTIFICATE-----*** (obfuscated here)***-----END CERTIFICATE-----"

## The following should add the SSL certificate (only) to JAVA / JVM Trust Store?

[victoria]$ sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias solr_ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem

What, no keystore file specified? Where did the cert get imported? This may be a part of the problem. You almost always want to use a specific trust store.

========================================
PEM FILES:
==========

/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.pem

/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem

----------------------------------------
solr-ssl.pem:
-------------

   Bag Attributes
       friendlyName: solr-ssl
       localKeyID: ***
   Key Attributes: <No Attributes>
   -----BEGIN ENCRYPTED PRIVATE KEY-----
   *** (obfuscated here)
   -----END ENCRYPTED PRIVATE KEY-----
   Bag Attributes
       friendlyName: solr-ssl
       localKeyID: ***  (obfuscated here)
       ... (obfuscated here)
   -----BEGIN CERTIFICATE-----
   *** (obfuscated here)
   -----END CERTIFICATE-----


----------------------------------------
solr-ssl-cert_only.pem:
-----------------------

   -----BEGIN CERTIFICATE-----
   *** (obfuscated here)
   -----END CERTIFICATE-----


========================================
solr.in.sh (EXCERPTED):
=======================

## Since Solr paths in Arch Linux appear to differ slightly from Debian / other
##  distros, for configuration / troubleshooting I reverted to absolute paths.

SOLR_SSL_ENABLED=true

SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
## relative path would be:
##   SOLR_SSL_KEY_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=<secret>      ## (obfuscated here)
SOLR_SSL_KEY_STORE_TYPE=PKCS12

SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
## relative path would be:
##   SOLR_SSL_TRUST_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=<secret>    ## (obfuscated here)
SOLR_SSL_TRUST_STORE_TYPE=PKCS12

SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=user:pass"
## (obfuscated here) where
##   user = my Solr admin username,
##   pass = my salted, hashed password    ## (Solr Basic Authentication)

SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false

SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true

SOLR_SSL_CHECK_PEER_NAME=true

So what command fails with the PKIX path certification error?

My guess is something like "solr status", right? I think you need to set:

SOLR_SSL_CLIENT_TRUST_STORE=${SOLR_SSL_TRUST_STORE}
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=${SOLR_SSL_TRUST_STORE_PASSWORD}

-chris
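A way to sanity-check a solr.in.sh excerpt against the two things this reply turns on, as an added example that is not part of the original thread or of Solr itself: the BadPaddingException quoted above is the JDK saying the password presented to the PKCS12 store is not the one it was created with, and bin/solr sources solr.in.sh, so every value in it passes through the shell before Solr sees it; separately, the reply suggests setting SOLR_SSL_CLIENT_TRUST_STORE explicitly for bin/solr subcommands. The POSIX-sh lint below checks for a readable store file, an unquoted password containing shell metacharacters, and an absent client trust store. The variable names are the real solr.in.sh ones; both sample files, their paths and the password are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint the SSL block of a solr.in.sh.
# bin/solr sources solr.in.sh, so every value passes through the shell before
# Solr sees it. Sample files, paths and the password below are constructed.

# Print the raw text after "NAME=" on the last assignment of NAME in FILE.
get_var() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed -e "s/^[[:space:]]*$2=//"
}

# True (0) when VALUE is unquoted and contains characters the shell would
# interpret when the file is sourced (redirection, expansion, word breaks).
# Such a password never reaches the keystore as typed at "keytool -genkeypair".
is_unsafe_unquoted() {
    case "$1" in
        \"*|\'*) return 1 ;;   # quoted: leave it to the author
    esac
    printf '%s' "$1" | grep -q '[ <>$()&|;`]'
}

# Lint FILE: print one finding per line, return the number of findings.
check_solr_ssl_config() {
    cfg=$1
    findings=0
    if [ "$(get_var "$cfg" SOLR_SSL_ENABLED)" != "true" ]; then
        echo "INFO: SOLR_SSL_ENABLED is not true; nothing to check"
        return 0
    fi
    for name in SOLR_SSL_KEY_STORE SOLR_SSL_KEY_STORE_PASSWORD \
                SOLR_SSL_TRUST_STORE SOLR_SSL_TRUST_STORE_PASSWORD; do
        val=$(get_var "$cfg" "$name")
        if [ -z "$val" ]; then
            echo "ERROR: $name is not set"
            findings=$((findings + 1))
            continue
        fi
        case "$name" in
            *_PASSWORD)
                if is_unsafe_unquoted "$val"; then
                    echo "ERROR: $name is unquoted and contains shell metacharacters"
                    findings=$((findings + 1))
                fi ;;
            *)
                if [ ! -r "$val" ]; then
                    echo "ERROR: $name is not a readable file: $val"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    # The reply above suggests setting the client trust store explicitly so
    # that bin/solr subcommands such as "solr status" use it; flag its absence.
    if [ -z "$(get_var "$cfg" SOLR_SSL_CLIENT_TRUST_STORE)" ]; then
        echo "WARN: SOLR_SSL_CLIENT_TRUST_STORE is not set"
        findings=$((findings + 1))
    fi
    return $findings
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
touch "$SAMPLE_DIR/solr-ssl.keystore.p12"    # stands in for a real keystore

# Constructed "before" file with the shape of the excerpt in the thread.
BEFORE_CFG=$SAMPLE_DIR/solr.in.sh.before
cat > "$BEFORE_CFG" <<'EOF'
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/nonexistent/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=<secret>
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/nonexistent/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=<secret> (obfuscated here)
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
EOF

# Constructed "after" file: readable store, quoted password, client trust store.
AFTER_CFG=$SAMPLE_DIR/solr.in.sh.after
cat > "$AFTER_CFG" <<EOF
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=$SAMPLE_DIR/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD="example-password"
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=$SAMPLE_DIR/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD="example-password"
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE=\${SOLR_SSL_TRUST_STORE}
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=\${SOLR_SSL_TRUST_STORE_PASSWORD}
EOF

echo "== before =="; check_solr_ssl_config "$BEFORE_CFG" || echo "findings: $?"
echo "== after ==";  check_solr_ssl_config "$AFTER_CFG" && echo "clean"
```

Run it with `sh` and point `check_solr_ssl_config` at a real solr.in.sh afterwards. The lint only reads the text of the file; it does not expand `${...}` references or open the keystore, so a clean result says the shell will hand Solr the values as written, not that the password itself is right. The quoted-value branch deliberately trusts the author: a password wrapped in quotes is passed through unchanged, which is the simplest way to keep characters such as spaces or `$` out of the shell's hands.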
