Chris: I want to thank you for your kind help, with which I was able to solve this issue. It turns out, apparently, that the password I used for my self-signed SSL certificate contained problematic characters: # _ $
# https://docs.oracle.com/cd/E14571_01/install.1111/e12002/oimscrn011.htm#INOIM1372
  KeyStore password: a valid password can contain 6 to 30 characters, begin with an alphabetic character, and use only alphanumeric characters and special characters like underscore (_), dollar ($), pound (#). The password must contain at least one number.

# https://getfishtank.ca/blog/updating-ssl-certificates-in-solr
  Point of note: when updating the Solr certificate, there's one thing you need to be aware of: the password should not contain any special characters. It's not uncommon for SSL certs to contain special characters, but Solr doesn't like them in the format we have to work with. It should be purely alpha-numeric. If it does, during the restart you may get a message that the service failed to restart.

My original certificate p/w was apparently silently causing issues (other than the Solr status messages), such as the esoteric "... javax.crypto.BadPaddingException: Given final block not properly padded solution ..." which led me to explore the password issue (following an online search).

With the configuration below, I initially got security warnings in my browsers, with Solr o/w running apparently without issues. Ctrl-reloads and clearing localhost cookies had no effect; however, those warnings thankfully self-resolved after some minutes - leading to the sign-in page. :-D Before that occurred, clicking the "Accept the Risk and Continue" button in Firefox did nothing.

----------------------------------------

Follow-on question: I have a "Let's Encrypt / Certbot" certificate ... Can I use that certificate in place of the self-signed certificate?

  cert.pem | chain.pem | fullchain.pem | privkey.pem

Those files (online) are at the website where I want to run Solr (installed there - a cloud VPS - but not yet configured pending this work). When I run that website / Solr publicly, I don't want any "security" warnings / concerns for my users.
# ============================================================================
# ----------------------------------------------------------------------------
# Solr instance [ https://localhost:8983/solr/#/login ]:
# ------------------------------------------------------

[victoria]$ solr start
Waiting up to 45 seconds to see Solr running on port 8983 [|]
Started Solr server on port 8983 (pid=3821092). Happy searching!

[victoria]$ solr status
Found 1 Solr nodes:
Solr process 3821092 running on port 8983
INFO  - 2022-04-19 20:25:57.634; org.apache.solr.util.configuration.SSLConfigurations; Setting javax.net.ssl.keyStorePassword
INFO  - 2022-04-19 20:25:57.636; org.apache.solr.util.configuration.SSLConfigurations; Setting javax.net.ssl.trustStorePassword
ERROR: Failed to get system information from https://localhost:8983/solr due to: org.apache.solr.common.SolrException: Parse error :
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Bad credentials</title>
</head>
<body><h2>HTTP ERROR 401 Bad credentials</h2>
<table>
<tr><th>URI:</th><td>/solr/admin/info/system</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Bad credentials</td></tr>
<tr><th>SERVLET:</th><td>default</td></tr>
</table>
</body>
</html>

[victoria]$

# ----------------------------------------------------------------------------
# GENERATE SELF-SIGNED SSL CERTIFICATE:
# -------------------------------------

[victoria]$ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 9999 -keystore solr-ssl.keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Persagen, O=Persagen, L=Vancouver, ST=British Columbia, C=CA"
Enter keystore password: ***        ## "secret" in online documentation
Re-enter new password: ***
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 9,999 days
        for: CN=localhost, OU=Persagen, O=Persagen, L=Vancouver, ST=British Columbia, C=CA

[victoria]$

[victoria]$ keytool -exportcert -rfc -keystore solr-ssl.keystore.p12 -alias solr-ssl -file solr-ssl-cert
Enter keystore password: ***
Certificate stored in file <solr-ssl-cert>

[victoria@victoria etc]$ cat solr-ssl-cert
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----

# ----------------------------------------
# ADD CERTIFICATE TO KEYSTORE:
# ----------------------------

[victoria]$ sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias solr-ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert
Certificate was added to keystore

[victoria]$ ## Verify keystore addition (default p/w for keytool is: changeit):
[victoria]$ keytool -list -cacerts | grep solr-ssl
Enter keystore password: changeit
solr-ssl, Apr 19, 2022, trustedCertEntry,

[victoria]$

# ----------------------------------------------------------------------------
# solr.in.sh [excerpted]:
# -----------------------

SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=***      ## "secret" (as above)
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=***    ## "secret" (as above)
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=victoria:***"   ## obfuscated here
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false

# ----------------------------------------------------------------------------
# jetty-ssl.xml [excerpted]:
# --------------------------

<Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.p12"/></Set>
<Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.p12"/></Set>
<Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
<Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
<Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>

# ----------------------------------------------------------------------------
# SSL WARNING:
# ------------

https://localhost:8983/

# Opera 85.0.4341.60:
This site can’t provide a secure connection
localhost didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

# Firefox 99.0.1 64-bit
Warning: Potential Security Risk Ahead ...
localhost:8983 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
View Certificate    ## "localhost.pem" = my "solr-ssl-cert", above
# ============================================================================
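As an added example (not from Chris's post, nor Solr's or Certbot's own tooling), the POSIX shell script below covers both the keystore-password restriction discussed above and the follow-on question: it checks a candidate keystore password against the quoted rules (6 to 30 characters, starts with a letter, at least one digit) plus the stricter purely-alphanumeric rule that Solr needed, then packs Certbot's fullchain.pem and privkey.pem into a PKCS12 keystore that Jetty can load, verifies it with keytool, and prints the matching solr.in.sh lines. The Let's Encrypt paths, the output path, the alias solr-ssl and the sample password are assumptions; openssl and keytool must be installed. Sourcing the file only defines the functions; the build runs only when four arguments are given.

```shell
#!/bin/sh
# Added example (not from the original post): build a Solr PKCS12 keystore from
# Let's Encrypt / Certbot PEM files, after checking that the keystore password
# is purely alphanumeric (which also satisfies the Oracle rules quoted above:
# 6-30 chars, starts with a letter, contains at least one digit).
# Paths, the alias "solr-ssl" and the password are assumptions.

# check_keystore_password PASSWORD
# Returns 0 if the password is usable for a Solr keystore, 1 (with a reason
# on stderr) otherwise.
check_keystore_password() {
    pw=$1
    if [ "${#pw}" -lt 6 ] || [ "${#pw}" -gt 30 ]; then
        echo "password must be 6 to 30 characters long" >&2
        return 1
    fi
    case $pw in
        *[!A-Za-z0-9]*)
            echo "password must be purely alphanumeric (no # _ \$ or other symbols)" >&2
            return 1 ;;
    esac
    case $pw in
        [A-Za-z]*) ;;
        *) echo "password must begin with a letter" >&2; return 1 ;;
    esac
    case $pw in
        *[0-9]*) ;;
        *) echo "password must contain at least one digit" >&2; return 1 ;;
    esac
    return 0
}

# build_solr_keystore FULLCHAIN PRIVKEY OUT_P12 PASSWORD
# Wraps fullchain.pem + privkey.pem into one PKCS12 store holding the private
# key and the full chain under alias "solr-ssl", then lists it with keytool as
# a sanity check. fullchain.pem (leaf + intermediates) is what the server must
# present so browsers can build the chain; cert.pem alone leaves the
# intermediate out and some clients would still warn.
build_solr_keystore() {
    fullchain=$1; privkey=$2; out=$3; pw=$4
    check_keystore_password "$pw" || return 1
    umask 077   # the keystore contains the private key: owner-readable only
    openssl pkcs12 -export \
        -in "$fullchain" -inkey "$privkey" \
        -name solr-ssl -out "$out" -passout "pass:$pw" || return 1
    keytool -list -keystore "$out" -storetype PKCS12 -storepass "$pw" >/dev/null || return 1
    echo "keystore written: $out"
}

# print_solr_in_sh OUT_P12 PASSWORD
# Emits the solr.in.sh lines for the new store. NEED_CLIENT_AUTH stays false:
# setting it to true makes Jetty demand a client certificate from every
# browser, which Chromium-based browsers report as ERR_BAD_SSL_CLIENT_AUTH_CERT.
print_solr_in_sh() {
    out=$1; pw=$2
    printf 'SOLR_SSL_ENABLED=true\n'
    printf 'SOLR_SSL_KEY_STORE=%s\n' "$out"
    printf 'SOLR_SSL_KEY_STORE_PASSWORD=%s\n' "$pw"
    printf 'SOLR_SSL_KEY_STORE_TYPE=PKCS12\n'
    printf 'SOLR_SSL_NEED_CLIENT_AUTH=false\n'
    printf 'SOLR_SSL_WANT_CLIENT_AUTH=false\n'
}

# Usage (assumed paths; run as a user that can read privkey.pem):
#   sh build-solr-keystore.sh /etc/letsencrypt/live/example.com/fullchain.pem \
#       /etc/letsencrypt/live/example.com/privkey.pem \
#       /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12 solr2022pw
if [ "$#" -eq 4 ]; then
    build_solr_keystore "$1" "$2" "$3" "$4" && print_solr_in_sh "$3" "$4"
fi
```

Two operational notes for the VPS deployment: Let's Encrypt certificates expire after 90 days, so the keystore has to be rebuilt on every renewal (a certbot deploy hook that reruns this script and restarts Solr is the usual way), and because solr.in.sh holds the keystore password in clear text it should be readable only by the account Solr runs as.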
