Thanks Shawn for your input. Are these errors specific only to ZooKeeper 
operations? If so, is there any way to turn off the default ZooKeeper which runs on 
9983?

Dinesh Sundaram
MBS Platform Engineering

Mastercard



-----Original Message-----
From: Shawn Heisey [mailto:apa...@elyograg.org]
Sent: Wednesday, December 13, 2017 11:38 AM
To: solr-user@lucene.apache.org
Subject: Re: Solr ssl issue while creating collection

On 12/13/2017 10:06 AM, Sundaram, Dinesh wrote:
> Thanks Shawn, this helps. Now getting the below exception, is there any way 
> to avoid verifying this?
>
> 2017-12-13 17:00:39.239 DEBUG 
> (httpShardExecutor-4-thread-1-processing-n:xx.xx.xx.xx:8983_solr 
> [https:////xx.xx.xx.xx:8983//solr] https:////xx.xx.xx.xx:8983//solr)
>  [   ] o.a.h.c.s.DefaultHostnameVerifier Certificate for <xx.xx.xx.xx> 
> doesn't match common name of the certificate subject: xx.xx.xx.xx.com
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for
> <xx.xx.xx.xx> doesn't match common name of the certificate subject:
> xx.xx.xx.xx.com

If you're running 6.x, then you can disable the hostname verification. But if 
you're running 7.x, there's a bug that breaks it:

https://issues.apache.org/jira/browse/SOLR-9304

There's a patch on the issue, but it hasn't been tested, so I have no idea 
whether it works.  Even if it works, the patch is incomplete because it doesn't 
have a test to verify the problem doesn't happen again.

An alternate idea would be to add all the possible hostnames to the certificate 
you're using, and make sure the trust stores are valid, so all of the cert 
verification will work.

Thanks,
Shawn
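
Shawn's alternate suggestion as a pre-flight check, in an added example that is not part of the thread or of Solr: a simplified model of hostname verification (SAN entries first, common name only when the certificate has none, wildcard in the leftmost label only) that lists which node addresses a certificate would fail for. The host names, the IP address and the helper names are constructed for illustration, and the CN fallback is an assumption based on the wording of the logged error.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # "*.com" is rejected: a wildcard needs at least two labels after it.
        return p.count(".") >= 2 and "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_covers(target, cn, sans):
    """target: address a node is reached by; cn: subject common name;
    sans: list of ("DNS", name) or ("IP", address) pairs from the certificate."""
    if not sans:
        # No SAN entries: only the common name is left to compare against.
        return cn == target if _is_ip(target) else _dns_match(cn, target)
    if _is_ip(target):
        # An IP target is only satisfied by an IP-type SAN, never by a DNS name.
        want = ipaddress.ip_address(target)
        return any(k == "IP" and ipaddress.ip_address(v) == want for k, v in sans)
    return any(k == "DNS" and _dns_match(v, target) for k, v in sans)

def uncovered(targets, cn, sans):
    """Addresses for which verification would fail with this certificate."""
    return [t for t in targets if not cert_covers(t, cn, sans)]

# Constructed sample data: every address the Solr nodes use to reach each other.
NODE_ADDRESSES = ["10.0.0.5", "solr1.example.com", "solr2.example.com"]
CN = "solr1.example.com"
CN_ONLY = []                                   # certificate without SAN entries
WILDCARD = [("DNS", "*.example.com")]          # still no entry for the IP
FULL = [("DNS", "solr1.example.com"), ("DNS", "solr2.example.com"),
        ("IP", "10.0.0.5")]

if __name__ == "__main__":
    for label, sans in (("CN only", CN_ONLY), ("wildcard", WILDCARD), ("full", FULL)):
        print(f"{label:9s} uncovered: {uncovered(NODE_ADDRESSES, CN, sans)}")
```

The CN-only case reproduces the situation in the log: the node is addressed by IP while the certificate names only a host.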

