Hi Chris,

I followed the steps from
https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.

1)

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"


2)

keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12


3)

openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem



I have also set these in solr.in.cmd:

SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# Define Key Store type if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS



Regards,
Edwin

On 8 June 2018 at 22:41, Christopher Schultz <ch...@christopherschultz.net>
wrote:

> Edwin,
>
> On 6/7/18 11:11 PM, Zheng Lin Edwin Yeo wrote:
> > Hi,
> >
> > I am running SolrCloud on Solr 7.3.1 on External ZooKeeper 3.4.11, and I am
> > setting up the security aspect of Solr.
> >
> > After setting up the SSL based on the steps from
> > https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html, the collections
> > with 2 replicas are no longer able to be loaded.
> >
> > What could be causing the issue?
> >
> > I remember that there wasn't this problem when I tried the same thing in Solr 6
> > and even Solr 7.1.
>
> I've fought a bit to get Solr running on a single instance with SSL, so
> I can imagine that ZK might be an issue for you.
>
> Can you describe how each server's truststores and keystores are
> configured? Are you using client-validated servers (e.g. one-way TLS
> like you would with most public web sites) or are you using
> mutual-authentication where the server is also checking the client's
> certificate?
>
> -chris
>
>
