> In local with just certificate and one domain name the SSL communication
> worked. With multiple DNS and 2 certificates SSL fails with below exception.

A client keystore by definition can only have a single certificate. A server keystore can have multiple certificates. The reason being is that a client can only be identified by a single certificate.

Can you share more details about specifically what your solr.in.sh configs look like related to keystore/truststore and which files? Specifically highlight which files have multiple certificates in them.

It looks like for the Solr internal http client, the client keystore has more than one certificate in it and the error is correct. This is more strict with recent versions of Jetty 9.4.x. Previously this would silently fail, but was still incorrect. Now the error is bubbled up so that there is no silent misconfigurations.

Kevin Risden

On Mon, Jul 13, 2020 at 4:54 PM Natarajan, Rajeswari <rajeswari.natara...@sap.com> wrote:

> I looked at the patch mentioned in the JIRA
> https://issues.apache.org/jira/browse/SOLR-14105 reporting the below
> issue. I looked at the solr 8.5.1 code base, I see the patch is applied.
> But still seeing the same exception with different stack trace. The
> initial exception stacktrace was at
>
>     at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>
> Now the exception we encounter is at httpsolrclient creation
>
> Caused by: java.lang.RuntimeException: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>     at org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:223)
>
> I commented the JIRA also. Let me know if this is still an issue.
>
> Thanks,
> Rajeswari
>
> On 7/13/20, 2:03 AM, "Natarajan, Rajeswari" <rajeswari.natara...@sap.com> wrote:
>
>     Re-sending to see if anyone encountered had this combination and
>     encountered this issue. In local with just certificate and one domain name
>     the SSL communication worked. With multiple DNS and 2 certificates SSL
>     fails with below exception.
>     Below JIRA says it is fixed for Http2SolrClient, wondering if this is
>     fixed for http1 solr client as we pass -Dsolr.http1=true .
>
>     Thanks,
>     Rajeswari
>
>     https://issues.apache.org/jira/browse/SOLR-14105
>
>     On 7/6/20, 10:02 PM, "Natarajan, Rajeswari" <rajeswari.natara...@sap.com> wrote:
>
>         Hi,
>
>         We are using Solr 8.5.1 in cloud mode with Java 8. We are
>         enabling TLS with http1 (as we get a warning java 8 + solr 8.5 SSL can’t
>         be enabled) and we get below exception
>
>         2020-07-07 03:58:53.078 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>             at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
>             at org.apache.solr.core.CoreContainer.load(CoreContainer.java:647)
>             at org.apache.solr.servlet.SolrDispatchFilter.createCoreContainer(SolrDispatchFilter.java:263)
>             at org.apache.solr.servlet.SolrDispatchFilter.init(SolrDispatchFilter.java:183)
>             at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:134)
>             at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:751)
>             at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
>             at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
>             at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
>             at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
>             at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:744)
>             at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:360)
>             at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1445)
>             at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1409)
>             at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:822)
>             at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275)
>             at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:46)
>             at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:188)
>             at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:513)
>             at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:154)
>             at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:173)
>             at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:447)
>             at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:66)
>             at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:784)
>             at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:753)
>             at org.eclipse.jetty.util.Scanner.scan(Scanner.java:641)
>             at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:540)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:146)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:599)
>             at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:249)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>             at org.eclipse.jetty.server.Server.start(Server.java:407)
>             at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>             at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:100)
>             at org.eclipse.jetty.server.Server.doStart(Server.java:371)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$0(XmlConfiguration.java:1888)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1837)
>             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>             at java.lang.reflect.Method.invoke(Method.java:498)
>             at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
>             at org.eclipse.jetty.start.Main.start(Main.java:491)
>             at org.eclipse.jetty.start.Main.main(Main.java:77)
>         Caused by: java.lang.RuntimeException: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>             at org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:223)
>             at org.apache.solr.client.solrj.impl.Http2SolrClient.<init>(Http2SolrClient.java:153)
>             at org.apache.solr.client.solrj.impl.Http2SolrClient$Builder.build(Http2SolrClient.java:832)
>             at org.apache.solr.handler.component.HttpShardHandlerFactory.init(HttpShardHandlerFactory.java:321)
>             at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:51)
>             ... 50 more
>         Caused by: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>             at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1273)
>             at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1255)
>             at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>             at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>             at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>             at org.eclipse.jetty.client.HttpClient.doStart(HttpClient.java:244)
>             at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>             at org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:221)
>             ... 54 more
>
>         I see that there is a below bug for this issue and is resolved.
>         So I am not sure what will the cause of the issue.
>
>         https://issues.apache.org/jira/browse/SOLR-14105
>
>         Thanks,
>         Rajeswari
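
The keystore check the reply at the top of this thread asks for, as an added example that is not part of the original messages or of Solr or Jetty: it reads `keytool -list` output and reports whether the keystore holds exactly one key entry. It assumes English keytool output and that the "certificates" in the reply correspond to `PrivateKeyEntry` aliases; the sample listing, aliases and fingerprints are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the key entries in a keystore.
# Assumes English `keytool -list` output and that the "certificates" in the
# reply correspond to PrivateKeyEntry aliases; trustedCertEntry is ignored.

# Constructed sample output for a keystore with two key pairs (made-up values).
sample_two_keys() {
cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

solr-dns-a, Jul 6, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:00:00:00 (constructed)
solr-dns-b, Jul 6, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:11:11:11 (constructed)
internal-ca, Jul 6, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22 (constructed)
EOF
}

# Print the alias of every PrivateKeyEntry found in keytool output on stdin.
key_aliases() {
    awk -F', ' '/, PrivateKeyEntry,/ { print $1 }'
}

# Exit 0 when stdin describes a keystore with exactly one key entry, which is
# what the reply requires of a client keystore; otherwise list the aliases.
check_client_keystore() {
    aliases=$(key_aliases)
    count=$(printf '%s\n' "$aliases" | grep -c . || true)
    if [ "$count" -eq 1 ]; then
        echo "OK: single key entry ($aliases)"
        return 0
    fi
    echo "FAIL: $count key entries, expected exactly 1:" >&2
    printf '%s\n' "$aliases" | sed 's/^/  /' >&2
    return 1
}

# Real use (path and password variable are placeholders):
#   keytool -list -keystore /path/to/client-keystore -storepass "$PASS" \
#       | check_client_keystore
sample_two_keys | check_client_keystore || true
```

Run it against each keystore file referenced from solr.in.sh to see which one carries more than one key entry.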