TL;DR

Set up SSL on SOLR 6 - now when curling the instance, I get the following error

```
$ curl -u username:password "https://fake.org:8983/solr/name/select?q=*:*&wt=json&indent=on"

curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

Deets

I have been trying to set up SSL on SOLR 6 using the official documentation here

Once I start SOLR with the SSL properties set, I can connect to it via curl the following way and this yields me accurate results.

```
curl -u username:password "https://localhost:8983/solr/name/select?q=*:*&wt=json&indent=on" -k --verbose
```

However, if I remove the -k flag from my curl command, I get the following error

```
$ curl -u username:password "https://fake.org:8983/solr/name/select?q=*:*&wt=json&indent=on" --verbose
* About to connect() to domain port 8983 (#0)
*   Trying 127.0.0.1...
* Connected to fake.org (127.0.0.1) port 8983 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=fake.org,OU=XX,O=XXX,L=XXX,ST=XXX,C=XX
*   start date: Oct 03 10:02:10 2019 GMT
*   expire date: Feb 17 10:02:10 2047 GMT
*   common name: fake.org
*   issuer: CN=fake.org,OU=XX,O=XXX,L=XXX,ST=XXX,C=XX
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
$
```

Now, something tells me I have to get a .crt file to be trusted by a keystore, but I am not sure what crt file that is.

  • What are you trying to get to trust your Solr installation? If you're making `curl` trust it - is that the only place you're going to make requests from? – MatsLindh Oct 04 '19 at 08:17
  • Could it be that you get a warning because you are using a self-signed certificate? What happens if you go to URL `https://fake.org:8983/solr/name/select?q=*:*&wt=json&indent=on` in the browser and inspect the certificate as indicated on this other question https://stackoverflow.com/questions/18964175/how-to-fix-curl-60-ssl-certificate-invalid-certificate-chain ? – Hector Correa Oct 04 '19 at 15:51
  • You would need to have a proper certificate (not self-signed) to avoid this error – Mysterion Oct 11 '19 at 15:15

0 Answers
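An added example, not part of the original thread: an offline reproduction of the situation in the verbose output above, where the server certificate's subject and issuer are the same name and the CA bundle does not contain it. It assumes the `openssl` CLI is installed; the certificates, file names and the `unrelated-ca.example` name (standing in for `ca-bundle.crt`) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every certificate here is a throwaway, constructed locally.

# Create a self-signed certificate and key for the given CN.
make_self_signed() {  # $1 = CN, $2 = output path prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# True when subject and issuer are the same name and the signature
# verifies under the certificate's own public key.
is_self_signed() {  # $1 = PEM certificate
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the certificate verifies against the given PEM bundle.
trusted_by() {  # $1 = PEM certificate, $2 = PEM CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# One-line verdict for a certificate checked against a bundle.
diagnose() {  # $1 = PEM certificate, $2 = PEM CA bundle
    if trusted_by "$1" "$2"; then
        echo "trusted"
    elif is_self_signed "$1"; then
        echo "self-signed, not in bundle"
    else
        echo "issuer not in bundle"
    fi
}

work=$(mktemp -d)
make_self_signed fake.org "$work/server"              # plays the Solr certificate
make_self_signed unrelated-ca.example "$work/bundle"  # plays ca-bundle.crt
echo "against the stand-in bundle: $(diagnose "$work/server.pem" "$work/bundle.pem")"
echo "against its own PEM file:    $(diagnose "$work/server.pem" "$work/server.pem")"
rm -rf "$work"
```

A PEM file for which `diagnose` prints `trusted` is the kind of alternate bundle that curl's error text says to supply with `--cacert`, in place of turning verification off with `-k`.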