lucene-dev mailing list archives
From Erick Erickson <>
Subject Re: Solr TLS/SSL key alias configuration (with patch to come)
Date Wed, 31 Oct 2018 14:51:29 GMT
There's no reason I can imagine not to open a JIRA,
basically anyone willing to create a patch has my vote!

bq. I'm a bit worried that adding certAlias to jetty-ssl.xml might break
existing setups which don't use an alias.

Probably just add a note to the upgrade section of CHANGES.txt,
unless others disagree. I confess knowing very little about the
mechanics here.

BTW, I don't know if you're familiar with asciidoc, but in case not, I
wanted to mention that there's an IntelliJ (and, I assume, Eclipse)
plugin showing you the rendering, and you can also use Atom.

On Wed, Oct 31, 2018 at 7:41 AM Bram Van Dam <> wrote:
> Hey folks,
> Context:
> There's a jetty-ssl.xml config file which configures Jetty's
> SslContextFactory using properties set in, but it's
> incomplete for some purposes.
> Problem:
> I've noticed that no "certAlias" property is present. This means that
> when Jetty starts, it will pick an arbitrary (based on some internal
> order, I guess?) key from the keystore to use. This is fine when you're
> only using your keystore for Solr and it only contains one key, but it
> makes life a lot more complicated in environments where keystores are
> managed and distributed to servers automagically.
> When you add a key to the keystore, you can assign an alias. Jetty can
> then use the key with that alias by means of its certAlias config property.
> The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
> the key, but as far as I can tell this alias isn't actually used or
> referenced anywhere else.
> Solution:
> I'm currently dealing with a slightly more complicated TLS setup, so I
> propose I patch jetty-ssl.xml,|cmd and enabling-ssl.adoc to
> (optionally) use the alias? Unless someone can think of a reason why I
> shouldn't do this?
> I'm a bit worried that adding certAlias to jetty-ssl.xml might break
> existing setups which don't use an alias, but I'm guessing that only
> keystores with more than one key will be affected?
>  - Bram
> [1]

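A check that turns the concern in this thread into something you can run before deploying, added here as an example and not code from the thread or from Solr: it parses `keytool -list` output for private-key entries and a Jetty XML fragment for a `CertAlias` setting, then flags the case where the keystore holds several keys but no alias is configured (Jetty would then pick one itself). The keytool output and XML fragments are constructed; Solr's actual jetty-ssl.xml fills its values from system properties.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `keytool -list -keystore <store>` output (not from the thread).
KEYTOOL_LIST = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

solr-ssl, Oct 31, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
internal-ca, Oct 31, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
legacy-web, Jan 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA
"""

# Constructed Jetty XML fragments (hypothetical; Solr's real jetty-ssl.xml
# takes these values from system properties rather than literals).
JETTY_SSL_NO_ALIAS = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">etc/solr-ssl.keystore.p12</Set>
  </New>
</Configure>"""
JETTY_SSL_WITH_ALIAS = JETTY_SSL_NO_ALIAS.replace(
    "</New>", '  <Set name="CertAlias">solr-ssl</Set>\n  </New>')

# One keytool entry line looks like: "<alias>, <date>, <entry type>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .*, (?P<type>\w+Entry),?\s*$")

def private_key_aliases(keytool_output):
    """Aliases of PrivateKeyEntry items, in the order keytool lists them."""
    return [m.group("alias") for m in map(ENTRY_RE.match, keytool_output.splitlines())
            if m and m.group("type") == "PrivateKeyEntry"]

def configured_cert_alias(jetty_xml):
    """CertAlias set on the SslContextFactory <New> element, or None if absent."""
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class", "").endswith("SslContextFactory"):
            for s in new.findall("Set"):
                if s.get("name") == "CertAlias":
                    return (s.text or "").strip() or None
    return None

def check_key_selection(keytool_output, jetty_xml):
    """Classify how Jetty will pick its server key from this keystore/config pair."""
    keys = private_key_aliases(keytool_output)
    alias = configured_cert_alias(jetty_xml)
    if alias is None:
        # No certAlias: with several private keys Jetty chooses one on its own.
        return ("ambiguous" if len(keys) > 1 else "ok", keys)
    if alias not in keys:
        return ("missing-alias", alias)  # configured alias is not in the keystore
    return ("ok", alias)
```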