Norconex / committer-solr

Solr implementation of Norconex Committer. Should also work with any Solr-based products, such as LucidWorks.
https://opensource.norconex.com/committers/solr/
Apache License 2.0

Cannot commit documents to Solr: SunCertPathBuilderException: unable to find valid certification path to requested target #13

Closed douglas-andrew-harley closed 6 years ago

douglas-andrew-harley commented 6 years ago

Hello, Upon attempting to commit documents to a SolrCloud cluster running behind an NGINX reverse proxy set up to use HTTPS, I get the exceptions below. I have added the server's wildcard cert to the cacerts truststore, and specified the required JVM args:

-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit

I can list with keytool and see my cert, and when I move the cacerts file the HTTP crawler immediately fails similarly, because the site I am crawling also runs HTTPS.

Any ideas what might be going on here? Anyone had any luck pushing to SolrCloud behind HTTPS?

Thanks, Doug

com.norconex.committer.core.CommitterException: Cannot index document batch to Solr.
        at com.norconex.committer.solr.SolrCommitter.commitBatch(SolrCommitter.java:253)
        at com.norconex.committer.core.AbstractBatchCommitter.commitAndCleanBatch(AbstractBatchCommitter.java:179)
        at com.norconex.committer.core.AbstractBatchCommitter.cacheOperationAndCommitIfReady(AbstractBatchCommitter.java:208)
        at com.norconex.committer.core.AbstractBatchCommitter.commitAddition(AbstractBatchCommitter.java:143)
        at com.norconex.committer.core.AbstractFileQueueCommitter.commit(AbstractFileQueueCommitter.java:222)
        at com.norconex.collector.core.crawler.AbstractCrawler.execute(AbstractCrawler.java:266)
        at com.norconex.collector.core.crawler.AbstractCrawler.doExecute(AbstractCrawler.java:227)
        at com.norconex.collector.core.crawler.AbstractCrawler.startExecution(AbstractCrawler.java:188)
        at com.norconex.jef4.job.AbstractResumableJob.execute(AbstractResumableJob.java:49)
        at com.norconex.jef4.suite.JobSuite.runJob(JobSuite.java:349)
        at com.norconex.jef4.suite.JobSuite.doExecute(JobSuite.java:300)
        at com.norconex.jef4.suite.JobSuite.execute(JobSuite.java:172)
        at com.norconex.collector.core.AbstractCollector.start(AbstractCollector.java:123)
        at com.norconex.collector.core.AbstractCollectorLauncher.launch(AbstractCollectorLauncher.java:80)
        at com.norconex.collector.http.HttpCollector.main(HttpCollector.java:75)
Caused by: org.apache.solr.client.solrj.SolrServerException: IOException occured when talking to server at: https://'cahpsdatabase.ahrq.gov_admin:c4hp5d4t4b4s3!'@dznixsolr1.westat.com/solr/cahpsdatabase.ahrq.gov
        at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:604)
        at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:259)
        at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:248)
        at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:149)
        at org.apache.solr.client.solrj.SolrClient.add(SolrClient.java:173)
        at org.apache.solr.client.solrj.SolrClient.add(SolrClient.java:138)
        at org.apache.solr.client.solrj.SolrClient.add(SolrClient.java:152)
        at com.norconex.committer.solr.SolrCommitter.commitBatch(SolrCommitter.java:233)
        ... 14 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:553)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:495)
        ... 21 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 39 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 45 more

douglas-andrew-harley commented 6 years ago

OK, I got this certificates issue resolved (still cannot commit files to SolrCloud yet, because of auth issues)... our IT person had given me incorrect certs, for a different tier. In the end I had to download the cert myself, and import it into the truststore using keytool. Adding this info here in case others get stuck also (replace HOSTNAME, TRUSTSTORENAME, and ALIASNAME for your values):

1) get server cert:

openssl x509 -in <(openssl s_client -connect HOSTNAME:443 -prexit 2>/dev/null) -out HOSTNAME.crt

2) import the certificate:

keytool -importcert -file HOSTNAME.crt -alias ALIASNAME -keystore TRUSTSTORENAME

Cheers, Doug
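
The two steps above trust whatever certificate the server presents at download time. The following is an added example, not part of the original comment or the Norconex project, that compares the downloaded certificate against a SHA-256 fingerprint obtained out of band (for example from the team that issued it) before importing it. The function names, the dedicated truststore path and the store password argument are assumptions.

```shell
# Added example: pin-then-import. Nothing runs until a function is called.
# Usage (placeholders, as in the steps above):
#   fetch_leaf HOSTNAME 443 HOSTNAME.crt
#   import_if_pinned HOSTNAME.crt EXPECTED_SHA256 ALIASNAME TRUSTSTORENAME STOREPASS

# Print the SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Save the leaf certificate the server presents (same effect as step 1).
# -servername sends SNI so a proxy serving several hosts returns the right cert.
fetch_leaf() {  # fetch_leaf HOST PORT OUTFILE
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$3"
}

# Succeed only if the certificate matches the expected fingerprint.
# Accepts the expected value with or without colons, in either case.
verify_pin() {  # verify_pin CERTFILE EXPECTED_SHA256
  _got=$(cert_sha256 "$1")
  [ -n "$_got" ] || return 2          # file missing or not a certificate
  _want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  [ "$_got" = "$_want" ]
}

# Import into the truststore only after the pin check passes.
import_if_pinned() {  # import_if_pinned CERTFILE EXPECTED_SHA256 ALIAS TRUSTSTORE STOREPASS
  verify_pin "$1" "$2" || {
    echo "fingerprint mismatch, not importing $1" >&2
    return 1
  }
  keytool -importcert -noprompt -file "$1" -alias "$3" \
    -keystore "$4" -storepass "$5"
}
```

Pointing TRUSTSTORENAME at a copy of cacerts used only by the crawler keeps the extra trust anchor out of the JVM-wide store.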

essiembre commented 6 years ago

Glad you found a way and thanks for sharing. Have you tried this setting as well?

<httpClientFactory>
  <trustAllSSLCertificates>true</trustAllSSLCertificates>
</httpClientFactory>

Your way of doing it is best, but that option is there if you need it.

Would you say this issue can be closed?

douglas-andrew-harley commented 6 years ago

No, I didn't try that setting...thanks though. Yes, please feel free to close.

Cheers, Doug