References:
Steps:
- SSH into the server.
- Upload the private key for the renewed SSL certificate as well as the updated certificate chain (just the primary certificate for the domain will not do), e.g. `STAR_example_com.key` and `STAR_example_com_fullchain.pem`. If you are unsure, check out my earlier article on Things to watch out for when renewing SSL certificates.
- Find the location(s) for the Solr service configuration file `solr.in.sh` by running `sudo find / -name "solr.in.sh" 2>/dev/null`. The output may be something like:

  ```
  /home/ubuntu/solr.in.sh
  /opt/solr-8.1.1/bin/solr.in.sh
  /etc/default/solr.in.sh
  ```

- The above point is mainly to show that there can be multiple config files. To pinpoint the correct configuration file, run `sudo service solr status`. There will be a line that looks like: “Loaded: loaded (/etc/init.d/solr; bad; vendor preset: enabled)”. Open up `/etc/init.d/solr` and find the variable `SOLR_ENV`. The line will look like `SOLR_ENV="/etc/default/solr.in.sh"`, in which case the correct config file will be `/etc/default/solr.in.sh`.
- Open up the config file, e.g. `sudo vi /etc/default/solr.in.sh`, and look for the SSL-related system properties. Take note of the key store location and password. A sample is shown below with the key store at `/home/ubuntu/STAR_example_com.keystore.jks` and the password being `mysecret`:

  ```
  SOLR_SSL_KEY_STORE=/home/ubuntu/STAR_example_com.keystore.jks
  SOLR_SSL_KEY_STORE_PASSWORD=mysecret
  SOLR_SSL_KEY_STORE_TYPE=JKS
  SOLR_SSL_TRUST_STORE=/home/ubuntu/STAR_example_com.keystore.jks
  SOLR_SSL_TRUST_STORE_PASSWORD=mysecret
  SOLR_SSL_TRUST_STORE_TYPE=JKS
  SOLR_SSL_NEED_CLIENT_AUTH=false
  SOLR_SSL_WANT_CLIENT_AUTH=false
  ```

- Run `keytool -list -v -keystore /home/ubuntu/STAR_example_com.keystore.jks` to see information for the current SSL certificate.
- Create a `.p12` file (this contains the public key, private key and owner information) by running `openssl pkcs12 -export -in STAR_example_com_fullchain.pem -inkey STAR_example_com.key -out STAR_example_com.p12`. At the “Enter Export Password” prompt, key in the same password used in the config file, in this case `mysecret`.
- Renew the keystore:
  - Backup the current keystore, e.g. `cp /home/ubuntu/STAR_example_com.keystore.jks /home/ubuntu/STAR_example_com.keystore.jks.backup20200621`.
  - Create the new keystore by running `keytool -importkeystore -srckeystore STAR_example_com.p12 -srcstoretype PKCS12 -destkeystore /home/ubuntu/STAR_example_com.keystore.jks -deststoretype JKS`.
  - At the “Enter destination keystore password” prompt, key in the same password as the config file.
  - At the “Enter source keystore password” prompt, key in the export password for the `.p12` file.
- Restart the Solr service: `sudo service solr restart`. Warning: this may take up to half an hour, during which you may get “Connection refused” errors when trying to access the server. You can test access by running `curl --verbose https://solr.example.com:8983`.
- Once everything is ok, remove the p12, private key and certificate chain files from the server.
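The procedure above, collected into one script as an added example (not from the original post): it resolves the active config the way steps 3 to 5 do, refuses to touch the keystore unless the uploaded file is a full chain whose leaf matches the private key, and then performs the backup, import and cleanup. File names follow the post; `renewed.p12` and the `SOLR_PASS` environment variable are this script's own.

```sh
#!/bin/sh
# Added example, not from the original post: resolve the active Solr config, read
# the keystore settings from it, check the renewed certificate and key before the
# keystore is touched, then import. Paths follow the post (STAR_example_com.*).
set -eu

# Steps 3-4: the init script names the active config in a line SOLR_ENV="...".
solr_env_from_init() {            # $1 = path to /etc/init.d/solr (or a copy)
  sed -n 's/^SOLR_ENV=//p' "$1" | head -n1 | tr -d '"'
}

# Step 5: read one variable (e.g. SOLR_SSL_KEY_STORE) from solr.in.sh.
# Commented-out lines are skipped; the last assignment wins, as in the shell.
solr_setting() {                  # $1 = solr.in.sh path, $2 = variable name
  sed -n "s/^$2=//p" "$1" | tail -n1 | tr -d '"'
}

# Number of certificates in a PEM bundle; a full chain has more than one.
chain_length() {                  # $1 = PEM file
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Pre-flight for step 7: refuse a bare leaf certificate, and refuse a key that
# does not belong to the certificate (public-key comparison, so RSA or EC).
preflight() {                     # $1 = fullchain.pem, $2 = private key
  [ "$(chain_length "$1")" -ge 2 ] || { echo "not a full chain: $1" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -enddate       # new expiry, for the change record
}

# Steps 7-8: build the PKCS#12, back up the keystore, import, then show the new
# validity. The password goes through the environment rather than the command
# line, so it does not show up in "ps" output for other local users.
renew_keystore() {                # $1 = solr.in.sh, $2 = fullchain.pem, $3 = key
  store=$(solr_setting "$1" SOLR_SSL_KEY_STORE)
  SOLR_PASS=$(solr_setting "$1" SOLR_SSL_KEY_STORE_PASSWORD); export SOLR_PASS
  preflight "$2" "$3"
  openssl pkcs12 -export -in "$2" -inkey "$3" -out renewed.p12 -passout env:SOLR_PASS
  cp "$store" "$store.backup$(date +%Y%m%d)"
  keytool -importkeystore -noprompt -srckeystore renewed.p12 -srcstoretype PKCS12 \
    -srcstorepass:env SOLR_PASS -destkeystore "$store" -deststoretype JKS \
    -deststorepass:env SOLR_PASS
  keytool -list -v -keystore "$store" -storepass:env SOLR_PASS | grep -i 'until'
  rm -f renewed.p12                           # step 11: no key material left behind
}
# Usage: sh renew_solr_cert.sh /etc/default/solr.in.sh STAR_example_com_fullchain.pem STAR_example_com.key
if [ $# -eq 3 ]; then renew_keystore "$1" "$2" "$3"; fi
```

Restart Solr afterwards as in step 10; the `keytool -list` line printed before the restart is the quickest way to confirm the new "until" date went in.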