Renewing SSL certificate on Apache Solr server

Steps:

  1. SSH into the server.
  2. Upload the private key and the renewed certificate as a full chain (the leaf certificate followed by the intermediate CA certificates; the leaf on its own will not do, because clients that do not fetch intermediates themselves cannot build a trust path to it), e.g. STAR_example_com.key and STAR_example_com_fullchain.pem. Copy them with scp into a directory only your own user can read; the key file is a secret. If you are unsure, check out my earlier article on Things to watch out for when renewing SSL certificates.
  3. Find the location(s) for the Solr service configuration file solr.in.sh by running sudo find / -name "solr.in.sh" 2>/dev/null. The output may be something like:

          /home/ubuntu/solr.in.sh
          /opt/solr-8.1.1/bin/solr.in.sh
          /etc/default/solr.in.sh
        
  4. The above point is mainly to show that there can be multiple config files. To pinpoint the correct configuration file, run sudo service solr status. There will be a line that looks like: “Loaded: loaded (/etc/init.d/solr; bad; vendor preset: enabled)”. Open up /etc/init.d/solr and find the variable SOLR_ENV. The line will look like SOLR_ENV="/etc/default/solr.in.sh", in which case the correct config file will be /etc/default/solr.in.sh.
  5. Open up the config file, e.g. sudo vi /etc/default/solr.in.sh, and look for the SSL-related system properties. Take note of the key store location and password. The password is stored in clear text here, so solr.in.sh should be readable only by root and the Solr service user. A sample is shown below with the key store at /home/ubuntu/STAR_example_com.keystore.jks and password being mysecret. Note that the same file is used as the trust store; with both client-auth settings false, the trust store is not used to authenticate incoming connections, so replacing the key store is the only change needed:

          SOLR_SSL_KEY_STORE=/home/ubuntu/STAR_example_com.keystore.jks
          SOLR_SSL_KEY_STORE_PASSWORD=mysecret
          SOLR_SSL_KEY_STORE_TYPE=JKS
          SOLR_SSL_TRUST_STORE=/home/ubuntu/STAR_example_com.keystore.jks
          SOLR_SSL_TRUST_STORE_PASSWORD=mysecret
          SOLR_SSL_TRUST_STORE_TYPE=JKS
          SOLR_SSL_NEED_CLIENT_AUTH=false
          SOLR_SSL_WANT_CLIENT_AUTH=false
        
  6. Run keytool -list -v -keystore /home/ubuntu/STAR_example_com.keystore.jks (enter the store password when prompted) to see information for the current SSL certificate. Note the alias name and the “Valid from ... until” line so you can compare them against the new store later.
  7. Create a .p12 (PKCS12) file, which bundles the private key with the certificate chain, by running openssl pkcs12 -export -in STAR_example_com_fullchain.pem -inkey STAR_example_com.key -out STAR_example_com.p12. At the “Enter Export Password” prompt, key in the same password used in the config file, in this case mysecret. The password has to match because keytool carries the .p12 password over as the key password inside the JKS, and Solr's Jetty configuration sets no separate key password, so it unlocks the key with SOLR_SSL_KEY_STORE_PASSWORD; a mismatch only shows up as a failure when Solr restarts.
  8. Replace the keystore:

    • Back up the current keystore, e.g. cp -p /home/ubuntu/STAR_example_com.keystore.jks /home/ubuntu/STAR_example_com.keystore.jks.backup20200621.
    • Create the new keystore in a fresh file rather than importing into the live one, so that no entry for the old certificate is carried over (if the old and new entries have different aliases they both stay in the store and you depend on Jetty picking the right one): keytool -importkeystore -srckeystore STAR_example_com.p12 -srcstoretype PKCS12 -destkeystore /home/ubuntu/STAR_example_com.keystore.jks.new -deststoretype JKS.
    • At the “Enter destination keystore password” prompt, key in the same password as the config file.
    • At the “Enter source keystore password” prompt, key in the export password for the .p12 file.
    • Check the new store with keytool -list -v -keystore /home/ubuntu/STAR_example_com.keystore.jks.new (the “Valid from ... until” line should show the new dates), then move it over the old one with mv /home/ubuntu/STAR_example_com.keystore.jks.new /home/ubuntu/STAR_example_com.keystore.jks, keeping the owner and permissions the old file had so the Solr service user can still read it.
  9. Restart the Solr service: sudo service solr restart. Warning: this may take up to half an hour, during which you may get “Connection refused” errors when trying to access the server. You can test access by running curl --verbose https://solr.example.com:8983; in the verbose output check the “expire date” and “issuer” lines under “Server certificate”, so you confirm the renewed certificate is actually being served and not just that the connection succeeds.
  10. Once everything is OK, remove the .p12, private key and certificate chain files from the server; the .p12 contains the private key under the same password, so treat it like the key file. Keep the keystore readable only by the Solr service user, and delete the backup keystore once you are sure you will not need to roll back, since it still holds the old private key.
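The whole procedure above as one script, written for this page as an added example and not taken from the original article or from Solr itself. It assumes the same paths as the text (/etc/default/solr.in.sh, STAR_example_com_fullchain.pem, STAR_example_com.key; all overridable through environment variables), that openssl and a JDK keytool are on the PATH, and that it runs with enough privilege to read solr.in.sh and replace the keystore. Beyond the steps in the text, it checks that the chain has intermediates and that the key matches the leaf before anything is exported, builds the new store in a fresh file, passes the password through the environment rather than argv, and after the restart compares the fingerprint of the certificate Solr serves with the new leaf:

```shell
#!/bin/sh
# Added example (not from the original article): renew the Solr JKS keystore
# from a renewed full-chain PEM and its private key, with the checks that catch
# the usual mistakes before Solr is restarted. Paths are assumptions; override via env.
set -eu

CONF=${SOLR_CONF:-/etc/default/solr.in.sh}              # file named by SOLR_ENV in /etc/init.d/solr
NEW_CHAIN=${NEW_CHAIN:-STAR_example_com_fullchain.pem}  # leaf followed by intermediates
NEW_KEY=${NEW_KEY:-STAR_example_com.key}

# Read one SOLR_SSL_* assignment from solr.in.sh without sourcing the file
# (commented-out sample lines are skipped; the last assignment wins).
conf_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Number of certificates in a PEM bundle. A full chain has at least two
# (leaf plus intermediate); a bare leaf is the classic renewal mistake.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# The first certificate in the chain and the key must carry the same public key;
# otherwise the PKCS12 export still succeeds but Jetty cannot use the entry.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

renew_keystore() {
  ks=$(conf_value "$CONF" SOLR_SSL_KEY_STORE)
  SOLR_KS_PW=$(conf_value "$CONF" SOLR_SSL_KEY_STORE_PASSWORD)
  export SOLR_KS_PW   # handed to openssl/keytool via env, not argv, so it is not visible in ps

  [ "$(count_certs "$NEW_CHAIN")" -ge 2 ] || { echo "$NEW_CHAIN has no intermediates" >&2; return 1; }
  cert_key_match "$NEW_CHAIN" "$NEW_KEY"   || { echo "key does not match certificate" >&2; return 1; }

  p12=$(mktemp)   # mktemp creates the file with mode 0600
  # Same password for the .p12 and the JKS: keytool carries the source key password
  # over as the destination key password, and Solr unlocks the key with
  # SOLR_SSL_KEY_STORE_PASSWORD, so the two must not differ.
  openssl pkcs12 -export -in "$NEW_CHAIN" -inkey "$NEW_KEY" -name solr \
    -out "$p12" -passout env:SOLR_KS_PW

  # Build the new store in a fresh file instead of importing into the live one,
  # so no entry for the old certificate survives the swap.
  rm -f "$ks.new"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env SOLR_KS_PW \
    -destkeystore "$ks.new" -deststoretype JKS -deststorepass:env SOLR_KS_PW
  keytool -list -v -keystore "$ks.new" -storepass:env SOLR_KS_PW | grep -E 'Alias name|Valid from'

  backup="$ks.backup$(date +%Y%m%d)"
  cp -p "$ks" "$backup"
  chown --reference="$ks" "$ks.new"   # keep the owner/perms the Solr user relies on
  chmod --reference="$ks" "$ks.new"
  mv "$ks.new" "$ks"
  rm -f "$p12"
  echo "keystore replaced; old copy at $backup. Now run: sudo service solr restart"
}

# After the restart: SHA-256 fingerprint of the cert Solr actually serves vs the new leaf.
verify_served_cert() {   # $1 = host:port, e.g. solr.example.com:8983
  served=$(printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  expected=$(openssl x509 -in "$NEW_CHAIN" -noout -fingerprint -sha256)
  [ "$served" = "$expected" ] && echo "serving the new certificate: $served"
}

case "${1:-}" in
  renew)  renew_keystore ;;
  verify) verify_served_cert "${2:-solr.example.com:8983}" ;;
esac
```

Usage: sudo sh renew_solr_cert.sh renew, then sudo service solr restart, then sh renew_solr_cert.sh verify solr.example.com:8983. The verify step is the one worth keeping around: a successful TLS handshake only proves some certificate is served, and comparing fingerprints is what proves it is the renewed one.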