Skip to main content
Sign in

Resolve trust relationship errors with Solr SSL/TLS connections

  • Updated

Issue

When connecting to a Solr 7.4 standalone server using SSL, the following errors may appear in client applications:

  • The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

  • The remote certificate is invalid according to the validation procedure.

These errors typically occur when attempting to connect to a Solr server configured with a self-signed SSL certificate.

 

Diagnosis

To verify whether this issue applies:

  • Access the Solr Admin UI in a browser. If a certificate warning is shown, the certificate is not trusted by the system.

  • Attempt to connect to Solr using the application. If the error occurs during an HTTPS request, such as at .GetRequestStream() in VB.NET, it indicates a trust failure in the SSL handshake.

  • Confirm that Solr is using HTTPS in its solr.in.cmd or solr.sh.cmd configuration files and that the certificate has not expired.

 

Environment

Solr 7.4
Windows Server environment with VB.NET client application

 

Cause

These trust-related SSL/TLS errors typically result from one or more of the following:

  • A self-signed SSL certificate that is not trusted by the client machine.

  • The certificate is installed but not placed into the Trusted Root Certification Authorities store on Windows.

  • The Solr URL used by the client is HTTP instead of HTTPS, leading to handshake mismatches.

  • Firewall or proxy configurations that block or interfere with SSL traffic.

 

Resolution

Install the SSL certificate in the Windows trusted root certificate store

  1. Open certmgr.msc (Windows Certificate Manager).

  2. In the left pane, select Trusted Root Certification Authorities.

  3. In the right pane, right-click and select All Tasks > Import.

  4. Follow the wizard to import the self-signed certificate used by Solr.

  5. Complete the wizard and restart the application or Solr process.

Note: Ensure that the certificate matches the domain used in the Solr URL (e.g., hostname or IP address).

 

Confirm the Solr client uses HTTPS

Ensure the Solr connection URL defined in your application configuration (e.g., Web.config) begins with https:// and matches the domain in the certificate. Example:

<add key="SolrServerUrl" value="https://your-solr-hostname:8984/solr" />

 

Enable SSL in Solr (if not already configured)

Make sure SOLR_SSL_ENABLED=true is uncommented in the Solr startup configuration file (e.g., solr.in.cmd or solr.sh.cmd).

set SOLR_SSL_ENABLED=true

 

(Optional) Increase Solr startup timeout

If Solr fails to come online due to SSL initialization delay, modify the timeout in solr.in.cmd:

set SOLR_START_WAIT=60

This increases the startup wait time from the default 30 seconds to 60 seconds.

 

Confirm firewall and network access

Ensure that the server’s firewall rules allow inbound and outbound HTTPS traffic (typically on port 8983 or 8984, depending on configuration).

 

 

 

 

 

 

Related articles

Powered by Zendesk