Skip to main content
Sign in

Adding self-signed certs to the keystore so that you can connect Web / Sharepoint connector using https links

  • Updated

Issue

How can I add self-signed certs to the Keystore so that you can connect Web/Sharepoint connectors using https links? 

 

Environment

Fusion 4

Note: This document is for Fusion 4. For Fusion 5, follow the instructions outlined here: https://doc.lucidworks.com/how-to/931/deploy-fusion-at-scale#custom-certs

 

Resolution

 If you are crawling a SharePoint that is SSL protected you might hit this handshake error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

The solution is to save the SSL certificate to an X.509 .pem file and then add it to the keystore.

First, we need to get the certificate.

 

Generating the certificate on Linux command line

openssl s_client -servername remote.server.net -connect remote.server.net:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >$fusion_home/apps/jetty/connectors/etc/yourcertname.crt
 

This will generate a .crt file in $fusion_home/apps/jetty/connectors/etc/yourcertname.crt

 

Generating the certificate using Firefox web browser

Navigate to the https://sharepointhost


Click on the lock Icon on the top left of the screen:

pasted_image_0.pngpasted_image_0__1_.png

pasted_image_0__2_.png

pasted_image_0__3_.png

pasted_image_0__4_.png

pasted_image_0__5_.png

 

Save the file into

$fusion_home/apps/jetty/connectors/etc/yourcertname.crt

 

Generating the certificate using Chrome web browser

Since Chrome version 56, you do the following: go to the Three Dots Menu -> More Tools -> Developer Tools, then click on the Security Tab. This will give you a Security Overview with a View certificate button.

pasted_image_0__6_.png

pasted_image_0__7_.png

pasted_image_0__8_.png

pasted_image_0__9_.png

 

Save the file into

$fusion_home/apps/jetty/connectors/etc/yourcertname.crt

 

Generating the certificate using powershell

 

$fusion_home = c:\your\fusion\install\directory

$webRequest = [Net.WebRequest]::Create("https://your-hostname")

try { $webRequest.GetResponse() } catch {}

$cert = $webRequest.ServicePoint.Certificate

$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)

set-content -value $bytes -encoding byte -path "$fusion_home\apps\jetty\connectors\etc\yourcertname.binary.crt"

certutil -encode "$fusion_home\apps\jetty\connectors\etc\yourcertname.binary.crt" "$fusion_home\apps\jetty\connectors\etc\yourcertname.crt"

rm "$fusion_home\apps\jetty\connectors\etc\yourcertname.binary.crt" -f

 

This will generate a .crt file in $fusion_home\apps\jetty\connectors\etc\yourcertname.crt

 

Now that we have generated the x.509 base64 crt file, we need to add it to a keystore that is loaded on the Connectors JVM.

 

To do this we have two options:

Option 1: Import the certificate into the JRE default cacerts

This option will import the certificate into the JRE’s cacerts file.

 

keytool -import -alias root -keystore jre\lib\security\cacerts -file $fusion_home/apps/jetty/connectors/etc/keystore -storepass changeit

 

Option 2: Generate a keystore and import the certificate

This option will create a fresh keystore file and will import the certificate into it. Use this when option 1 is not an option.

 

Use this option when you cannot add a certificate to the cacerts in the JVM. Create a JKS keystore and import the cert. To do this you use the keytool.

 

Linux:

 

$JAVA_HOME/bin/keytool -import -alias yourcertname -file $fusion_home/apps/jetty/connectors/etc/yourcertname.crt -keystore $fusion_home/apps/jetty/connectors/etc/keystore -storepass changeit

 

Windows:

 

%JAVA_HOME\bin\keytool.exe -import -alias yourcertname -file "%FUSION_HOME%\apps\jetty\connectors\etc\yourcertname.crt -keystore "%FUSION_HOME%\apps\jetty\connectors\etc\keystore -storepass "changeit"

 

Now add the trust store to the connectors JVM

 

Now Edit $fusion_home/conf/fusion.properties

And add the following to the system properties:

 

-Djavax.net.ssl.trustStore=YOUR_FUSION_HOME/apps/jetty/connectors/etc/keystore -Djavax.net.ssl.trustStorePassword=changeit

 

Example for linux would be:

 

connectors.jvmOptions=-Xmx1g -Xss256k -Dcom.lucidworks.connectors.pipelines.embedded=false -Djavax.net.ssl.trustStore=/home/ndipiazza/fusion/3.1.2/apps/jetty/connectors/etc/keystore -Djavax.net.ssl.trustStorePassword=changeit

 

Example for Windows would be: (IMPORTANT! You must escape your backslashes in fusion.properties because it is a Java properties file so \ must be escaped.):

 

connectors.jvmOptions=-Xmx1g -Xss256k -Dcom.lucidworks.connectors.pipelines.embedded=false -Djavax.net.ssl.trustStore=\"c:\\Users\\ndipiazza\\Downloads\\fusion\\3.1.2\\apps\\jetty\\connectors\\etc\\keystore\" -Djavax.net.ssl.trustStorePassword=\"changeit\"

 

Restart connectors and test

 

Now that the Connectors JVM has the certificate in its keystore, restart Connectors.

If you continue to get an error like this: java.io.IOException: Hostname 'your.domain.com' was not verified

Then check on the “Avoid SSL Hostname Verification” checkbox in the connector.


 

Related articles

Powered by Zendesk