Note: This document is for Fusion 4. For Fusion 5, follow the instructions outlined here: https://doc.lucidworks.com/how-to/931/deploy-fusion-at-scale#custom-certs
Issue:
How can I add self-signed certs to the Keystore so that you can connect Web/Sharepoint connectors using https links?
Environment:
Fusion 4.X
Note: These Instructions do not apply to Fusion 5
Resolution:
If you are crawling a SharePoint that is SSL protected you might hit this handshake error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The solution is to save the server's certificate as a PEM-encoded X.509 file and then add it to a keystore the Connectors JVM trusts. First, we need to get the certificate.
Generating the certificate on Linux command line
openssl s_client -servername remote.server.net -connect remote.server.net:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >$fusion_home/apps/jetty/connectors/etc/yourcertname.crt
This will generate a .crt file in $fusion_home/apps/jetty/connectors/etc/yourcertname.crt (the sed expression keeps only the PEM block from the s_client output).
Generating the certificate using Firefox web browser
Navigate to https://sharepointhost and click on the lock icon on the top left of the screen:
Save the file into $fusion_home/apps/jetty/connectors/etc/yourcertname.crt
Generating the certificate using Chrome web browser
Since Chrome version 56, go to the three-dots menu -> More Tools -> Developer Tools, then click on the Security tab. This shows a Security Overview with a View certificate button.
Save the file into $fusion_home/apps/jetty/connectors/etc/yourcertname.crt
Generating the certificate using powershell
This will generate a .crt file in $fusion_home\apps\jetty\connectors\etc\yourcertname.crt
Now that we have generated the Base64-encoded (PEM) X.509 .crt file, we need to add it to a keystore that the Connectors JVM loads as its truststore.
To do this we have two options:
Option 1: Import the certificate into the JRE default cacerts
This option imports the certificate into the cacerts file of the JRE that runs Connectors (note that installing a new JRE ships a fresh cacerts, so the import has to be repeated after an upgrade). The default cacerts password is changeit; use $JAVA_HOME/lib/security/cacerts for a stand-alone JRE:
keytool -import -alias yourcertname -keystore $JAVA_HOME/jre/lib/security/cacerts -file $fusion_home/apps/jetty/connectors/etc/yourcertname.crt -storepass changeit
Option 2: Generate a keystore and import the certificate
This option creates a fresh keystore file and imports the certificate into it. Use it when you cannot add the certificate to the JVM's cacerts. Create a JKS keystore and import the cert with keytool:
Linux:
$JAVA_HOME/bin/keytool -import -alias yourcertname -file $fusion_home/apps/jetty/connectors/etc/yourcertname.crt -keystore $fusion_home/apps/jetty/connectors/etc/keystore -storepass changeit
Windows:
"%JAVA_HOME%\bin\keytool.exe" -import -alias yourcertname -file "%FUSION_HOME%\apps\jetty\connectors\etc\yourcertname.crt" -keystore "%FUSION_HOME%\apps\jetty\connectors\etc\keystore" -storepass changeit
Now add the trust store to the Connectors JVM
Edit $fusion_home/conf/fusion.properties and add the following to the Connectors JVM system properties (connectors.jvmOptions):
-Djavax.net.ssl.trustStore=YOUR_FUSION_HOME/apps/jetty/connectors/etc/keystore -Djavax.net.ssl.trustStorePassword=changeit
Example for linux would be:
connectors.jvmOptions=-Xmx1g -Xss256k -Dcom.lucidworks.connectors.pipelines.embedded=false -Djavax.net.ssl.trustStore=/home/ndipiazza/fusion/3.1.2/apps/jetty/connectors/etc/keystore -Djavax.net.ssl.trustStorePassword=changeit
Example for Windows would be (IMPORTANT: fusion.properties is a Java properties file, so every backslash in the path must be escaped as \\):
connectors.jvmOptions=-Xmx1g -Xss256k -Dcom.lucidworks.connectors.pipelines.embedded=false -Djavax.net.ssl.trustStore=\"c:\\Users\\ndipiazza\\Downloads\\fusion\\3.1.2\\apps\\jetty\\connectors\\etc\\keystore\" -Djavax.net.ssl.trustStorePassword=\"changeit\"
Restart connectors and test
Now that the Connectors JVM has the certificate in its truststore, restart Connectors. If you continue to get an error like this:
java.io.IOException: Hostname 'your.domain.com' was not verified
then the name you connect to does not match the certificate's CN/SAN. The clean fix is a certificate issued for that host name; otherwise check the "Avoid SSL Hostname Verification" checkbox in the connector, which accepts the certificate regardless of the host name it was issued for.
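The Linux procedure above (fetch with openssl, import with keytool as in option 2, build the connectors.jvmOptions additions) as one script. This is an added example, not code from the article or from Lucidworks, and it adds one step the article does not have: the certificate's SHA-256 fingerprint is compared with a value you obtained from the SharePoint administrator out of band before it is imported, so a certificate substituted on the wire is never trusted. It assumes openssl and keytool are on PATH and that FUSION_HOME points at the Fusion 4 install directory; the alias and file names derived from the host name are my choice.

```bash
#!/usr/bin/env bash
# Added example (not from the Lucidworks article): fetch a server certificate,
# check its fingerprint, import it into a dedicated JKS truststore and print
# the -D options for connectors.jvmOptions. Needs openssl and keytool.
set -eu

# Fetch the leaf certificate presented by HOST:PORT into OUT as PEM, using the
# same openssl | sed pipeline as the article. Fails if nothing came back.
fetch_server_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$out"
    [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# Print the SHA-256 fingerprint (upper-case hex, colon separated) of a PEM cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import CRT under CERT_ALIAS into KEYSTORE (created on first use), then
# confirm with keytool -list that the alias really is in the file.
import_trusted_cert() {
    crt="$1"; cert_alias="$2"; keystore="$3"; storepass="$4"
    keytool -importcert -noprompt -alias "$cert_alias" -file "$crt" \
        -keystore "$keystore" -storepass "$storepass" -storetype JKS >/dev/null 2>&1
    keytool -list -keystore "$keystore" -storepass "$storepass" \
        -alias "$cert_alias" >/dev/null 2>&1
}

# Print the two -D options for connectors.jvmOptions. fusion.properties is a
# Java properties file, so every backslash in a Windows path is doubled.
jvm_truststore_opts() {
    keystore="$1"; storepass="$2"
    escaped=$(printf '%s' "$keystore" | sed 's/\\/\\\\/g')
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$escaped" \
        "-Djavax.net.ssl.trustStorePassword=$storepass"
}

# Usage: FUSION_HOME=/path/to/fusion ./add_cert.sh sharepointhost 443 AB:CD:...
# The third argument is the SHA-256 fingerprint obtained out of band; the
# script refuses to import a certificate that does not match it.
main() {
    host="$1"; port="$2"
    expected_fp=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    : "${FUSION_HOME:?set FUSION_HOME to the Fusion 4 install directory}"
    etc="$FUSION_HOME/apps/jetty/connectors/etc"
    crt="$etc/$host.crt"            # file and alias are named after the host (my convention)
    fetch_server_cert "$host" "$port" "$crt"
    actual_fp=$(cert_fingerprint "$crt")
    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "fingerprint mismatch for $host: got $actual_fp, expected $expected_fp" >&2
        rm -f "$crt"
        return 1
    fi
    import_trusted_cert "$crt" "$host" "$etc/keystore" changeit
    echo "Add to connectors.jvmOptions in $FUSION_HOME/conf/fusion.properties:"
    jvm_truststore_opts "$etc/keystore" changeit
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The keystore is created under apps/jetty/connectors/etc rather than in the JRE's cacerts for the reason given under option 1: it survives a JRE upgrade, and it keeps the list of extra trusted certificates in one place you can audit with keytool -list.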
Comments
And for Fusion 5:
https://doc.lucidworks.com/how-to/931/deploy-fusion-at-scale#custom-certs