Generate trusted local SSL cert for Solr
# Usage:
# This script is designed to be run after you have Solr running locally without SSL
# It will generate a trusted, self-signed certificate for LOCAL DEV (this must be modified for production)
# Notes: The keystore must be under server/etc on Solr root, and MUST be named solr-ssl.keystore.jks
# The cert will be added to locally trusted certs, so no security warnings in browsers
# You must still reconfigure Solr to use the keystore and restart it after running this script
#
# THIS SCRIPT REQUIRES WINDOWS 10 (for the SSL trust); without 10 remove the lines around trusting the cert.
# License: MIT
.\solrssl.ps1 -KeystoreFile C:\Solr\apache-solr\server\etc\solr-ssl.keystore.jks
param(
    [string]$KeystoreFile = 'solr-ssl.keystore.jks',
    [string]$KeystorePassword = 'secret',
    [string]$SolrDomain = 'localhost',
    [switch]$Clobber
)

$ErrorActionPreference = 'Stop'

### PARAM VALIDATION

if($KeystorePassword -ne 'secret') {
    Write-Error 'The keystore password must be "secret", because Solr apparently ignores the parameter'
}

if((Test-Path $KeystoreFile)) {
    if($Clobber) {
        Write-Host "Removing $KeystoreFile..."
        Remove-Item $KeystoreFile
    } else {
        $KeystorePath = Resolve-Path $KeystoreFile
        Write-Error "Keystore file $KeystorePath already existed. To regenerate it, pass -Clobber."
    }
}

$P12Path = [IO.Path]::ChangeExtension($KeystoreFile, 'p12')
if((Test-Path $P12Path)) {
    if($Clobber) {
        Write-Host "Removing $P12Path..."
        Remove-Item $P12Path
    } else {
        $P12Path = Resolve-Path $P12Path
        Write-Error "Keystore file $P12Path already existed. To regenerate it, pass -Clobber."
    }
}

try {
    # .Path instead of .Source: .Source is empty on PowerShell versions before 5,
    # which leaves $keytool null and makes the '&' calls below fail
    $keytool = (Get-Command 'keytool.exe').Path
} catch {
    $keytool = Read-Host "keytool.exe not on path. Enter path to keytool (found in JRE bin folder)"

    if([string]::IsNullOrEmpty($keytool) -or -not (Test-Path $keytool)) {
        Write-Error "Keytool path was invalid."
    }
}

### DOING STUFF

Write-Host ''
Write-Host 'Generating JKS keystore...'
# Self-signed RSA 2048 key pair; the SAN covers the Solr host name and 127.0.0.1
& $keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass $KeystorePassword -storepass $KeystorePassword -validity 9999 -keystore $KeystoreFile -ext SAN=DNS:$SolrDomain,IP:127.0.0.1 -dname "CN=$SolrDomain, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"

Write-Host ''
Write-Host 'Generating .p12 to import to Windows...'
& $keytool -importkeystore -srckeystore $KeystoreFile -destkeystore $P12Path -srcstoretype jks -deststoretype pkcs12 -srcstorepass $KeystorePassword -deststorepass $KeystorePassword

Write-Host ''
Write-Host 'Trusting generated SSL certificate...'
# Imports the certificate together with its private key into the machine-wide
# Trusted Root store (requires an elevated session); local dev only
$secureStringKeystorePassword = ConvertTo-SecureString -String $KeystorePassword -Force -AsPlainText
$root = Import-PfxCertificate -FilePath $P12Path -Password $secureStringKeystorePassword -CertStoreLocation Cert:\LocalMachine\Root
Write-Host 'SSL certificate is now locally trusted. (added as root CA)'

Write-Host ''
Write-Host '########## NEXT STEPS ##########' -ForegroundColor Green
Write-Host ''
Write-Host '1. Copy your keystore to $SOLR_HOME\server\etc (MUST be here)' -ForegroundColor Green

if(-not $KeystoreFile.EndsWith('solr-ssl.keystore.jks')) {
    Write-Warning 'Your keystore file is not named "solr-ssl.keystore.jks"'
    Write-Warning 'Solr requires this exact name, so make sure to rename it before use.'
}

$KeystorePath = Resolve-Path $KeystoreFile

Write-Host ''
Write-Host '2. Add the following lines to your solr.in.cmd:' -ForegroundColor Green
Write-Host ''
Write-Host "set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_KEY_STORE_PASSWORD=$KeystorePassword" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_TRUST_STORE_PASSWORD=$KeystorePassword" -ForegroundColor Yellow
Write-Host ''
Write-Host 'Done!'
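
The script above leaves a self-signed certificate, with its private key and a 9999-day validity, in the machine-wide Trusted Root store. The following is an added example, not part of the gist, for listing what was imported and removing it once the dev instance is retired; the -Remove switch is a hypothetical name, and matching on the CN assumes the script's default -dname layout.

```powershell
# Added example, not part of the gist. Run elevated: LocalMachine\Root needs admin rights.
param(
    [string]$SolrDomain = 'localhost',   # same default as the gist's -SolrDomain
    [switch]$Remove                      # hypothetical switch: delete the entries found
)

$ErrorActionPreference = 'Stop'

# A self-signed certificate has Subject equal to Issuer; the gist's -dname starts with CN=<domain>
$found = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -like "CN=$SolrDomain,*" -and $_.Subject -eq $_.Issuer
})

if ($found.Count -eq 0) {
    Write-Host "No self-signed root entry for CN=$SolrDomain found."
    return
}

# Review before removing anything: HasPrivateKey is True for entries imported from the .p12
$found | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey | Format-List

if ($Remove) {
    foreach ($cert in $found) {
        if ($cert.HasPrivateKey) {
            # -DeleteKey also deletes the private key stored alongside the certificate
            Remove-Item -Path $cert.PSPath -DeleteKey
        } else {
            Remove-Item -Path $cert.PSPath
        }
        Write-Host "Removed $($cert.Thumbprint) from LocalMachine\Root"
    }
}
```

Run it once without -Remove and check the thumbprints, since any other self-signed root whose subject starts with the same CN would also match.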

michaellwest commented Aug 3, 2017

Fantastic! Thanks for sharing.

viniciusdeschamps commented Aug 4, 2017

Cool stuff! Thanks

kevinobee commented Aug 9, 2017

Nice work @kamsar

himadric commented Oct 24, 2017

Awesome. Thanks!!

jitendrasoni commented Oct 28, 2017

Fantastic! Thanks.

kistva commented Nov 7, 2017

Thanks a lot @kamsar
Saved a lot of work

JagatheeshMenon commented Nov 10, 2017

Hi
Not sure what mistake I have done, I am getting the below error.

PS C:\sitecore> .\solr-ssl.ps1 -keystoreFile C:\solr-6.6.2\server\etc\solr-ssl.keystore.jks

Generating JKS keystore...
The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command
name, a script block, or a CommandInfo object.
At C:\sitecore\solr-ssl.ps1:50 char:3

+ & $keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass $Keyst ...
    + CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : BadExpression
    
eliyasnaswale commented Jan 8, 2018

This was quick, really good! Thanks.

SoulOfUniverse commented Jan 11, 2018

Correct your script to:
Write-Host "set SOLR_SSL_KEY_STORE=etc/$KeystoreFile" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_KEY_STORE_PASSWORD=$KeystorePassword" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_TRUST_STORE=etc/$KeystoreFile" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_TRUST_STORE_PASSWORD=$KeystorePassword" -ForegroundColor Yellow

Otherwise the keyFileName specified doesn't match your report for Solr config settings.

Owner

kamsar commented Jan 11, 2018

@SoulOfUniverse the lack of variable was intentional, because Solr will not use a keystore with any other name or path.

SoulOfUniverse commented Jan 12, 2018

@kamsar yes, already noticed that. It just confused me initially: when I specify a different name for the certificate it still forces use of the default one, but it's more for the path to be correctly identified and the file to be created.

IamSportan commented Jan 25, 2018

Hi, @JagatheeshMenon,

I am also getting the same error that you posted; could you please let me know how you got it fixed?

for @ALL:

I am getting this below error, any turn around would be highly appreciated!
Generating JKS keystore...
The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command
name, a script block, or a CommandInfo object.
At C:\sitecore\solr-ssl.ps1:50 char:3

Thanks in advance!

roccas86 commented Jan 30, 2018

Hello,

This script doesn't work for me either.

PS C:\sitecore\install> .\solrssl.ps1 -KeystoreFile C:\sitecore\solr-6.6.2\server\etc\solr-ssl.keystore.jks

Generating JKS keystore...
The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command name,
a script block, or a CommandInfo object.
At C:\sitecore\install\solrssl.ps1:50 char:3

+ & $keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass $Keyst ...
    + CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : BadExpression
    
nsrivastava17 commented Feb 5, 2018

Hi @kamsar,
Facing the same issue as mentioned above
Generating JKS keystore...
The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command name,
a script block, or a CommandInfo object.
At C:\sitecore\install\solrssl.ps1:50 char:3

+ & $keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass $Keyst ...
    + CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : BadExpression

I am using Windows Server 2012 R2.
Any help would be much appreciated.

DheerajP commented Feb 6, 2018

Am I missing something?

keytool.exe : Importing keystore C:\solr-6.6.1\server\etc\solr-ssl.keystore.jks to C:\solr-6.6.1\server\etc\solr-ssl.keystore.p12...
At C:\solr-6.6.1\solrssl.ps1:54 char:1

+ & $keytool -importkeystore -srckeystore $KeystoreFile -destkeystore $ ...
    + CategoryInfo          : NotSpecified: (Importing keyst...keystore.p12...:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    
mnadirkhan commented Feb 8, 2018

Hi,

I am getting the following error message:
Trusting generated SSL certificate...
Import-PfxCertificate : The PFX file could not be found.
At D:\cms\sc9\solrssl.ps1:59 char:9

+ $root = Import-PfxCertificate -FilePath $P12Path -Password $secureStr ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Import-PfxCertificate], FileNotFoundException
    + FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.CertificateServices.Commands.ImportPfxCertificate

Any help?

nsrivastava17 commented Feb 12, 2018

The issue got resolved. I was facing it because I was using v4 PowerShell. Updated PS to 5.2 and it worked.

matyas-p commented Apr 30, 2018

Just in case it would help somebody:

  • I was trying to get it to work on Windows 8.1
  • As in the comments in anexample.ps1, I removed the lines around trusting the cert => SSL didn't work for Solr
  • Then I added the removed lines back to see if that would fix it => worked.

salmansh8 commented Aug 10, 2018

Folks, I'm having trouble running this script. I tried at least 4 different machines. When I try to run this script, I get the following error:

Generating JKS keystore...
keytool.exe :
At D:\solrssl.ps1:50 char:1

+ & $keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -key ...
    + CategoryInfo          : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    
    

Can anyone please help?
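
The BadExpression reports in this thread say the expression after '&' (here $keytool) did not hold a command, and the NativeCommandError reports carry keytool's own stderr text as the error message. As an added example, not part of the gist, one way to resolve keytool explicitly and judge each run by its exit code rather than by stderr; Resolve-Keytool, Invoke-Keytool and the JAVA_HOME fallback are assumptions of this example.

```powershell
# Added example, not part of the gist. Function names are hypothetical.
function Resolve-Keytool {
    # .Path is populated for executables on PowerShell versions before 5 as well
    $cmd = Get-Command 'keytool.exe' -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Path }

    # Assumption: a JRE/JDK is installed and JAVA_HOME points at it
    if ($env:JAVA_HOME) {
        $candidate = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
        if (Test-Path $candidate) { return $candidate }
    }
    throw 'keytool.exe was not found on PATH or under JAVA_HOME\bin.'
}

function Invoke-Keytool {
    param(
        [Parameter(Mandatory = $true)][string]$Keytool,
        [Parameter(Mandatory = $true)][string[]]$Arguments
    )
    # keytool reports progress on stderr. With 'Stop' in effect, hosts that wrap
    # stderr in error records abort on the first line, so relax it for this call only.
    $ErrorActionPreference = 'Continue'
    $output = & $Keytool @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "keytool exited with code $LASTEXITCODE`n$($output -join "`n")"
    }
    return $output
}

$keytool = Resolve-Keytool
Write-Host "PowerShell $($PSVersionTable.PSVersion), keytool at $keytool"

# Inspect the keystore the gist produces (file name and password are the script's defaults)
$listing = Invoke-Keytool -Keytool $keytool -Arguments @(
    '-list', '-v', '-keystore', 'solr-ssl.keystore.jks', '-storepass', 'secret'
)
# Expect the solr-ssl alias, the validity window and both SAN entries
$listing | Select-String 'Alias name|Valid from|DNSName|IPAddress'
```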
