This tutorial provides a comprehensive guide to securing Apache Solr with an SSL certificate from Let’s Encrypt, a free and automated certificate authority. By following these steps, you will enable Solr to operate over HTTPS, ensuring encrypted communication. This guide assumes you are using a Linux server (Ubuntu/Debian) with Apache Solr and Apache2 web server already installed.
Prerequisites
- A server running Ubuntu/Debian with Apache Solr installed.
- Apache2 web server installed and configured.
- A registered domain name pointing to your server’s public IP.
- Root or sudo access to the server.
- Basic familiarity with terminal commands.
Step 1: Install Certbot
Certbot is the tool used to obtain and manage Let’s Encrypt SSL certificates.
- Update the package list:
sudo apt update
- Install Certbot and the Apache plugin:
sudo apt install certbot python3-certbot-apache -y
Step 2: Obtain the SSL Certificate
Use Certbot to generate an SSL certificate for your domain.
- Run Certbot to request a certificate, replacing solr.yourdomain.com with your actual domain:
sudo certbot --apache -d solr.yourdomain.com
- Follow the prompts:
- Provide an email address for renewal notifications.
- Agree to the terms of service.
- Choose whether to redirect HTTP traffic to HTTPS (recommended).
- Certbot will generate and store the certificate files in /etc/letsencrypt/live/solr.yourdomain.com/.
Step 3: Configure Apache Solr for SSL
Solr typically runs as a standalone service, but to enable SSL, you need to configure it to use the certificate and private key from Let’s Encrypt.
- Locate Solr’s configuration: Solr’s configuration files are usually in /opt/solr or the directory where Solr is installed. The main configuration file is solr.in.sh (or solr.in.cmd on Windows).
- Edit solr.in.sh: Open the file, typically located at /opt/solr/bin/solr.in.sh:
sudo nano /opt/solr/bin/solr.in.sh
- Add SSL settings: Add or modify the following lines to enable SSL and point to the Let’s Encrypt certificate. Solr’s embedded Jetty server loads Java keystores (JKS or PKCS12) rather than PEM files, so the settings reference a PKCS12 keystore built from privkey.pem and fullchain.pem in /etc/letsencrypt/live/solr.yourdomain.com/:
# /path/to/solr-keystore.p12 is a placeholder for the location of that keystore
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/path/to/solr-keystore.p12
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_KEY_STORE_PASSWORD=your_keystore_password
SOLR_SSL_TRUST_STORE=/path/to/solr-keystore.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE_PASSWORD=your_truststore_password
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
- Replace solr.yourdomain.com with your domain.
- Set your_keystore_password and your_truststore_password to secure passwords (you can generate random passwords if needed). Both settings point at the same keystore file here, so they take the same password.
- Save and exit: Save the file and exit the editor.
Step 4: Configure Apache2 for Proxying
Since Solr runs on its own server (default port 8983), you can use Apache2 as a reverse proxy to handle SSL and forward requests to Solr.
- Enable Apache modules: Ensure the required Apache modules are enabled:
sudo a2enmod proxy proxy_http ssl rewrite
- Create a virtual host configuration: Create a new configuration file for Solr:
sudo nano /etc/apache2/sites-available/solr.conf
- Add the virtual host configuration:
<VirtualHost *:443>
    ServerName solr.yourdomain.com
    ProxyPreserveHost On
    # These backend URLs are plain HTTP. With SOLR_SSL_ENABLED=true (Step 3) Solr
    # answers only HTTPS on port 8983; proxying to an HTTPS backend requires
    # https:// URLs here together with SSLProxyEngine On.
    ProxyPass /solr http://localhost:8983/solr
    ProxyPassReverse /solr http://localhost:8983/solr
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/solr.yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/solr.yourdomain.com/privkey.pem
    ErrorLog ${APACHE_LOG_DIR}/solr_error.log
    CustomLog ${APACHE_LOG_DIR}/solr_access.log combined
</VirtualHost>
- Replace solr.yourdomain.com with your domain.
- The ProxyPass directive forwards requests to Solr’s default port (8983).
- Enable the site:
sudo a2ensite solr.conf
- Restart Apache:
sudo systemctl restart apache2
Step 5: Restart Solr
Apply the SSL configuration by restarting Solr:
sudo systemctl restart solr
If Solr is not running as a service, stop and start it manually:
/opt/solr/bin/solr stop
/opt/solr/bin/solr start
Step 6: Test the Configuration
- Open a browser and navigate to https://solr.yourdomain.com/solr. You should see the Solr Admin interface over HTTPS.
- Verify the SSL certificate by clicking the padlock icon in your browser to ensure it is issued by Let’s Encrypt.
- If you encounter issues, check the Apache logs:
sudo tail -f /var/log/apache2/solr_error.log
- Check Solr logs, typically in /var/solr/logs/solr.log.
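A command-line version of the padlock check in Step 6, as an added example (not part of the original tutorial): it compares the certificate an endpoint actually serves with the one Certbot has on disk and checks that it is not close to expiry. The function names and the 14-day threshold are assumptions; the host and path in the usage comment are the tutorial's placeholders.

```shell
#!/bin/sh
# Added example: confirm that a TLS endpoint serves the certificate Certbot
# has on disk and that the certificate is not about to expire.
set -eu

# fingerprint_of_pem FILE: SHA-256 fingerprint of the first certificate in FILE
# (for fullchain.pem that is the leaf certificate).
fingerprint_of_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# days_valid FILE DAYS: true if the certificate is still valid DAYS from now.
days_valid() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# fetch_served_cert HOST PORT OUTFILE: save the leaf certificate the server presents.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# check_endpoint HOST PORT LIVE_CERT
# Returns 0 if the served certificate matches LIVE_CERT and is valid for 14
# more days, 1 if it differs or is expiring, 2 if no certificate was obtained.
check_endpoint() {
    served=$(mktemp)
    fetch_served_cert "$1" "$2" "$served" || { rm -f "$served"; return 2; }
    rc=0
    [ "$(fingerprint_of_pem "$served")" = "$(fingerprint_of_pem "$3")" ] || rc=1
    days_valid "$served" 14 || rc=1
    rm -f "$served"
    return "$rc"
}

# Usage, once per listener (443 for Apache, 8983 for Solr's own HTTPS port):
# check_endpoint solr.yourdomain.com 443 /etc/letsencrypt/live/solr.yourdomain.com/fullchain.pem
```

A result of 1 right after a renewal usually means the service has not been restarted and still holds the previous certificate.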
Step 7: Automate Certificate Renewal
Let’s Encrypt certificates expire every 90 days, but Certbot can automate renewals.
- Test the renewal process:
sudo certbot renew --dry-run
- Certbot’s renewal job is usually set up automatically as a systemd timer. Verify it:
sudo systemctl status certbot.timer
- After renewal, restart Apache and Solr to apply the new certificate:
sudo systemctl restart apache2
sudo systemctl restart solr
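Steps 3 and 7 combined, as an added example (not part of the original tutorial): a Certbot deploy hook that rebuilds a PKCS12 keystore for Solr from the renewed PEM files and then restarts both services, so the restart does not depend on someone remembering it. Solr's embedded Jetty loads Java keystores (JKS or PKCS12) rather than PEM files; the keystore path, the password file and the function names are assumptions.

```shell
#!/bin/sh
# Added example: Certbot deploy hook. Certbot runs executables placed in
# /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal and sets
# RENEWED_LINEAGE to the renewed certificate's live directory.
set -eu

# Assumed locations (placeholders, not from the tutorial).
KEYSTORE=${KEYSTORE:-/path/to/solr-keystore.p12}
# One-line file, mode 600, holding the SOLR_SSL_KEY_STORE_PASSWORD value.
PASS_FILE=${PASS_FILE:-/path/to/solr-keystore.pass}

# keystore_is_stale LIVE_DIR KEYSTORE
# True when the keystore is missing or older than the certificate chain.
keystore_is_stale() {
    [ ! -f "$2" ] || [ "$1/fullchain.pem" -nt "$2" ]
}

# build_keystore LIVE_DIR KEYSTORE PASS_FILE
# Bundle privkey.pem and fullchain.pem into a PKCS12 keystore, written to a
# temporary file first so Solr never sees a half-written keystore.
build_keystore() {
    tmp=$(mktemp "$2.XXXXXX")            # created with mode 600
    if ! openssl pkcs12 -export -name solr-ssl \
            -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
            -passout "file:$3" -out "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Let the Solr service account read it through its group, if it exists.
    if id solr >/dev/null 2>&1; then
        chgrp solr "$tmp"
        chmod 640 "$tmp"
    fi
    mv -f "$tmp" "$2"
}

# Act only when Certbot invokes the hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if keystore_is_stale "$RENEWED_LINEAGE" "$KEYSTORE"; then
        build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$PASS_FILE"
    fi
    systemctl restart apache2
    systemctl restart solr
fi
```

Reading the password with `file:` keeps it out of the process list, and keeping the keystore outside /etc/letsencrypt means the Solr account needs no access to the private key file itself.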
Troubleshooting Tips
- Certificate errors: Ensure the domain points to your server’s IP and that port 443 is open in your firewall.
- Solr not accessible: Verify that Solr is running (sudo systemctl status solr) and that the proxy settings in Apache are correct.
- Permission issues: Ensure the Solr user has read access to the certificate files:
sudo chown solr:solr /etc/letsencrypt/live/solr.yourdomain.com/*
sudo chmod 640 /etc/letsencrypt/live/solr.yourdomain.com/*
Conclusion
You have successfully configured Apache Solr to use a Let’s Encrypt SSL certificate, securing communication over HTTPS. Regular maintenance includes monitoring certificate renewals and ensuring Solr and Apache services are running smoothly.