
I have an SSL-only website hosted on a CentOS 7, Apache httpd based server. SSL certification is via a Let's Encrypt certificate. The domain has an HTTP Strict Transport Security (HSTS) policy.

I am also running Apache Solr (indexing; search) as a backend server, secured with a self-signed SSL certificate. However, all web browsers reject the self-signed certificate:

"The certificate is not trusted because it is self-signed. ... Accept the risk and continue. ..."

I need to manually add a security exemption / bypass in the browser, before I am able to login to the Solr Admin UI (on the Solr port).

  • The common way to expose internal web services to the internet is not to have it listen directly on the internet address but to keep it only on localhost. Then use the main server on port 443 with a proper certificate as a reverse proxy for the internal service and maybe also add additional restrictions inside the reverse proxy to restrict access to the internal service – Steffen Ullrich Aug 26 '22 at 22:04
  • Why can't you use the same certificate for another service? As I understood, both are located on the same machine. – Nikita Kipriyanov Aug 27 '22 at 17:21
  • Update: detailed instructions on installing a Let's Encrypt signed SSL certificate posted here (me): https://gist.github.com/victoriastuart/4a73d3d5e9abef27802075e59d6280d6 – Victoria Stuart Aug 31 '22 at 15:17

1 Answer


As indicated by the error message, your HSTS configuration prevents access to the service.

While it might be possible to set up the HSTS configuration so that it wouldn't be applied to the Solr endpoint, you would still have issues connecting because the certificate is self-signed.

To properly address this, you need to implement a reverse proxy.

Tero Kilkanen
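The reverse-proxy setup recommended in the answer and in Steffen Ullrich's comment, as an added example (not code from the question or the answer): Apache httpd 2.4 on CentOS 7 terminates TLS with the existing Let's Encrypt certificate and forwards /solr to a Solr instance that only listens on loopback. The vhost name example.com, the certificate paths, the Solr port 8983, the admin network 203.0.113.0/24 and the htpasswd path are assumptions.

```apache
# Added example: Apache httpd as TLS-terminating reverse proxy in front of Solr.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers (shipped with CentOS 7 httpd).
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    # Let's Encrypt default layout (assumed path)
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # HSTS can stay: browsers only ever see the publicly trusted certificate,
    # never Solr's self-signed one, so no security exception is needed.
    Header always set Strict-Transport-Security "max-age=63072000"

    # Restrict the Solr admin UI/API to administrators before proxying.
    <Location "/solr">
        # Source-address allow-list (203.0.113.0/24 is a documentation range, placeholder).
        Require ip 203.0.113.0/24
        # Alternative or additional control: HTTP basic auth over TLS.
        # AuthType Basic
        # AuthName "Solr admin"
        # AuthUserFile /etc/httpd/conf/solr.htpasswd   (assumed path)
        # Require valid-user
    </Location>

    # Forward proxying must stay off; only the explicit ProxyPass below is allowed.
    ProxyRequests Off
    ProxyPreserveHost On
    # Solr is reachable only on 127.0.0.1, so plain HTTP on loopback is acceptable
    # and Solr's own self-signed TLS can be switched off (SOLR_SSL_ENABLED=false).
    ProxyPass        /solr http://127.0.0.1:8983/solr
    ProxyPassReverse /solr http://127.0.0.1:8983/solr
</VirtualHost>
```

On the Solr side, bind Jetty to loopback (SOLR_JETTY_HOST="127.0.0.1" in /etc/default/solr.in.sh on releases that support it) or block port 8983 in firewalld, so the only path to Solr is through the proxy's access controls.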