Why Won't You Just Die? How to Update a SOLR Certificate and Deal With Stuck Services

In this example I'm replacing a small QA environment's SOLR 8.11.2 certificate. You'll see that I had an issue with the one provided to me, so I just wound up making a new one as it's only available locally and the system is not publicly accessible.


Replacing Your SOLR Certificate

OK, let's start with the easy part, or so I thought. In this lower environment I didn't have to worry about uptime, so I just stopped my service. This is just habit and I'm not sure it's needed.

net stop qasolr-8.11.2

The next step was to open c:\solr\solr-8.11.2\server\etc\ and drop the new .pfx file in there.

Finally (yes, it's this fast), I opened the solr.in.cmd file in c:\solr\solr-8.11.2\bin\ and scrolled way to the bottom to edit the important bits, replacing:

set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_TRUST_STORE_PASSWORD=secret

with 

set SOLR_SSL_KEY_STORE=C:\Solr\qasolr-8.11.2\server\etc\qa-solr-cert.pfx
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_KEY_STORE_TYPE=PKCS12
set SOLR_SSL_TRUST_STORE=C:\Solr\qasolr-8.11.2\server\etc\qa-solr-cert.pfx
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE_TYPE=PKCS12

The cert's password is “secret”, if that wasn't obvious. It'll be important in a minute.

After you've saved the file, you can restart SOLR with:

net start qasolr-8.11.2

Once started I checked https://qa.mydomain.ca:8983/solr/#/, but the certificate was invalid. At this point stopping the SOLR service to edit settings wasn't happening. We got a problem.


How to Get the Service to Stop

One surefire way to stop a service is to use taskkill, but you need the PID of the instance first.

sc queryex qasolr-8.11.2

Next:

taskkill /f /pid 2192

Great, we can continue right? Wrong. When I tried to start SOLR again I received the following error:


The qasolr-8.11.2 service terminated with the following service-specific error: 
Incorrect function.


It turns out killing java.exe when you're this stuck is needed as well:

taskkill /im java.exe /f


Fine, I'll Do It Myself

I tried several times to figure out what was wrong with the certificate I was provided, but in the end I just made one myself, remembering to keep the password as secret (no special characters allowed):

New-SelfSignedCertificate `
  -Subject "QA Certificate" `
  -DnsName "*.mydomain.ca" `
  -CertStoreLocation "cert:\LocalMachine\My" `
  -KeyAlgorithm RSA `
  -KeyLength 2048 `
  -KeyExportPolicy Exportable `
  -NotAfter (Get-Date).AddYears(10)

Once generated, this new certificate should be imported into the trusted store and exported as a .pfx to replace the file above. It did the trick and my browser test had a valid https connection!
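
The export, trust-store import and a pre-restart check for that last step, as an added PowerShell example that is not from the original post. It assumes an elevated session, that the certificate is found by its subject CN=QA Certificate, and a temporary .cer file under %TEMP%; the .pfx path, host name and password are the ones used earlier in the post.

```powershell
# Added example. Path, host name and password come from the post;
# the subject lookup and the temporary .cer path are assumptions.
$pfxPath  = 'C:\Solr\qasolr-8.11.2\server\etc\qa-solr-cert.pfx'
$hostName = 'qa.mydomain.ca'
$password = ConvertTo-SecureString -String 'secret' -AsPlainText -Force

# Newest certificate created by the New-SelfSignedCertificate call above.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=QA Certificate' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'CN=QA Certificate not found in Cert:\LocalMachine\My' }

# 1. Write the key pair to the .pfx that solr.in.cmd points at.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# 2. Trust only the public certificate; the private key stays out of the Root store.
$cerPath = Join-Path $env:TEMP 'qa-solr-cert.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $cerPath

# 3. Re-open the file the way Solr will (path + password) and check it.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)
$sanMatch = @($leaf.DnsNameList.Unicode | Where-Object {
    if ($_.StartsWith('*.')) {
        # A wildcard covers exactly one label: compare everything after the first dot.
        $hostName.Substring($hostName.IndexOf('.')) -eq $_.Substring(1)
    } else { $_ -eq $hostName }
}).Count -gt 0

$result = [pscustomobject]@{
    HasPrivateKey = $leaf.HasPrivateKey
    NotExpired    = $leaf.NotAfter -gt (Get-Date)
    NameMatches   = $sanMatch
    ChainTrusted  = [bool](Test-Certificate -Cert $leaf -Policy SSL -DNSName $hostName `
                        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
}
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    throw 'Certificate check failed; fix it before running: net start qasolr-8.11.2'
}
```

Running the step 3 checks against any supplied .pfx before restarting the service shows whether the file opens with the configured password, carries a private key and covers the host name, which avoids starting SOLR on a certificate the browser will reject.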