... but as I recall Solr complained that the certificate wasn't in the correct (PKCS12) format.
I am running into issues with the (Solr) self-signed certificate being rejected by web browsers ( net::ERR_CERT_AUTHORITY_INVALID ), preventing me from accessing Solr as a backend server on my SSL-only domain. [I configured an Apache httpd reverse proxy, but this issue appears to be the blocking step.]
"... So we've generated the certificates in the previous step, however Certbot creates them in PEM format which Solr doesn't like. So first up we need to convert them to PKCS12 format and we do that with the following commands:
Now what we're doing here is firstly concatenating the certificate chain generated by LetsEncrypt into a single PEM format certificate, we're then taking that newly concatenated certificate and using openssl to generate a new certificate in the PKCS12 format that we need."
Yeah, that does not make sense. In the /live/ folder are 4 files. One is named fullchain.pem and already is the full concatenated chain. By doing that cat you are also placing your privkey.pem and two extra, unneeded cert fragments in that file. It's possible you are now sending out your private key to every client. That's a huge no-no and if true is cause for your cert to be revoked (I don't know solr well enough to say for sure).
In short, that blog is a bad example. The thread below is better.
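As an added example (not code from the thread or from the blog being discussed), the following POSIX shell script makes the point above checkable: it audits a PEM bundle for a stray private-key block before anything is exported to PKCS12, and shows the export form in which the chain and the key are passed to openssl separately, so the key only ever lands encrypted inside the PKCS12 store. The sample PEM files are constructed placeholders, and the function names (`audit_chain`, `export_pkcs12`, etc.), the keystore name `solr` and the temp directory layout are assumptions, not Certbot or Solr conventions.

```shell
#!/bin/sh
# Added example: audit a certificate bundle before building a PKCS12 keystore.
# The failure mode from the thread: `cat` over everything in /live/ drops
# privkey.pem into the "chain" file that is later handed out to clients.

# count_certs FILE -> number of CERTIFICATE blocks in the file
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# has_private_key FILE -> exit 0 if any PRIVATE KEY block is present
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# audit_chain FILE -> prints "ok" for a certificate-only bundle,
# "LEAKS_KEY" (and returns 1) when a private key is mixed in
audit_chain() {
    if has_private_key "$1"; then
        echo "LEAKS_KEY"
        return 1
    fi
    echo "ok"
}

# The export that does not need any concatenation: fullchain.pem is already
# the full chain, and the key goes in through -inkey. Requires openssl.
# (Hypothetical wrapper; LIVE_DIR is the Certbot /live/<domain>/ directory.)
export_pkcs12() {
    live="$1"; out="$2"; pass="$3"
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" \
        -inkey "$live/privkey.pem" \
        -out "$out" -name solr -passout "pass:$pass"
}

# Constructed sample input (placeholder bodies, no real key material):
# a two-cert fullchain.pem, a privkey.pem, and the bundle the blog's
# `cat` approach would produce. Prints the directory it created.
mk_samples() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...leaf placeholder...\n-----END CERTIFICATE-----\n' > "$dir/fullchain.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...intermediate placeholder...\n-----END CERTIFICATE-----\n' >> "$dir/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIE...key placeholder...\n-----END PRIVATE KEY-----\n' > "$dir/privkey.pem"
    cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$dir/blog_bundle.pem"
    echo "$dir"
}

# Stand-alone run: audit both bundles and report.
if [ "${1:-}" = "demo" ]; then
    d=$(mk_samples)
    echo "fullchain.pem:   $(count_certs "$d/fullchain.pem") certs, $(audit_chain "$d/fullchain.pem")"
    echo "blog_bundle.pem: $(count_certs "$d/blog_bundle.pem") certs, $(audit_chain "$d/blog_bundle.pem")"
    rm -rf "$d"
fi
```

Run `sh audit.sh demo` to see the constructed fullchain.pem pass and the concatenated bundle flagged. The same `audit_chain` check can be pointed at a real `fullchain.pem` (or at any PEM a client is about to receive) before `export_pkcs12` is called; a bundle that reports `LEAKS_KEY` should not be deployed anywhere.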
I think you are missing the point of SSL certificates with Solr. They are not just used to encrypt the connection, but they are also used for Authentication. Self-signed certificates work exceptionally well in these situations, and this security model is used extensively throughout open source and commercial projects.
"I think you are missing the point of SSL certificates with Solr. They are not just used to encrypt the connection, but they are also used for Authentication. Self-signed certificates work exceptionally well in these situations, and this security model is used extensively throughout open source and commercial projects."
No, I'm not. Solr uses Basic Authentication, configured separately / independently from the SSL certificate. As I indicated at the start, the Solr self-signed certificate was blocking web browsers from accessing Solr on my domain.
No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access.
Even if these measures or others are taken, it is strongly recommended that Solr always be protected by a firewall. Solr is not designed to be exposed on the open internet.
There is no real reason or benefit to using a Public (LetsEncrypt) Certificate with Solr vs using a self-signed Certificate, as any person/service using Solr should have access to the full self-signed certificate and be able to install it onto their local trust store.