How to install Sitecore 9 with existing SSL certificate

You have probably already installed Sitecore 9 on your environments by following one of the many blog posts on the subject.

But it may happen that you already have an SSL certificate for your environments and want to reuse it instead of letting the scripts generate self-signed ones.

The affected places are:

  1. Installation of Solr
  2. Installation of Sitecore 9 itself

One of the places where SSL is needed is the Solr instance. Following the instructions from Jeremy Davis in his blog post, I adjusted his script to use an existing certificate by introducing a new variable

$solrNameSSL = "MySSLFriendlyName"

I then used $solrNameSSL instead of $solrName everywhere the script refers to the SSL certificate, and changed the certificate lookup so that it searches Cert:\LocalMachine\My as well as Cert:\LocalMachine\Root (the original only looked in Root).

The resulting script is below; do not forget to adjust the variables to your environment:


Param(
    $solrVersion = "6.6.2",
    $installFolder = "d:\solr",
    $solrPort = "8983",
    $solrHost = "solr",
    $solrSSL = $true,
    $nssmVersion = "2.24",
    $JREVersion = "1.8.0_151"
)

$JREPath = "C:\Program Files\Java\jre$JREVersion"
$solrName = "solr-$solrVersion"
# Friendly name of the existing certificate to reuse (looked up in LocalMachine\My and LocalMachine\Root)
$solrNameSSL = "solr"
$solrRoot = "$installFolder\$solrName"
$nssmRoot = "$installFolder\nssm-$nssmVersion"
$solrPackage = "https://archive.apache.org/dist/lucene/solr/$solrVersion/$solrName.zip"
$nssmPackage = "https://nssm.cc/release/nssm-$nssmVersion.zip"
$downloadFolder = "~\Downloads"

## Verify elevated
## https://superuser.com/questions/749243/detect-if-powershell-is-running-as-administrator
$elevated = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
if($elevated -eq $false)
{
    throw "In order to install services, please run this script elevated."
}

function downloadAndUnzipIfRequired
{
    Param(
        [string]$toolName,
        [string]$toolFolder,
        [string]$toolZip,
        [string]$toolSourceFile,
        [string]$installRoot
    )

    if(!(Test-Path -Path $toolFolder))
    {
        if(!(Test-Path -Path $toolZip))
        {
            Write-Host "Downloading $toolName"
            Start-BitsTransfer -Source $toolSourceFile -Destination $toolZip
        }

        Write-Host "Extracting $toolName to $toolFolder"
        Expand-Archive $toolZip -DestinationPath $installRoot
    }
}

# download & extract the solr archive to the right folder
$solrZip = "$downloadFolder\$solrName.zip"
downloadAndUnzipIfRequired "Solr" $solrRoot $solrZip $solrPackage $installFolder

# download & extract the nssm archive to the right folder
$nssmZip = "$downloadFolder\nssm-$nssmVersion.zip"
downloadAndUnzipIfRequired "NSSM" $nssmRoot $nssmZip $nssmPackage $installFolder

# Ensure Java environment variable
$jreVal = [Environment]::GetEnvironmentVariable("JAVA_HOME", [EnvironmentVariableTarget]::Machine)
if($jreVal -ne $JREPath)
{
    Write-Host "Setting JAVA_HOME environment variable"
    [Environment]::SetEnvironmentVariable("JAVA_HOME", $JREPath, [EnvironmentVariableTarget]::Machine)
}

# if we're using HTTP
if($solrSSL -eq $false)
{
    # Update solr cfg to use right host name
    if(!(Test-Path -Path "$solrRoot\bin\solr.in.cmd.old"))
    {
        Write-Host "Rewriting solr config"
        $cfg = Get-Content "$solrRoot\bin\solr.in.cmd"
        Rename-Item "$solrRoot\bin\solr.in.cmd" "$solrRoot\bin\solr.in.cmd.old"
        $newCfg = $cfg | % { $_ -replace "REM set SOLR_HOST=192.168.1.1", "set SOLR_HOST=$solrHost" }
        $newCfg | Set-Content "$solrRoot\bin\solr.in.cmd"
    }
}

# Ensure the solr host name is in your hosts file
if($solrHost -ne "localhost")
{
    $hostFileName = "c:\windows\system32\drivers\etc\hosts"
    $hostFile = [System.IO.File]::ReadAllText($hostFileName)
    if(!($hostFile -like "*$solrHost*"))
    {
        Write-Host "Updating host file"
        "`r`n127.0.0.1`t$solrHost" | Add-Content $hostFileName
    }
}

# if we're using HTTPS
if($solrSSL -eq $true)
{
    # Look for the existing certificate in both the personal and the trusted root store
    $existingCertMy = Get-ChildItem Cert:\LocalMachine\My | where FriendlyName -eq "$solrNameSSL"
    $existingCertRoot = Get-ChildItem Cert:\LocalMachine\Root | where FriendlyName -eq "$solrNameSSL"
    if(!($existingCertMy) -And !($existingCertRoot))
    {
        # Generate SSL cert if does not exist
        Write-Host "Creating & trusting an new SSL Cert for $solrHost"

        # Generate a cert
        # https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
        $cert = New-SelfSignedCertificate -FriendlyName "$solrNameSSL" -DnsName "$solrHost" -CertStoreLocation "cert:\LocalMachine" -NotAfter (Get-Date).AddYears(10)

        # Trust the cert
        # https://stackoverflow.com/questions/8815145/how-to-trust-a-certificate-in-windows-powershell
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root","LocalMachine"
        $store.Open("ReadWrite")
        $store.Add($cert)
        $store.Close()

        # remove the untrusted copy of the cert
        $cert | Remove-Item
    }

    # the keystore path is also needed when rewriting the config below, so define it outside the export block
    $certStore = "$solrRoot\server\etc\solr-ssl.keystore.pfx"

    # export the cert to pfx using solr's default password
    if(!(Test-Path -Path $certStore))
    {
        Write-Host "Exporting cert for Solr to use"
        $certRoot = Get-ChildItem Cert:\LocalMachine\Root | where FriendlyName -eq "$solrNameSSL"
        $certMy = Get-ChildItem Cert:\LocalMachine\My | where FriendlyName -eq "$solrNameSSL"
        $certPwd = ConvertTo-SecureString -String "secret" -Force -AsPlainText
        # prefer the copy in the personal store; fall back to the trusted root copy
        if($certMy)
        {
            $certMy | Export-PfxCertificate -FilePath $certStore -Password $certPwd | Out-Null
        }
        elseif($certRoot)
        {
            $certRoot | Export-PfxCertificate -FilePath $certStore -Password $certPwd | Out-Null
        }
    }

    # Update solr cfg to use keystore & right host name
    if(!(Test-Path -Path "$solrRoot\bin\solr.in.cmd.old"))
    {
        Write-Host "Rewriting solr config"
        $cfg = Get-Content "$solrRoot\bin\solr.in.cmd"
        Rename-Item "$solrRoot\bin\solr.in.cmd" "$solrRoot\bin\solr.in.cmd.old"
        $newCfg = $cfg | % { $_ -replace "REM set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks", "set SOLR_SSL_KEY_STORE=$certStore" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_SSL_KEY_STORE_PASSWORD=secret", "set SOLR_SSL_KEY_STORE_PASSWORD=secret" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks", "set SOLR_SSL_TRUST_STORE=$certStore" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_SSL_TRUST_STORE_PASSWORD=secret", "set SOLR_SSL_TRUST_STORE_PASSWORD=secret" }
        $newCfg = $newCfg | % { $_ -replace "REM set SOLR_HOST=192.168.1.1", "set SOLR_HOST=$solrHost" }
        $newCfg | Set-Content "$solrRoot\bin\solr.in.cmd"
    }
}

# install the service & runs
$svc = Get-Service "$solrName" -ErrorAction SilentlyContinue
if(!($svc))
{
    Write-Host "Installing Solr service"
    &"$installFolder\nssm-$nssmVersion\win64\nssm.exe" install "$solrName" "$solrRoot\bin\solr.cmd" "-f" "-p $solrPort"
    $svc = Get-Service "$solrName" -ErrorAction SilentlyContinue
}
if($svc.Status -ne "Running")
{
    Write-Host "Starting Solr service"
    Start-Service "$solrName"
}

# finally prove it's all working
$protocol = "http"
if($solrSSL -eq $true)
{
    $protocol = "https"
}
Invoke-Expression "start $($protocol)://$($solrHost):$solrPort/solr/#/"
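The script above reuses whatever certificate carries the friendly name in $solrNameSSL, but it never checks that the certificate is actually fit for Solr. The following check is an added example, not part of the original post or of Jeremy Davis's script; it assumes the same variable values as the install script (the friendly name, host, port and Solr root are hypothetical defaults) and the script's default keystore password "secret". It verifies that the certificate has a private key (without one Export-PfxCertificate fails), is currently valid, lists the Solr host name in its Subject Alternative Name, builds a trusted chain on this machine, and, once the install script has run, that the exported keystore holds the same certificate and solr.in.cmd was rewritten:

```powershell
# Added example: sanity-check an existing certificate before/after the Solr install script.
# Assumed inputs mirror the install script's variables (defaults below are placeholders).
Param(
    $solrNameSSL = "solr",
    $solrHost    = "solr",
    $solrPort    = "8983",
    $solrRoot    = "d:\solr\solr-6.6.2"
)

# Look the certificate up by friendly name in both stores the install script searches.
$cert = @(Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
          Where-Object FriendlyName -eq $solrNameSSL) | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$solrNameSSL' in LocalMachine\My or LocalMachine\Root" }

$problems = @()

# 1. The PFX export needs the private key; a certificate imported without it is useless to Solr.
if (-not $cert.HasPrivateKey) { $problems += "certificate has no private key (PFX export will fail)" }

# 2. Validity window.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "certificate is not currently valid ($($cert.NotBefore) - $($cert.NotAfter))"
}

# 3. The Subject Alternative Name extension (OID 2.5.29.17) should list the Solr host name,
#    otherwise Sitecore's HTTPS calls to Solr fail host name validation.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($san) { $san.Format($false) } else { "" }
$sanPattern = 'DNS Name=' + [regex]::Escape($solrHost) + '(,|$)'
if ($sanText -notmatch $sanPattern) { $problems += "SAN does not list '$solrHost' (found: '$sanText')" }

# 4. The chain must be trusted on this machine, otherwise the .NET client in Sitecore rejects it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += "chain does not build: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; ")
}

# 5. After the install script has run, the keystore and the rewritten config should be in place.
$keystore = Join-Path $solrRoot "server\etc\solr-ssl.keystore.pfx"
$cfgPath  = Join-Path $solrRoot "bin\solr.in.cmd"
if (Test-Path $keystore) {
    # Compare the exported keystore with the store certificate by thumbprint
    # (assumes the default "secret" password the install script uses).
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($keystore, "secret")
    if ($pfx.Thumbprint -ne $cert.Thumbprint) {
        $problems += "keystore thumbprint $($pfx.Thumbprint) differs from store certificate $($cert.Thumbprint)"
    }
}
if (Test-Path $cfgPath) {
    $cfg = Get-Content $cfgPath -Raw
    foreach ($setting in @("set SOLR_SSL_KEY_STORE=", "set SOLR_SSL_TRUST_STORE=", "set SOLR_HOST=$solrHost")) {
        if ($cfg -notmatch ('(?m)^' + [regex]::Escape($setting))) { $problems += "solr.in.cmd still lacks '$setting'" }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate '$solrNameSSL' is not ready for Solr on https://$($solrHost):$solrPort"
}
Write-Host "Certificate '$solrNameSSL' ($($cert.Thumbprint)) looks usable for https://$($solrHost):$solrPort/solr"
```

Run it once before the install script (the keystore and config checks are simply skipped while those files do not exist yet) and once afterwards. The SAN check is the one most often missed when reusing a certificate issued for a different host name.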

In the installation script for Sitecore 9 itself, some changes are also required in order to use the already installed certificate.
One of the standard steps installs a client certificate for xConnect, and that step has to be removed or at least commented out. It usually looks like this:

#install client certificate for xconnect
$certParams = @{
    Path = "$PSScriptRoot\xconnect-createcert.json"
    CertificateName = "$prefix.xconnect_client"
}
Install-SitecoreConfiguration @certParams -Verbose

I recommend commenting out only this line
Install-SitecoreConfiguration @certParams -Verbose
and setting the CertificateName variable defined above to the friendly name or the thumbprint of your certificate.

That covers the client authentication certificate; next come the changes for the server authentication certificate. A parameter called SSLCert has to be added to the part of the script that deploys the xConnect instance, as follows:

#deploy xconnect instance
$xconnectParams = @{
    Path = "$PSScriptRoot\xconnect-xp0.json"
    Package = "$PSScriptRoot\Sitecore 9.0.0 rev. 171002 (OnPrem)_xp0xconnect.scwdp.zip"
    LicenseFile = "$PSScriptRoot\license.xml"
    Sitename = $XConnectCollectionService
    XConnectCert = $certParams.CertificateName
    SSLCert = $certParams.CertificateName
    SqlDbPrefix = $prefix
    SqlServer = $SqlServer
    SqlAdminUser = $SqlAdminUser
    SqlAdminPassword = $SqlAdminPassword
    SolrCorePrefix = $prefix
    SolrURL = $SolrUrl
}
Install-SitecoreConfiguration @xconnectParams

This is needed because, if SSLCert is not provided, a certificate is generated automatically and used for the HTTPS web bindings of the xConnect website.
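Since CertificateName may be given as a friendly name or a thumbprint and the same certificate is then used both as XConnectCert (client authentication) and as SSLCert (server authentication), it is worth checking both roles before running Install-SitecoreConfiguration, and checking afterwards that the site binding really received it. The following is an added example, not code from the post or from the Sitecore installation framework; it assumes the WebAdministration module is available on the IIS host, that $certName is the CertificateName value and $siteName the value of $XConnectCollectionService:

```powershell
# Added example: resolve CertificateName (friendly name or thumbprint), check its EKUs,
# and confirm the xConnect site's https binding uses it instead of a generated certificate.
Param(
    [Parameter(Mandatory = $true)] [string]$certName,   # CertificateName value (friendly name or thumbprint)
    [Parameter(Mandatory = $true)] [string]$siteName    # $XConnectCollectionService
)
Import-Module WebAdministration   # assumed present on the IIS host

function Resolve-SitecoreCert {
    param([string]$nameOrThumbprint)
    $store = Get-ChildItem Cert:\LocalMachine\My
    # A thumbprint is 40 hex characters; anything else is treated as a friendly name.
    if ($nameOrThumbprint -match '^[0-9A-Fa-f]{40}$') {
        return $store | Where-Object Thumbprint -eq $nameOrThumbprint.ToUpper()
    }
    return @($store | Where-Object FriendlyName -eq $nameOrThumbprint) | Select-Object -First 1
}

function Test-Eku {
    param($cert, [string]$oid)
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # No EKU extension means the certificate is valid for any purpose; otherwise the OID must be listed.
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $oid)
}

$cert = Resolve-SitecoreCert $certName
if (-not $cert) { throw "CertificateName '$certName' matched nothing in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; IIS cannot bind it" }

# XConnectCert is presented as a client certificate, SSLCert terminates HTTPS on the server side;
# one certificate doing both needs both Enhanced Key Usages.
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'
if (-not (Test-Eku $cert $serverAuth)) { Write-Warning "'$certName' lacks the Server Authentication EKU needed for SSLCert" }
if (-not (Test-Eku $cert $clientAuth)) { Write-Warning "'$certName' lacks the Client Authentication EKU needed for XConnectCert" }

# After Install-SitecoreConfiguration: every https binding of the site must carry the expected thumbprint.
$bindings = Get-WebBinding -Name $siteName -Protocol https -ErrorAction SilentlyContinue
if (-not $bindings) {
    Write-Warning "Site '$siteName' has no https binding yet (run this again after the installation)"
} else {
    foreach ($b in $bindings) {
        $bound = [string]$b.certificateHash
        if ($bound -and $bound.ToUpper() -eq $cert.Thumbprint) {
            Write-Host "OK: $($b.bindingInformation) uses '$certName' ($($cert.Thumbprint))"
        } else {
            Write-Warning "$($b.bindingInformation) is bound to thumbprint '$bound', not '$($cert.Thumbprint)': SSLCert was probably not applied and a generated certificate is in use"
        }
    }
}
```

A binding that still shows a different thumbprint after installation is the symptom of the behaviour described above: the SSLCert parameter was missing (or mistyped) and the framework generated its own certificate for the HTTPS binding.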

The Official Installation Guide, chapters 4.1 and 8.1.1, gives more information about the SSL requirements and about where and how the certificates are used.

 


By Sebastian Tecsi

Sitecore MVP 2018-2021
Sitecore Architect
