  1. Solr
  2. SOLR-12953

Support for TLS/SSL key alias configuration

Details

    • Improvement
    • Status: Patch Available
    • Major
    • Resolution: Unresolved
    • 7.5
    • 7.5.1, 7.6
    • None

    Description

      As discussed on the mailing list:

      Context:
      There's a jetty-ssl.xml config file which configures Jetty's SslContextFactory using properties set in solr.in.sh, but it's incomplete for some purposes.

      Problem:
      I've noticed that no "certAlias" property is present. This means that when Jetty starts, it will pick an arbitrary (based on some internal order, apparently the newest?) key from the keystore to use. This is fine when you're only using your keystore for Solr and it only contains one key, but it makes life a lot more complicated in environments where keystores are managed and distributed to servers automagically.

      When you add a key to the keystore, you can assign an alias. Jetty can then use the key with that alias by means of its certAlias config property.

      The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the key, but as far as I can tell this alias isn't actually used or referenced anywhere else.

      Solution:
      I'm currently dealing with a slightly more complicated TLS setup, so I'm attaching a patch which adds an extra config property in order to (optionally) specify the key alias. When the option is omitted, the old behaviour remains unchanged. Patch modifies the configuration and includes updates to the enabling-ssl documentation.
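The gap described above, as an added sketch that is not the attached patch or Solr's own file: Jetty's `SslContextFactory` has a `certAlias` setter, and a `jetty-ssl.xml` entry can feed it from a property. The property name `solr.jetty.ssl.certAlias` and the keystore path default shown here are assumptions for illustration.

```xml
<!-- Added illustration, not the SOLR-12953 patch. Property names are assumed. -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <!-- Existing style of entry: the keystore location comes from a property. -->
  <Set name="KeyStorePath">
    <Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/>
  </Set>

  <!-- Without an entry like the one below, no alias is passed to Jetty and the
       key it serves is whichever one it selects from the keystore. -->

  <!-- Optional alias (hypothetical property name). No default is given, so an
       unset property yields null and key selection stays as it was before.
       When set, for example to the "solr-ssl" alias used in the Solr
       documentation, Jetty serves the key stored under that alias, so the
       value must match an alias that actually exists in the keystore. -->
  <Set name="certAlias">
    <Property name="solr.jetty.ssl.certAlias"/>
  </Set>

</Configure>
```

In a managed keystore that holds several keys, pinning the alias keeps the served certificate stable when other entries are added or rotated; `keytool -list -keystore <path>` shows the aliases that are present.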

      Attachments

        1. SOLR-12953.patch
          9 kB
          Bram VD
        2. SOLR-12953.patch
          8 kB
          Bram VD

          People

            Unassigned Unassigned
            bvd Bram VD