Reputation: 689
Has anyone gotten Neo4j to work with a LetsEncrypt certificate?
I have a regular website working with LetsEncrypt so I know my certificate is good. Neo4j is working and I can access the Neo4j browser over https and I get the self-signed cert warning.
I've been following the documentation on setting up SSL but when I try to start services it fails immediately. I don't even get any output to my logs as to what the issue is.
myself@localhost:/var/lib/neo4j/certificates/bolt/trusted# service neo4j status
● neo4j.service - Neo4j Graph Database
Loaded: loaded (/lib/systemd/system/neo4j.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/neo4j.service.d
└─override.conf
Active: inactive (dead) (Result: exit-code) since Sat 2018-07-21 21:08:37 MDT; 658ms ago
Process: 19066 ExecStart=/usr/share/neo4j/bin/neo4j console (code=exited, status=1/FAILURE)
Main PID: 19066 (code=exited, status=1/FAILURE)
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Unit entered failed state.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Failed with result 'exit-code'.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Service hold-off time over, scheduling restart.
Jul 21 21:08:37 Swingset systemd[1]: Stopped Neo4j Graph Database.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Start request repeated too quickly.
Jul 21 21:08:37 Swingset systemd[1]: Failed to start Neo4j Graph Database.
So I'm looking for someone who has gotten this to work and could give me a checklist of things to double check. I believe I have the correct folder structure in place, I think I have the correct permissions, I think neo4j.conf is modified correctly, and I think I have the correct LetsEncrypt files copied into the correct folders with the correct file names. But I must be missing something because it's not working.
Upvotes: 1
Views: 716
Reputation: 341
Funny how I was doing exactly the same thing today and stumbled upon this question when trying to figure it out... Well, here's what worked for me and the procedure that I followed, based on the instructions from the Neo4j Documentation on the ssl-framework.
Create the appropriate directory structure
cd /var/lib/neo4j/certificates
mkdir -p default/revoked default/trusted
Copy the letsencrypt certificates to the neo4j folder
# Copy your server cert to the base dir and the trusted dir of neo4j
cp $your_cert_dir/cert.pem /var/lib/neo4j/certificates/default/cert.pem
cp $your_cert_dir/cert.pem /var/lib/neo4j/certificates/default/trusted/cert.pem
# Copy your key to the base dir of neo4j
cp $your_cert_dir/privkey.pem /var/lib/neo4j/certificates/default/privkey.pem
Ensure that the files have the correct permissions
# On my system, Ubuntu 16.04, it was neo4j:adm
chown -R neo4j:adm /var/lib/neo4j/certificates/default/
Ensure that the following entries are set as follows in the configuration file of neo4j (/etc/neo4j/neo4j.conf)
# Set the base dir for certificates
dbms.directories.certificates=/var/lib/neo4j/certificates
# To enable connections from remote servers
dbms.connectors.default_listen_address=0.0.0.0
# This can remain "OPTIONAL"
dbms.connector.bolt.tls_level=REQUIRED
# Enable https connector
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=:7473
# Set up the policy for the connectors to the default
bolt.ssl_policy=default
https.ssl_policy=default
# Create default policy
dbms.ssl.policy.default.base_directory=certificates/default
# Set the paths for the private key and of the server cert.
# These must be absolute paths.
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/default/privkey.pem
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/default/cert.pem
# Set up client authentication to "optional" or "none".
# If this is left to "default" then the client (a.k.a person who tries to
# access the web-portal) would need to authenticate with a certificate
dbms.ssl.policy.default.client_auth=none
Ensure that you have the following ports open to the firewall of the server
Restart neo4j
service neo4j restart
You should now be able to connect to the web interface with https://<your server domain name>:7473. If you try with https://IP:7473 then your browser will complain about the fact that the certificate and the address are not the same.
FYI I still get the following error in the Neo4j logs, and I'm currently trying to solve it. Still, everything else seems to be working fine so far.
Jul 24 14:13:34 sstest neo4j[18181]: 2018-07-24 12:13:34.556+0000 ERROR Unexpected error detected in bolt session 'fa163efffeefd082-00004705-00000003-81330a20f088cbac-29e11d2a'. The client is unauthorized due to authentication failure.
Jul 24 14:13:34 sstest neo4j[18181]: org.neo4j.bolt.v1.runtime.BoltConnectionFatality: The client is unauthorized due to authentication failure.
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.handleFailure(BoltStateMachine.java:742)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.handleFailure(BoltStateMachine.java:728)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.access$500(BoltStateMachine.java:62)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine$State$1.init(BoltStateMachine.java:435)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.init(BoltStateMachine.java:145)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.messaging.BoltMessageRouter.lambda$onInit$0(BoltMessageRouter.java:70)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.DefaultBoltConnection.processNextBatch(DefaultBoltConnection.java:195)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.DefaultBoltConnection.processNextBatch(DefaultBoltConnection.java:143)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.ExecutorBoltScheduler.executeBatch(ExecutorBoltScheduler.java:170)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.ExecutorBoltScheduler.lambda$scheduleBatchOrHandleError$2(ExecutorBoltScheduler.java:153)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jul 24 14:13:34 sstest neo4j[18181]: at java.lang.Thread.run(Thread.java:748)
Upvotes: 1
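The steps in the answer above amount to the checklist the question asked for. As an added example (not code from the original post and not part of Neo4j), the following Python script runs those same checks against a neo4j.conf before the service is restarted: connector settings reference the policy, the base/trusted/revoked directories exist, the key and certificate files exist and are owned by the service user, the private key is not world-readable, the key actually matches the certificate (via the standard library's ssl module), and client_auth does not demand a client certificate from browsers. The `neo4j_home` and `service_user` parameters are this script's own assumptions, not Neo4j settings; `make_sample_layout` builds a throwaway Neo4j home with constructed placeholder PEM files, so on that layout the key/certificate load check is expected to report a finding.

```python
"""Pre-flight checks for a Neo4j 3.x SSL policy, modelled on the answer's checklist (added example)."""
import os
import pwd
import ssl
import stat
import tempfile
from pathlib import Path


def parse_neo4j_conf(conf_path):
    """Read neo4j.conf into a dict: key=value lines, '#' comments and blanks skipped."""
    settings = {}
    for raw in Path(conf_path).read_text().splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def owner_name(uid):
    """User name for a uid, falling back to the number when no passwd entry exists."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user():
    return owner_name(os.getuid())


def check_neo4j_ssl(conf_path, neo4j_home, policy="default", service_user=None):
    """Return a list of findings (empty list = every check passed) for one SSL policy."""
    conf = parse_neo4j_conf(conf_path)
    prefix = f"dbms.ssl.policy.{policy}."
    findings = []

    # 1. Connector wiring: https must be on and both connectors must name the policy.
    if conf.get("dbms.connector.https.enabled", "false").lower() != "true":
        findings.append("dbms.connector.https.enabled is not true")
    for connector in ("bolt", "https"):
        if conf.get(f"{connector}.ssl_policy") != policy:
            findings.append(f"{connector}.ssl_policy does not reference policy '{policy}'")

    # 2. Directory layout: base dir plus trusted/ and revoked/ must exist.
    #    A relative base_directory is resolved against the Neo4j home directory (assumption).
    base_dir = Path(conf.get(prefix + "base_directory", f"certificates/{policy}"))
    if not base_dir.is_absolute():
        base_dir = Path(neo4j_home) / base_dir
    for sub in ("", "trusted", "revoked"):
        if not (base_dir / sub).is_dir():
            findings.append(f"missing directory {base_dir / sub}")

    # 3. Key and certificate: present, owned by the service user, key not world-readable.
    paths = {
        "private key": Path(conf.get(prefix + "private_key", "private.key")),
        "certificate": Path(conf.get(prefix + "public_certificate", "public.crt")),
    }
    for label, path in paths.items():
        if not path.is_absolute():
            paths[label] = path = base_dir / path
        if not path.is_file():
            findings.append(f"{label} not found at {path}")
            continue
        st = path.stat()
        if service_user and owner_name(st.st_uid) != service_user:
            findings.append(f"{label} {path} is owned by {owner_name(st.st_uid)}, not {service_user}")
        if label == "private key" and st.st_mode & stat.S_IROTH:
            findings.append(f"private key {path} is world-readable")

    # 4. The certificate must belong to the key: OpenSSL refuses a mismatched pair
    #    or an unparseable PEM, so this surfaces the problem before Neo4j is restarted.
    key_path, cert_path = paths["private key"], paths["certificate"]
    if key_path.is_file() and cert_path.is_file():
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(cert_path), str(key_path))
        except OSError as exc:
            findings.append(f"cannot load certificate/key pair: {exc}")

    # 5. Browsers present no client certificate, so client_auth must not require one.
    if conf.get(prefix + "client_auth", "require").lower() not in ("none", "optional"):
        findings.append(f"{prefix}client_auth requires client certificates")
    return findings


# Constructed placeholders: valid PEM framing, deliberately not a real certificate or key.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n"


def make_sample_layout(world_readable_key=False, drop_trusted=False, client_auth="none"):
    """Build a constructed Neo4j home in a temp dir mirroring the answer; returns (home, conf_path)."""
    home = Path(tempfile.mkdtemp(prefix="neo4j-ssl-check-"))
    base = home / "certificates" / "default"
    for sub in ("", "revoked") + (() if drop_trusted else ("trusted",)):
        (base / sub).mkdir(parents=True, exist_ok=True)
    (base / "cert.pem").write_text(FAKE_CERT)
    (base / "privkey.pem").write_text(FAKE_KEY)
    (base / "privkey.pem").chmod(0o644 if world_readable_key else 0o600)
    conf = home / "neo4j.conf"
    conf.write_text(
        f"dbms.directories.certificates={home / 'certificates'}\n"
        "dbms.connector.https.enabled=true\n"
        "bolt.ssl_policy=default\n"
        "https.ssl_policy=default\n"
        "dbms.ssl.policy.default.base_directory=certificates/default\n"
        f"dbms.ssl.policy.default.private_key={base / 'privkey.pem'}\n"
        f"dbms.ssl.policy.default.public_certificate={base / 'cert.pem'}\n"
        f"dbms.ssl.policy.default.client_auth={client_auth}\n"
    )
    return home, conf


if __name__ == "__main__":
    sample_home, sample_conf = make_sample_layout()
    for finding in check_neo4j_ssl(sample_conf, sample_home, service_user=current_user()):
        print("FINDING:", finding)
```

On a real server you would call `check_neo4j_ssl("/etc/neo4j/neo4j.conf", "/var/lib/neo4j", service_user="neo4j")` as root; an empty result means the layout, ownership, key/certificate pairing and connector settings all line up with the answer's procedure, which narrows a silent start-up failure down to what `journalctl -u neo4j` and Neo4j's own log files report.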