Explanation of the data/log/console.log error 'TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked…'

On bin/neo4j start, data/log/console.log may log an error similar to:

2016-01-04 13:32:44.589-0500 INFO Successfully shutdown database
13:33:06.856 [main] DEBUG i.n.u.i.l.InternalLoggerFactory - Using SLF4J as the default logging framework
2016-01-04 13:33:07.437-0500 ERROR Failed to start Neo4j: TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked
org.neo4j.server.ServerStartupException: TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked
    at org.neo4j.server.AbstractNeoServer.createKeyStore(AbstractNeoServer.java:492)
    at org.neo4j.server.AbstractNeoServer.init(AbstractNeoServer.java:178)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:191)
    at org.neo4j.server.Bootstrapper.start(Bootstrapper.java:100)

Neo4j allows for the configuration of HTTPS certificates via the parameters in conf/neo4j-server.properties. The following are the default values:

# Turn https-support on/off
org.neo4j.server.webserver.https.enabled=true

# Certificate location (auto generated if the file does not exist)
dbms.security.tls_certificate_file=conf/ssl/snakeoil.cert

# Private key location (auto generated if the file does not exist)
dbms.security.tls_key_file=conf/ssl/snakeoil.key

If any of the above three parameters are modified, bin/neo4j restart must be run for the changes to take effect.

On Neo4j start, the certificate files are read and checked to verify that the algorithm used to generate them was RSA, DSA or EC.

In the instance above, the conf/ssl/snakeoil* files are autogenerated on start if they do not already exist, and they are self-signed certificates.