Resolve TLS certificate errors
TLS encryption is required everywhere.
This is a compilation of a few errors you can expect while configuring your server. The openssl command is required to diagnose or manipulate the certificates.
Check the permission on the folder
Neo4j might run as a systemd service with a non-privileged user. The folder "$NEO4J_HOME/certificates/<POLICY_NAME>" specified in your configuration has to be writable by the neo4j user.
Check the private key
In 3.5.x the private key has to be in PKCS8, PEM format, without any passphrase. PKCS12 will be supported in future releases. The command below should complete without prompting for any password.
$ openssl rsa -in private.key -check
You can remove the passphrase with:
$ openssl rsa -in private.key -out private_key_without_passphrase.key
The folder "certificates/<POLICY_NAME>/trusted" can only contain valid certificates in DER format. If you come across "signed overrun" errors such as the one below, review each file, including hidden ones, in the trusted and revoked folders. In the trace below, the parser failed on a private key that had been placed in the trusted folder.
2019-10-24 15:17:36.595+0200 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
    at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:45)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:187)
    at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:124)
    at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:91)
    at com.neo4j.server.enterprise.CommercialEntryPoint.main(CommercialEntryPoint.java:22)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:473)
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:111)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:180)
    ... 3 more
Caused by: java.lang.RuntimeException: Failed to create trust manager based on: /neo4j/certificates/xxx/trusted
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:222)
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.create(SslPolicyLoader.java:99)
    at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:98)
    at org.neo4j.kernel.impl.enterprise.EnterpriseEditionModule.<init>(EnterpriseEditionModule.java:55)
    at com.neo4j.commercial.edition.CommercialEditionModule.<init>(CommercialEditionModule.java:48)
    at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:181)
    at com.neo4j.commercial.edition.CommercialGraphDatabase.<init>(CommercialGraphDatabase.java:20)
    at com.neo4j.server.database.CommercialGraphFactory.newGraphDatabase(CommercialGraphFactory.java:40)
    at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:90)
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:452)
    ... 5 more
Caused by: java.security.cert.CertificateException: Error loading certificate file: /neo4j/certificates/xxx/private.key
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.createTrustManagerFactory(SslPolicyLoader.java:363)
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:218)
    ... 14 more
Caused by: java.security.cert.CertificateParsingException: signed overrun, bytes = 918
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1788)
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.createTrustManagerFactory(SslPolicyLoader.java:358)
    ... 15 more
2019-10-24 15:17:36.597+0200 INFO Neo4j Server shutdown initiated by request
Self-signed certificate
You can generate a key and a public certificate with the following command.
$ openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out public_cert.pem -days 30
You need to set `dbms.ssl.policy.<policyname>.trust_all=true` in neo4j.conf. Please note that this is insecure.
CA signed certificate
All certificates should be in DER encoded format in the trusted directory. The certificate chain has to be complete to allow communication.
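As an added example (not part of this page or of Neo4j), the Python script below does the trusted-folder review described in the "signed overrun" section above and checks the DER requirement for a CA-signed setup: it walks the folder, dotfiles included, labels each file as PEM or DER, flags passphrase-protected keys, and reproduces the Java parser's "signed overrun, bytes = N" check, which fires when the outer DER SEQUENCE holds more than the three values of a Certificate (as a private key in trusted/ does). The folder path and the sample blobs are constructed.

```python
"""Added example: stdlib-only triage of a Neo4j <POLICY_NAME>/trusted folder. Java parses an
X.509 certificate as a DER SEQUENCE of three values; a longer one fails with "signed overrun"."""
import base64, re
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER tag/length header at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER content runs past end of data")
    return tag, pos, pos + length

def check_certificate_der(data):
    """Mimic X509CertImpl.parse: the outer SEQUENCE must hold exactly three values."""
    try:
        tag, pos, end = read_tlv(data, 0)
        if tag != 0x30:
            return f"not a SEQUENCE (tag 0x{tag:02x})"
        children = 0
        while pos < end and children < 3:
            _, _, pos = read_tlv(data, pos)
            children += 1
    except (ValueError, IndexError) as exc:  # IndexError: a header was cut off
        return f"unparseable ({exc})"
    if children < 3:
        return f"only {children} value(s), not a Certificate"
    return "certificate-shaped" if pos == end else f"signed overrun, bytes = {end - pos}"

def inspect(data):
    """Classify one file's bytes: a PEM block (any label) or raw DER."""
    m = PEM_RE.search(data)
    if not m:
        return "DER: " + check_certificate_der(data)
    label = m.group(1).decode()
    if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in m.group(2):
        return f"PEM {label}: passphrase-protected"
    return f"PEM {label}: " + check_certificate_der(base64.b64decode(re.sub(rb"\s", b"", m.group(2))))

def scan_trusted(folder):
    """Inspect every regular file in folder; iterdir() includes dotfiles."""
    return {p.name: inspect(p.read_bytes()) for p in sorted(Path(folder).iterdir()) if p.is_file()}

# Constructed samples, not real material: a three-value SEQUENCE shaped like a Certificate,
# and a PEM-wrapped six-INTEGER SEQUENCE shaped like a PKCS#1 RSA private key.
CERT_LIKE = b"\x30\x07\x30\x00\x30\x00\x03\x01\x00"
KEY_LIKE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMBICAQACAQACAQACAQACAQACAQA=\n-----END RSA PRIVATE KEY-----\n"
```

Run `scan_trusted("/path/to/certificates/<POLICY_NAME>/trusted")` and fix every entry that is not a DER `certificate-shaped` file before restarting the server.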