Certificate issue

It seems that I cannot generate my certificate automatically. This is my log:

2018-10-10 03:47:36.224+0000 INFO  ======== Neo4j 3.4.8 ========
2018-10-10 03:47:36.264+0000 INFO  Starting...
2018-10-10 03:47:38.281+0000 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@58ce9668' was successfully initialized, but failed to start. Please see the attached cause exception "/opt/neo4j-community-3.4.8/certificates/neo4j.cert (No such file or directory)". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@58ce9668' was successfully initialized, but failed to start. Please see the attached cause exception "/opt/neo4j-community-3.4.8/certificates/neo4j.cert (No such file or directory)".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@58ce9668' was successfully initialized, but failed to start. Please see the attached cause exception "/opt/neo4j-community-3.4.8/certificates/neo4j.cert (No such file or directory)".
        at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:68)
        at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:220)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:111)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:79)
        at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:32)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@58ce9668' was successfully initialized, but failed to start. Please see the attached cause exception "/opt/neo4j-community-3.4.8/certificates/neo4j.cert (No such file or directory)".
        at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:466)                                                                                                                   
        at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:107)                                                                                                                                     
        at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:212)
        ... 3 more
Caused by: java.lang.RuntimeException: Error starting org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory, /opt/neo4j-community-3.4.8/data/databases/graph.db
        at org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:212)
        at org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory.newFacade(GraphDatabaseFacadeFactory.java:125)
        at org.neo4j.server.CommunityNeoServer.lambda$static$0(CommunityNeoServer.java:58)
        at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:88)
        at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:445)
        ... 5 more
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.kernel.extension.KernelExtensions@19c65cdc' failed to initialize. Please see the attached cause exception "/opt/neo4j-community-3.4.8/certificates/neo4j.cert (No such file or directory)".
        at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.init(LifeSupport.java:427)
        at org.neo4j.kernel.lifecycle.LifeSupport.init(LifeSupport.java:62)
        at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:98)
        at org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:208)
        ... 9 more
Caused by: java.lang.RuntimeException: Failed to initialize SSL encryption support, which is required to start this connector. Error was: Failed to generate private key and certificate
        at org.neo4j.bolt.BoltKernelExtension.createSslContext(BoltKernelExtension.java:243)
        at org.neo4j.bolt.BoltKernelExtension.lambda$createConnectors$0(BoltKernelExtension.java:204)
        at java.util.stream.Collectors.lambda$toMap$58(Collectors.java:1321)
        at java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
        at org.neo4j.bolt.BoltKernelExtension.createConnectors(BoltKernelExtension.java:188)
        at org.neo4j.bolt.BoltKernelExtension.newInstance(BoltKernelExtension.java:165)
        at org.neo4j.bolt.BoltKernelExtension.newInstance(BoltKernelExtension.java:84)
        at org.neo4j.kernel.extension.KernelExtensions.newInstance(KernelExtensions.java:78)
        at org.neo4j.kernel.extension.KernelExtensions.init(KernelExtensions.java:61)
        at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.init(LifeSupport.java:406)
        ... 12 more
Caused by: java.lang.RuntimeException: Failed to generate private key and certificate
        at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadOrCreateLegacyPolicy(SslPolicyLoader.java:156)
        at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.getOrCreateLegacyPolicy(SslPolicyLoader.java:137)
        at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.getPolicy(SslPolicyLoader.java:118)
        at org.neo4j.bolt.BoltKernelExtension.createSslContext(BoltKernelExtension.java:238)
        ... 27 more
Caused by: java.io.FileNotFoundException: /opt/neo4j-community-3.4.8/certificates/neo4j.cert (No such file or directory)
        at java.io.FileOutputStream.open0(Native Method)
        at java.io.FileOutputStream.open(FileOutputStream.java:270)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
        at java.io.FileWriter.<init>(FileWriter.java:90)
        at org.neo4j.ssl.PkiUtils.writePem(PkiUtils.java:229)
        at org.neo4j.ssl.PkiUtils.createSelfSignedCertificate(PkiUtils.java:116)
        at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadOrCreateLegacyPolicy(SslPolicyLoader.java:152)
        ... 30 more
2018-10-10 03:47:38.283+0000 INFO  Neo4j Server shutdown initiated by request
Cleaning up partially generated self-signed certificate...

Can someone shed some light on this (I never had this problem with 3.3 or any previous neo4j versions)? By the way, I don't know which category I should put this in.


I can't tell you exactly what the issue is, but let me lay out a few things that will hopefully let you find it.

Literally what this error means is that the database is looking in a particular directory for your file and can't find it. The fix is to change your configuration to point to the right place. Below are examples from my working config. You can change them to whatever you need, but this is how the database knows where to look.

In my working config, I have a line like this:

dbms.directories.certificates=/var/lib/neo4j/certificates

that tells the DB to look in that directory for certificates. Separately, you might have a line like this:

dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates

This is tricky -- this is actually claiming that there is a policy called "default" and that all of the certs for the "default" policy live in that directory.

dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert

That's specifying exactly where the private key for the "default" policy is, and the public cert.

Finally:

bolt.ssl_policy=default

This means that bolt ssl should use the "default" policy. That is, the policy named default which was defined in those other parameters, and not some default built into the database. If you had named it "foo" above instead of default, all the same would apply.
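As an added example (not part of the original posts and not Neo4j code), here is a preflight check for the settings discussed in the answer above: it parses a neo4j.conf and reports certificate paths that are missing, not writable, or leave the private key open to other users. The function names and the sample config are assumptions built from the settings quoted in this thread.

```python
import os
import re
import sys

# Path-valued settings quoted in the thread; [^.]+ stands for the policy name.
PATH_KEY = re.compile(
    r"dbms\.directories\.certificates$"
    r"|dbms\.ssl\.policy\.[^.]+\.(base_directory|private_key|public_certificate)$"
)

# Constructed sample input, built from the settings shown in the answer above.
SAMPLE_CONF = """\
dbms.directories.certificates=/var/lib/neo4j/certificates
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
bolt.ssl_policy=default
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_tls_paths(settings):
    """Return findings as strings; an empty list means every path checked out."""
    findings = []
    for key, path in settings.items():
        if not PATH_KEY.match(key):
            continue
        if key.endswith(("certificates", "base_directory")):
            if not os.path.isdir(path):
                findings.append(f"{key}: directory {path} does not exist")
            elif not os.access(path, os.W_OK):
                findings.append(f"{key}: {path} is not writable by this user")
        elif not os.path.isfile(path):
            findings.append(f"{key}: file {path} does not exist")
        elif key.endswith("private_key") and os.stat(path).st_mode & 0o077:
            findings.append(f"{key}: {path} is accessible by group or other")
    policy = settings.get("bolt.ssl_policy")
    prefix = f"dbms.ssl.policy.{policy}."
    if policy and not any(k.startswith(prefix) for k in settings):
        findings.append(f"bolt.ssl_policy={policy}: no {prefix}* settings define it")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in check_tls_paths(parse_conf(text)) or ["no findings"]:
        print(finding)
```

Run it as the account the Neo4j service runs under, passing the path to neo4j.conf, so the writability result reflects what the server will see.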

Can you tell me how you did the installation? In my previous experience with neo4j 3.3, when I downloaded and unzipped it, I got the certificate right away.

I am also aware of the problem that neo4j cannot locate the certificate directory. And there is no neo4j certificate in 3.4. Is that also the case for you? If it is, how did you get your certificate directory (not where it is, because I will know where it is if it is there)?

Also, I did not change anything on the ssl section in neo4j.conf. Do I need to do something there, and follow your example and change all of them accordingly?

Sorry for the late response. My best instructions on how to configure certificates are here:

Whether or not there is a directory depends on your install method (tarball, dpkg, rpm, cloud image, etc). Some more details are needed here - also, you must change a number of settings in the SSL section in order to enable a signed certificate. Please follow the blog post again and post follow-up questions about your experiences with this.

Can you try if 3.4.7 works for you? Seems to be a regression as the other user reported. I asked the eng-team.

Hi There, any news on the certificate issue? I haven't tried the 3.4.7 yet, I can't seem to find the link to download 3.4.7 that I can trust?

Try this:

https://go.neo4j.com/download-thanks.html?edition=community&release=3.4.7&flavour=unix

Hi Michael,

Sorry for the long reply. Yes, 3.4.7 works well for me. I was too excited to start working on it that I forgot to reply to you.

Cheers,
Darius Audryc
