How to fix [ServiceUnavailable: WebSocket connection failure] error on neo4j-enterprise AMI deployed on EC2?

(Manish Giri) #1

I followed the Hosting Neo4j on EC2 guide and after several hours of resolving errors, I was able to launch Neo4j on the AMI running on an EC2 instance.

However, as soon as I tried to connect to it via Chrome (https://[PublicDnsName]:7473) and logged in, it threw the error -

ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3

There are numerous reports of this very issue all over, and the only suggested solution seems to be this answer posted by Dana Canzano.

This error can be resolved by editing the file $NEO4J_HOME/conf/neo4j.conf and uncommenting:

# To have Bolt accept non-local connections, uncomment this line:

However, when I ssh-ed into the EC2 instance, the first thing I noticed was that the neo4j.conf file was right in /home/ubuntu, unlike the other areas as mentioned in other answers.

Also, I didn't find this pre-commented line :dbms.connector.bolt.address= anywhere in the file, so I just added it in.

The file (network part) now looks like this:

# Network connector configuration

# With default configuration Neo4j only accepts local connections.
# To accept non-local connections, uncomment this line:

# You can also choose a specific network interface, and configure a non-default
# port for each connector, by setting their individual listen_address.

# The address at which this server can be reached by its clients. This may be the server's IP address or DNS name, or
# it may be the address of a reverse proxy which sits in front of the server. This setting may be overridden for
# individual connectors below.

# You can also choose a specific advertised hostname or IP address, and
# configure an advertised port for each connector, by setting their
# individual advertised_address.

# Bolt connector
# HTTP Connector. There must be exactly one HTTP connector.

# HTTPS Connector. There can be zero or one HTTPS connectors.

After this, I tried to reconnect from Chrome, but it still showed the same error. Figuring that Neo4j would need to be restarted, I tried sudo service neo4j stop followed by sudo service neo4j start but still, it shows the same error, on Chrome, Firefox and Edge.

That thread by Dana Canzano also has unanswered questions on pretty much the same issue I'm facing.

I went through this SO question which is almost the same as my issue, and tried the suggestions given in the question, but it didn't help.

Here's a screenshot of the necessary rules in my security group for the ec2 instance (properly configured) -

After hours and hours of debugging errors due to poorly written guides with incomplete or inaccurate information, I'm very near to giving up. Would appreciate any help.


(M. David Allen) #2

Sorry you're running into so many issues, but I can see from your post that there are a number of things going wrong. Here's a rundown of what they are and what you can do to fix them.

The "service unavailable" error is caused by the fact that a newly launched Amazon VM does not have an SSL certificate. This occurs because your browser is trying to connect to both ports 7473 (HTTPS) and 7687 (bolt) and many browsers won't do this if the SSL cert is untrusted, without you first trusting it.
See the second issue in this post:

That post has a list of resolutions, including getting your own certificates.

Also, if you're modifying /home/ubuntu/neo4j.conf, this is the wrong file to modify. There is documentation here about how Neo4j Cloud VMs work, and the file you should be modifying is /etc/neo4j/neo4j.template

Additionally - the command used to restart the system service is systemctl restart neo4j not service neo4j.

Finally -- changing the line with dbms.connector.bolt.address will not resolve the error you're encountering. You need to either have your browser trust the SSL cert, or get a trusted SSL certificate.
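
The check below separates the causes the browser error lumps together, for the two ports named in the answer above: no TCP connection, a port that does not complete a TLS handshake, and a certificate the client does not trust. It is an added example, not part of either post or of Neo4j's tooling; the function names, verdict strings and script name are made up for illustration.

```python
import socket
import ssl
import sys

# Ports named in the answer: 7473 (HTTPS) and 7687 (Bolt).
NEO4J_TLS_PORTS = {"https": 7473, "bolt": 7687}

HINTS = {
    "trusted": "certificate chains to a trusted CA and matches the host name",
    "untrusted-cert": "server is up, but its certificate is not trusted for this host name",
    "handshake-failed": "port is open but did not complete a TLS handshake",
    "unreachable": "no TCP connection: check the service, listen address and security group",
}


def classify_tls_endpoint(host, port, timeout=5.0, cafile=None):
    """Classify one endpoint the way a certificate-verifying client would see it."""
    # The default context verifies the chain and the host name.
    # cafile, if given, replaces the system trust store (e.g. a private CA bundle).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "trusted"
            except ssl.SSLCertVerificationError:
                return "untrusted-cert"  # self-signed, expired, or name mismatch
            except OSError:  # includes ssl.SSLError and handshake timeouts
                return "handshake-failed"
    except OSError:  # refused, timed out, or DNS lookup failure
        return "unreachable"


def diagnose(host, ports=NEO4J_TLS_PORTS, timeout=5.0, cafile=None):
    """Return {connector_name: verdict} for each port checked."""
    return {name: classify_tls_endpoint(host, port, timeout, cafile)
            for name, port in ports.items()}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_neo4j_tls.py <public-dns-name>")
    for name, verdict in diagnose(sys.argv[1]).items():
        print(f"{name:5} {NEO4J_TLS_PORTS[name]}: {verdict} ({HINTS[verdict]})")
```

An `untrusted-cert` verdict on both ports corresponds to the situation the answer describes; `unreachable` points at the service or the network path rather than the certificate.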