HTTPS connection to Neo4j database on remote server

Hi all,

I've got a Neo4j database (v4.1.0) which is being hosted on a server. I'm attempting to connect to it using a HTTPS connection, and have created a SSL Certificate Authority.

I've made the following changes to the config file:

dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=localhost
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=:7473

dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
dbms.ssl.policy.https.private_key=private.key
dbms.ssl.policy.https.public_certificate=public.crt
dbms.ssl.policy.https.client_auth=NONE

The HTTP connection to the server works without any issue, so I don't expect any trouble from the connection. However, I get the following error when attempting to use HTTPS:

WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3

Has anyone got any tips on how to navigate around this? Or any idea how I can debug this more accurately to understand the cause?

Any help much appreciated!

Nick

It is my understanding certificates are tied to fully qualified host names, but I don't see the matching information here in your configuration.

Have you tried using the fully qualified host name used to create the certificate as the value for dbms.default_advertised_address (instead of localhost)?

https://neo4j.com/docs/operations-manual/current/configuration/connectors/

Hi Joel,

Thanks for your reply. I've changed my default advertised address to match the server name, which seems to have progressed it, but now I'm getting an error with the certificate. Do you know what the requirements are for the certificate (a self-signed one)? On this link it mentions they need to be in a PEM format (which I've done), but the examples in the config file point to .crt and .key files...

Thanks,

Nick

  • PEM is a format (of the key inside a file)
  • the .crt and .key files are the public and private keys associated with the FQDN

Neo4j may or may not care what you name the files (from experience with jboss and tomcat, my guess is it won't care), but you will need to provide the right keys in the right formats for those two configurations.

To provide more help than this we would probably need more details, but I hope this helps.
Setting up Certs isn't particularly difficult but the entire topic is a bit esoteric.

Hi Joel,

Thanks for your help. I was able to resolve the issue in the meantime - I followed the following page's advice and set dbms.connector.bolt.tls_level=OPTIONAL

However, apparently now bolt connections may not be encrypted. Is that an issue if the HTTPS connection is encrypted anyway?

Thanks,

Nick

Hi Nick,

Are you using an "untrusted SSL certificate" (e.g. self-certified) or did you get one from a cert authority? (e.g. link to article on requesting a certificate from LetsEncrypt) If using a self-signed certificate, then if https is working I imagine at some point the untrusted certificate was "accepted" via a popup from the browser.

EDIT: You can ignore my statement, "If server is cloud hosted, make sure the BOLT port is open to your client as well, not just https":
  1. your BOLT is working unencrypted
  2. I was thinking about HTTP versus HTTPS ports, but it is my understanding that BOLT is simply assigned to a port (secure or unsecure, it is on that port)

I read the page about dbms.connector.bolt.tls_level=OPTIONAL, and wanted to point out that each option they list should resolve it (for different reasons), pick one. The first option is best.

Available Resolutions:
  1. Use a signed SSL certificate
  2. Follow directions for your browser to trust the server’s certificate for the bolt port, and then refresh the page.
  3. Use Chrome
  4. Set dbms.connector.bolt.tls_level=OPTIONAL in your neo4j config. Be aware that bolt connections may not be encrypted, but this is a method of side-stepping web browser issues with the untrusted certificate.

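The two points Joel makes above (the certificate is tied to the FQDN that dbms.default_advertised_address must match, and the PEM-encoded private.key / public.crt pair under the policy base_directory) can be checked before falling back to tls_level=OPTIONAL. The script below is an added example, not something from the thread or from Neo4j; it assumes OpenSSL 1.1.1 or newer and uses neo4j.example.com and the directory path as placeholders you supply.

```shell
#!/bin/sh
# Added example: create a self-signed PEM certificate for a Neo4j SSL policy
# directory and check that it is actually tied to the advertised host name.
# Assumes OpenSSL 1.1.1+ (for -addext / -ext). Host name and directory are
# placeholders; file names follow the policy config quoted in the thread.
set -eu

# make_self_signed_cert DIR FQDN
# Writes DIR/private.key and DIR/public.crt in PEM format. The subjectAltName
# is what a browser or driver compares against the host in the connection URL,
# so it must hold the FQDN that dbms.default_advertised_address points to.
make_self_signed_cert() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$dir/private.key" -out "$dir/public.crt" 2>/dev/null
    chmod 600 "$dir/private.key"   # the key is the secret: restrict it
}

# san_dns_names CERT
# Prints every DNS entry of the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_matches_host CERT FQDN
# Succeeds only if FQDN is listed in the SAN and the cert has not expired.
# This is the check that fails when the server advertises "localhost" while
# the certificate was issued for the real server name.
cert_matches_host() {
    cert=$1; fqdn=$2
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    san_dns_names "$cert" | grep -qxF "$fqdn"
}

# Stand-alone usage: ./check_cert.sh certificates/https neo4j.example.com
if [ "$#" -eq 2 ]; then
    make_self_signed_cert "$1" "$2"
    if cert_matches_host "$1/public.crt" "$2"; then
        echo "certificate in $1 is valid for $2"
    else
        echo "certificate in $1 does NOT cover $2" >&2
        exit 1
    fi
fi
```

Point the same cert_matches_host check at the host you put in the Neo4j URL (not at localhost) to confirm the browser will be able to match the certificate before loosening the Bolt TLS level.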

Thank you Joel for all your help!

thank you, glad I could help out!