Neo4j 3.5 Certificate Error

hi all! The neo4j browser ui (version 3.5) keeps throwing a "certificate unknown" error. Has anyone encountered this before?

Querying neo4j from another machine using the python API does work paradoxically...

See the full error text below:

 2020-01-22 13:29:54.975+0000 ERROR [o.n.b.t.TransportSelectionHandler] Fatal error occurred when initialising pipeline: [id: 0x3d3ff5c0, L:/9.0.9.111:7687 ! R:/44.128.0.7:39790] javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
 io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
         at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:405)
         at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:372)
         at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:355)
         at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1054)
         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
         at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
         at io.netty.channel.ChannelInboundHandlerAdapter.channelInactive(ChannelInboundHandlerAdapter.java:75)
         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
         at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1429)
         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
         at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:947)
         at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:826)
         at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
         at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
         at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:335)
         at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
         at java.lang.Thread.run(Thread.java:748)
 Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
         at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
         at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
         at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
         at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
         at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
         at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295)
         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301)
         at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1203)
         at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247)
         at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
         ... 21 more

In order to figure out what's going on, you need to paste the contents of your neo4j.conf file, and pay particular attention to any setting that has dbms.ssl in it. In your config you should specify some directories where you store your certs.

These errors can happen when your certs are encoded the wrong way for Neo4j to read.

As for why python can sporadically still query -- check your other settings to see if the server actually requires encryption. If bolt encryption is optional, even with bad SSL you can probably connect unencrypted, issue queries and get responses.

Thanks, David! We tried various settings (both the legacy and preferred way). We used the following settings (environment variables):

    "NEO4J_dbms_ssl_policy_default_allow__key__generation": "true",
    "NEO4J_dbms_ssl_policy_default_base__directory": "certificates/default",
    "NEO4J_dbms_ssl_policy_default_verify__hostname": "false",
    "NEO4J_dbms_ssl_policy_default_client__auth": "NONE",
    "NEO4J_dbms_connectors_default__listen__address": "0.0.0.0",
    "NEO4J_dbms_ssl_policy_default_trust__all": "true"

The certificates/default/trusted and certificates/default/revoked directories exist and are read/writable by neo4j. TLS is terminated by our load-balancer, so no verification is required in neo4j itself.

@david.allen any idea what might be going on? Please let me know if there's any additional info I can provide. Thanks!
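Added example (my own code, not from either poster): it translates the environment variables posted above into the neo4j.conf keys David asked to see, using the Neo4j Docker image's naming rule (a double underscore stands for a literal underscore, a single underscore for a dot), and flags the two settings in that list that switch off peer verification. The RISKY table and the audit helper are my own; the setting names are exactly those from the post.

```python
# Environment variables as posted in the thread above (copied, not constructed).
POSTED_ENV = {
    "NEO4J_dbms_ssl_policy_default_allow__key__generation": "true",
    "NEO4J_dbms_ssl_policy_default_base__directory": "certificates/default",
    "NEO4J_dbms_ssl_policy_default_verify__hostname": "false",
    "NEO4J_dbms_ssl_policy_default_client__auth": "NONE",
    "NEO4J_dbms_connectors_default__listen__address": "0.0.0.0",
    "NEO4J_dbms_ssl_policy_default_trust__all": "true",
}


def env_to_conf_key(name: str) -> str:
    """Map a NEO4J_* Docker environment variable to its neo4j.conf key.

    Image rule: drop the NEO4J_ prefix, "__" is a literal underscore and
    every remaining "_" is a dot. The placeholder step keeps
    'allow__key__generation' from becoming 'allow..key..generation'.
    """
    if not name.startswith("NEO4J_"):
        raise ValueError(f"not a Neo4j setting: {name}")
    body = name[len("NEO4J_"):]
    body = body.replace("__", "\x00")   # protect literal underscores
    body = body.replace("_", ".")       # single underscore -> dot
    return body.replace("\x00", "_")    # restore literal underscores


def env_to_conf(env: dict) -> dict:
    return {env_to_conf_key(k): v for k, v in env.items()}


# Values that disable certificate/peer checks in a 3.5 SSL policy (my own list).
RISKY = {
    ("dbms.ssl.policy.default.trust_all", "true"):
        "trust_all=true accepts any remote certificate; the trusted/ directory is ignored",
    ("dbms.ssl.policy.default.verify_hostname", "false"):
        "verify_hostname=false skips matching the certificate against the host name",
}


def audit(conf: dict) -> list:
    """Return a finding for every RISKY (key, value) pair present in the conf."""
    return [msg for (key, bad), msg in RISKY.items()
            if conf.get(key, "").lower() == bad]


def render_conf(conf: dict) -> str:
    """Render the mapping as neo4j.conf lines, sorted for easy diffing."""
    return "\n".join(f"{k}={v}" for k, v in sorted(conf.items()))


if __name__ == "__main__":
    conf = env_to_conf(POSTED_ENV)
    print(render_conf(conf))
    for finding in audit(conf):
        print("WARNING:", finding)
```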