Neo4J Browser: WebSocket connection to 'wss://neo4j.domain.com:7687/' failed: Error in connection establishment: net::ERR_CERT_DATE_INVALID

WebSocket connection to 'wss://neo4j.domain.com:7687/' failed: Error in connection establishment: net::ERR_CERT_DATE_INVALID

After struggling with this error, like many others, I found that for me the solution is easy. After I noticed that curl fails with the certificate, I created the intermediate certificate and it works. I leave my notes, scripts and docker-compose.yml here; maybe they can be useful for others.

Using Docker image neo4j:4.0.6-enterprise

with Let's Encrypt certificates

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

fails with above

sudo cp ${SOURCE}/fullchain.pem ${TARGET}/volumes/certificates/neo4j.cert
sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key

works with above

sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key
# the trick for solving the Error in connection establishment: net::ERR_CERT_DATE_INVALID
# (tee writes the file as root; with "sudo cat ... > file" the redirect runs as the calling user)
sudo cat ${SOURCE}/cert.pem ${SOURCE}/chain.pem | sudo tee ${TARGET}/volumes/certificates/neo4j.cert > /dev/null

We must combine cert.pem and chain.pem, as we can see above.

My full updatecertificates.sh:

#!/bin/bash
# Must be copied; symlinks don't work inside Docker
SOURCE="/etc/letsencrypt/live/domain.com"
TARGET="/srv/docker/neo4j/neo4j406ent"
# Full paths, because this is used in cron
sudo cp "${SOURCE}/privkey.pem" "${TARGET}/volumes/certificates/neo4j.key"
# The trick for solving the Error in connection establishment: net::ERR_CERT_DATE_INVALID
# (tee writes the file as root; with "sudo cat ... > file" the redirect runs as the calling user)
sudo cat "${SOURCE}/cert.pem" "${SOURCE}/chain.pem" | sudo tee "${TARGET}/volumes/certificates/neo4j.cert" > /dev/null
# Show the expiry date of the deployed certificate (full path, so it also works from cron)
openssl x509 -in "${TARGET}/volumes/certificates/neo4j.cert" -text -noout | grep 'Not After'

my docker-compose.yml

version: '2'

services:
  neo4j:
    image: neo4j:4.0.6-enterprise
    hostname: neo4j
    domainname: domain.com
    container_name: neo4j
    restart: unless-stopped
    ports:
      - "7474:7474"
      - "7473:7473"
      - "7687:7687"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./volumes/data:/var/lib/neo4j/data
      - ./volumes/logs:/var/lib/neo4j/logs
      - ./volumes/plugins:/var/lib/neo4j/plugins
      - ./volumes/import:/var/lib/neo4j/import
      - ./volumes/certificates:/var/lib/neo4j/certificates
    environment:
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
      - NEO4J_dbms_memory_heap_maxSize=2048
      - NEO4J_dbms_connector_http_enabled=false
      - NEO4J_dbms_connector_https_enabled=true
      - NEO4J_dbms_connector_bolt_enabled=true
      - NEO4J_https_ssl__policy=default
      - NEO4J_dbms_ssl_policy_https_base__directory=/var/lib/neo4j/certificates
      - NEO4J_dbms_ssl_policy_https_private__key=/var/lib/neo4j/certificates/neo4j.key
      - NEO4J_dbms_ssl_policy_https_public__certificate=/var/lib/neo4j/certificates/neo4j.cert
      - NEO4J_dbms_ssl_policy_https_revoked__dir=/var/lib/neo4j/certificates/revoked
      - NEO4J_dbms_ssl_policy_bolt_trusted__dir=/var/lib/neo4j/certificates/trusted
      - NEO4J_dbms_default__advertised__address=0.0.0.0
      - NEO4J_dbms_connector_bolt__address=neo4j.domain.com:7687
      - NEO4J_dbms_connector_bolt_advertised__address=neo4j.domain.com

apache reverse proxy config

# neo4j
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@domain.com
        ServerName neo4j.domain.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        # Reverse proxy
        ProxyPreserveHost On
        ProxyRequests Off
        # Docker : neo4j:3.2
        ProxyPass / https://localhost:7473/
        ProxyPassReverse / https://localhost:7473/
        # This will do the trick to work with SSL Reverse Proxy
        SSLProxyEngine On
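        # Other: these directives (and SSLProxyCheckPeerExpire below) turn off
        # verification of the backend certificate (chain, CN, host name, expiry)
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off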
        # Fixed AH00898: Error during SSL Handshake with remote server returned by
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    </VirtualHost>
</IfModule>

Now it works without any kind of issues,

except for this one: Secure websocket connection failure despite an apparently valid certificate
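
Because updatecertificates.sh copies the Let's Encrypt files instead of linking them, the copy in volumes/certificates is only as fresh as the last run. As an added example (not part of the original post), these shell functions check the deployed neo4j.cert and neo4j.key after the copy; the function names and the 7-day default are assumptions, the file names follow the post.

```shell
#!/bin/bash
# Added example, not the author's script. Function names and the 7-day
# default are assumptions; file names follow the post.

# Number of certificates in a PEM bundle (leaf plus intermediates).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# True if the deployed bundle is byte-identical to cert.pem + chain.pem.
# A mismatch after a renewal means Neo4j still serves the old certificate.
bundle_in_sync() {            # <letsencrypt-live-dir> <deployed-cert>
    cat "$1/cert.pem" "$1/chain.pem" | cmp -s - "$2"
}

# True if the first (leaf) certificate is still valid <days> from now.
valid_for_days() {            # <cert> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the private key belongs to the leaf certificate.
key_matches_cert() {          # <key> <cert>
    local k c
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run every check, report each failure, return non-zero if any failed.
check_deployed_cert() {       # <letsencrypt-live-dir> <cert-dir> [min-days]
    local live="$1" dir="$2" days="${3:-7}" rc=0
    [ "$(pem_cert_count "$dir/neo4j.cert")" -ge 2 ] ||
        { echo "neo4j.cert has no intermediate certificate" >&2; rc=1; }
    bundle_in_sync "$live" "$dir/neo4j.cert" ||
        { echo "neo4j.cert differs from the current Let's Encrypt files" >&2; rc=1; }
    valid_for_days "$dir/neo4j.cert" "$days" ||
        { echo "neo4j.cert expires within $days days" >&2; rc=1; }
    key_matches_cert "$dir/neo4j.key" "$dir/neo4j.cert" ||
        { echo "neo4j.key does not match neo4j.cert" >&2; rc=1; }
    return "$rc"
}
```

Run it as root, since the Let's Encrypt live directory is not readable otherwise, for example with `check_deployed_cert "$SOURCE" "$TARGET/volumes/certificates"` as the last line of updatecertificates.sh.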