WebSocket connection to 'wss://neo4j.domain.com:7687/' failed: Error in connection establishment: net::ERR_CERT_DATE_INVALID
After struggling with this error, like many other mates, I found that for me the solution was easy: after I noticed that curl failed on the certificate, I created the intermediate certificate and it worked. I am leaving my notes, scripts and docker-compose.yml here; maybe they can be useful for others.
Using Docker image neo4j:4.0.6-enterprise
with Let's Encrypt certificates:
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem
Fails with the above:
sudo cp ${SOURCE}/fullchain.pem ${TARGET}/volumes/certificates/neo4j.cert
sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key
Works with the above:
sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key
# the trick for solving the Error in connection establishment: net::ERR_CERT_DATE_INVALID
# run the redirect inside sudo as well, otherwise the target file is opened by the calling user
sudo sh -c "cat ${SOURCE}/cert.pem ${SOURCE}/chain.pem > ${TARGET}/volumes/certificates/neo4j.cert"
We must combine cert.pem and chain.pem, as shown above.
My full updatecertificates.sh:
#!/bin/bash
# must be copied, symlinks don't work inside docker
SOURCE="/etc/letsencrypt/live/domain.com"
TARGET="/srv/docker/neo4j/neo4j406ent"
# full paths, used in cron
sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key
# the trick for solving the Error in connection establishment: net::ERR_CERT_DATE_INVALID
# run the redirect inside sudo as well, otherwise the target file is opened by the calling user
sudo sh -c "cat ${SOURCE}/cert.pem ${SOURCE}/chain.pem > ${TARGET}/volumes/certificates/neo4j.cert"
# show the expiry date of the deployed certificate (full path, so it also works from cron)
openssl x509 -in ${TARGET}/volumes/certificates/neo4j.cert -text -noout | grep 'Not After'
My docker-compose.yml:
version: '2'
services:
  neo4j:
    image: neo4j:4.0.6-enterprise
    hostname: neo4j
    domainname: domain.com
    container_name: neo4j
    restart: unless-stopped
    ports:
      - "7474:7474"
      - "7473:7473"
      - "7687:7687"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./volumes/data:/var/lib/neo4j/data
      - ./volumes/logs:/var/lib/neo4j/logs
      - ./volumes/plugins:/var/lib/neo4j/plugins
      - ./volumes/import:/var/lib/neo4j/import
      - ./volumes/certificates:/var/lib/neo4j/certificates
    environment:
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
      - NEO4J_dbms_memory_heap_maxSize=2048
      - NEO4J_dbms_connector_http_enabled=false
      - NEO4J_dbms_connector_https_enabled=true
      - NEO4J_dbms_connector_bolt_enabled=true
      - NEO4J_https_ssl__policy=default
      - NEO4J_dbms_ssl_policy_https_base__directory=/var/lib/neo4j/certificates
      - NEO4J_dbms_ssl_policy_https_private__key=/var/lib/neo4j/certificates/neo4j.key
      - NEO4J_dbms_ssl_policy_https_public__certificate=/var/lib/neo4j/certificates/neo4j.cert
      - NEO4J_dbms_ssl_policy_https_revoked__dir=/var/lib/neo4j/certificates/revoked
      - NEO4J_dbms_ssl_policy_bolt_trusted__dir=/var/lib/neo4j/certificates/trusted
      - NEO4J_dbms_default__advertised__address=0.0.0.0
      - NEO4J_dbms_connector_bolt__address=neo4j.domain.com:7687
      - NEO4J_dbms_connector_bolt_advertised__address=neo4j.domain.com
Apache reverse proxy config:
# neo4j
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@domain.com
        ServerName neo4j.domain.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        # Reverse proxy
        ProxyPreserveHost On
        ProxyRequests Off
        # Docker : neo4j:3.2
        ProxyPass / https://localhost:7473/
        ProxyPassReverse / https://localhost:7473/
        # This will do the trick to work with SSL Reverse Proxy
        SSLProxyEngine On
        # Other: these switch off verification of the backend (localhost:7473) certificate
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        # Fixed AH00898: Error during SSL Handshake with remote server returned by
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    </VirtualHost>
</IfModule>
Now it works without any kind of issues,
except for this one: Secure websocket connection failure despite an apparently valid certificate
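ERR_CERT_DATE_INVALID means the browser was handed a certificate outside its validity period, so it is worth checking the copied files directly after each run of the update script. The following is an added example, not part of the original post: the function names are hypothetical, it assumes the `openssl` CLI, and it goes beyond the post's `Not After` check by also testing that the key matches the certificate and that the copy is not older than the live Let's Encrypt file.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# True if the leaf (first) certificate in FILE is still valid SECONDS from now.
cert_valid_for() {  # cert_valid_for FILE [SECONDS]
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Number of PEM certificates in FILE (leaf plus intermediate gives 2 or more).
cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# True if private key KEY belongs to the leaf certificate in CERT.
key_matches_cert() {  # key_matches_cert CERT KEY
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if both files start with the same leaf certificate (the copy is not stale).
same_leaf() {  # same_leaf FILE_A FILE_B
  local a b
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# Constructed sample material: throwaway self-signed certificate valid DAYS days.
make_sample() {  # make_sample DIR NAME DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.cert" >/dev/null 2>&1
}

# All checks in one call; the return code tells which one failed.
check_deployed() {  # check_deployed LIVE_CERT DEPLOYED_CERT DEPLOYED_KEY
  cert_valid_for "$2" 0      || { echo "expired: $2"; return 1; }
  key_matches_cert "$2" "$3" || { echo "key does not match certificate"; return 2; }
  same_leaf "$2" "$1"        || { echo "stale copy, re-run the update script"; return 3; }
  [ "$(cert_count "$2")" -ge 2 ] || echo "warning: no intermediate in $2"
  echo "ok"
}

# Run the checks when called with the three paths as arguments.
if [ $# -eq 3 ]; then check_deployed "$@"; fi
```

With the paths from the post, the arguments would be `${SOURCE}/cert.pem`, `${TARGET}/volumes/certificates/neo4j.cert` and `${TARGET}/volumes/certificates/neo4j.key`, run with enough privilege to read the key.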