Neo4J Docker SSL AccessDeniedException

So I created a conf file with these lines, mainly for the SSL policy:

server.default_listen_address=0.0.0.0
#host changed here 
server.default_advertised_address=my.host.com
# BOLT Connector
dbms.connector.bolt.tls_level=REQUIRED
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.private_key=private.key
dbms.ssl.policy.bolt.public_certificate=public.cert
dbms.ssl.policy.bolt.client_auth=NONE
# HTTPS connector
server.https.enabled=true
dbms.connector.https.enabled=true
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.client_auth=NONE
dbms.ssl.policy.https.private_key=private.key
dbms.ssl.policy.https.public_certificate=public.cert
# Directories
dbms.ssl.policy.bolt.base_directory=certificates/bolt
dbms.ssl.policy.https.base_directory=certificates/https

With that I also followed the proper steps to create the https and bolt directories under certificates, and generated private.key and public.cert as well.

docker run \
    --detach \
    --publish=7473:7473 \
    --publish=7687:7687 \
    --user="$(id -u):$(id -g)" \
    --volume=$HOME/neo4j/certificates:/ssl \
    --volume=$HOME/neo4j/conf:/conf \
    neo4j:5.4.0

Then I ran this command and got this error in the logs of that container:

2023-02-15 13:04:14.515+0000 INFO  Starting...
2023-02-15 13:04:15.142+0000 ERROR Failed to start Neo4j on 0.0.0.0:7474.
java.lang.RuntimeException: Failed to load private key: /var/lib/neo4j/certificates/https/private.key
	at org.neo4j.ssl.config.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:261) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.ssl.config.SslPolicyLoader.pemKeyAndChain(SslPolicyLoader.java:212) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.ssl.config.SslPolicyLoader.createSslPolicy(SslPolicyLoader.java:162) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.ssl.config.SslPolicyLoader.addPolicy(SslPolicyLoader.java:145) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at java.util.HashMap$Values.forEach(HashMap.java:1065) ~[?:?]
	at org.neo4j.ssl.config.SslPolicyLoader.load(SslPolicyLoader.java:136) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.ssl.config.SslPolicyLoader.create(SslPolicyLoader.java:104) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:123) ~[neo4j-5.4.0.jar:5.4.0]
	at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.build(DatabaseManagementServiceFactory.java:133) ~[neo4j-5.4.0.jar:5.4.0]
	at org.neo4j.server.CommunityBootstrapper.createNeo(CommunityBootstrapper.java:36) ~[neo4j-5.4.0.jar:5.4.0]
	at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:170) ~[neo4j-5.4.0.jar:5.4.0]
	at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:86) ~[neo4j-5.4.0.jar:5.4.0]
	at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:30) ~[neo4j-5.4.0.jar:5.4.0]
Caused by: java.nio.file.AccessDeniedException: /var/lib/neo4j/certificates/https/private.key
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
	at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55) ~[?:?]
	at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:148) ~[?:?]
	at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99) ~[?:?]
	at java.nio.file.Files.readAttributes(Files.java:1851) ~[?:?]
	at java.nio.file.Files.size(Files.java:2468) ~[?:?]
	at org.neo4j.io.fs.DefaultFileSystemAbstraction.getFileSize(DefaultFileSystemAbstraction.java:119) ~[neo4j-io-5.4.0.jar:5.4.0]
	at org.neo4j.io.fs.FileSystemUtils.readAllBytes(FileSystemUtils.java:132) ~[neo4j-io-5.4.0.jar:5.4.0]
	at org.neo4j.pki.PkiUtils.pathToByteStream(PkiUtils.java:76) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.pki.PkiUtils.loadPrivateKey(PkiUtils.java:64) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	at org.neo4j.ssl.config.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:257) ~[neo4j-ssl-5.4.0.jar:5.4.0]
	... 12 more
2023-02-15 13:04:15.152+0000 INFO  Neo4j Server shutdown initiated by request
2023-02-15 13:04:15.153+0000 INFO  Stopped.

I made sure to give proper permissions (644) to the private.key file on my host machine.

According to the Neo4j operations manual, file and folder permissions should be set as follows:

Path                                        Directory/File  Owner  Group  Permission  Unix/Linux View
/data/neo4j/certificates/https              Directory       neo4j  neo4j  0755        drwxr-xr-x
/data/neo4j/certificates/https/public.crt   File            neo4j  neo4j  0644        -rw-r--r--
/data/neo4j/certificates/https/private.key  File            neo4j  neo4j  0400        -r--------
/data/neo4j/certificates/https/trusted      Directory       neo4j  neo4j  0755        drwxr-xr-x
/data/neo4j/certificates/https/trusted/public.crt  File     neo4j  neo4j  0644        -rw-r--r--
/data/neo4j/certificates/https/revoked      Directory       neo4j  neo4j  0755        drwxr-xr-x

The owner/group should be configured to the user/group that will be running the neo4j service. Default user/group is neo4j/neo4j.

I would check to make sure your file and folder permissions match the above - I'm not sure if just 644 (which I believe is read only for any user/group?) is enough for the certificate permissions.

Also see this knowledge base article, which suggests setting the folder group (7474 is the user and group id):

sudo chgrp -R 7474 $HOME/neo4j/ssl && \
sudo chmod -R g+rx $HOME/neo4j/ssl
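As an added check (example script written for this thread, not from the Neo4j documentation or the knowledge base article), the shell function below audits one policy directory on the host against the table above: owner, group and mode of the directory, the public certificate and the private key. It also verifies that every parent directory carries the search (x) bit for the uid/gid the container runs as, because the stack trace above fails inside Files.size(), a stat() of the key, and stat() is refused when any path component is not searchable, regardless of the file's own mode. It assumes GNU stat (Linux).

```shell
# Added example, not from the thread or the Neo4j docs: audit one SSL policy
# directory (e.g. $HOME/neo4j/certificates/https) against the permission table
# above. Assumes GNU stat (Linux); returns 0 when clean, else the finding count.
# Usage: audit_cert_dir <policy-dir> <neo4j-uid> <neo4j-gid>

# searchable <dir> <uid> <gid>: does uid/gid hold the x (search) bit on <dir>?
searchable() {
    perm=$(stat -c '%A' "$1")
    if   [ "$(stat -c '%u' "$1")" = "$2" ]; then bit=$(echo "$perm" | cut -c4)
    elif [ "$(stat -c '%g' "$1")" = "$3" ]; then bit=$(echo "$perm" | cut -c7)
    else bit=$(echo "$perm" | cut -c10); fi
    [ "$bit" = "x" ] || [ "$bit" = "s" ] || [ "$bit" = "t" ]
}

# check_entry <path> <allowed-modes...>: owner/group must be the Neo4j user's,
# mode must be one of the allowed octal values. Uses globals uid, gid, n.
check_entry() {
    f="$1"; shift
    [ -e "$f" ] || { echo "MISSING $f"; n=$((n + 1)); return; }
    m=$(stat -c '%a' "$f"); ok=1
    for want in "$@"; do if [ "$m" = "$want" ]; then ok=0; fi; done
    [ "$ok" -eq 0 ] || { echo "MODE $f is $m, expected $*"; n=$((n + 1)); }
    [ "$(stat -c '%u' "$f")" = "$uid" ] || { echo "OWNER $f uid is not $uid"; n=$((n + 1)); }
    [ "$(stat -c '%g' "$f")" = "$gid" ] || { echo "GROUP $f gid is not $gid"; n=$((n + 1)); }
}

audit_cert_dir() {
    dir="$1"; uid="$2"; gid="$3"; n=0
    [ -d "$dir" ] || { echo "MISSING directory $dir (or a parent is not searchable)"; return 1; }
    case "$dir" in /*) p="$dir" ;; *) p="$PWD/$dir" ;; esac

    # Every directory from the policy dir upward needs the search bit for the
    # Neo4j user, or stat() on private.key fails with AccessDeniedException
    # before the key is even read; a 644 file mode cannot fix that.
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        searchable "$p" "$uid" "$gid" || { echo "NOSEARCH $p not searchable by $uid:$gid"; n=$((n + 1)); }
        p=$(dirname "$p")
    done

    check_entry "$dir" 755
    crt="$dir/public.crt"; [ -e "$crt" ] || crt="$dir/public.cert"   # either name used in the thread
    check_entry "$crt" 644
    check_entry "$dir/private.key" 400 600   # 600 is also owner-only; never group/world readable
    return "$n"
}
```

Run it with the same ids you pass to docker's --user flag, e.g. audit_cert_dir "$HOME/neo4j/certificates/https" "$(id -u)" "$(id -g)", and fix every line it prints before starting the container.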

But the article uses ssl as the directory name, and in the conf setting it is using certificates, so I am a bit confused about that.

Btw thank you :D I managed to deploy it with a self-signed SSL certificate.
