Problem starting neo4j server on Ubuntu 18.04 with SSL enabled


(Dragotic) #1

Hello everyone,

It's already been 2 days since I started deploying my neo4j database to an Ubuntu 18.04 server. All went smoothly until I had to configure ssl certificates. I have a domain name that I purchased from GoDaddy and an SSL certificate. I uploaded the certificate and private key to my neo4j folder but it keeps throwing me errors.

I'm using neo4j 3.5.3 that I installed with sudo apt install neo4j=1:3.5.3 and this is my configuration file:

bolt.ssl_policy=default
https.ssl_policy=default
#*****************************************************************
# SSL policy configuration
#*****************************************************************
# Each policy is configured under a separate namespace, e.g.
#    dbms.ssl.policy.<policyname>.*
#
# The example settings below are for a new policy named 'default'.
# The base directory for cryptographic objects. Each policy will by
# default look for its associated objects (keys, certificates, ...)
# under the base directory.
#
# Every such setting can be overridden using a full path to
# the respective object, but every policy will by default look
# for cryptographic objects in its base location.
#
# Mandatory setting
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates/default
# Allows the generation of a fresh private key and a self-signed
# certificate if none are found in the expected locations. It is
# recommended to turn this off again after keys have been generated.
#
# Keys should in general be generated and distributed offline
# by a trusted certificate authority (CA) and not by utilizing
# this mode.
dbms.ssl.policy.default.allow_key_generation=false
# Enabling this makes it so that this policy ignores the contents
# of the trusted_dir and simply resorts to trusting everything.
#
# Use of this mode is discouraged. It would offer encryption but no security.
dbms.ssl.policy.default.trust_all=false
# The private key for the default SSL policy. By default a file
# named private.key is expected under the base directory of the policy.
# It is mandatory that a key can be found or generated.
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/default/private.key
# The public certificate for the default SSL policy. By default a file
# named public.crt is expected under the base directory of the policy.
# It is mandatory that a certificate can be found or generated.
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/default/public.crt

# The certificates of trusted parties. By default a directory named
# 'trusted' is expected under the base directory of the policy. It is
# mandatory to create the directory so that it exists, because it cannot
# be auto-created (for security purposes).
#
# To enforce client authentication client_auth must be set to 'require'!

#dbms.ssl.policy.default.trusted_dir=

# Client authentication setting. Values: none, optional, require
# The default is to require client authentication.
#
# Servers are always authenticated unless explicitly overridden
# using the trust_all setting. In a mutual authentication setup this
# should be kept at the default of require and trusted certificates
# must be installed in the trusted_dir.

dbms.ssl.policy.default.client_auth=none

# It is possible to verify the hostname that the client uses
# to connect to the remote server. In order for this to work, the server public
# certificate must have a valid CN and/or matching Subject Alternative Names.

# Note that this is irrelevant on host side connections (sockets receiving
# connections).

# To enable hostname verification client side on nodes, set this to true.

#dbms.ssl.policy.default.verify_hostname=false

# A comma-separated list of allowed TLS versions.
# By default only TLSv1.2 is allowed.

#dbms.ssl.policy.default.tls_versions=

# A comma-separated list of allowed ciphers.
# The default ciphers are the defaults of the JVM platform.

#dbms.ssl.policy.default.ciphers=

and this is the error that is thrown when I try to restart the neo4j service:

Mar 14 10:06:25 neo4j neo4j[23477]: Starting Neo4j.
Mar 14 10:06:26 neo4j neo4j[23477]: 2019-03-14 10:06:26.422+0000 INFO  ======== Neo4j 3.5.3 ========
Mar 14 10:06:26 neo4j neo4j[23477]: 2019-03-14 10:06:26.436+0000 INFO  Starting...
Mar 14 10:06:27 neo4j neo4j[23477]: 2019-03-14 10:06:27.065+0000 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@73e9cf30' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=59, too big.". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@73e9cf30' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=59, too big.".
Mar 14 10:06:27 neo4j neo4j[23477]: org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@73e9cf30' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=59, too big.".
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:45)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:184)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:123)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:90)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:32)
Mar 14 10:06:27 neo4j neo4j[23477]: Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@73e9cf30' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=59, too big.".
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:473)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:111)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:177)
Mar 14 10:06:27 neo4j neo4j[23477]:         ... 3 more
Mar 14 10:06:27 neo4j neo4j[23477]: Caused by: java.lang.RuntimeException: Failed to load private key: /var/lib/neo4j/certificates/default/private.key
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:321)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:206)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.create(SslPolicyLoader.java:99)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:98)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:168)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.newFacade(GraphDatabaseFacadeFactory.java:135)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.database.CommunityGraphFactory.newGraphDatabase(CommunityGraphFactory.java:40)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:78)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:452)
Mar 14 10:06:27 neo4j neo4j[23477]:         ... 5 more
Mar 14 10:06:27 neo4j neo4j[23477]: Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=59, too big.
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
Mar 14 10:06:27 neo4j neo4j[23477]:         at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.ssl.PkiUtils.loadPrivateKey(PkiUtils.java:226)
Mar 14 10:06:27 neo4j neo4j[23477]:         at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:317)
Mar 14 10:06:27 neo4j neo4j[23477]:         ... 13 more
Mar 14 10:06:27 neo4j neo4j[23477]: Caused by: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=59, too big.
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:352)
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
Mar 14 10:06:27 neo4j neo4j[23477]:         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
Mar 14 10:06:27 neo4j neo4j[23477]:         ... 16 more

Any ideas on what's causing this mess? I re-checked the certificates and re-issued them through GoDaddy, but no luck.


(Michael Hunger) #2

Can you check this? It says you copied too much of the CERT into the files.

https://confluence.atlassian.com/jirakb/java-certificate-issue-ioexception-derinputstream-getlength-lengthtag-109-too-big-761505154.html
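
The linked article describes the generic cause (extra material in the key file). As an added diagnostic, not part of this thread or of Neo4j, the script below reproduces the PEM-framing and outer-DER checks that the `PKCS8Key.decode` frame in the stack trace applies, so the same "lengthTag=N, too big." message can be reproduced offline before restarting the service. The sample PEM files are constructed from toy DER bytes, not real keys; the expectation of a PKCS#8 "BEGIN PRIVATE KEY" block is inferred from the `PKCS8Key.decode` frame and is an assumption.

```python
import base64
import re

# One PEM block = header line, base64 body, matching footer line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(der: bytes):
    """Decode the first tag/length the way Java's DerInputStream does.
    Returns (content_length, header_size) or raises ValueError."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("first byte is not a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    if first == 0x80:                     # indefinite length is not valid DER
        raise ValueError("indefinite length is not allowed in DER")
    n = first & 0x7F                      # long form: n further length bytes
    if n > 4:                             # Java's limit; yields the error seen in the thread
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_pem_private_key(text: str):
    """Return (ok, message) for the file Neo4j will load as private.key."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return False, f"expected exactly one PEM block, found {len(blocks)}"
    label, body = blocks[0]
    if label == "RSA PRIVATE KEY":
        return False, "PKCS#1 block; PKCS8Key.decode expects a PKCS#8 'PRIVATE KEY' block"
    if label != "PRIVATE KEY":
        return False, f"not a private key block: {label}"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError subclass
        return False, f"body is not valid base64: {exc}"
    try:
        length, header = der_outer_length(der)
    except ValueError as exc:
        return False, str(exc)
    if header + length != len(der):
        return False, f"DER says {length} content bytes, file has {len(der) - header}"
    return True, "PEM framing and outer DER structure are consistent"


def _pem(label: str, der: bytes) -> str:
    """Build a constructed sample file around toy DER bytes (not a real key)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


GOOD_PEM = _pem("PRIVATE KEY", b"\x30\x08\x02\x01\x00\x04\x03abc")  # SEQUENCE{INT 0, OCTETS "abc"}
TOO_BIG_PEM = _pem("PRIVATE KEY", b"\x30\xbb\x00\x00")              # length byte 0xBB -> lengthTag=59
TWO_BLOCKS_PEM = GOOD_PEM + _pem("CERTIFICATE", b"\x30\x00")       # certificate pasted into key file
```

Run `check_pem_private_key(open("/var/lib/neo4j/certificates/default/private.key").read())` on the real file; the message points at whichever of the three conditions (extra block, wrong label, malformed DER) the Java loader would trip over.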


(Dragotic) #3

Did this yesterday. But I just did it again and no luck. It throws the same error.


(Michael Hunger) #4

I only used let's encrypt certs.
Perhaps you can try those?


(Dragotic) #5

Yes, perhaps I should give this a try but I don't get why this would be an option. I mean I already got my certificate, signed by GoDaddy.

I will get back to you, if this helps.
Thanks


(Dragotic) #6

Well, it worked. I still don't get why the certificate was the issue.