Setting up single node SSL

I'm trying to enable CA-signed certificates on the Neo4j server; however, I'm getting the error below.

2019-05-15 15:15:57.981+0000 WARN The 'dbms.ssl.policy.default_policy.client_auth' setting is specified more than once. Settings only be specified once, to avoid ambiguity. The setting value that will be used is 'NONE'.
2019-05-15 15:15:58.002+0000 INFO ======== Neo4j 3.5.4 ========
2019-05-15 15:15:58.008+0000 INFO Starting...
2019-05-15 15:15:58.594+0000 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.".
    at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:45)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:187)
    at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:123)
    at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:90)
    at com.neo4j.server.enterprise.CommercialEntryPoint.main(CommercialEntryPoint.java:22)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.".
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:473)
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:111)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:180)
    ... 3 more
Caused by: java.lang.RuntimeException: Failed to load private key: /opt/neo4j-enterprise/certificates/default_policy/neo.key
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:321)
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:206)
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.create(SslPolicyLoader.java:99)
    at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:98)
    at org.neo4j.kernel.impl.enterprise.EnterpriseEditionModule.<init>(EnterpriseEditionModule.java:55)
    at com.neo4j.commercial.edition.CommercialEditionModule.<init>(CommercialEditionModule.java:48)
    at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:179)
    at com.neo4j.commercial.edition.CommercialGraphDatabase.<init>(CommercialGraphDatabase.java:20)
    at com.neo4j.server.database.CommercialGraphFactory.newGraphDatabase(CommercialGraphFactory.java:40)
    at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:90)
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:452)
    ... 5 more
Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked
    at org.neo4j.ssl.PkiUtils.loadPrivateKey(PkiUtils.java:211)
    at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:317)
    ... 15 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=56, too big.
    at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:169)
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
    at org.neo4j.ssl.PkiUtils.loadPrivateKey(PkiUtils.java:207)
    ... 16 more
Caused by: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=56, too big.
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:351)
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356)
    at sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:73)
    at sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)
    at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)
    ... 18 more
2019-05-15 15:15:58.596+0000 INFO Neo4j Server shutdown initiated by request

Below are my conf file settings:

dbms.ssl.policy.default_policy.base_directory=/opt/neo4j-enterprise/certificates/default_policy
dbms.ssl.policy.default_policy.client_auth=NONE
dbms.ssl.policy.default_policy.allow_key_generation=false
dbms.ssl.policy.default_policy.trust_all=false
dbms.ssl.policy.default_policy.private_key=/opt/neo4j-enterprise/certificates/default_policy/neo.key
dbms.ssl.policy.default_policy.public_certificate=/opt/neo4j-enterprise/certificates/default_policy/ServerCertificate.crt
dbms.ssl.policy.default_policy.trusted_dir=/opt/neo4j-enterprise/certificates/default_policy/trusted
dbms.ssl.policy.default_policy.revoked_dir=/opt/neo4j-enterprise/certificates/default_policy/revoked
dbms.ssl.policy.default_policy.client_auth=optional
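A small checker for the duplicate-setting condition the WARN line in the log reports, added here as an example and not Neo4j's own configuration loader. The conf excerpt is constructed, and the rule that the first occurrence is the effective one is taken from the warning's own text ("The setting value that will be used is 'NONE'").

```python
# Added example (not Neo4j code): find settings that appear more than once in
# a neo4j.conf, the condition the WARN line at the top of this thread reports.
# Constructed excerpt mirroring the policy block posted above.
SAMPLE_CONF = """\
# SSL policy for port 7473
dbms.ssl.policy.default_policy.client_auth=NONE
dbms.ssl.policy.default_policy.allow_key_generation=false
dbms.ssl.policy.default_policy.trust_all=false
dbms.ssl.policy.default_policy.client_auth=optional
"""

def parse_conf(text):
    """Return (effective, duplicates). `effective` keeps the FIRST value for
    each key, which matches the value the warning said would be used (NONE);
    `duplicates` lists (key, [(line_no, value), ...]) for repeated keys."""
    seen = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {no}: expected key=value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        seen.setdefault(key, []).append((no, value))
    effective = {k: v[0][1] for k, v in seen.items()}
    duplicates = [(k, v) for k, v in seen.items() if len(v) > 1]
    return effective, duplicates

def report(text):
    """One human-readable line per duplicated setting."""
    _, dups = parse_conf(text)
    return [f"{k} set {len(v)} times (lines {', '.join(str(n) for n, _ in v)}); "
            f"first value {v[0][1]!r} wins" for k, v in dups]
```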

I usually see this error when the encoding of your certificate is wrong. I believe you need a JKS format key; check these docs:

What steps to actually take will depend on where you got your cert and what format it's in now.

Thanks for the response.

We provided the .crt and .key files, created with the commands below, to the third-party certificate generator.

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

In response we received the signed certificate .crt files (chain.crt and server.crt).

Earlier, I had tested with a self-signed .crt file and it did work. Not sure where I'm going wrong.

Update:

I have managed to start the Neo4j node with the certificates after converting the .key file to DER format. However, I'm still not able to access port 7473.

This site can't provide a secure connection
172.XX.XX.XX sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
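A check of what is actually inside a key file before pointing Neo4j at it, added here as an example that is not part of this thread or of Neo4j. It reports the PEM label's format (PKCS#1 vs PKCS#8), whether the key is passphrase-protected (what `openssl genrsa -des3` produces), and whether the base64 body decodes to a sane DER SEQUENCE, reproducing the "lengthTag=N, too big" condition from the trace above; both sample keys are constructed bytes, and the helper names are assumptions.

```python
import base64
import re
# Added example (not Neo4j code): inspect a PEM private key the way the loader
# in the stack trace sees it. Both sample keys below are constructed bytes.
ENCRYPTED_PKCS1 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MLgBAgME
-----END RSA PRIVATE KEY-----
"""  # the shape `openssl genrsa -des3` writes with OpenSSL 1.x
PLAIN_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
LABELS = {"PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
          "RSA PRIVATE KEY": "PKCS#1", "EC PRIVATE KEY": "SEC1"}

def check_der_sequence(der):
    """Outer-structure check a DER reader does first: SEQUENCE tag and a sane
    length. A long-form length claiming more than 4 length bytes is exactly
    what Java's DerInputStream reports as 'lengthTag=N, too big'."""
    if len(der) < 2 or der[0] != 0x30:
        return False, "does not start with a DER SEQUENCE (0x30)"
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            return False, f"lengthTag={nbytes}, too big"
        length, hdr = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    if hdr + length != len(der):
        return False, f"declared length {length} != {len(der) - hdr} body bytes"
    return True, "outer SEQUENCE is well-formed"

def inspect_pem_key(pem_text):
    """Report the PEM label's format, whether the key is passphrase-protected,
    and whether the base64 body decodes to a plausible DER structure."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM BEGIN/END block found")
    label, lines = m.group(1), [l.strip() for l in m.group(2).splitlines()]
    headers = [l for l in lines if ":" in l]      # Proc-Type / DEK-Info lines
    b64 = "".join(l for l in lines if ":" not in l)
    encrypted = label.startswith("ENCRYPTED") or any(
        h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
    try:
        der_ok, detail = check_der_sequence(base64.b64decode(b64, validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError
        der_ok, detail = False, f"body is not valid base64: {exc}"
    return {"format": LABELS.get(label, "unknown"), "encrypted": encrypted,
            "der_ok": der_ok, "detail": detail}
```

A key that reports `encrypted: True` or `der_ok: False` here is not something the trace's `PKCS8Key.decode` step can consume as-is, so run this before restarting the server rather than after.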

Hi,

Did you manage to get this to work? I'm having the same issue as you.

Thanks,

Nick