Setting up single node SSL

Im trying to enable the CA signed certificates to Neo4j server however i'm getting the below error.

2019-05-15 15:15:57.981+0000 WARN The 'dbms.ssl.policy.default_policy.client_auth' setting is specified more than once. Settings only be specified once, to avoid ambiguity. The setting value that will be used is 'NONE'.

2019-05-15 15:15:58.002+0000 INFO ======== Neo4j 3.5.4 ========

2019-05-15 15:15:58.008+0000 INFO Starting...

2019-05-15 15:15:58.594+0000 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.".

org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.".

at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:45)

at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:187)

at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:123)

at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:90)

at com.neo4j.server.enterprise.CommercialEntryPoint.main(CommercialEntryPoint.java:22)

Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@66ea810' was successfully initialized, but failed to start. Please see the attached cause exception "IOException : DerInputStream.getLength(): lengthTag=56, too big.".

at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:473)

at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:111)

at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:180)

... 3 more

Caused by: java.lang.RuntimeException: Failed to load private key: /opt/neo4j-enterprise/certificates/default_policy/neo.key

at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:321)

at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:206)

at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.create(SslPolicyLoader.java:99)

at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:98)

at org.neo4j.kernel.impl.enterprise.EnterpriseEditionModule.<init>(EnterpriseEditionModule.java:55)

at com.neo4j.commercial.edition.CommercialEditionModule.<init>(CommercialEditionModule.java:48)

at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:179)

at com.neo4j.commercial.edition.CommercialGraphDatabase.<init>(CommercialGraphDatabase.java:20)

at com.neo4j.server.database.CommercialGraphFactory.newGraphDatabase(CommercialGraphFactory.java:40)

at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:90)

at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:452)

... 5 more

Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked

at org.neo4j.ssl.PkiUtils.loadPrivateKey(PkiUtils.java:211)

at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.loadPrivateKey(SslPolicyLoader.java:317)

... 15 more

Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=56, too big.

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:169)

at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)

at org.neo4j.ssl.PkiUtils.loadPrivateKey(PkiUtils.java:207)

... 16 more

Caused by: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=56, too big.

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:351)

at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356)

at sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:73)

at sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)

at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)

... 18 more

2019-05-15 15:15:58.596+0000 INFO Neo4j Server shutdown initiated by request

Below is my conf file setting

dbms.ssl.policy.default_policy.base_directory=/opt/neo4j-enterprise/certificates/default_policy

dbms.ssl.policy.default_policy.client_auth=NONE

dbms.ssl.policy.default_policy.allow_key_generation=false

dbms.ssl.policy.default_policy.trust_all=false

dbms.ssl.policy.default_policy.private_key=/opt/neo4j-enterprise/certificates/default_policy/neo.key

dbms.ssl.policy.default_policy.public_certificate=/opt/neo4j-enterprise/certificates/default_policy/ServerCertificate.crt

dbms.ssl.policy.default_policy.trusted_dir=/opt/neo4j-enterprise/certificates/default_policy/trusted

dbms.ssl.policy.default_policy.revoked_dir=/opt/neo4j-enterprise/certificates/default_policy/revoked

dbms.ssl.policy.default_policy.client_auth=optional

I usually see this error when the encoding of your certificate is wrong. I believe you need a JKS format key, check these docs:

https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html

What steps to actually take will depend on where you got your cert and what format it's in now.

Thanks for the response

we provided .crt and .key files with the below command to the the 3rd party Certificate generator.

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

In response we have received signed certificate .crt file (chain.crt and server.crt)

Ealrier , i have tested with self signed crt file it did work. Not sure where i'm going wrong.

Update:

i have managed to start the neo4j node with the certificates after converting .key file DER format. However i'm still not able to access the 7473 port .

This site can’t provide a secure connection

172.XX.XX.XX sent an invalid response.

ERR_SSL_PROTOCOL_ERROR