Setting up Valid Certificates for Neo4j with Let's Encrypt

Hi everybody,

This question comes up fairly often, particularly in the cloud deployment world where we deploy instances of Neo4j with HTTPS open by default, and folks need valid certificates.

If you haven't used Let's Encrypt before, it's a free way of getting valid certificates for a host name you control. I wrote up the process of how to use Let's Encrypt with Neo4j, and how to install those certificates into your Neo4j instance.

Hope it's helpful!

5 Likes

Thanks for submitting!

I’ve added a tag that allows your blog to be displayed on the community home page!

David,

This is more than helpful! Certificates are the bane of even experienced system administrators, and this document hands you the tools to do the job. Great stuff!

Regards,
Tom

1 Like

Hi David, your article on using LetsEncrypt with Neo4j was fantastic. I have been trying to implement SSL on my Neo4j-backed website for a while now, and this pulled it all together.

I'm not sure if this is the correct forum to post issues like this so feel free to direct me elsewhere if required.

I can access my website using HTTPS after installing the LetsEncrypt files as outlined in your article. However, when I try to access the Neo4j browser via https://www.mysite.com:7473 it will not connect. I can access it using standard HTTP. I have checked that the port is open on my firewall, and I have gone through all the steps and checks as outlined. I suspect I may have something small incorrect in my neo4j.conf file, as I have tried many options to get it working. I'm using an Ubuntu 16.04 based server.

Would it be possible to take a look below and provide any suggestions? I would be eternally grateful!

dbms.directories.certificates=/var/lib/neo4j/certificates
#dbms.security.auth_enabled=false
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=www.mysite.com
dbms.connector.bolt.enabled=true
dbms.connector.bolt.tls_level=REQUIRED
dbms.connector.bolt.listen_address=0.0.0.0:7687
#dbms.connectors.default_listen_address=0.0.0.0:7687
dbms.connector.http.enabled=true
dbms.connector.http.listen_address=0.0.0.0:7474
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=:7473
bolt.ssl_policy=default
https.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.trusted_dir=/var/lib/neo4j/certificates/trusted
dbms.ssl.policy.default.client_auth=NONE

Regards,
Barry.

1 Like

Ah, I just got finished writing you a response on Medium and now I see you've already posted here.

Your dbms.connector.https.listen_address=:7473 is a bit inconsistent; it shouldn't matter, but you're missing the 0.0.0.0, which binds to all network devices.

Everything else at first glance looks OK, which is why in the Medium post I was requesting that you follow up with some specifics on what your browser is reporting.

Also, I take it as given that the certs you've installed are for www.mysite.com (not some other domain) and that www.mysite.com resolves to your machine? Is this a cluster or a standalone server?

1 Like

Hi David,

Again, thanks for your prompt response. The browser is just showing a timeout error, ERR_CONNECTION_TIMED_OUT, and no errors are showing in the console. The machine is a standalone server. I generated the scripts using the full URL and just used www.mysite.com as an example. If I use http://www..com:7474 it opens the Neo4j browser fine; however, using https://www..com:7473 fails to load and times out.

Any ideas on what else I could check would be greatly appreciated. I'm at my wits end!

Regards,

Barry.

Hi David,

Again, many thanks for your help on this topic. The browser is just showing a timed-out error, ERR_CONNECTION_TIMED_OUT, and no error messages are appearing in the Console. I have generated the certs using my own URL and only used www..com for demo purposes. The machine is a standalone server.

Using http://www..com:7474 accesses the neo4j browser fine, however https://www..com:7473 times out as mentioned.

Any ideas on what else I could check would be greatly appreciated!

Thanks Again,

Barry.

1 Like

I can't prove it, because it depends on the details of how you've deployed, but 99 times out of 100, "connection timed out" errors mean one of two things:

  • Your dbms.connector.https.enabled=false, and so you're not running https, and so neo4j isn't listening at all on that port.
  • Your local firewall rules don't permit traffic to port 7473.

The second explanation is the more likely one. By default, all clouds firewall all ports out. When you send traffic on those ports, the firewall at the cloud provider just drops your packets on the floor, and connection timeouts are how that manifests.
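
The two-case diagnosis above can be scripted. What follows is an added example written for this page, not David's code and not anything from the Neo4j project: it parses listening-socket output (`ss -ltn` or `netstat -ltn`) and `ufw status` output, attempts a TLS handshake with a timeout rather than hanging, and names the likely cause in the same terms as the two bullets. It assumes `ss` or `netstat`, `ufw`, `timeout` and `openssl` are installed; `www.mysite.com` and `7473` are placeholders, and the netstat line used for the check is constructed.

```shell
#!/bin/sh
# Added example: classify an HTTPS "connection timed out" against Neo4j.
# Assumes ss/netstat, ufw, timeout and openssl exist; host/port are placeholders.

# Read `ss -ltn` or `netstat -ltn` output on stdin; print yes if any listening
# socket's local address ends in :PORT (matches 0.0.0.0:7473, *:7473, :::7473).
listening_in_output() {
  awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { print (found ? "yes" : "no") }'
}

# Case 1 above: is anything listening locally on the port at all?
port_listening() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | listening_in_output "$1"
  else
    netstat -ltn 2>/dev/null | listening_in_output "$1"
  fi
}

# Case 2 above: read `ufw status` on stdin; print yes if an ALLOW rule names
# the port (as "7473" or "7473/tcp"), no if none does, inactive if ufw is off.
ufw_allows_in_output() {
  awk -v port="$1" '
    /^Status: inactive/ { print "inactive"; done = 1; exit }
    ($1 == port || $1 == (port "/tcp")) && $2 ~ /^ALLOW/ { allowed = 1 }
    END { if (!done) print (allowed ? "yes" : "no") }'
}

ufw_allows() {
  command -v ufw >/dev/null 2>&1 || { echo "unknown"; return; }
  sudo ufw status 2>/dev/null | ufw_allows_in_output "$1"
}

# Try a TLS handshake from here, bounded by a timeout; a silent drop by a
# cloud firewall shows up as "no" after five seconds instead of a hang.
tls_handshake() {
  if printf '' | timeout 5 openssl s_client -connect "$1:$2" -servername "$1" >/dev/null 2>&1; then
    echo "yes"
  else
    echo "no"
  fi
}

# Combine the observations into the explanations given in the post.
diagnose() {
  listening="$1"; fw="$2"; handshake="$3"
  if [ "$listening" != "yes" ]; then
    echo "not-listening: check dbms.connector.https.enabled and the https listen_address in neo4j.conf"
  elif [ "$fw" = "no" ]; then
    echo "firewalled: ufw has no ALLOW rule for the port; also check the cloud provider's firewall"
  elif [ "$handshake" != "yes" ]; then
    echo "dropped-upstream: listening and permitted locally, so a cloud security group or network ACL is likely dropping the traffic"
  else
    echo "reachable: the TLS listener answers; remaining problems are certificate or host-name mismatches"
  fi
}

# Usage (placeholders): sh diagnose_https.sh --run www.mysite.com 7473
if [ "${1:-}" = "--run" ]; then
  host="${2:-www.mysite.com}"; port="${3:-7473}"
  diagnose "$(port_listening "$port")" "$(ufw_allows "$port")" "$(tls_handshake "$host" "$port")"
fi
```

Run it on the server itself first (the listening and ufw checks are local), then from outside with the handshake check; a listener that answers locally but times out remotely points at the provider's firewall rather than at neo4j.conf.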

Hi David,

Apologies regarding double post.
I checked that port 7473 was open and it returned:

tcp6 0 0 :::7473 :::* LISTEN

I then tried two commands:
sudo ufw allow https
sudo ufw allow 443

Which seems to have added further rules to my firewall.

However the good news is that it now works!

Thanks again for your time and help in pointing me in the right direction.

Regards,
Barry.

1 Like

Hi David,

I am facing an issue: Failed to start Neo4j on 0.0.0.0:7474: HTTPS set to enabled, but no SSL policy provided

Running Neo4j 4.0.4, and it's in Docker.

Below is my configuration:

dbms.tx_log.rotation.retention_policy=100M size
dbms.ssl.policy.https.trusted_dir=/var/certificates/https/trusted
dbms.ssl.policy.https.revoked_dir=/var/certificates/https/revoked
dbms.ssl.policy.https.public_certificate=/var/certificates/https/cert.pem
dbms.ssl.policy.https.private_key=/var/certificates/https/privkey.pem
dbms.ssl.policy.https.client_auth=NONE
dbms.ssl.policy.https.base_directory=/var/certificates/https
dbms.ssl.policy.bolt.trusted_dir=/var/certificates/default/trusted
dbms.ssl.policy.bolt.revoked_dir=/var/certificates/default/revoked
dbms.ssl.policy.bolt.public_certificate=/var/certificates/default/cert.pem
dbms.ssl.policy.bolt.private_key=/var/certificates/default/privkey.pem
dbms.ssl.policy.bolt.client_auth=NONE
dbms.ssl.policy.bolt.base_directory=/var/certificates/default
dbms.security.procedures.unrestricted=apoc.coll.,apoc.load.
dbms.memory.pagecache.size=5600M
dbms.directories.logs=/logs
dbms.default_database=graph.db
dbms.connector.https.enabled=true
dbms.allow_upgrade=true
ESCODB.SERVICE.PORT.QUERY=7687
ESCODB.SERVICE.PORT.HTTPS=7473
ESCODB.SERVICE.PORT.HTTP=7474
ESCODB.SERVICE.PORT=7474
ESCODB.SERVICE.HOST=10.2.5.87
ESCODB.PORT.7687.TCP.PROTO=tcp
ESCODB.PORT.7687.TCP.PORT=7687
ESCODB.PORT.7687.TCP.ADDR=10..8.87
ESCODB.PORT.7687.TCP=tcp://10...87:7687
ESCODB.PORT.7474.TCP.PROTO=tcp
ESCODB.PORT.7474.TCP.PORT=7474
ESCODB.PORT.7474.TCP.ADDR=10...87
ESCODB.PORT.7474.TCP=tcp://10...87:7474
ESCODB.PORT.7473.TCP.PROTO=tcp
ESCODB.PORT.7473.TCP.PORT=7473
ESCODB.PORT.7473.TCP.ADDR=10...87
ESCODB.PORT.7473.TCP=tcp://10...87:7473
ESCODB.PORT=tcp://10..*.87:7474

Thank you so much; however, when I tried to set up the SSL in your method, Neo4j restarted with an error "not sudoer".
I solved this issue by rewriting the public.crt and private.key as explained in the following way; hope you find it helpful.

Getting Valid SSL Certificates for Neo4j with Let’s Encrypt

1 Like