WebSocket connection failure on AWS Community Edition

I've spun up a host instance of Neo4j on AWS using https://aws.amazon.com/marketplace/pp/B071P26C9D and it is working on its instance IPv4, but it's not working on the load balancer that is associated with the instance. I've opened ports 7473, 7474, 7687 on the load balancer but am still getting the error.

I also have a working SSL cert on the domain provided by Amazon Certificate Manager (using a *.domain.com domain on the cert). I've exhausted all of the different resources out there and was wondering if anyone could help me out. Thanks!

Full Error: ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3

Can you please provide some more details on what's going on with the load balancer?

A common error is to try and use an HTTP load balancer. That will work for ports 7474 and 7473, but the browser application also relies on port 7687, which is TCP, not HTTP.

It's an Amazon ELB

Instance inbound rules:

Right there in your screenshot it says that you are HTTP load balancing port 7687. This is guaranteed not to work, as bolt traffic is not HTTP. The reason your browser is failing, then, is that the load balancer is interfering.

You need to use a TCP connection load balancer. But honestly, I would not recommend a load balancer at all unless you have a more sophisticated setup and are sure to have 2 load balancing targets, one for writes and one for reads, as documented here: https://neo4j.com/docs/operations-manual/current/ha-cluster/haproxy/#ha-haproxy-bolt

Yeah, I don't actually need a load balancer at the moment; it just seemed like a good idea at the time when I was using Route53 to create an alias for a subdomain I wanted the Neo instance to be available on. For some reason, when I just put in the IP for the instance in the alias, it doesn't work, or at least it seems as though the ACM cert isn't associated with it then, like the connection isn't secure?

Probably what's going on with your cert is that you've generated it with ACM and it was attached to your load balancer but not to Neo4j itself. Neo4j needs to be configured with a certificate file, and then some extra stuff put in your neo4j.template or neo4j.conf file, depending on how you installed Neo4j.

Here are instructions on how to set up SSL for Neo4j: https://medium.com/neo4j/getting-certificates-for-neo4j-with-letsencrypt-a8d05c415bbd

The user's browser will connect via bolt to port 7687, and then, if the neo4j instance itself isn't configured to use the right certificate, the browser will ultimately be talking to a machine with a self-signed cert, and you'll get browser warnings unless it's set up in Neo4j.

Yeah, I've read this Medium article a couple of times but never implemented it because I figured the ACM cert covered it, but good to know it won't. For installing LetsEncrypt, should I do that in /etc/neo4j or in /etc on AWS?

If you were using a load balancer, then hypothetically you could put the cert with the load balancer. Since the user's browser would see the load balancer serving the page, all should be OK. If you go straight to Neo4j, then yes, it must be configured in Neo4j. And I'd recommend doing it that way.

Not sure I follow your question about where to put LetsEncrypt. If you're using one of our cloud AMIs, you should edit /etc/neo4j/neo4j.template to do the SSL configuration bits. As for the certificate files themselves, I believe it's in /var/lib/neo4j/certificates, but I'm not certain. At any rate, check /var/lib/neo4j.
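The browser error in the opening post only reports "WebSocket readyState is: 3", which hides both failure modes raised in the replies above: an HTTP load balancer answering on the bolt port, and a certificate on port 7687 that the client does not trust. The script below is an added diagnostic written for this thread, not code from Neo4j or from any participant; it opens a TLS connection to the bolt port from a shell (not from a browser), sends the public Bolt handshake bytes, and classifies what comes back. The host and port are command-line arguments, the list of proposed Bolt versions is a constructed example, and the diagnosis strings are this example's own naming.

```python
"""Probe a Neo4j bolt endpoint to separate the failure modes discussed in the thread.

Added example (not from the thread or from Neo4j). It distinguishes:
  * something in the path speaking HTTP (an HTTP load balancer on 7687),
  * a certificate on 7687 that the local trust store does not accept,
  * a peer that closes without answering, and
  * a genuine Bolt server, with the version it agreed to.
"""
import socket
import ssl
import sys

# The four-byte Bolt handshake preamble, followed by four 4-byte version
# proposals (big-endian; the last byte is the major version, the one before it
# the minor). The proposal list is a constructed example; real drivers send their own.
BOLT_MAGIC = b"\x60\x60\xb0\x17"
BOLT_PROPOSALS = bytes([0, 0, 4, 4, 0, 0, 3, 4, 0, 0, 0, 4, 0, 0, 0, 3])


def classify_bolt_reply(reply: bytes) -> str:
    """Map the first bytes received after the handshake to a diagnosis string."""
    if not reply:
        # Peer closed without sending anything: nothing listening behind the
        # address, a security group dropping 7687, or a protocol mismatch.
        return "closed"
    if reply.startswith(b"HTTP/"):
        # Bolt bytes were answered with an HTTP status line: an HTTP load
        # balancer or proxy is in the path, the mis-configuration from the thread.
        return "http-in-path"
    if len(reply) >= 4 and reply[0] == 0 and reply[1] == 0:
        minor, major = reply[2], reply[3]
        if major == 0:
            # A Bolt server answered but accepted none of the proposed versions.
            return "bolt-no-common-version"
        return f"bolt-{major}.{minor}"
    return "unknown"


def probe_bolt(host: str, port: int = 7687, verify: bool = True, timeout: float = 5.0) -> dict:
    """Connect with TLS, send the Bolt handshake and report what was observed.

    With verify=True the system trust store is used, which is the same check a
    browser makes; a self-signed or mismatched certificate is reported rather
    than raised.
    """
    ctx = ssl.create_default_context()
    if not verify:
        # Only for telling "untrusted cert" apart from "no bolt at all".
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "tls": None, "bolt": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = "trusted" if verify else "unverified"
                tls.sendall(BOLT_MAGIC + BOLT_PROPOSALS)
                result["bolt"] = classify_bolt_reply(tls.recv(64))
    except ssl.SSLCertVerificationError as exc:
        # The certificate served on 7687 is not one the client trusts, e.g. the
        # AMI's self-signed cert while the ACM cert only sits on the load balancer.
        result["tls"] = f"untrusted-certificate: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Includes the case where the peer is plaintext and never starts TLS.
        result["tls"] = f"tls-error: {exc}"
    except OSError as exc:
        # Connection refused, timeout, unreachable: covers security-group issues.
        result["bolt"] = f"connect-failed: {exc}"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe_bolt(target))
    print(probe_bolt(target, verify=False))
```

Run it against the load balancer name and then against the instance address: "http-in-path" on the first and "bolt-4.x" on the second confirms the HTTP listener is the problem, while "untrusted-certificate" from the verified probe together with a Bolt version from the unverified one confirms the certificate is the remaining issue once the load balancer is out of the way.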

I think I misquoted the article, what I meant was where to install certbot.

I don't have a recommendation on that. Typically when you install certbot it's done via a package manager, so you never need to decide where to install it.