ssl - Neo4j and LetsEncrypt
Question
Has anyone gotten Neo4j to use LetsEncrypt certificates?
I have a regular website that uses LetsEncrypt, so I know my certificate is good. Neo4j is working, and I can reach the Neo4j browser over https, where I get the self-signed certificate warning.
I have been following the documentation on setting up SSL, but when I try to start the service it fails immediately. I don't even get any output in my logs as to what the problem is.
myself@localhost:/var/lib/neo4j/certificates/bolt/trusted# service neo4j status
● neo4j.service - Neo4j Graph Database
Loaded: loaded (/lib/systemd/system/neo4j.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/neo4j.service.d
└─override.conf
Active: inactive (dead) (Result: exit-code) since Sat 2018-07-21 21:08:37 MDT; 658ms ago
Process: 19066 ExecStart=/usr/share/neo4j/bin/neo4j console (code=exited, status=1/FAILURE)
Main PID: 19066 (code=exited, status=1/FAILURE)
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Unit entered failed state.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Failed with result 'exit-code'.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Service hold-off time over, scheduling restart.
Jul 21 21:08:37 Swingset systemd[1]: Stopped Neo4j Graph Database.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Start request repeated too quickly.
Jul 21 21:08:37 Swingset systemd[1]: Failed to start Neo4j Graph Database.
So I'm looking for someone who has gotten this to work and can give me a checklist to go over. I believe I have the right folder structure, I think I have the right permissions, I think neo4j.conf has been modified correctly, and I think I have copied the right LetsEncrypt files into the right folders with the right file names. But I must have missed something, because it doesn't work.
Solution
Funny how I was doing exactly the same thing today and stumbled on this question while trying to figure it out... Well, here is what worked for me and the procedure I followed, based on the instructions in the Neo4j documentation on the ssl-framework.
Create the appropriate directory structure
cd /var/lib/neo4j/certificates
mkdir -p default/revoked default/trusted
Copy the LetsEncrypt certificate into the neo4j folder
# Copy your server cert to the base dir and the trusted dir of neo4j
cp $your_cert_dir/cert.pem /var/lib/neo4j/certificates/default/cert.pem
cp $your_cert_dir/cert.pem /var/lib/neo4j/certificates/default/trusted/cert.pem
# Copy your key to the base dir of neo4j
cp $your_cert_dir/privkey.pem /var/lib/neo4j/certificates/default/privkey.pem
Make sure the files have the right permissions
# To my system, Ubuntu 16.04, it was neo4j:adm
chown -R neo4j:adm /var/lib/neo4j/certificates/default/
Make sure neo4j's configuration file (/etc/neo4j/neo4j.conf) contains the following entries
# Set the base dir for certificates
dbms.directories.certificates=/var/lib/neo4j/certificates
# To enable connections from remote servers
dbms.connectors.default_listen_address=0.0.0.0
# This can remain "OPTIONAL"
dbms.connector.bolt.tls_level=REQUIRED
# Enable https connector
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=:7473
# Set up the policy for the connectors to the default
bolt.ssl_policy=default
https.ssl_policy=default
# Create default policy
dbms.ssl.policy.default.base_directory=certificates/default
# Set the paths for the private key and of the server cert.
# These must be absolute paths.
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/default/privkey.pem
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/default/cert.pem
# Set up client authentication to "optional" or "none".
# If this is left to "default" then the client (a.k.a person who tries to
# access the web-portal) would need to authenticate with a certificate
dbms.ssl.policy.default.client_auth=none
Make sure the following ports are open in the server's firewall
- https connector port: 7473
- http connector port: 7474 (well, you can keep that one blocked ;-))
- Bolt connector port: 7687
Restart neo4j
service neo4j restart
You should now be able to use https://<your server domain name>:7473. If you try to use https://IP:7473 instead, your browser will complain about the fact that the certificate and the address do not match.
FYI, I still get the following error in the Neo4j log, and I am currently trying to solve it. So far everything else seems to work fine.
Jul 24 14:13:34 sstest neo4j[18181]: 2018-07-24 12:13:34.556+0000 ERROR Unexpected error detected in bolt session 'fa163efffeefd082-00004705-00000003-81330a20f088cbac-29e11d2a'. The client is unauthorized due to authentication failure.
Jul 24 14:13:34 sstest neo4j[18181]: org.neo4j.bolt.v1.runtime.BoltConnectionFatality: The client is unauthorized due to authentication failure.
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.handleFailure(BoltStateMachine.java:742)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.handleFailure(BoltStateMachine.java:728)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.access$500(BoltStateMachine.java:62)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine$State$1.init(BoltStateMachine.java:435)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.init(BoltStateMachine.java:145)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.messaging.BoltMessageRouter.lambda$onInit$0(BoltMessageRouter.java:70)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.DefaultBoltConnection.processNextBatch(DefaultBoltConnection.java:195)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.DefaultBoltConnection.processNextBatch(DefaultBoltConnection.java:143)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.ExecutorBoltScheduler.executeBatch(ExecutorBoltScheduler.java:170)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.ExecutorBoltScheduler.lambda$scheduleBatchOrHandleError$2(ExecutorBoltScheduler.java:153)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jul 24 14:13:34 sstest neo4j[18181]: at java.lang.Thread.run(Thread.java:748)
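The question asked for a checklist to go over, and the answer's steps (directory layout, the copy into trusted/, ownership and permissions, the absolute paths and client_auth setting in neo4j.conf) are exactly the kind of thing a script can verify. The following is an added example written for this page; it is not code from the answer or from Neo4j. It assumes the Neo4j 3.x-style configuration keys and the "default" policy name used in the answer, takes the policy directory as an argument (the answer's /var/lib/neo4j/certificates/default), and includes a constructed fixture so it runs offline. It does not prove that cert.pem and privkey.pem cryptographically belong together; that needs openssl or the cryptography package.

```python
"""Checklist for the Neo4j SSL setup in the answer above (added example, not code from
the answer or from Neo4j). Assumes the 3.x neo4j.conf keys and the "default" policy
name used there; the policy directory (/var/lib/neo4j/certificates/default) is passed in."""
import filecmp
import os
import pwd
import stat
import tempfile

REQUIRED_SETTINGS = {  # settings the answer relies on, with the values it uses
    "dbms.connector.https.enabled": "true",
    "bolt.ssl_policy": "default",
    "https.ssl_policy": "default",
}

def parse_conf(text):
    """Parse neo4j.conf-style key=value lines; blanks and # comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def check_ssl_setup(conf_text, policy_dir, policy="default", owner=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    conf = parse_conf(conf_text)
    prefix = f"dbms.ssl.policy.{policy}."
    for key, expected in REQUIRED_SETTINGS.items():
        if conf.get(key) != expected:
            findings.append(f"{key} should be {expected}, found {conf.get(key)!r}")
    # A browser has no client certificate, so "default" (= required) locks it out.
    client_auth = conf.get(prefix + "client_auth", "default")
    if client_auth not in ("none", "optional"):
        findings.append(f"{prefix}client_auth is {client_auth!r}; use none or optional")
    for sub in ("trusted", "revoked"):  # the answer creates both under the policy dir
        if not os.path.isdir(os.path.join(policy_dir, sub)):
            findings.append(f"missing directory {os.path.join(policy_dir, sub)}")
    for name in ("private_key", "public_certificate"):
        key = prefix + name
        path = conf.get(key)
        if not path or not os.path.isabs(path):
            findings.append(f"{key} must be an absolute path, found {path!r}")
            continue
        if not os.path.isfile(path):
            findings.append(f"{key} points to {path}, which does not exist")
            continue
        st = os.stat(path)
        if owner is not None and pwd.getpwuid(st.st_uid).pw_name != owner:
            findings.append(f"{path} is not owned by {owner}")
        if name == "private_key":
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                findings.append(f"{path} is readable by group/others (mode {mode:04o}); chmod 600 it")
        else:
            # The answer also copies cert.pem into trusted/; a LetsEncrypt renewal (every 90 days) leaves that copy stale.
            trusted = os.path.join(policy_dir, "trusted", os.path.basename(path))
            if not os.path.isfile(trusted) or not filecmp.cmp(path, trusted, shallow=False):
                findings.append(f"{trusted} is missing or differs from {path}")
    return findings

CONF_TEMPLATE = """\
dbms.directories.certificates={root}
dbms.connector.https.enabled=true
bolt.ssl_policy=default
https.ssl_policy=default
dbms.ssl.policy.default.base_directory=certificates/default
dbms.ssl.policy.default.private_key={key}
dbms.ssl.policy.default.public_certificate={cert}
dbms.ssl.policy.default.client_auth=none
"""  # the answer's entries, with the paths filled in per fixture
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"  # not real key material

def run_demo():
    """Build a constructed fixture in a temp dir; return (clean_findings, broken_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "certificates")
        policy_dir = os.path.join(root, "default")
        for sub in ("trusted", "revoked"):
            os.makedirs(os.path.join(policy_dir, sub))
        cert = os.path.join(policy_dir, "cert.pem")
        key = os.path.join(policy_dir, "privkey.pem")
        trusted_copy = os.path.join(policy_dir, "trusted", "cert.pem")
        for path in (cert, trusted_copy, key):
            with open(path, "w") as fh:
                fh.write(PLACEHOLDER_PEM)
        os.chmod(key, 0o600)
        conf = CONF_TEMPLATE.format(root=root, key=key, cert=cert)
        clean = check_ssl_setup(conf, policy_dir)
        # Break three things: loosen the key, demand client certs, leave a stale trusted copy.
        os.chmod(key, 0o644)
        with open(trusted_copy, "a") as fh:
            fh.write("stale\n")
        broken = check_ssl_setup(conf.replace("client_auth=none", "client_auth=default"), policy_dir)
        return clean, broken
```

On a real host the call would be check_ssl_setup(open("/etc/neo4j/neo4j.conf").read(), "/var/lib/neo4j/certificates/default", owner="neo4j"); the owner argument covers the chown step, and the trusted-copy comparison is what catches the copy step being forgotten after the next LetsEncrypt renewal. The private key check is the security-relevant one: the key only needs to be readable by the account Neo4j runs as, so anything beyond mode 600 is reported.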