Use LetsEncrypt certs with Neo4j

Question

How can one use the certificate files generated by LetsEncrypt together with a Neo4j instance? The files generated by LetsEncrypt are:

cert.pem
chain.pem
fullchain.pem
privkey.pem

I've tried conversion via OpenSSL with no luck so far, using conversion from PEM to DER. Neo4j complains about not finding the certs upon start. The question is how to convert the LetsEncrypt certs into something that Neo4j can use.

Setup details:

The certs are placed in /var/lib/neo4j/certificates/ with names neo4j.{cert,key}, permissions 600, owned by neo4j:nogroup. All of this seems to be according to the docs.
In the config I have this line to specify the certificate path: dbms.directories.certificates=/var/lib/neo4j/certificates
In the config I also have remote access over HTTPS enabled: dbms.connector.https.address=0.0.0.0:7473

When restarting Neo4j I get the following error message:

WARN  Illegal character 0x16 in state=START for buffer HeapByteBuffer@5a260174[p=1,l=193,c=8192,r=192]={\x16<<< SEVERAL_LINES_OF_HEX_JIBBERISH_HERE }
WARN  badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@5d682358{r=0,c=false,a=IDLE,uri=-}

**At least** you should provide the errors you're getting... — gxx, Oct 18 '16 at 23:04
Note, that according to documentation, you need to convert only key. For cert just use fullchain.pem — Hardy Rust, Oct 20 '16 at 09:19

score 9 · Accepted Answer · answered Oct 21 '16 at 13:32

I was able to use the lets encrypt certificate on neo4j by using the following process:

Used the letsencrypt/acme client implemented as a shell-script method to make the certificate for my domain.
Three files are generated running the script to get the certificate fullchain.pem cert.pem privkey.pem
Copy them to the certificates directory of neo4j

mv /path_to_lets_encrypt_certs_dir/fullchain.pem /var/lib/neo4j/certificates/neo4j.cert

mv /path_to_lets_encrypt_certs_dir/privkey.pem /var/lib/neo4j/certificates/neo4j.key
Restart neo4j

anirudh@prok:~# /var/lib/neo4j/bin/neo4j restart
Stopping Neo4j.. stopped
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended.  See the Neo4j manual.
Started neo4j (pid 17608). By default, it is available at  https://your-domain:7473/
There may be a short delay until the server is ready.
See /var/lib/neo4j/logs/neo4j.log for current status.

This should run it for you. Hope this helps!

Use LetsEncrypt certs with Neo4j

1 Answers1