4

Currently trying to launch the [Community AMI](https://aws.amazon.com/marketplace/pp/B071P26C9D) with Neo4j browser v3.2.10 & Neo4j 3.4.9. I am using Google Chrome to access the browser. I'm receiving the following error:

Is acquiring an SSL Certificate currently the only way to get running?

ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3



Solutions Tried as suggested from Troubleshooting Connection Issues to Neo4j:

  1. Follow directions for your browser to trust the server's certificate for the bolt port, and then refresh the page.
    http://ec2-54-xxx-xxx-111.compute-1.amazonaws.com:7687/ on Chrome returns: not a WebSocket handshake request: missing upgrade, and there is not an option to trust this certificate.
  2. Use Google Chrome. Currently using Google Chrome. Does not work.
  3. Set dbms.connector.bolt.tls_level=OPTIONAL in your neo4j config.
  4. Set dbms.connector.bolt.address=0.0.0.0:7687 in your neo4j config as per dbms.connector.bolt.address=0.0.0.0:7687. Both of the above solutions did not correct the issue after changing neo4j.template in /etc/neo4j/ as per Configuring Neo4j Cloud Instances.
  5. Security Groups should be good as per the following: (screenshot)

So people don't think this is a duplicate question, these solutions don't work:

Web Sockets Connections Failure... Does not work and options aren't available in v3.2.10

Neo4j-3-1-3 Graph Database Access Remotely

Neo4J Websocket Connection Failure (TCP/IP Confi) All solutions do not work...


Curious what the best option is to get going. Thanks

njho
  • 2,023
  • 4
  • 22
  • 37

2 Answers

2

We had this issue. Took us a day but we found the solution. We used an externally signed certificate but it still didn't work! What was frustrating was the Web Front End worked. So we had the full padlock happy signal, but as soon as we used Bolt it failed with the error.

So first, what is important to know is that when you use Chrome (or most browsers) it does an excellent job of searching the internet to find proof that your certificate is legitimate. Thus, if you build your chain incorrectly, you will kind of get away with it. However, with Web Sockets it seems to follow a different rule. It doesn't do this useful search. Chrome seems to really be very poor in giving any errors, making it very difficult to diagnose.

So what we did was access the Bolt/WebSocket port, changing the URL bolt+s://{myserver} to https://{myserver}. It will connect but give you a random error. But what it does give you is access to the certificates. You can see the whole chain. What we found was my chain was different than Chrome's chain. My chain was checked by an external website and was correct but different than what Chrome had. This was detected and thus we got the denied service.

So what we did was, using the https:// trick, copy the certificate by exporting the certificate (don't forget the Base 64 version, not the binary). We copied the entire chain into one document and used that inside Neo4j as Bolt's certificate.

It finally started working.

So in recap: access the bolt+s:// connection using https://; this gives you access to the certificate and certificate chain. Export the certificates as Base64 and chains (work your way backwards). Copy all of these into one file and, using the neo4j.conf, point your Bolt connector to use this file as your certificate. You will find it will finally start working.

Jonathan Homer
  • 136
  • 1
  • 3
0

To get around this you need an SSL Cert. See:

https://medium.com/neo4j/getting-certificates-for-neo4j-with-letsencrypt-a8d05c415bbd

njho
  • 2,023
  • 4
  • 22
  • 37