Neo4j (3.4.17, 3.5.13, 4.0.0) in docker on plesk doesn't use provided SSL certificates in /ssl but tries to delete them and make its own self-signed

Question

This configuration has worked for me at some point but simply stopped after a brief VPS suspension due to no automatic renewal being enabled.

As per documentation, I'm providing a neo4j.cert and neo4j.key in a folder that I then mount on the container for /ssl.

Unfortunately, neo4j will be stuck on 'cleaning up self-generated ...' and throw out 'permission denied' unless I set 775 permissions on that folder so it can write & execute as well (group policy).

If I do set to 775 things work but it is not using the proper provided signed certificates instead it just deletes them and makes its own self-signed certificate.

Semih Sezer · Accepted Answer · 2020-01-27T06:22:16.677

In 4.0, I managed to get ssl working with these settings:

$ docker run -d -p 7473:7473 -p 7474:7474 -p 7687:7687 --rm \
    -v /opt/neo4j/certs/https:/var/lib/neo4j/certificates/https \
    -e NEO4J_dbms_ssl_policy_https_enabled=true \
    -e NEO4J_dbms_ssl_policy_https_base__directory=certificates/https \
    -e NEO4J_dbms_ssl_policy_https_private__key=private.key \
    -e NEO4J_dbms_ssl_policy_https_public__certificate=public.crt \
    -e NEO4J_dbms_connector_https_enabled=true \
    neo4j:4.0

Simply mounting /ssl as instructed on the neo4j docker docs doesn't work for me. I created an issue for this on their github repo: https://github.com/neo4j/docker-neo4j/issues/225 https://neo4j.com/docs/operations-manual/3.5/docker/security/

Also, the settings above don't work for 3.5 as some variables have changed. I will edit my post if I can get it working for 3.5. https://neo4j.com/docs/operations-manual/3.5/security/ssl-framework/

This was my setup:

$ pwd
/opt/neo4j/certs/https
$ ls
private.key  public.crt

For enabling ssl on bolt:

docker run -d -p 7473:7473 -p 7474:7474 -p 7687:7687 \
    -e NEO4J_dbms_ssl_policy_bolt_enabled=true \
    -e NEO4J_dbms_ssl_policy_bolt_base__directory=certificates \
    -e NEO4J_dbms_connector_bolt_tls__level=OPTIONAL \
    -e NEO4J_dbms_connector_bolt_advertised__address=domain.with.valid.cert.com \
    -e NEO4J_dbms_ssl_policy_bolt_client__auth=NONE \
    neo4j:4.0

bolt_advertised__address seems to be necessary if you want to connect from the browser. Python driver could connect fine without it as well.

Thanks for this! It will take me a few days until I get the opportunity to work on the project using Neo4j in docker to try this out, I'll come back and mark it as the correct answer if it works, until then I can only upvote it! — SebastianG, Jan 29 '20 at 14:03
Thank you! Setting client_auth to NONE instead of OPTIONAL was the crux for me. (???) — neop, Oct 28 '21 at 17:43

Neo4j (3.4.17, 3.5.13, 4.0.0) in docker on plesk doesn't use provided SSL certificates in /ssl but tries to delete them and make its own self-signed

1 Answers1

Linked