
This configuration has worked for me at some point but simply stopped after a brief VPS suspension due to no automatic renewal being enabled.

As per documentation, I'm providing a neo4j.cert and neo4j.key in a folder that I then mount on the container for /ssl.

Unfortunately, neo4j will be stuck on 'cleaning up self-generated ...' and throw out 'permission denied' unless I set 775 permissions on that folder so it can write & execute as well (group policy).

If I do set it to 775, things work, but it is not using the proper provided signed certificates; instead it just deletes them and makes its own self-signed certificate.

SebastianG

1 Answer


In 4.0, I managed to get ssl working with these settings:

$ docker run -d -p 7473:7473 -p 7474:7474 -p 7687:7687 --rm \
    -v /opt/neo4j/certs/https:/var/lib/neo4j/certificates/https \
    -e NEO4J_dbms_ssl_policy_https_enabled=true \
    -e NEO4J_dbms_ssl_policy_https_base__directory=certificates/https \
    -e NEO4J_dbms_ssl_policy_https_private__key=private.key \
    -e NEO4J_dbms_ssl_policy_https_public__certificate=public.crt \
    -e NEO4J_dbms_connector_https_enabled=true \
    neo4j:4.0

Simply mounting /ssl as instructed on the neo4j docker docs (https://neo4j.com/docs/operations-manual/3.5/docker/security/) doesn't work for me. I created an issue for this on their github repo: https://github.com/neo4j/docker-neo4j/issues/225

Also, the settings above don't work for 3.5 as some variables have changed. I will edit my post if I can get it working for 3.5. https://neo4j.com/docs/operations-manual/3.5/security/ssl-framework/

This was my setup:

$ pwd
/opt/neo4j/certs/https
$ ls
private.key  public.crt

For enabling ssl on bolt:

docker run -d -p 7473:7473 -p 7474:7474 -p 7687:7687 \
    -e NEO4J_dbms_ssl_policy_bolt_enabled=true \
    -e NEO4J_dbms_ssl_policy_bolt_base__directory=certificates \
    -e NEO4J_dbms_connector_bolt_tls__level=OPTIONAL \
    -e NEO4J_dbms_connector_bolt_advertised__address=domain.with.valid.cert.com \
    -e NEO4J_dbms_ssl_policy_bolt_client__auth=NONE \
    neo4j:4.0

bolt_advertised__address seems to be necessary if you want to connect from the browser. The Python driver could connect fine without it as well.

Semih Sezer
  • Thanks for this! It will take me a few days until I get the opportunity to work on the project using Neo4j in docker to try this out, I'll come back and mark it as the correct answer if it works, until then I can only upvote it! – SebastianG Jan 29 '20 at 14:03
  • Thank you! Setting client_auth to NONE instead of OPTIONAL was the crux for me. – neop Oct 28 '21 at 17:43
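Two things in this thread trip people up: the mapping from neo4j.conf keys to the NEO4J_* environment variables the answer uses (a literal underscore becomes a double underscore, a dot becomes a single underscore), and the permissions on the mounted certificate directory, where the 775 workaround from the question gives the server write access it does not need. The helper below is an added example written for this page; it is not code from the answer, from Neo4j or from the docker-neo4j project. It assumes the naming rule just described, the file names private.key and public.crt from the answer, and that the container's neo4j user reads the files through their group (for instance after chown to the image's uid/gid). The review step also flags tls_level=OPTIONAL and client_auth=NONE, which the answer uses to get things working: OPTIONAL still accepts plaintext Bolt clients, and NONE means the server does not authenticate clients with certificates.

```python
"""Helpers for wiring a Neo4j 4.x SSL policy into the official Docker image.

Added example, not code from the original question or answer.
Assumptions (not stated on the page): the NEO4J_* naming rule of the
official image (dots -> '_', literal '_' -> '__') and that the container
process reads the mounted files via group permissions.
"""
import os
import re
import stat
import tempfile


def conf_to_env(key: str) -> str:
    """neo4j.conf key -> NEO4J_* environment variable (Docker image convention)."""
    return "NEO4J_" + key.replace("_", "__").replace(".", "_")


def env_to_conf(var: str) -> str:
    """Inverse of conf_to_env: '__' is a literal underscore, '_' is a dot."""
    body = var[len("NEO4J_"):] if var.startswith("NEO4J_") else var
    return re.sub(r"__|_", lambda m: "_" if m.group(0) == "__" else ".", body)


def ssl_policy_env(scope: str, base_dir: str, key="private.key", cert="public.crt",
                   tls_level=None, client_auth=None) -> dict:
    """Build the -e variables for one SSL policy; scope is 'https' or 'bolt'."""
    conf = {
        f"dbms.ssl.policy.{scope}.enabled": "true",
        f"dbms.ssl.policy.{scope}.base_directory": base_dir,
        f"dbms.ssl.policy.{scope}.private_key": key,
        f"dbms.ssl.policy.{scope}.public_certificate": cert,
        f"dbms.connector.{scope}.enabled": "true",
    }
    if tls_level is not None:
        conf[f"dbms.connector.{scope}.tls_level"] = tls_level
    if client_auth is not None:
        conf[f"dbms.ssl.policy.{scope}.client_auth"] = client_auth
    return {conf_to_env(k): v for k, v in conf.items()}


def review_policy(env: dict) -> list:
    """Flag settings that weaken the policy (a defensive review, not a Neo4j API)."""
    findings = []
    for var, value in env.items():
        key = env_to_conf(var)
        if key.endswith(".tls_level") and value.upper() == "OPTIONAL":
            findings.append(f"{key}=OPTIONAL: plaintext clients are still accepted")
        if key.endswith(".client_auth") and value.upper() == "NONE":
            findings.append(f"{key}=NONE: clients are not authenticated by certificate")
    return findings


def check_cert_dir(path: str, key="private.key", cert="public.crt") -> list:
    """Permission review of the mounted certificate directory.

    The server only needs to traverse the directory and read the two files;
    write access (the 775 workaround) lets it replace them.
    """
    problems = []
    dmode = os.stat(path).st_mode
    if dmode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is group/world writable; r-x is enough for the server")
    if not dmode & stat.S_IXGRP:
        problems.append("directory lacks group execute; the server cannot open files in it")
    kpath = os.path.join(path, key)
    if not os.path.isfile(kpath):
        problems.append(f"{key} missing")
    else:
        kmode = os.stat(kpath).st_mode
        if kmode & stat.S_IROTH:
            problems.append(f"{key} is world-readable")
        if not kmode & stat.S_IRGRP:
            problems.append(f"{key} is not group-readable; the server cannot load it")
    if not os.path.isfile(os.path.join(path, cert)):
        problems.append(f"{cert} missing")
    return problems


def demo_permissions() -> dict:
    """Constructed scenario: the same directory in three permission states."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        d = os.path.join(base, "https")
        os.mkdir(d)
        for name in ("private.key", "public.crt"):
            with open(os.path.join(d, name), "w") as f:
                f.write("placeholder content, not a real PEM\n")
        os.chmod(d, 0o750)
        os.chmod(os.path.join(d, "private.key"), 0o640)
        os.chmod(os.path.join(d, "public.crt"), 0o644)
        results["hardened"] = check_cert_dir(d)
        os.chmod(d, 0o775)  # the workaround from the question
        results["workaround_775"] = check_cert_dir(d)
        os.chmod(os.path.join(d, "private.key"), 0o644)
        results["key_world_readable"] = check_cert_dir(d)
    return results


if __name__ == "__main__":
    env = ssl_policy_env("bolt", "certificates", tls_level="OPTIONAL", client_auth="NONE")
    for var, value in env.items():
        print(f"-e {var}={value}")
    print(review_policy(env))
    print(demo_permissions())
```

Run it to print the -e lines for a Bolt policy equivalent to the answer's second command; the review output names the two relaxed settings, and demo_permissions shows that a 750 directory with a 640 key passes while the 775 workaround and a world-readable key are reported.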