Neo4j - The client is unauthorized due to authentication failure

Question

I'm currently running Neo4j version 3.4.9 on a Google Cloud VM instance and I'm having an authentication issue I can't resolve.

My Neo4j server is running fine in the cloud and I can access it directly using Neo4j browser. I have changed the default neo4j user password. I can also successfully query the Neo4j server from the GraphQL playground.

I've checked both the neo4j-driver and neo4jgraphql-js modules and they are both the latest versions. I have also checked my .env file and it has the correct username and password that matches the default neo4j user and the new password I changed to from the default.

I have tried running the Neo4j server without authentication by changing the dbms.security.auth_enabled setting to false in the neo4j.conf file but this hasn't helped.

I have also checked the Neo4j server logs and this is the error on the server side:

2020-07-21 17:59:48.830+0000 ERROR [o.n.b.t.TransportSelectionHandler] Fatal error occurred during protocol selection for connection: [id: 0x2434a10e, L:/10.154.0.2:7687 ! R:/86.151.231.207:63494] javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
    at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:392)
    at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:359)
    at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:342)
    at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1028)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
    at io.netty.channel.ChannelInboundHandlerAdapter.channelInactive(ChannelInboundHandlerAdapter.java:75)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1429)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
    at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:947)
    at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:822)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
    at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:309)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1667)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1635)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1801)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1090)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:913)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:783)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1275)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1177)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1221)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)

This suggests a certificate error and so I have updated the config_dbms.connector.bolt.tls_level setting in the neo4j.conf file to OPTIONAL but I still get this error. I have also tried setting config_dbms.connector.bolt.tls_level to DISABLED but it doesn't solve the problem and creates lots of others!

One solution I have explored is setting up a certificate for the Neo4j server on GCP but according to this Neo4j guide here you can only do that with a server that has a must have a valid DNS address, which mine doesn't. I didn't specify a hostname on creation and with GCP you can't add one retrospectively.

The only other solution I can think of is to build a fresh VM instance on GCP with a hostname, set up the correct DNS records, get the certificate and point my application at the new Neo4j server.

Answer 1

You are using the latest versions of neo4j-driver and neo4jgraphql-js, and yet you are running an old neo4j server version (3.4.9).

You may need to upgrade the neo4j server to the latest version.

Or, if you cannot do that, you can try using the latest JS packages that are compatible with neo4j 3.4.9. For example, neo4j-driver version 1.7.7 claims to be "for Neo4j 3.0.0+".