Neo4j

miguepintor · ‎10-21-2020

Hi all,
We are using the NODEJS neo4j driver to connect to a neo4j community instance neo4j:4.1.2.

That instance is configured to use BOLT with SSL:

dbms.default_listen_address=0.0.0.0
# BOLT Connector
dbms.connector.bolt.tls_level=REQUIRED
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.private_key=/var/lib/neo4j/certificates/bolt/private.key
dbms.ssl.policy.bolt.public_certificate=/var/lib/neo4j/certificates/bolt/public.crt
dbms.ssl.policy.bolt.client_auth=NONE
dbms.connector.bolt.listen_address=0.0.0.0:7687
# HTTPS connector
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.client_auth=NONE
dbms.ssl.policy.https.private_key=/var/lib/neo4j/certificates/https/private.key
dbms.ssl.policy.https.public_certificate=/var/lib/neo4j/certificates/https/public.crt
dbms.connector.http.listen_address=0.0.0.0:7473
# Directories
dbms.ssl.policy.bolt.base_directory=/var/lib/neo4j/certificates/bolt
dbms.ssl.policy.https.base_directory=/var/lib/neo4j/certificates/https

When the Neo4j javascript driver is configured in this way:

    driver = neo4j.driver(
      `bolt://${NEO4J_HOST}:${NEO4J_BOLT_PORT}`,
      neo4j.auth.basic(NEO4J_BOLT_USERNAME, NEO4J_BOLT_PASSWORD),
      {
        encrypted: 'ENCRYPTION_ON',
      },
    );

It works perfectly when NEO4J_HOST is equals to MY.DOMAIN.COM (for which the certificates where issued).

BUT when I want to connect to it using an internal domain INTERNAL.DOMAIN.COM I receive ERR_TLS_CERT_ALTNAME_INVALID even though I added the same "public.crt" to the trustedCertificates as shown below:

    driver = neo4j.driver(
      `bolt://${NEO4J_HOST}:${NEO4J_BOLT_PORT}`,
      neo4j.auth.basic(NEO4J_BOLT_USERNAME, NEO4J_BOLT_PASSWORD),
      {
        encrypted: 'ENCRYPTION_ON',
        trust: 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES',
        trustedCertificates: [path.resolve(__dirname, './public_cert.pem')],
      },
    );

Any kind of help is more than welcome due to we use this in production,
Regards.

miguepintor · ‎12-15-2020

Hi all,
Might somebody give me a hand there?

Thanks in advance,
Regards.

rouven_bauer · ‎07-08-2021

I'm not sure what you want to achieve and how your SSL certificates are set up. So here's a general explanation of your two options, that both do encryption + authentication (checking the signature and thus making sure you're talking to the right server):

Create a certificate that is trusted by most trust stores (e.g. with letsencrypt, or buy one). Seems like you got this to work with MY.DOMAIN.COM. You should be able to issue the same certificate for multiple domain names. So you could issue one certificate for MY.DOMAIN.COM and INTERNAL.DOMAIN.COM.
Create a self-signed certificate (also possible for one or multiple domains) and sign it with your own root certificate. It's this root certificate that you have to provide to the driver then. Not the self-signed certificate you use to set up the server. Something along the lines of this tutorial. Make sure you don't install the root certificate in you system's trust store (i.e., skip the section " Installing Your Root Certificate" of that tutorial).

I hope this is of some help.

michael_hunger · ‎07-08-2021

More comments from the team:

Maybe they need to switch to bolt+ssc (but remove encrypted: 'ENCRYPTION_ON' that would conflict)
they need to add the internal name to the certificate
hostname validation is still hostname validation, even if you trust the issuer

Neo4j

Getting ERR_TLS_CERT_ALTNAME_INVALID even though the cert was added to the trustedCertificates