12-04-2020 07:39 AM
Hi all. I am Andreas from Germany and I am new here.
I'm trying to get my login via Neo4j Browser inside a Kubernetes cluster working, and I'm experiencing some problems with the Google Chrome browser. I think it might have to do with the SSL/TLS certificates which Neo4j is unable to load correctly.
The certificates I am using are valid and signed.
What does work:
What does not work:
It seems like Google Chrome prevents the login on the client side. Neo4j error:
ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use.
Google dev console error:
WebSocket connection to 'wss://neo4j-bolt.domain.com:7687/' failed: WebSocket opening handshake was canceled
Output of the Neo4j Server in the Kubernetes cluster:
chown: changing ownership of '/var/lib/neo4j/certificates/https/..data': Read-only file system
chown: changing ownership of '/var/lib/neo4j/certificates/https/private.key': Read-only file system
chown: changing ownership of '/var/lib/neo4j/certificates/https/public.crt': Read-only file system
chown: changing ownership of '/var/lib/neo4j/certificates/https/..2020_12_04_08_46_24.920196337/public.crt': Read-only file system
chown: changing ownership of '/var/lib/neo4j/certificates/https/..2020_12_04_08_46_24.920196337/private.key': Read-only file system
chown: changing ownership of '/var/lib/neo4j/certificates/https/..2020_12_04_08_46_24.920196337': Read-only file system
chown: changing ownership of '/var/lib/neo4j/certificates/https': Read-only file system
chmod: changing permissions of '/var/lib/neo4j/certificates/https': Read-only file system
chmod: changing permissions of '/var/lib/neo4j/certificates/https/..2020_12_04_08_46_24.920196337': Read-only file system
chmod: changing permissions of '/var/lib/neo4j/certificates/https/..2020_12_04_08_46_24.920196337/public.crt': Read-only file system
chmod: changing permissions of '/var/lib/neo4j/certificates/https/..2020_12_04_08_46_24.920196337/private.key': Read-only file system
Warning: Some files inside "/data" are not writable from inside container. Changing folder owner to neo4j.
Changed password for user 'neo4j'.
Directories in use:
home: /var/lib/neo4j
config: /var/lib/neo4j/conf
logs: /logs
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
run: /var/lib/neo4j/run
Starting Neo4j.
2020-12-04 08:47:04.447+0000 INFO Starting...
2020-12-04 08:47:09.767+0000 INFO ======== Neo4j 4.1.1 ========
2020-12-04 08:47:12.756+0000 INFO Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
2020-12-04 08:47:12.757+0000 INFO Updating the initial password in component 'security-users'
2020-12-04 08:47:12.760+0000 INFO Updating initial user password from `auth.ini` file: neo4j
2020-12-04 08:47:15.343+0000 INFO Bolt enabled on 0.0.0.0:7687.
2020-12-04 08:47:17.964+0000 INFO Remote interface available at http://localhost:7474/
2020-12-04 08:47:17.964+0000 INFO Started.
So here's what I tried to do:
I am mounting the certificates by referencing a Kubernetes secret. As far as I know, volume mounts from secrets and configmaps are "read-only" and this cannot be changed. This might cause the problem here. What do you think?
My Kubernetes config (mostly stripped to the important parts):
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: neo4j
  name: neo4j
  namespace: my-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: neo4j
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: neo4j
    spec:
      containers:
      - env:
        - name: NEO4J_dbms_connector_bolt_advertised__address
          value: neo4j-bolt.domain.com:7687
        - name: NEO4J_dbms_connector_https_advertised__address
          value: neo4j.domain.com:7473
        - name: NEO4J_AUTH
          valueFrom:
            secretKeyRef:
              key: neo4j_datasource_credentials
              name: neo4j-secret
        - name: NEO4J_dbms_connector_bolt_tls__level
          value: OPTIONAL
        - name: NEO4J_dbms_connector_bolt_listen__address
          value: 0.0.0.0:7687
        - name: NEO4J_dbms_connector_https_enabled
          value: "true"
        - name: NEO4J_dbms_connector_https_listen__address
          value: 0.0.0.0:7473
        - name: NEO4J_dbms_ssl_policy_https_enabled
          value: "true"
        - name: NEO4J_dbms_ssl_policy_https_base__directory
          value: /var/lib/neo4j/certificates/https
        - name: NEO4J_dbms_ssl_policy_https_private__key
          value: private.key
        - name: NEO4J_dbms_ssl_policy_https_public__certificate
          value: public.crt
        - name: NEO4J_dbms_ssl_policy_bolt_enabled
          value: "true"
        - name: NEO4J_dbms_ssl_policy_bolt_base__directory
          value: /var/lib/neo4j/certificates/https
        - name: NEO4J_dbms_ssl_policy_bolt_private__key
          value: private.key
        - name: NEO4J_dbms_ssl_policy_bolt_public__certificate
          value: public.crt
        image: IMAGE_URL
        name: neo4j
        ports:
        - containerPort: 7474
          name: http
        - containerPort: 7687
          name: bolt
        - containerPort: 7473
          name: https
        volumeMounts:
        - mountPath: /data
          name: neo4j-persistent-storage
        - mountPath: /var/lib/neo4j/certificates/https
          name: ssl-certificate
          readOnly: false
      volumes:
      - name: neo4j-persistent-storage
        persistentVolumeClaim:
          claimName: neo4j-pv-claim
      - name: ssl-certificate
        secret:
          defaultMode: 511
          secretName: ssl-certificate-secret
Is there a good way to get my certificates working without doing much "by hand"? For example, I don't want to copy my certificates "by hand" into the persistent volume claim.
Or is there maybe even still something wrong with my configuration?
Any help would be greatly appreciated! Thank you in advance.
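One way to hand the Secret-backed certificate to the image without copying anything by hand, as an added example that is not from the post above and not Neo4j's own Helm chart: an init container copies the PEM files out of the (always read-only) Secret mount into an emptyDir volume, which the neo4j container then mounts as its whole certificates directory, so the entrypoint's chown/chmod succeeds. The hostnames, Secret names and PVC name are taken from the post; the busybox image, the uid/gid 7474 (the neo4j user in the official Docker image; the post uses a custom IMAGE_URL, so verify it there) and the tightened file modes are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neo4j
  namespace: my-namespace
  labels:
    app: neo4j
spec:
  replicas: 1
  selector:
    matchLabels:
      app: neo4j
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: neo4j
    spec:
      # The kubelet mounts Secret volumes read-only regardless of readOnly:,
      # so the image entrypoint can never chown/chmod inside them. Stage the
      # files into a writable emptyDir instead.
      initContainers:
      - name: copy-certs
        image: busybox:1.36            # assumption: any image with a POSIX sh
        command:
        - sh
        - -c
        - |
          set -eu
          for policy in bolt https; do
            mkdir -p /certs/$policy
            cp /secret/public.crt  /certs/$policy/public.crt
            cp /secret/private.key /certs/$policy/private.key
            chmod 0444 /certs/$policy/public.crt
            chmod 0400 /certs/$policy/private.key
          done
          chown -R 7474:7474 /certs    # assumption: neo4j uid/gid in the image
        volumeMounts:
        - name: ssl-certificate
          mountPath: /secret
          readOnly: true
        - name: neo4j-certs
          mountPath: /certs
      containers:
      - name: neo4j
        image: IMAGE_URL
        env:
        - name: NEO4J_AUTH
          valueFrom:
            secretKeyRef:
              name: neo4j-secret
              key: neo4j_datasource_credentials
        - name: NEO4J_dbms_connector_bolt_listen__address
          value: 0.0.0.0:7687
        - name: NEO4J_dbms_connector_bolt_advertised__address
          value: neo4j-bolt.domain.com:7687
        # REQUIRED instead of OPTIONAL: a browser can only speak wss:// anyway,
        # and OPTIONAL would let other clients authenticate in the clear.
        - name: NEO4J_dbms_connector_bolt_tls__level
          value: REQUIRED
        - name: NEO4J_dbms_ssl_policy_bolt_enabled
          value: "true"
        - name: NEO4J_dbms_ssl_policy_bolt_base__directory
          value: /var/lib/neo4j/certificates/bolt
        - name: NEO4J_dbms_ssl_policy_bolt_private__key
          value: private.key
        - name: NEO4J_dbms_ssl_policy_bolt_public__certificate
          value: public.crt
        - name: NEO4J_dbms_connector_https_enabled
          value: "true"
        - name: NEO4J_dbms_connector_https_listen__address
          value: 0.0.0.0:7473
        - name: NEO4J_dbms_connector_https_advertised__address
          value: neo4j.domain.com:7473
        - name: NEO4J_dbms_ssl_policy_https_enabled
          value: "true"
        - name: NEO4J_dbms_ssl_policy_https_base__directory
          value: /var/lib/neo4j/certificates/https
        - name: NEO4J_dbms_ssl_policy_https_private__key
          value: private.key
        - name: NEO4J_dbms_ssl_policy_https_public__certificate
          value: public.crt
        ports:
        - containerPort: 7474
          name: http
        - containerPort: 7687
          name: bolt
        - containerPort: 7473
          name: https
        volumeMounts:
        - name: neo4j-persistent-storage
          mountPath: /data
        - name: neo4j-certs
          mountPath: /var/lib/neo4j/certificates
      volumes:
      - name: neo4j-persistent-storage
        persistentVolumeClaim:
          claimName: neo4j-pv-claim
      - name: ssl-certificate
        secret:
          secretName: ssl-certificate-secret
          defaultMode: 0400           # 511 (0777) made the private key world-readable
      - name: neo4j-certs
        emptyDir:
          medium: Memory              # key copies live in tmpfs, not on node disk
```

After the rollout, check what the Bolt port actually serves from outside the cluster with `openssl s_client -connect neo4j-bolt.domain.com:7687 -servername neo4j-bolt.domain.com </dev/null`: the chain printed there must be one Chrome trusts, and the leaf's Subject Alternative Name must contain `neo4j-bolt.domain.com`, or the wss:// handshake is refused before Neo4j ever sees it. The chown warnings in the post only prove the Secret mount is read-only; whether that is the sole cause of the WebSocket failure cannot be decided from the log excerpt alone.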