06-19-2020 02:35 PM
WebSocket connection to 'wss://neo4j.domain.com:7687/' failed: Error in connection establishment: net::ERR_CERT_DATE_INVALID
After struggling with this error, like many other mates, I found that for me the solution is easy. After I noted that curl fails with the certificate, I created the intermediate certificate and it works. I leave here my notes, scripts and docker-compose.yml; maybe they can be useful for others.
using docker image neo4j:4.0.6-enterprise
with let's encrypt certificates
fails with above
```bash
sudo cp ${SOURCE}/fullchain.pem ${TARGET}/volumes/certificates/neo4j.cert
sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key
```
works with above
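```bash
sudo cp ${SOURCE}/privkey.pem ${TARGET}/volumes/certificates/neo4j.key
# the trick for solving the Error in connection establishment: net::ERR_CERT_DATE_INVALID
# (written through "sudo tee": with "sudo cat ... > file" the redirect is done by the calling shell, not by root)
sudo cat ${SOURCE}/cert.pem ${SOURCE}/chain.pem | sudo tee ${TARGET}/volumes/certificates/neo4j.cert > /dev/null
```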
we must combine cert.pem and chain.pem, like we can see above
my full updatecertificates.sh
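```bash
#!/bin/bash
# files must be copied; symlinks don't work inside docker
SOURCE="/etc/letsencrypt/live/domain.com"
TARGET="/srv/docker/neo4j/neo4j406ent"
# full paths, used in cron
sudo cp "${SOURCE}/privkey.pem" "${TARGET}/volumes/certificates/neo4j.key"
# the trick for solving the Error in connection establishment: net::ERR_CERT_DATE_INVALID
# (written through "sudo tee": with "sudo cat ... > file" the redirect is done by the calling shell, not by root)
sudo cat "${SOURCE}/cert.pem" "${SOURCE}/chain.pem" | sudo tee "${TARGET}/volumes/certificates/neo4j.cert" > /dev/null
# show the expiry date of the deployed certificate (full path, so it also works from cron)
openssl x509 -in "${TARGET}/volumes/certificates/neo4j.cert" -text -noout | grep 'Not After'
```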
my docker-compose.yml
```yaml
version: '2'
services:
  neo4j:
    image: neo4j:4.0.6-enterprise
    hostname: neo4j
    domainname: domain.com
    container_name: neo4j
    restart: unless-stopped
    ports:
      - "7474:7474"
      - "7473:7473"
      - "7687:7687"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./volumes/data:/var/lib/neo4j/data
      - ./volumes/logs:/var/lib/neo4j/logs
      - ./volumes/plugins:/var/lib/neo4j/plugins
      - ./volumes/import:/var/lib/neo4j/import
      - ./volumes/certificates:/var/lib/neo4j/certificates
    environment:
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
      - NEO4J_dbms_memory_heap_maxSize=2048
      - NEO4J_dbms_connector_http_enabled=false
      - NEO4J_dbms_connector_https_enabled=true
      - NEO4J_dbms_connector_bolt_enabled=true
      - NEO4J_https_ssl__policy=default
      - NEO4J_dbms_ssl_policy_https_base__directory=/var/lib/neo4j/certificates
      - NEO4J_dbms_ssl_policy_https_private__key=/var/lib/neo4j/certificates/neo4j.key
      - NEO4J_dbms_ssl_policy_https_public__certificate=/var/lib/neo4j/certificates/neo4j.cert
      - NEO4J_dbms_ssl_policy_https_revoked__dir=/var/lib/neo4j/certificates/revoked
      - NEO4J_dbms_ssl_policy_bolt_trusted__dir=/var/lib/neo4j/certificates/trusted
      - NEO4J_dbms_default__advertised__address=0.0.0.0
      - NEO4J_dbms_connector_bolt__address=neo4j.domain.com:7687
      - NEO4J_dbms_connector_bolt_advertised__address=neo4j.domain.com
```
apache reverse proxy config
```apache
# neo4j
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@domain.com
        ServerName neo4j.domain.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        # Reverse proxy
        ProxyPreserveHost On
        ProxyRequests Off
        # Docker : neo4j:3.2
        ProxyPass / https://localhost:7473/
        ProxyPassReverse / https://localhost:7473/
        # This will do the trick to work with SSL Reverse Proxy
        SSLProxyEngine On
        # Other
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        # Fixed AH00898: Error during SSL Handshake with remote server returned by
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    </VirtualHost>
</IfModule>
```
now it works without any kind of issues
except for this one Secure websocket connection failure despite an apparently valid certificate
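A pre-restart check for the copied certificate files described above, as an added example that is not part of the original post. Because the files are copies rather than symlinks, they do not follow Let's Encrypt renewals, so the check compares the deployed leaf with the live one, confirms an intermediate is present, tests the expiry window and matches the key. The function names and exit codes are assumptions of this example.

```bash
#!/bin/bash
# Added example: verify the copied certificate files before restarting Neo4j.
# Function names and exit codes are this example's own, not from the post.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 digest of a public key read as PEM on stdin.
pubkey_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# check_deployed_cert LIVE_CERT DEPLOYED_CERT DEPLOYED_KEY [MIN_DAYS]
# 0 = ok, 1 = stale or unreadable copy, 2 = expired or expiring,
# 3 = key mismatch, 4 = no intermediate certificate in the deployed file
check_deployed_cert() {
    local live="$1" cert="$2" key="$3" min_days="${4:-7}"
    local live_fp cert_fp cert_pub key_pub

    # The copy does not follow renewals: compare its leaf with the live one.
    live_fp=$(leaf_fingerprint "$live")
    cert_fp=$(leaf_fingerprint "$cert")
    if [ -z "$cert_fp" ] || [ "$live_fp" != "$cert_fp" ]; then
        echo "stale copy: $cert does not match $live" >&2
        return 1
    fi
    # Leaf plus at least one intermediate (cert.pem + chain.pem).
    if [ "$(grep -c 'BEGIN CERTIFICATE' "$cert")" -lt 2 ]; then
        echo "no intermediate certificate in $cert" >&2
        return 4
    fi
    # -checkend exits non-zero if the leaf expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "$cert expires within $min_days days" >&2
        return 2
    fi
    # The private key must belong to the deployed leaf certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | pubkey_digest)
    key_pub=$(openssl pkey -in "$key" -pubout | pubkey_digest)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2
        return 3
    fi
    return 0
}
```

Called at the end of updatecertificates.sh as `check_deployed_cert "${SOURCE}/cert.pem" "${TARGET}/volumes/certificates/neo4j.cert" "${TARGET}/volumes/certificates/neo4j.key"`, a non-zero exit tells cron the container would be restarted with a bad certificate set; run it with enough privilege to read the key.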