Search code examples
dockersslneo4jplesk

Neo4j (3.4.17, 3.5.13, 4.0.0) in docker on plesk doesn't use provided SSL certificates in /ssl but tries to delete them and make its own self-signed

This configuration has worked for me at some point but simply stopped after a brief VPS suspension due to no automatic renewal being enabled.

As per documentation, I'm providing a neo4j.cert and neo4j.key in a folder that I then mount on the container for /ssl.

Unfortunately, neo4j will be stuck on 'cleaning up self-generated ...' and throw out 'permission denied' unless I set 775 permissions on that folder so it can write & execute as well (group policy).

If I do set to 775 things work but it is not using the proper provided signed certificates instead it just deletes them and makes its own self-signed certificate.

Solution

  • In 4.0, I managed to get ssl working with these settings:

    $ docker run -d -p 7473:7473 -p 7474:7474 -p 7687:7687 --rm \
    -v /opt/neo4j/certs/https:/var/lib/neo4j/certificates/https \
    -e NEO4J_dbms_ssl_policy_https_enabled=true \
    -e NEO4J_dbms_ssl_policy_https_base__directory=certificates/https \
    -e NEO4J_dbms_ssl_policy_https_private__key=private.key \
    -e NEO4J_dbms_ssl_policy_https_public__certificate=public.crt \
    -e NEO4J_dbms_connector_https_enabled=true \
    neo4j:4.0

    Simply mounting /ssl as instructed on the neo4j docker docs doesn't work for me. I created an issue for this on their github repo: https://github.com/neo4j/docker-neo4j/issues/225 https://neo4j.com/docs/operations-manual/3.5/docker/security/

    Also, the settings above don't work for 3.5 as some variables have changed. I will edit my post if I can get it working for 3.5. https://neo4j.com/docs/operations-manual/3.5/security/ssl-framework/

    This was my setup:

    $ pwd
/opt/neo4j/certs/https
$ ls
private.key  public.crt

    For enabling ssl on bolt:

    docker run -d -p 7473:7473 -p 7474:7474 -p 7687:7687 \
    -e NEO4J_dbms_ssl_policy_bolt_enabled=true \
    -e NEO4J_dbms_ssl_policy_bolt_base__directory=certificates \
    -e NEO4J_dbms_connector_bolt_tls__level=OPTIONAL \
    -e NEO4J_dbms_connector_bolt_advertised__address=domain.with.valid.cert.com \
    -e NEO4J_dbms_ssl_policy_bolt_client__auth=NONE \
    neo4j:4.0

    bolt_advertised__address seems to be necessary if you want to connect from the browser. Python driver could connect fine without it as well.