Knowledge Base

Resolving TLS certificate errors

TLS encryption is required everywhere. This is a collection of several errors you may run into while configuring the server. Diagnosing or manipulating certificates requires the openssl command.

Check the folder permissions

neo4j may be running as a systemd service under an unprivileged user. The folder specified in the configuration, "$NEO4J_HOME/certificates/<POLICY_NAME>", must be writable by the neo4j user.

Check the private key

In version 3.5.x the private key must be PKCS8, PEM-encoded and without any passphrase. PKCS12 will be supported in a later version. The command below should succeed without prompting for a password.

$ openssl rsa -in private.key -check

You can remove the passphrase with the following command:

$ openssl rsa -in private.key -out private_key_without_passphrase.key

The folder "certificates/<POLICY_NAME>/trusted" may only contain valid certificates in DER format.

If you run into a signed overrun error, you may need to check every file (including hidden files) in the trusted and revoked folders. The startup log below shows the error produced when a private key file ends up in the trusted folder.

2019-10-24 15:17:36.595+0200 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:45)
at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:187)
at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:124)
at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:91)
at com.neo4j.server.enterprise.CommercialEntryPoint.main(CommercialEntryPoint.java:22)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:473)
at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:111)
at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:180)
... 3 more
Caused by: java.lang.RuntimeException: Failed to create trust manager based on: /neo4j/certificates/xxx/trusted
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:222)
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.create(SslPolicyLoader.java:99)
at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:98)
at org.neo4j.kernel.impl.enterprise.EnterpriseEditionModule.<init>(EnterpriseEditionModule.java:55)
at com.neo4j.commercial.edition.CommercialEditionModule.<init>(CommercialEditionModule.java:48)
at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:181)
at com.neo4j.commercial.edition.CommercialGraphDatabase.<init>(CommercialGraphDatabase.java:20)
at com.neo4j.server.database.CommercialGraphFactory.newGraphDatabase(CommercialGraphFactory.java:40)
at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:90)
at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:452)
... 5 more
Caused by: java.security.cert.CertificateException: Error loading certificate file: /neo4j/certificates/xxx/private.key
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.createTrustManagerFactory(SslPolicyLoader.java:363)
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:218)
... 14 more
Caused by: java.security.cert.CertificateParsingException: signed overrun, bytes = 918
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1788)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.createTrustManagerFactory(SslPolicyLoader.java:358)
... 15 more
2019-10-24 15:17:36.597+0200 INFO Neo4j Server shutdown initiated by request
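The check described above (every file in trusted/ or revoked/, hidden ones included, must be a certificate), as an added example script that is not part of the original article. It assumes openssl is on PATH and that it is run as the neo4j user; the directory path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Neo4j policy's
# trusted/ or revoked/ directory. It lists every file, hidden ones included,
# and reports any that is not an X.509 certificate (a stray private key in
# trusted/ is what produces "signed overrun" at startup).
# Assumes openssl is on PATH and that the script runs as the neo4j user.

# classify_file FILE -> prints der-cert, pem-cert, private-key or unknown
classify_file() {
    f=$1
    if openssl x509 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        echo der-cert
    elif openssl x509 -inform PEM -in "$f" -noout >/dev/null 2>&1; then
        echo pem-cert
    elif grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
        echo private-key
    else
        echo unknown
    fi
}

# audit_dir DIR -> one line per file; returns 1 if any file is not a
# certificate. PEM certificates only get a warning, since the article
# expects DER encoding in this directory.
audit_dir() {
    dir=$1
    rc=0
    [ -w "$dir" ] || echo "WARN    not writable by $(id -un): $dir"
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue        # skips ., .. and unmatched globs
        case $(classify_file "$f") in
            der-cert)    echo "ok      der-cert    $f" ;;
            pem-cert)    echo "WARN    pem-cert    $f (DER expected)" ;;
            private-key) echo "PROBLEM private-key $f"; rc=1 ;;
            *)           echo "PROBLEM unknown     $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh audit_trusted.sh /neo4j/certificates/<POLICY_NAME>/trusted
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```

A non-zero exit status means at least one file in the directory would make the trust manager fail to load.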

Self-signed certificate

You can generate a key and a public certificate with the following command.

$ openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out public_cert.pem -days 30

You must set dbms.ssl.policy.<policyname>.trust_all=true in neo4j.conf. Note that this is not secure.

CA-signed certificate

All certificates in the trusted directory should be DER encoded. The certificate chain must be complete for communication to succeed.

This site is unofficial and not affiliated with Neo4j, Inc.