
Explanation of the data/log/console.log error "TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked..."

When bin/neo4j start is run, data/log/console.log may record an error similar to the following:

2016-01-04 13:32:44.589-0500 INFO  Successfully shutdown database
13:33:06.856 [main] DEBUG i.n.u.i.l.InternalLoggerFactory - Using SLF4J as the default logging framework
2016-01-04 13:33:07.437-0500 ERROR Failed to start Neo4j: TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked
TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked
org.neo4j.server.ServerStartupException: TLS certificate error occurred, unable to start server: Neither RSA, DSA nor EC worked
    at org.neo4j.server.AbstractNeoServer.createKeyStore(AbstractNeoServer.java:492)
    at org.neo4j.server.AbstractNeoServer.init(AbstractNeoServer.java:178)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:191)
    at org.neo4j.server.Bootstrapper.start(Bootstrapper.java:100)

Neo4j lets you configure the HTTPS certificate through parameters in conf/neo4j-server.properties. The defaults are:

# Turn https-support on/off
org.neo4j.server.webserver.https.enabled=true

# Certificate location (auto generated if the file does not exist)
dbms.security.tls_certificate_file=conf/ssl/snakeoil.cert

# Private key location (auto generated if the file does not exist)
dbms.security.tls_key_file=conf/ssl/snakeoil.key

If any of these three parameters is changed, bin/neo4j restart must be run for the change to take effect.

When neo4j start runs, the server reads the configured certificate and private key files and builds its key store from them. The decoded private key is handed to Java's KeyFactory, which expects PKCS#8 encoding, and is tried as an RSA, then a DSA, then an EC key; if none of the three loaders accepts the bytes, startup aborts with the "Neither RSA, DSA nor EC worked" error shown above. In practice that means the key file must be an unencrypted PKCS#8 PEM (a "BEGIN PRIVATE KEY" block). A passphrase-protected key, a key in OpenSSL's traditional format ("BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE KEY"), or a certificate mistakenly placed in the key path will all produce this error, even though the certificate itself may be perfectly valid.

In the configuration above, if the conf/ssl/snakeoil* files do not exist they are generated automatically at startup as a self-signed certificate and matching key. Generation happens only when the files are missing: an existing file that cannot be parsed is left in place and fails again on every restart, so to fall back to a freshly generated pair, move the broken files out of conf/ssl/ before restarting. Because the generated certificate is self-signed, clients will not trust it without explicit configuration; for anything beyond development, install a certificate issued by a CA your clients trust, keeping the same PEM formats for the certificate and the unencrypted PKCS#8 key.
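To tell before a restart whether a key file will survive the RSA/DSA/EC loading attempt described above, the following pre-flight check inspects the file the same way: it decodes the PEM body, walks the PKCS#8 PrivateKeyInfo structure and reports which of the three Java algorithm names the key declares, or why none of them can succeed. This is an added example, not Neo4j's own code; the file path, the function names and the two embedded sample keys are constructed for illustration (the PKCS#8 sample carries a valid rsaEncryption header over four dummy key bytes, so it exercises the parser but is not a usable key).

```python
"""Pre-flight check for the private key named by dbms.security.tls_key_file.

Added example, not Neo4j code. Neo4j base64-decodes the PEM body of the key
file and hands it to Java's KeyFactory as a PKCS#8 key, trying RSA, DSA and
EC in turn; this script reads the same bytes and says which one would work.
"""
import base64
import re

# PKCS#8 AlgorithmIdentifier OIDs, mapped to the Java KeyFactory names
# that Neo4j tries in order.
KEY_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",  # rsaEncryption
    "1.2.840.10040.4.1": "DSA",     # id-dsa
    "1.2.840.10045.2.1": "EC",      # id-ecPublicKey (also labels EC private keys)
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _read_tlv(data, pos, expected_tag):
    """Decode one DER tag-length-value at pos; return (value, next_pos)."""
    if data[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{data[pos]:02x}")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return data[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    parts = [str(content[0] // 40), str(content[0] % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def classify_key(pem_text):
    """Return (java_name_or_None, explanation) for the text of a PEM key file."""
    m = PEM_RE.search(pem_text)
    if not m:
        return None, "no PEM block found"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return None, "key is passphrase-protected; Neo4j cannot decrypt it"
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        return None, f"traditional OpenSSL {label.split()[0]} format, not PKCS#8"
    if label != "PRIVATE KEY":
        return None, f"unexpected PEM label {label!r} (a certificate instead of a key?)"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        # PrivateKeyInfo ::= SEQUENCE { version INTEGER,
        #   privateKeyAlgorithm AlgorithmIdentifier, privateKey OCTET STRING, ... }
        info, _ = _read_tlv(der, 0, 0x30)
        _version, pos = _read_tlv(info, 0, 0x02)
        alg_id, _ = _read_tlv(info, pos, 0x30)
        oid, _ = _read_tlv(alg_id, 0, 0x06)
    except (IndexError, ValueError):
        return None, "PEM body is not a well-formed PKCS#8 PrivateKeyInfo"
    dotted = _decode_oid(oid)
    name = KEY_OIDS.get(dotted)
    if name is None:
        return None, f"PKCS#8 key with algorithm {dotted}: neither RSA, DSA nor EC"
    return name, f"unencrypted PKCS#8 {name} key"


def check_key_file(path):
    """Classify the key stored at path (default is Neo4j's snakeoil key)."""
    with open(path) as f:
        return classify_key(f.read())


# Constructed sample: PKCS#8 PrivateKeyInfo with an rsaEncryption
# AlgorithmIdentifier and four dummy bytes (de ad be ef) as the key.
SAMPLE_PKCS8_RSA = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MBgCAQAwDQYJKoZIhvcNAQEBBQAEBN6tvu8=\n"
    "-----END PRIVATE KEY-----\n"
)

# Constructed sample with the traditional OpenSSL label: the same bytes,
# but Neo4j would reject the file on the label's format alone.
SAMPLE_TRADITIONAL_RSA = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MBgCAQAwDQYJKoZIhvcNAQEBBQAEBN6tvu8=\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "conf/ssl/snakeoil.key"
    name, why = check_key_file(path)
    print(f"{path}: {why}")
    sys.exit(0 if name else 1)
```

Run it against the configured key path before bin/neo4j restart; a non-zero exit means the server would throw the same error. When the verdict is "traditional OpenSSL format" or "passphrase-protected", convert the key with openssl pkcs8 -topk8 -nocrypt -in old.key -out conf/ssl/snakeoil.key (the -nocrypt flag writes it unencrypted, so keep the file permissions tight) and point dbms.security.tls_key_file at the result.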