
Resolving TLS certificate errors

TLS encryption is required everywhere. This article collects some of the errors you may run into while configuring your server. Diagnosing or manipulating certificates requires the openssl command.

Check folder permissions

Neo4j may run as a systemd service under an unprivileged user. The folder `$NEO4J_HOME/certificates/<POLICY_NAME>` referenced in your configuration must be writable by the neo4j user.

Check the private key

In version 3.5.x the private key must be in PKCS8 format, PEM encoded and without any passphrase. PKCS12 will be supported in a future release. The following command should complete without prompting for a password.

$ openssl rsa -in private.key -check

You can remove the passphrase with:

$ openssl rsa -in private.key -out private_key_without_passphrase.key

The folder `certificates/<POLICY_NAME>/trusted` must only contain valid certificates in DER format

If you encounter a `signed overrun` error, you may need to check every file in the trusted and revoked folders, including hidden files.

2019-10-24 15:17:36.595+0200 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:45)
at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:187)
at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:124)
at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:91)
at com.neo4j.server.enterprise.CommercialEntryPoint.main(CommercialEntryPoint.java:22)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@6f36c2f0' was successfully initialized, but failed to start. Please see the attached cause exception "signed overrun, bytes = 918".
at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:473)
at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:111)
at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:180)
... 3 more
Caused by: java.lang.RuntimeException: Failed to create trust manager based on: /neo4j/certificates/xxx/trusted
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:222)
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.create(SslPolicyLoader.java:99)
at org.neo4j.graphdb.factory.module.edition.CommunityEditionModule.<init>(CommunityEditionModule.java:98)
at org.neo4j.kernel.impl.enterprise.EnterpriseEditionModule.<init>(EnterpriseEditionModule.java:55)
at com.neo4j.commercial.edition.CommercialEditionModule.<init>(CommercialEditionModule.java:48)
at org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:181)
at com.neo4j.commercial.edition.CommercialGraphDatabase.<init>(CommercialGraphDatabase.java:20)
at com.neo4j.server.database.CommercialGraphFactory.newGraphDatabase(CommercialGraphFactory.java:40)
at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:90)
at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:452)
... 5 more
Caused by: java.security.cert.CertificateException: Error loading certificate file: /neo4j/certificates/xxx/private.key
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.createTrustManagerFactory(SslPolicyLoader.java:363)
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.load(SslPolicyLoader.java:218)
... 14 more
Caused by: java.security.cert.CertificateParsingException: signed overrun, bytes = 918
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1788)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at org.neo4j.kernel.configuration.ssl.SslPolicyLoader.createTrustManagerFactory(SslPolicyLoader.java:358)
... 15 more
2019-10-24 15:17:36.597+0200 INFO Neo4j Server shutdown initiated by request
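The private-key and trusted-folder checks described above, as an added shell script that is not part of this article: it refuses a key that is encrypted or not PKCS8, and flags every file in trusted/ (dotfiles included) that does not parse as a DER certificate. The file name private.key and the trusted/ folder follow the log output above; the policy folder passed as the single argument is an assumption.

```sh
#!/bin/sh
# Added example, not part of the Neo4j article: pre-flight checks for one
# Neo4j 3.5 SSL policy folder. private.key and trusted/ follow the article's
# log output; the folder layout passed in $1 is an assumption.

# Succeed only if the key is an unencrypted PKCS8 PEM file that loads without a prompt.
check_private_key() {
    key="$1"
    # Encrypted (BEGIN ENCRYPTED PRIVATE KEY) or PKCS1 (BEGIN RSA PRIVATE KEY)
    # keys carry a different PEM header than PKCS8.
    if ! head -n 1 "$key" | grep -q '^-----BEGIN PRIVATE KEY-----'; then
        echo "FAIL $key: not an unencrypted PKCS8 key: $(head -n 1 "$key")"
        echo "     convert with: openssl pkcs8 -topk8 -nocrypt -in $key -out private.key"
        return 1
    fi
    # Supply an empty passphrase so a protected key fails here instead of blocking on a prompt.
    if ! openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
        echo "FAIL $key: openssl cannot load the key without a passphrase"
        return 1
    fi
    echo "OK   $key"
}

# Succeed only if every regular file in trusted/, dotfiles included, parses as a
# DER certificate. A PEM or stray file here is what produces "signed overrun".
check_trusted_dir() {
    dir="$1"
    status=0
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue   # skips ., .. and unmatched globs
        if openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
            echo "OK   $f"
        elif openssl x509 -in "$f" -inform PEM -noout >/dev/null 2>&1; then
            echo "FAIL $f: PEM certificate; convert with: openssl x509 -in $f -outform DER -out <name>.der"
            status=1
        else
            echo "FAIL $f: not a certificate (stray or hidden file?)"
            status=1
        fi
    done
    return $status
}

# Usage: sh check_policy.sh "$NEO4J_HOME/certificates/<POLICY_NAME>"
if [ $# -eq 1 ]; then
    check_private_key "$1/private.key" && check_trusted_dir "$1/trusted"
fi
```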

Self-signed certificates

You can generate a key and a public certificate with the following command. Without `-nodes` it prompts for a passphrase and writes an encrypted key, which Neo4j cannot load; remove the passphrase with the `openssl rsa` command shown above.

$ openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out public_cert.pem -days 30

You then need to set `dbms.ssl.policy.<policyname>.trust_all=true` in neo4j.conf. Note that this is insecure, as it makes the policy trust any remote certificate.

CA-signed certificates

All certificates should be placed in the trusted directory in DER-encoded format. The certificate chain must be complete for communication to be allowed.