Getting Valid SSL Certificates for Neo4j with Let’s Encrypt

Victor Zhao
4 min readAug 7, 2020

中文版本

lets encrypt and neo4j

Using Neo4j’s cloud VMs, a common question is how to set up valid SSL to protect data in transit. This article will cover how to do it with LetsEncrypt, a popular free certificate authority.

The instructions below will work with almost any public cloud-hosted instance of Neo4j >= 4.0. And the demo instance is Neo4j Graph Database — Community Edition by Neo4j on AWS Marketplace.

Neo4j Graph Database — Community Edition

Why are we doing this?

You need valid SSL certificates in order for the browser and various client applications to trust that your site is what it says that it is. If you’ve created a Neo4j instance in a public cloud and you’ve seen browser warnings about “this site is untrusted” or “add a special exception” — valid certificates solve this.

connection not private on safari

Prerequisites

  • A valid DNS Name that is pointed to the machine (as let’s encrypt will not issue SSL for IPs)
  • TCP 80 (HTTP) is open to the public (for the instance to complete the http-01 challenge). However, you can still get the Certificates even without open this port by using DNS Plugins.

Part 1: Get Certificates from Let’s Encrypt by using Certbot

All the steps below is taken directly from the certbot instructions

Add Certbot PPA

You’ll need to add the Certbot PPA to your list of repositories. To do so, run the following commands on the command line on the machine:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Install Certbot

Run this command on the command line on the machine to install Certbot.

sudo apt-get install certbot

Get the certificates

Since Neo4j will not use the 80 port, and no web server is running on the VM.

Run this command and follow the instructions it gives you.

sudo certbot certonly --standalone

Let’s suppose the DNS Name you used to request the SSL Certificates is called myneo4j.example.com

You should be able to find some files under /etc/letsencrypt/live/myneo4j.example.com/ directory (you may need sudo privilege to view them)

Part 2: Install the certificates to the Neo4j

For the sake of convenience, we first run this to avoid unexpected permission denied error.

sudo su

You should be able to notice that now you are acting as root

First cd into the neo4j certificates directory:

cd /var/lib/neo4j/certificates

You can see three different directories each with a private.key and a public.crt which we will need to replace with privkey.pem and fullchain.pem under /etc/letsencrypt/live/myneo4j.example.com/

Remember to replace myneo4j.example.com with your own value

#./https/
cat /etc/letsencrypt/live/myneo4j.example.com/fullchain.pem > https/public.crt
cat /etc/letsencrypt/live/myneo4j.example.com/privkey.pem > https/private.key
#./bolt/
cat /etc/letsencrypt/live/myneo4j.example.com/fullchain.pem > bolt/public.crt
cat /etc/letsencrypt/live/myneo4j.example.com/privkey.pem > bolt/private.key
#./cluster/
cat /etc/letsencrypt/live/myneo4j.example.com/fullchain.pem > cluster/public.crt
cat /etc/letsencrypt/live/myneo4j.example.com/privkey.pem > cluster/private.key

Why rewrite the file but not move it to this directory and replace the original ones, as it is the most hassle-free method for you don’t need to deal with the complex permissions of these files.

Then find the neo4j config file which should be under /etc/neo4j/ directory as neo4j.template or neo4j.conf. Edit the template file if it exists, otherwise the conf one.

#open the file with your preferred editor, e.g.
vim /etc/neo4j/neo4j.template

And find the following lines and change those value into this:

#...
dbms.default_listen_address=0.0.0.0
#...
dbms.default_advertised_address=myneo4j.example.com
#...

And make sure #https connector is enabled. Also, you can disable the #http connector.

And the final Step: Restart the service

service neo4j restart

Wait a while for neo4j to restart and check its status

service neo4j status
INFO Started.

If there’s no error showing, and INFO Started. is presenting,

Then, congratulations!

You should be able to use neo4j with valid SSL.

Reference:

  1. Getting Certificates for Neo4j with LetsEncrypt
  2. Certbot — Ubuntubionic Other
  3. Several Stackoverflow threads

--

--