How to use SSL certificates in Neo4j instead of self-signed certificates (or snakeoil.cert)

Front-end · Unresolved · 3 · 796
隐瞒了意图╮ 2021-01-14 06:58

For a production Neo4j server I need to use a SSL certificate that is not self-signed. I will post lessons learned in the response below.

3 answers
  •  离开以前
    2021-01-14 07:45

    If your neo4j server is in a public subnet and you want a valid SSL certificate to protect data in transit:

    For certificate generation, you can either use native AWS certificate generation or LetsEncrypt.

    LetsEncrypt - Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge.

    Install LetsEncrypt:

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install -y certbot
    

    Generate a free certificate:

    $ sudo certbot certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    # Change group of all letsencrypt files to neo4j
    sudo chgrp -R neo4j /etc/letsencrypt/* 
    # Make sure all directories and files are group readable.
    sudo chmod -R g+rx /etc/letsencrypt/* 
    

    Set up the symlinks and the directory structure neo4j expects:

    cd /var/lib/neo4j/certificates
    sudo mkdir revoked trusted bak
    # Move old generated certificates into a backup directory
    sudo mv neo4j.* bak
    export MY_DOMAIN=graph.somehost.com
    # Configure cert neo4j will use
    sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem neo4j.cert
    # Configure private key neo4j will use
    sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/privkey.pem neo4j.key
    # Indicate that this cert is trusted for neo4j
    sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem trusted/neo4j.cert
    

    Update the Neo4j config file:

    dbms.connectors.default_listen_address=0.0.0.0
    dbms.connectors.default_advertised_address=your.hostname.com
    bolt.ssl_policy=default
    dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
    dbms.ssl.policy.default.allow_key_generation=false
    dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
    dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
    dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
    dbms.ssl.policy.default.client_auth=NONE
    

    Restart all nodes.
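The steps above leave several things that silently break later: a Let's Encrypt renewal can replace the files the symlinks point to, a key copied with a permissive umask can end up world-readable, and a certificate that does not belong to the key makes Neo4j fail to start. The following script is an added example (not part of the answer above and not Neo4j's own tooling) that checks the certificate directory layout the answer builds. The directory path and file names follow the answer; the function names `check_neo4j_certs` and `check_neo4j_keypair` are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for the /var/lib/neo4j/certificates layout
# described in the answer above. Not part of the original post or of Neo4j.
# Usage: check_neo4j_certs /var/lib/neo4j/certificates
#        check_neo4j_keypair /var/lib/neo4j/certificates

check_neo4j_certs() {
    dir="$1"
    status=0

    # Each of these must resolve to a regular file. Because the answer uses
    # symlinks into /etc/letsencrypt/live, a dangling link after a renewal or
    # a domain rename is the most common way the setup breaks later.
    for f in neo4j.cert neo4j.key trusted/neo4j.cert; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing or dangling: $dir/$f" >&2
            status=1
        fi
    done

    # dbms.ssl.policy.default.revoked_dir points here; it must exist even if empty.
    if [ ! -d "$dir/revoked" ]; then
        echo "missing directory: $dir/revoked" >&2
        status=1
    fi

    # The private key must not be readable by "other". The chmod -R g+rx in
    # the answer only grants the neo4j group access; this catches a key that
    # was created or copied with a permissive umask. ls -L follows the symlink,
    # and the 8th character of the mode string is the "other read" bit.
    if [ -f "$dir/neo4j.key" ]; then
        mode=$(ls -lL "$dir/neo4j.key" | cut -c1-10)
        case "$mode" in
            ???????r??) echo "private key is world-readable: $dir/neo4j.key" >&2; status=1 ;;
        esac
    fi

    return $status
}

# Optional deeper check that needs openssl: confirm the certificate was issued
# for the private key and is not about to expire (86400 s = one day).
# Let's Encrypt keys may be RSA or ECDSA, so compare public keys via "pkey"
# rather than RSA moduli.
check_neo4j_keypair() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/neo4j.cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/neo4j.key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "neo4j.cert does not match neo4j.key" >&2
        return 1
    fi
    if ! openssl x509 -in "$dir/neo4j.cert" -noout -checkend 86400; then
        echo "neo4j.cert expires within 24 hours" >&2
        return 1
    fi
    return 0
}
```

`check_neo4j_certs` uses only POSIX shell tools, so it can run from a cron job next to the certbot renewal hook; `check_neo4j_keypair` is worth running once after the symlinks are created and again after each renewal, since a renewal that regenerates the key (rather than reusing it) still works with the symlinks, but any cached copy of the old key would not.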
