Neo4j and LetsEncrypt - ssl

Has anyone gotten Neo4j to work with a LetsEncrypt certificate?
I have a regular website working with LetsEncrypt so I know my certificate is good. Neo4j is working and I can access the Neo4j browser over https and I get the self-signed cert warning.
I've been following the documentation on setting up SSL, but when I try to start the service it fails immediately. I don't even get any output in my logs as to what the issue is.
myself@localhost:/var/lib/neo4j/certificates/bolt/trusted# service neo4j status
● neo4j.service - Neo4j Graph Database
Loaded: loaded (/lib/systemd/system/neo4j.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/neo4j.service.d
└─override.conf
Active: inactive (dead) (Result: exit-code) since Sat 2018-07-21 21:08:37 MDT; 658ms ago
Process: 19066 ExecStart=/usr/share/neo4j/bin/neo4j console (code=exited, status=1/FAILURE)
Main PID: 19066 (code=exited, status=1/FAILURE)
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Unit entered failed state.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Failed with result 'exit-code'.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Service hold-off time over, scheduling restart.
Jul 21 21:08:37 Swingset systemd[1]: Stopped Neo4j Graph Database.
Jul 21 21:08:37 Swingset systemd[1]: neo4j.service: Start request repeated too quickly.
Jul 21 21:08:37 Swingset systemd[1]: Failed to start Neo4j Graph Database.
So I'm looking for someone who has gotten this to work and could give me a checklist of things to double check. I believe I have the correct folder structure in place, I think I have the correct permissions, I think neo4j.conf is modified correctly, and I think I have the correct LetsEncrypt files copied into the correct folders with the correct file names. But I must be missing something because it's not working.

Funny how I was doing exactly the same thing today and stumbled upon this question when trying to figure it out... Well, here's what worked for me and the procedure that I followed, based on the instructions from the Neo4j documentation on the SSL framework.
Create the appropriate directory structure
cd /var/lib/neo4j/certificates
mkdir -p default/revoked default/trusted
Copy the letsencrypt certificates to the neo4j folder
# Copy your server cert to the base dir and the trusted dir of neo4j
cp $your_cert_dir/cert.pem /var/lib/neo4j/certificates/default/cert.pem
cp $your_cert_dir/cert.pem /var/lib/neo4j/certificates/default/trusted/cert.pem
# Copy your key to the base dir of neo4j
cp $your_cert_dir/privkey.pem /var/lib/neo4j/certificates/default/privkey.pem
Ensure that the files have the correct permissions
# On my system, Ubuntu 16.04, it was neo4j:adm
chown -R neo4j:adm /var/lib/neo4j/certificates/default/
Ensure that the following entries are as follows at the configuration file of neo4j (/etc/neo4j/neo4j.conf)
# Set the base dir for certificates
dbms.directories.certificates=/var/lib/neo4j/certificates
# To enable connections from remote servers
dbms.connectors.default_listen_address=0.0.0.0
# This can remain "OPTIONAL"
dbms.connector.bolt.tls_level=REQUIRED
# Enable https connector
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=:7473
# Set up the policy for the connectors to the default
bolt.ssl_policy=default
https.ssl_policy=default
# Create default policy
dbms.ssl.policy.default.base_directory=certificates/default
# Set the paths for the private key and of the server cert.
# These must be absolute paths.
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/default/privkey.pem
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/default/cert.pem
# Set up client authentication to "optional" or "none".
# If this is left to "default" then the client (a.k.a person who tries to
# access the web-portal) would need to authenticate with a certificate
dbms.ssl.policy.default.client_auth=none
Ensure that you have the following ports open to the firewall of the server
https connector port: 7473
http connector port: 7474 (Well, this you may be able to keep blocked ;-) )
bolt connector port: 7687
Restart neo4j
service neo4j restart
You should now be able to connect to the web interface with https://<your server domain name>:7473. If you try with https://IP:7473 then your browser will complain about the fact that the certificate and the address are not the same.
FYI, I still get the following error in the Neo4j logs, and I'm currently trying to solve it. Still, everything else seems to be working fine so far.
Jul 24 14:13:34 sstest neo4j[18181]: 2018-07-24 12:13:34.556+0000 ERROR Unexpected error detected in bolt session 'fa163efffeefd082-00004705-00000003-81330a20f088cbac-29e11d2a'. The client is unauthorized due to authentication failure.
Jul 24 14:13:34 sstest neo4j[18181]: org.neo4j.bolt.v1.runtime.BoltConnectionFatality: The client is unauthorized due to authentication failure.
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.handleFailure(BoltStateMachine.java:742)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.handleFailure(BoltStateMachine.java:728)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.access$500(BoltStateMachine.java:62)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine$State$1.init(BoltStateMachine.java:435)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.runtime.BoltStateMachine.init(BoltStateMachine.java:145)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.v1.messaging.BoltMessageRouter.lambda$onInit$0(BoltMessageRouter.java:70)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.DefaultBoltConnection.processNextBatch(DefaultBoltConnection.java:195)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.DefaultBoltConnection.processNextBatch(DefaultBoltConnection.java:143)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.ExecutorBoltScheduler.executeBatch(ExecutorBoltScheduler.java:170)
Jul 24 14:13:34 sstest neo4j[18181]: at org.neo4j.bolt.runtime.ExecutorBoltScheduler.lambda$scheduleBatchOrHandleError$2(ExecutorBoltScheduler.java:153)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jul 24 14:13:34 sstest neo4j[18181]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jul 24 14:13:34 sstest neo4j[18181]: at java.lang.Thread.run(Thread.java:748)
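Added example (mine, not from the answer above or from Neo4j): a POSIX shell checklist that turns the steps above into checks to run before service neo4j restart, and whose key/certificate comparison is also the "check md5 of the key and cert file" advice given in the related Apache thread further down. The function names are assumptions; the paths and config keys are the answer's, and check 2 requires openssl.

```shell
# Added checklist for the Neo4j 3.x SSL policy set up in the answer above (example code, not Neo4j's).
# Print the value of key $2 in conf file $1 (last uncommented assignment wins).
conf_get() {
  awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# Check 1: the layout the answer creates exists, each file is readable by the caller
# (run as the neo4j user to catch chown slips), and the key is not world-readable.
check_policy_files() {
  base="$1"; rc=0
  for d in trusted revoked; do
    [ -d "$base/$d" ] || { echo "MISSING DIR: $base/$d"; rc=1; }
  done
  for f in privkey.pem cert.pem trusted/cert.pem; do
    [ -r "$base/$f" ] || { echo "MISSING/UNREADABLE: $base/$f"; rc=1; }
  done
  [ -z "$(find "$base/privkey.pem" -perm -004 2>/dev/null)" ] \
    || { echo "WORLD-READABLE: $base/privkey.pem"; rc=1; }
  return "$rc"
}

# Check 2: the private key belongs to the certificate (needs openssl). This is the
# mismatch Apache reports as AH02565 in the related thread below; cheap to rule out.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the neo4j.conf entries from the answer, including the two that are easy
# to get wrong: relative key/cert paths and client_auth left at its default.
check_conf() {
  conf="$1"; rc=0
  [ "$(conf_get "$conf" dbms.connector.https.enabled)" = "true" ] || { echo "BAD: https connector not enabled"; rc=1; }
  for k in bolt.ssl_policy https.ssl_policy; do
    [ "$(conf_get "$conf" "$k")" = "default" ] || { echo "BAD: $k does not select the default policy"; rc=1; }
  done
  for k in private_key public_certificate; do
    v=$(conf_get "$conf" "dbms.ssl.policy.default.$k")
    case "$v" in /*) ;; *) echo "BAD: dbms.ssl.policy.default.$k must be absolute (got '$v')"; rc=1 ;; esac
  done
  v=$(conf_get "$conf" dbms.ssl.policy.default.client_auth)
  case "$v" in none|optional) ;; *) echo "BAD: client_auth should be none or optional (got '$v')"; rc=1 ;; esac
  return "$rc"
}

# Run all three; non-zero means fix something before "service neo4j restart".
neo4j_ssl_check() {
  ok=0
  check_policy_files "$1" || ok=1
  check_key_matches_cert "$1/cert.pem" "$1/privkey.pem" || { echo "MISMATCH/UNREADABLE: $1/cert.pem vs privkey.pem"; ok=1; }
  check_conf "$2" || ok=1
  return "$ok"
}
```

Source the file and run neo4j_ssl_check /var/lib/neo4j/certificates/default /etc/neo4j/neo4j.conf as root, or as the neo4j user to also exercise the ownership step.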

Related

Unable to start httpd service on Centos 7 "GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject"

When trying to (re)start httpd service I get the following error:
** (pkttyagent:2574): WARNING **: 01:33:55.345: Unable to register authentication agent:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject Error registering authentication agent:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0) Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Then
systemctl status httpd.service
sheds no light on the problem:
httpd.service - Web server Apache
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2020-07-22 01:33:55 BST; 26min ago
Process: 2578 ExecStart=/usr/local/apache/bin/apachectl start (code=exited, status=1/FAILURE)
Jul 22 01:33:55 server... systemd[1]: Starting Web server Apache...
Jul 22 01:33:55 server... systemd[1]: httpd.service: control process exited, code=exited status=1
Jul 22 01:33:55 server... systemd[1]: Failed to start Web server Apache.
Jul 22 01:33:55 server... systemd[1]: Unit httpd.service entered failed state.
Jul 22 01:33:55 server... systemd[1]: httpd.service failed.
What might be causing this? Where should I look to debug?
[Thu Jul 23 05:40:44.885963 2020] [ssl:emerg] [pid 2877:tid 140514669713280] AH02565: Certificate and private key do not match
Looks like the key and certificate do not match. Please check the md5 of the key and cert files.
This usually happens when trying to restart a systemd service.
The workaround is as follows:
Run this as root
groupadd -g 23 nohidproc
usermod -a -G nohidproc polkitd
mount -o remount,rw,hidepid=2,gid=nohidproc /proc
systemctl restart polkit

Apache won't start in CentOS 7 due to missing SSLCertificateFile

Apache does not start after installing the web server. (CentOS 7)
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-03-28 12:18:22 MSK; 16ms ago
Docs: man:httpd.service(8)
Process: 30144 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 30144 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
Mar 28 12:18:22 box-40395.localdomain systemd[1]: Starting The Apache HTTP Server...
Mar 28 12:18:22 box-40395.localdomain httpd[30144]: AH00526: Syntax error on line 103 of /etc/httpd/conf.d/ssl.conf:
Mar 28 12:18:22 box-40395.localdomain httpd[30144]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Mar 28 12:18:22 box-40395.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 28 12:18:22 box-40395.localdomain systemd[1]: Failed to start The Apache HTTP Server.
Mar 28 12:18:22 box-40395.localdomain systemd[1]: Unit httpd.service entered failed state.
Mar 28 12:18:22 box-40395.localdomain systemd[1]: httpd.service failed.
You could try creating a fake certificate.
In CentOS there is a handy script which might help:
$ cd /etc/pki/tls/certs
$ sudo ./make-dummy-cert localhost.crt
This script produces a self-signed certificate and the certificate's private key.
Therefore SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf could be commented out
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Otherwise the service won't start.
The error message is very clear:
SSLCertificateFile: file /etc/pki/tls/certs/localhost.crt does not exist or is empty
Remove this invalid configuration, or add the missing certificate file / fix the existing one. Either way you have to fix the configuration before Apache can start.
Obtaining an SSL certificate is out of the scope for StackOverflow. There're plenty of resources on the web, you can try on ServerFault too…
When you're done, simply sudo systemctl start httpd to start Apache.

How to solve error restarting apache Ubuntu

Question originally posted in Spanish, on es.stackoverflow.com, by mnsperez97:
I have a problem with the connection to Apache. After restarting it with the sudo service apache2 restart command, I get this error:
Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.
Then when I go to localhost it does not let me in, and it gets worse: when I run sudo journalctl -xe it tells me the following, but I still can't find the error. If you could help me I would be very grateful.
EDIT: I ran the systemctl status apache2.service command and this is what appears:
apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Thu 2019-10-17 12:20:34 -04; 29min ago
Process: 21198 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)
Process: 7385 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Process: 23453 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 1059 (code=exited, status=0/SUCCESS)
oct 17 12:20:34 pcarrasco systemd[1]: Starting The Apache HTTP Server...
oct 17 12:20:34 pcarrasco apachectl[23453]: AH00526: Syntax error on line 47 of /etc/apache2/sites-enabled/cms.local.conf:
oct 17 12:20:34 pcarrasco apachectl[23453]: order takes one argument, 'allow,deny', 'deny,allow', or 'mutual-failure'
oct 17 12:20:34 pcarrasco apachectl[23453]: Action 'start' failed.
oct 17 12:20:34 pcarrasco apachectl[23453]: The Apache error log may have more information.
oct 17 12:20:34 pcarrasco systemd[1]: apache2.service: Control process exited, code=exited status=1
oct 17 12:20:34 pcarrasco systemd[1]: apache2.service: Failed with result 'exit-code'.
oct 17 12:20:34 pcarrasco systemd[1]: Failed to start The Apache HTTP Server.
This is common due to problems in your configuration:
it may be the port configuration;
look at the log file (the path can be found as ErrorLog in /etc/httpd/conf/httpd.conf);
or try to undo what you changed in the configuration files till you find the problem.

Xvarnish (cachewall) with mod_pagespeed

There is an issue where I have a cPanel server with Cachewall (formerly called Xvarnish) and mod_pagespeed installed.
Cachewall/Xvarnish has https support enabled.
The issue is that even though the headers of the website show that both Cachewall and mod_pagespeed are running, I'm getting flooded with this in my Apache error log:
[Mon Jul 03 20:45:49.060050 2017] [pagespeed:error] [pid 31223:tid 112490802050816] [mod_pagespeed 1.11.33.4-0 #31223] Serf status 120171(APR does not understand this error code) polling for 1 threaded fetches for 0.05 seconds
[Mon Jul 03 20:45:49.060071 2017] [pagespeed:error] [pid 31223:tid 112490802050816] [mod_pagespeed 1.11.33.4-0 #31223] Serf status 120171(APR does not understand this error code) polling for 1 threaded fetches for 0.05 seconds
[Mon Jul 03 20:45:49.910183 2017] [pagespeed:warn] [pid 31225:tid 112490799363840] [mod_pagespeed 1.11.33.4-0 #31225] Fetch timed out: https://www.example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4 (connecting to:139.xx.xx.xx:82) (1) waiting for 50 ms
Not sure what's going on here.
I think you have to understand the cache flow when using both Varnish and PageSpeed.
Please check the link below for details:
https://www.sonassi.com/help/troubleshooting/understanding-cache-flow-when-using-pagespeed-and-varnish
Clear all page_speed cache and varnish cache, then restart both varnish and apache.

Apache startup failure - Centos7

I ran a yum update, after which the Apache HTTP server fails to start up on my CentOS 7 VM.
The apache details - Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16
Kernel version - 3.10.0-327.10.1.el7.x86_64
Here is what the systemctl shows. I'm not able to figure out what is broken after the update.
[root@localhost log]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/etc/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2016-02-26 16:32:37 NZDT; 4min 19s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 3654 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
Process: 3651 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 3649 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Process: 3574 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
Main PID: 3649 (code=exited, status=1/FAILURE)
Feb 26 16:32:37 localhost.localdomain ipa-httpd-kdcproxy[3574]: ipa : WARNING Disabling KDC proxy
Feb 26 16:32:37 localhost.localdomain httpd[3649]: [Fri Feb 26 16:32:37.213684 2016] [so:warn] [pid 3649] AH01574: module rewrite_module is already loaded, skipping
Feb 26 16:32:37 localhost.localdomain httpd[3649]: [Fri Feb 26 16:32:37.217181 2016] [so:warn] [pid 3649] AH01574: module ssl_module is already loaded, skipping
Feb 26 16:32:37 localhost.localdomain httpd[3649]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directi... this message
Feb 26 16:32:37 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Feb 26 16:32:37 localhost.localdomain kill[3651]: kill: cannot find process ""
Feb 26 16:32:37 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
Feb 26 16:32:37 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
Feb 26 16:32:37 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
Feb 26 16:32:37 localhost.localdomain systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Could I please request some pointers to dig further, or has anyone seen this before and knows how to fix it?
It happened to me when I installed/uninstalled FreeIPA, because of which nss.conf was created at /etc/httpd/conf.d/nss.conf. You can give it a try by just moving this file to another directory, as I did; now the httpd service is working like a charm.
Can you please set up the correct hostname for your server and check the output of the "journalctl -xn" command while restarting the httpd service on your server? You will get the exact root cause of your httpd issues with the journalctl -xn command.