neo4j-contrib / neo4j-helm

Helm Charts for running Neo4j on Kubernetes [DEPRECATED]
https://neo4j-contrib.github.io/neo4j-helm/user-guide/USER-GUIDE.html
Apache License 2.0

Loading SSL cert causes java.io.IOException: Short read of DER length #147

Closed salehio closed 3 years ago

salehio commented 3 years ago

Hello,

After pointing my neo4j install at my public and private keys, it seems to fail to load due to a formatting failure. Looking at my crt file, it seems to be a PEM, which according to the documentation is correct.

root@xxxxneo-neo4j-core-0:/var/lib/neo4j# cat /certs/xxxx.crt
-----BEGIN PUBLIC KEY-----
MII...
-----END PUBLIC KEY-----

PS C:\Users\h> kubectl logs -n graph --follow xxxxneo-neo4j-core-2
Configuration override prefix =xxxxneo_neo4j_core_2
Starting Neo4j CORE 2 on xxxxneo-neo4j-core-2.xxxxneo-neo4j.graph.svc.cluster.local
Warning: Some files inside "/data" are not writable from inside container. Changing folder owner to neo4j.
Changed password for user 'neo4j'.
Fetching versions.json for Plugin 'apoc' from https://neo4j-contrib.github.io/neo4j-apoc-procedures/versions.json
Installing Plugin 'apoc' from https://github.com/neo4j-contrib/neo4j-apoc-procedures/releases/download/4.1.0.4/apoc-4.1.0.4-all.jar to /plugins/apoc.jar
Applying default values for plugin apoc to neo4j.conf
Directories in use:
  home:         /var/lib/neo4j
  config:       /var/lib/neo4j/conf
  logs:         /data/logs
  plugins:      /plugins
  import:       /var/lib/neo4j/import
  data:         /var/lib/neo4j/data
  certificates: /var/lib/neo4j/certificates
  run:          /var/lib/neo4j/run
Starting Neo4j.
2020-12-03 09:51:32.849+0000 WARN  Unrecognized setting. No declared setting with name: dbms.ssl.policy.default_ciphers
2020-12-03 09:51:32.852+0000 INFO  Starting...
2020-12-03 09:51:33.871+0000 ERROR Failed to start Neo4j on dbms.connector.http.listen_address, a socket address. If missing port or hostname it is acquired from dbms.default_listen_address. Failed to load public certificate chain: /certs/xxxx.crt
java.lang.RuntimeException: Failed to load public certificate chain: /certs/xxxx.crt
        at org.neo4j.ssl.config.SslPolicyLoader.loadCertificateChain(SslPolicyLoader.java:282)
        at org.neo4j.ssl.config.SslPolicyLoader.pemKeyAndChain(SslPolicyLoader.java:228)
        at org.neo4j.ssl.config.SslPolicyLoader.createSslPolicy(SslPolicyLoader.java:170)
        at org.neo4j.ssl.config.SslPolicyLoader.addPolicy(SslPolicyLoader.java:151)
        at java.base/java.util.HashMap$Values.forEach(HashMap.java:976)
        at org.neo4j.ssl.config.SslPolicyLoader.load(SslPolicyLoader.java:141)
        at org.neo4j.ssl.config.SslPolicyLoader.create(SslPolicyLoader.java:104)
        at com.neo4j.causalclustering.core.CoreEditionModule.<init>(CoreEditionModule.java:190)
        at com.neo4j.causalclustering.core.CoreGraphDatabase.lambda$createManagementService$0(CoreGraphDatabase.java:37)
        at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.build(DatabaseManagementServiceFactory.java:127)
        at com.neo4j.causalclustering.core.CoreGraphDatabase.createManagementService(CoreGraphDatabase.java:38)
        at com.neo4j.causalclustering.core.CoreGraphDatabase.<init>(CoreGraphDatabase.java:30)
        at com.neo4j.server.enterprise.EnterpriseManagementServiceFactory.createManagementService(EnterpriseManagementServiceFactory.java:34)
        at com.neo4j.server.enterprise.EnterpriseBootstrapper.createNeo(EnterpriseBootstrapper.java:20)
        at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:117)
        at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:87)
        at com.neo4j.server.enterprise.EnterpriseEntryPoint.main(EnterpriseEntryPoint.java:25)
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
        at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:197)
        at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476)
        at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361)
        at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
        at org.neo4j.ssl.PkiUtils.loadCertificates(PkiUtils.java:80)
        at org.neo4j.ssl.config.SslPolicyLoader.loadCertificateChain(SslPolicyLoader.java:278)
        ... 16 more
Caused by: java.io.IOException: Short read of DER length
        at java.base/sun.security.util.DerInputStream.getLength(DerInputStream.java:588)
        at java.base/sun.security.util.DerValue.<init>(DerValue.java:257)
        at java.base/sun.security.util.DerInputStream.getDerValue(DerInputStream.java:457)
        at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1822)
        at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:194)
        ... 21 more
2020-12-03 09:51:33.872+0000 INFO  Neo4j Server shutdown initiated by request

Any idea what could be going wrong here?

moxious commented 3 years ago

This is an issue with how you've specified your certificates. I'm going to have to close this issue because we can't provide support on internal Neo4j stuff here; this repo is for the helm chart specifically. That being said, the exception that you're encountering is because the file you've specified is malformed, and Neo4j could not work with this file in any deployment scenario, helm or otherwise.

Have a look here, and then at the Neo4j operations manual chapter on SSL for additional indications on certificate files & placement.

https://stackoverflow.com/questions/45303597/java-io-ioexception-short-read-of-der-length
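
Added example, not part of the thread and not Neo4j or helm chart code: a pre-flight check for a PEM file before it is mounted as a certificate chain. It reports each block's PEM label (the file shown above carries `PUBLIC KEY`, while an X.509 certificate block is labelled `CERTIFICATE`) and whether the outer DER length matches the decoded bytes. The function names and sample blocks are constructed for illustration, and `ok` means only that the label and DER envelope are consistent, not that the certificate is valid.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def declared_length(der):
    """Total size (header + content) announced by the outer DER TLV, or None if the length field is cut off."""
    if len(der) < 2:
        return None
    if der[1] < 0x80:                      # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_pem(text):
    """Return [(label, status)] for every PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error subclasses ValueError
            results.append((label, "invalid base64"))
            continue
        size = declared_length(der)
        if not der or der[0] != 0x30:      # certificates start with a SEQUENCE tag
            status = "not a DER SEQUENCE"
        elif size is None:
            status = "DER length field incomplete"
        elif size != len(der):
            status = "DER size mismatch"
        elif label != "CERTIFICATE":
            status = "well-formed DER, but not a certificate block"
        else:
            status = "ok"
        results.append((label, status))
    return results or [("", "no PEM block")]

def make_pem(label, der):
    """Build a constructed sample block (not real key material)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

SEQ = b"\x30\x03\x02\x01\x05"              # constructed: SEQUENCE { INTEGER 5 }
SAMPLES = {"cert": make_pem("CERTIFICATE", SEQ),
           "pubkey": make_pem("PUBLIC KEY", SEQ),
           "cut": make_pem("CERTIFICATE", b"\x30\x82\x01")}
```

Running `inspect_pem(open(path).read())` on the file before creating the Kubernetes secret surfaces a wrong block type or a cut-off body without waiting for the pod to crash-loop.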