Unable to connect to Neo4j using Neo4j browser #257

darshanmehta10 opened this issue May 30, 2020 · 16 comments
@darshanmehta10

I have a Neo4j graph with just 100 documents in it. The structure looks like below:

"Person" : {
  "id":"string",
  "name":"string",
  "companies":[
    {
      "id":"string",
      "name":"string"
    }
  ]
}

In the Neo4j browser, when I try to execute the query match (n:Person) return n limit 10, it takes a long time to respond, eventually times out and returns an error in the browser:

WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket `readyState` is: 3

Neo4j runs on a remote node for me (in Docker) and I am accessing it from my local machine. As mentioned in this link, I have also set dbms.connector.bolt_listen_address to 0.0.0.0:7687 for it to accept the remote connections. Below is the docker run command:

docker run \
    --name neo4j \
    -p7474:7474 -p7687:7687 \
    -d \
    -v /root/neo4j/data:/data \
    -v /root/neo4j/logs:/logs \
    -v /root/neo4j/import:/var/lib/neo4j/import \
    -v /root/neo4j/plugins:/plugins \
    --env NEO4J_AUTH=neo4j/test \
    --env NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687 \
    neo4j:4.0.4

Neo4j Version: 4.0.4
Operating System: Debian GNU/Linux 10 (buster)
API: Docker

Steps to reproduce

  1. Pull the image: docker pull neo4j/neo4j:4.0.4
  2. Start the container using the above command
  3. Add documents as per the structure above
  4. Try to query the graph in Neo4j browser

Expected behavior

Neo4j browser should show the nodes and edges in the graph

Actual behavior

All the queries fail with the WebSocket error described above

@darshanmehta10
Author

Update

I tried to re-run the container with HTTPS (by performing the steps mentioned in this comment). I also made Chrome accept the certificate to get rid of the warning.

Now, when I open the browser at https://my-ip:7473/browser, Chrome shows it as being secured. However, when I try to log in, I still get the following error:

WebSocket connection failure. Due to security constraints in your web browser,
the reason for the failure is not available to this Neo4j Driver. Please use your 
browsers development console to determine the root cause of the failure. Common 
reasons include the database being unavailable, using the wrong connection URL 
or temporary network problems. If you have enabled encryption, ensure your
browser is configured to trust the certificate Neo4j is configured to use. 
WebSocket `readyState` is: 3

I hoped that this error would go away by using the trusted certificate. However, it's still there. Am I missing anything here?

@jennyowen jennyowen transferred this issue from neo4j/neo4j Jun 1, 2020
@jennyowen
Member

@darshanmehta10 For the Websockets warning, this is the same issue as #240 which has been fixed for Neo4j 4.0.4.
Adding the --env NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687 argument is probably what's breaking this for you.
The instructions you linked to apply to older versions of Neo4j.

For the second issue about SSL, you haven't enabled port 7473 in docker (at least as far as I can tell from the code you posted) yet you're trying to connect to it in the browser.
That's not gonna work. You'll need to add the argument -p 7473:7473.

@jennyowen jennyowen self-assigned this Jun 1, 2020
@darshanmehta10
Author

darshanmehta10 commented Jun 1, 2020

@jennyowen thanks for the response. I have updated my docker run command to this:

docker run \
    --name neo4j \
    -p7474:7474 -p7687:7687 -p 7473:7473 \
    -d \
    -v /root/neo4j/data:/data \
    -v /root/neo4j/logs:/logs \
    -v /root/neo4j/import:/var/lib/neo4j/import \
    -v /root/neo4j/plugins:/plugins \
    -v /root/neo4j/certificates:/var/lib/neo4j/certificates \
    --env NEO4J_AUTH=neo4j/test \
    --env NEO4J_dbms_connector_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_enabled=true \
    neo4j:4.0.4

It now exposes the port and no longer has the NEO4J_dbms_connector_bolt_listen__address property. However, I still get the same error while trying to access it. Chrome doesn't let me pass through the login screen. Do I need to change anything else?

@rogierc

rogierc commented Jun 1, 2020

I am getting the same error when running the browser from a remote machine.
When I log into the container and use cypher-shell from within the container, it works.

My compose file:

version: "3.3"

volumes:
    neo4j_data:
        external: true
    neo4j_logs:
        external: true

services:
    neo4j:
        container_name: compose_neo4j_1
        build:
            context: ../container
        volumes:
            - type: volume
              source: neo4j_data
              target: /data
            - type: volume
              source: neo4j_logs
              target: /logs
        ports:
            - "7473:7473"
            - "7474:7474"
            - "7687:7687"
        restart: unless-stopped

The Dockerfile that is built:

FROM neo4j:4.0.4

ENV NEO4J_AUTH=neo4j/test

@rogierc

rogierc commented Jun 1, 2020

Could be it is something other than authentication...

The debug.log shows that every 10 secs neo4j is restarting, without any warning or error.

@jennyowen
Member

@darshanmehta10 I did a re-write of our SSL documentation, which the doc team kindly published today to help with your issue. Could you try following one of the HTTPS encryption examples here:
https://neo4j.com/docs/operations-manual/current/docker/security/

@rogierc neo4j infinitely restarting like that tends to be caused by a store lock on the database. There might be another active neo4j container using your data volume. I don't think this is the same problem as the one reported here, so could you create a new issue and include reproduction information and the error and error stack trace from the debug.log?

@rogierc

rogierc commented Jun 2, 2020

@jennyowen
I did a rebuild of the container and volumes. The restarting has disappeared now. I assume something got stuck during experimenting and restarting the container. I will create another issue when I'm able to reproduce.

@rogierc

rogierc commented Jun 2, 2020

I seem to have solved the connect issue in my neo4j container. Now I can issue cypher queries in the browser that get executed by the server as expected.

I added NEO4J_dbms_connector_bolt_advertised__address to the environment of the container. The Dockerfile now contains:

FROM neo4j:4.0.4

ENV NEO4J_AUTH=neo4j/test

ENV NEO4J_dbms_connector_bolt_advertised__address=192.168.0.20:7687

192.168.0.20:7687 is the externally accessible address of the websocket.

The http and https connectors have comparable configuration properties. It seems these are not needed. I'm not entirely sure about that though.

@darshanmehta10
Author

@jennyowen thanks for updating the page.

I tried the 2nd and 3rd examples on the page. However, I am still getting the same error.

Try 1:

Contents of https directory:

root@host:~/neo4j/certificates/https# ls -l
total 16
-rwx------ 1 systemd-timesync systemd-journal 1704 May 31 23:03 private.key
-rwx------ 1 systemd-timesync systemd-journal 1038 May 31 23:03 public.crt
drwx------ 2 systemd-timesync systemd-journal 4096 May 31 22:08 revoked
drwx------ 2 systemd-timesync systemd-journal 4096 May 31 22:27 trusted

Docker run command:

docker run \
    --name neo4j \
    -p7474:7474 -p7687:7687 -p 7473:7473 \
    -d \
    -v /root/neo4j/data:/data \
    -v /root/neo4j/logs:/logs \
    -v /root/neo4j/import:/var/lib/neo4j/import \
    -v /root/neo4j/plugins:/plugins \
    -v /root/neo4j/certificates:/ssl \
    --env NEO4J_AUTH=neo4j/test \
    --env NEO4J_dbms_connector_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_base__directory=/ssl/https \
    neo4j:4.0.4

Result:

Same error in Chrome while logging in. In the dev toolbar, I see this: Error in connection establishment: net::ERR_CONNECTION_CLOSED

Try 2:

Contents of directories:

root@host:~/neo4j/certificates# ls -l
total 8
drwxr-xr-x 4 root             root            4096 Jun  2 20:02 bolt
drwxr-xr-x 4 systemd-timesync systemd-journal 4096 May 31 23:03 https
root@orionx-infra-2:~/neo4j/certificates# ls -l bolt
total 16
-rwxr-xr-x 1 root root 1704 Jun  2 20:02 private.key
-rwxr-xr-x 1 root root 1038 Jun  2 20:02 public.crt
drwxr-xr-x 2 root root 4096 Jun  2 20:02 revoked
drwxr-xr-x 2 root root 4096 Jun  2 20:02 trusted
root@host:~/neo4j/certificates# ls -l https/
total 16
-rwx------ 1 systemd-timesync systemd-journal 1704 May 31 23:03 private.key
-rwx------ 1 systemd-timesync systemd-journal 1038 May 31 23:03 public.crt
drwx------ 2 systemd-timesync systemd-journal 4096 May 31 22:08 revoked
drwx------ 2 systemd-timesync systemd-journal 4096 May 31 22:27 trusted

Docker run command:

docker run \
    --name neo4j \
    -p7474:7474 -p7687:7687 -p 7473:7473 \
    -d \
    -v /root/neo4j/data:/data \
    -v /root/neo4j/logs:/logs \
    -v /root/neo4j/import:/var/lib/neo4j/import \
    -v /root/neo4j/plugins:/plugins \
    -v /root/neo4j/certificates:/ssl \
    --env NEO4J_AUTH=neo4j/test \
    --env NEO4J_dbms_connector_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_base__directory=/ssl/https \
    --env NEO4J_dbms_ssl_policy_bolt_enabled=true \
    --env NEO4J_dbms_ssl_policy_bolt_base__directory=/ssl/bolt \
    neo4j:4.0.4

Result:

Same error while logging in from Chrome.
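
An added example, not part of the thread and not the project's own tooling: a small linter for the `docker run` commands posted above. It maps `NEO4J_*` variables back to setting names using the naming rule visible in `listen__address`, then flags an enabled connector whose port is not published (the point raised about 7473) and an SSL policy base directory that is not inside a mounted volume. The names `lint`, `options` and `env_to_setting` are hypothetical, and the default of a disabled HTTPS connector in 4.0 is an assumption.

```python
import shlex

# Default connector ports; Neo4j Browser's WebSocket goes to the bolt port.
PORTS = {"http": 7474, "https": 7473, "bolt": 7687}
FLAGS = {"-p": "port", "--publish": "port", "-v": "vol", "--volume": "vol",
         "-e": "env", "--env": "env"}

def env_to_setting(name):
    """NEO4J_dbms_ssl_policy_https_base__directory -> dbms.ssl.policy.https.base_directory"""
    return name[len("NEO4J_"):].replace("__", "\0").replace("_", ".").replace("\0", "_")

def options(cmd):
    """Yield (kind, value) for the '-p X', '-pX' and '--publish=X' spellings."""
    tokens = iter(shlex.split(cmd.replace("\\\n", " ")))
    for tok in tokens:
        for flag, kind in FLAGS.items():
            if tok == flag:
                yield kind, next(tokens, "")
            elif tok.startswith(flag + "="):
                yield kind, tok[len(flag) + 1:]
            elif len(flag) == 2 and tok.startswith(flag) and len(tok) > 2:
                yield kind, tok[2:]

def lint(cmd):
    ports, mounts, conf = set(), [], {}
    for kind, value in options(cmd):
        if kind == "port":        # host:container[/proto] -> container port
            ports.add(int(value.rsplit(":", 1)[-1].split("/")[0]))
        elif kind == "vol":       # host:container[:mode] -> container path
            mounts.append(value.split(":")[1] if ":" in value else value)
        elif value.startswith("NEO4J_"):
            name, _, setting = value.partition("=")
            conf[env_to_setting(name)] = setting
    findings = []
    for conn, port in PORTS.items():
        default = "false" if conn == "https" else "true"   # assumed 4.0 defaults
        if conf.get(f"dbms.connector.{conn}.enabled", default) == "true" and port not in ports:
            findings.append(f"{conn}: port {port} is not published")
    for key, path in conf.items():
        if key.startswith("dbms.ssl.policy.") and key.endswith(".base_directory"):
            if not any(path == m or path.startswith(m + "/") for m in mounts):
                findings.append(f"{key}={path} is outside every mounted volume")
    return findings

# Constructed sample, modelled on the commands in this thread.
SAMPLE = r"""docker run -d -p7474:7474 -p7687:7687 \
    -v /root/neo4j/certificates:/var/lib/neo4j/certificates \
    --env NEO4J_dbms_connector_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_base__directory=/ssl/https neo4j:4.0.4"""
```

`lint(SAMPLE)` reports both problems; an empty list only means the ports and mounts line up, not that the certificates themselves are accepted by the browser.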

@darshanmehta10
Author

darshanmehta10 commented Jun 2, 2020

Update

I tried adding the property NEO4J_dbms_connector_bolt_advertised__address in docker run. However, I am still getting the same error. I am using an instance hosted in the cloud and have enabled all the ports and protocols in the firewall rules to take the networking out of the picture. Below is my docker run command:

docker run \
    --name neo4j \
    -p7474:7474 -p7687:7687 -p 7473:7473 \
    -d \
    -v /root/neo4j/data:/data \
    -v /root/neo4j/logs:/logs \
    -v /root/neo4j/import:/var/lib/neo4j/import \
    -v /root/neo4j/plugins:/plugins \
    -v /root/neo4j/certificates:/ssl \
    --env NEO4J_AUTH=neo4j/test \
    --env NEO4J_dbms_connector_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_enabled=true \
    --env NEO4J_dbms_ssl_policy_https_base__directory=/ssl/https \
    --env NEO4J_dbms_ssl_policy_bolt_enabled=true \
    --env NEO4J_dbms_ssl_policy_bolt_base__directory=/ssl/bolt \
    --env NEO4J_dbms_connector_bolt_advertised__address=<ip>:7687 \
    neo4j:4.0.4

@rogierc could you post the exact docker run command that worked for you? Also, are you using a self signed certificate?

Btw, here's the command I used to generate the certificate and key:

openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout private.key \
-new \
-out public.crt \
-subj /CN=Hostname \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=DNS:hostname,IP:<my_host_ip>')) \
-sha256 \
-days 365

@jennyowen
Member

@darshanmehta10 I'm using a self-signed certificate and I'm getting the same results as you. I'm going to need to consult with my colleagues about how to fix this. Sorry about that. You may be able to use cypher-shell (downloadable from https://neo4j.com/download-center) to interact with your database through the command line.

@darshanmehta10
Author

@jennyowen thanks for the update, I will await the fix. As my requirement is to primarily visualize the data, I would need neo4j browser along with cypher-shell. And yes, I am looking into tools like bloom as well.
While we fix this, do you know whether this would work with older versions (3.x) of the image?

@jennyowen
Member

@darshanmehta10 3.5 versions and earlier support the legacy ssl interface which is much simpler to set up for docker. See:

Instead of having your certificates at /root/neo4j/certificates/https/{private.key,public.crt}, rename them to /root/neo4j/certificates/{neo4j.key,neo4j.cert}. Then you can mount /root/neo4j/certificates to /ssl and it just works.

I was able to connect and log in with the browser over https by making the certificates change and running:

docker run --rm \
    --publish=7473:7473 \
    --publish=7474:7474 \
    --publish=7687:7687 \
    --volume=/path/to/certificates:/ssl \
    --user="$(id -u):$(id -g)" \
    --env NEO4J_AUTH=none \
    neo4j:3.5

I would recommend making a backup copy of your data folder though, because downgrading the database isn't something we generally test for.

@eastlondoner
Contributor

eastlondoner commented Jun 4, 2020

Hi @darshanmehta10 I have a draft article on how to do tls with neo4j 4.0 docker containers that might help you.

I can't guarantee that it will but here is a link to it - please let me know if you try it whether or not it works
https://medium.com/@aejefferson/connecting-to-neo4j-4-0-with-ssl-1fe9a4e1a9f7
p.s. you will have to log in to view it on Medium because it is a draft article, sorry if that's difficult.

@rogierc

rogierc commented Jun 4, 2020

@darshanmehta10
My run command is issued by docker-compose based on the configuration given above. It's a very basic setup for experimenting using unencrypted communication. I'm not using a certificate right now.

@darshanmehta10
Author

@jennyowen I am able to run the container successfully using neo4j:3.5, thanks for your inputs.
@eastlondoner Thanks for the article, I will have a look at it and come back to you.
