I have a Node.js server that uses MongoDb and Neo4j in an AKS cluster, all deployed via Helm charts. I have certificates issued by Let's Encrypt for the server and for the Neo4j Bolt connection. I deployed the cluster in February and everything worked, but now, when writing to Neo4j, it throws a Failed to connect to server error with the reason Socket responded with: CERT_HAS_EXPIRED, and Browser is not connecting to the database.
Neo4jError: Failed to connect to server. Please ensure that your database is listening on the correct host and port and that you have compatible encryption settings both on Neo4j server and driver. Note that the default encryption setting has changed in Neo4j 4.0. Caused by: Server certificate is not trusted. If you trust the database you are connecting to, use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add the signing certificate, or the server certificate, to the list of certificates trusted by this driver using `neo4j.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This is a security measure to protect against man-in-the-middle attacks. If you are just trying Neo4j out and are not concerned about encryption, simply disable it using `encrypted="ENCRYPTION_OFF"` in the driver options. Socket responded with: CERT_HAS_EXPIRED
0|server | at new Neo4jError (/usr/app/node_modules/neo4j-driver-core/lib/error.js:77:16)
0|server | at newError (/usr/app/node_modules/neo4j-driver-core/lib/error.js:113:12)
0|server | at NodeChannel._handleConnectionError (/usr/app/node_modules/neo4j-driver-bolt-connection/lib/channel/node/node-channel.js:227:56)
0|server | at TLSSocket.<anonymous> (/usr/app/node_modules/neo4j-driver-bolt-connection/lib/channel/node/node-channel.js:69:17)
0|server | at Object.onceWrapper (node:events:641:28)
0|server | at TLSSocket.emit (node:events:527:28)
0|server | at TLSSocket.onConnectSecure (node:_tls_wrap:1564:10)
0|server | at TLSSocket.emit (node:events:527:28)
0|server | at TLSSocket._finishInit (node:_tls_wrap:945:8)
0|server | at ssl.onhandshakedone (node:_tls_wrap:726:12) {
0|server | constructor: [Function: Neo4jError] { isRetriable: [Function (anonymous)] },
0|server | code: 'ServiceUnavailable',
0|server | retriable: true
0|server | }
The certificate was already renewed in April, so I'm guessing Neo4j is just sticking with the first certificate; is that possible?
Here is the certificate:
Name:         tls-certificate
Namespace:    default
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: cluster
              meta.helm.sh/release-namespace: default
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-02-15T15:25:52Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          .:
          f:app.kubernetes.io/managed-by:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      helm
    Operation:    Update
    Time:         2023-02-15T15:25:52Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:revision:
    Manager:      cert-manager-certificates-issuing
    Operation:    Update
    Subresource:  status
    Time:         2023-04-16T14:27:13Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
    Manager:      cert-manager-certificates-readiness
    Operation:    Update
    Subresource:  status
    Time:         2023-04-16T14:27:13Z
  Resource Version:  20023818
  UID:               9edc761c-9382-4597-8048-ec5e85d0871d
Spec:
  Dns Names:
    xxx.westeurope.cloudapp.azure.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-issuer
  Secret Name:  tls-secret
Status:
  Conditions:
    Last Transition Time:  2023-02-15T15:26:48Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2023-07-15T13:27:11Z
  Not Before:              2023-04-16T13:27:12Z
  Renewal Time:            2023-06-15T13:27:11Z
  Revision:                2
Events:                    <none>
Now, looking at this message: use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add the signing certificate, or the server certificate, to the list of certificates trusted by this driver using `neo4j.driver(.., { trustedCertificates:['path/to/certificate.crt']})`; I see that I haven't put the certificate in the trusted certificates array, and have only used the secret created by the certificate.
The Neo4j SSL settings in the values of the Neo4j chart:
ssl:
  # setting per "connector" matching neo4j config
  bolt:
    privateKey:
      secretName: tls-secret
      subPath: tls.key
    publicCertificate:
      secretName: tls-secret
      subPath: tls.crt
    trustedCerts:
      sources: []
    revokedCerts:
      sources: []
After scaling the Neo4j cluster down to 0 replicas and back up to 1 replica, it works again as expected, but how do I set this up so that it is automated? I don't see any TRUST_CUSTOM_CA_SIGNED_CERTIFICATES parameter in the values of the Neo4j chart. What is path/to/certificate.crt? Should I add the name of the certificate to the trustedCerts.sources array, like sources: [tls-certificate]?
Many thanks.
1 answer
Assuming you are using the Helm charts at https://github.com/neo4j/helm-charts, you need to refresh the secret you created with the certificate and then roll your cluster, or in your case scale to 0 and back up, to pick up the secret. Currently (Neo4j 5.8.0) certificates are only picked up at startup. See https://neo4j.com/docs/operations-manual/current/kubernetes/configuration/#configure-ssl
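An added example (not from the question, the answer, or the Neo4j chart) of automating what the answer describes: compare the certificate Neo4j actually presents on Bolt with the tls.crt that cert-manager has written into tls-secret, and roll the StatefulSet only when they differ. The comparison is by SHA-256 fingerprint of the DER bytes, so it does not depend on parsing the certificate and works even while the served certificate is already expired. Two caveats it rests on: the failure on the page is the server still presenting the February certificate after cert-manager renewed the secret in April, so the driver-side trustedCertificates / TRUST_CUSTOM_CA_SIGNED_CERTIFICATES option quoted in the error is not the fix (the Let's Encrypt chain is already trusted by the driver), and the chart's trustedCerts.sources configures what the Neo4j server trusts, not what the driver trusts. The StatefulSet name, the Bolt hostname and port, and kubectl being on the script's PATH with cluster access are assumptions; the two sample PEMs at the bottom are constructed so the comparison logic can be exercised offline, and their bodies are not real certificates.

```python
"""Roll Neo4j when the certificate it serves on Bolt no longer matches the
cert-manager secret. Added example; not code from the original post or the
Neo4j Helm chart.

Assumptions not stated on the page: the Neo4j StatefulSet is named
NEO4J_STATEFULSET in NAMESPACE, Bolt is reachable at BOLT_HOST:BOLT_PORT,
and kubectl on PATH can read the secret and restart the StatefulSet.
"""
import base64
import hashlib
import re
import ssl
import subprocess
import sys

NAMESPACE = "default"
SECRET_NAME = "tls-secret"                       # secretName of the Certificate on the page
NEO4J_STATEFULSET = "neo4j"                      # assumption: name of the Neo4j StatefulSet
BOLT_HOST = "xxx.westeurope.cloudapp.azure.com"  # dnsNames entry (redacted on the page)
BOLT_PORT = 7687                                 # assumption: default Bolt port

# First CERTIFICATE block only: tls.crt from cert-manager holds the leaf first,
# followed by the chain, and the leaf is what we want to compare.
_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER bytes of the first certificate in `pem`.
    Line wrapping and whitespace inside the PEM body do not change the result."""
    match = _PEM_BODY.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def needs_restart(served_pem: str, secret_pem: str) -> bool:
    """True when Neo4j is still presenting a certificate other than the one
    cert-manager has written into the secret, i.e. it has not reloaded it."""
    return pem_fingerprint(served_pem) != pem_fingerprint(secret_pem)


def served_cert_pem(host: str, port: int) -> str:
    """Fetch the leaf certificate Neo4j presents on Bolt. No CA is supplied, so
    the handshake is not verified and an already expired cert is still returned."""
    return ssl.get_server_certificate((host, port))


def secret_cert_pem(namespace: str, secret: str) -> str:
    """Read tls.crt from the Kubernetes TLS secret via kubectl."""
    out = subprocess.run(
        ["kubectl", "get", "secret", secret, "-n", namespace,
         "-o", "jsonpath={.data.tls\\.crt}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return base64.b64decode(out).decode()


def restart_statefulset(namespace: str, name: str) -> None:
    """Same effect as the scale-to-0-and-back in the answer: pods restart and
    Neo4j reads the current secret at startup."""
    subprocess.run(
        ["kubectl", "rollout", "restart", f"statefulset/{name}", "-n", namespace],
        check=True,
    )


# Constructed sample PEMs for offline demonstration of the comparison logic.
# The bodies are arbitrary bytes, not real certificates.
SAMPLE_OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed DER body: certificate issued in February")
SAMPLE_NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed DER body: certificate renewed in April")


def main() -> int:
    served = served_cert_pem(BOLT_HOST, BOLT_PORT)
    secret = secret_cert_pem(NAMESPACE, SECRET_NAME)
    if needs_restart(served, secret):
        print("served certificate differs from the secret; rolling Neo4j")
        restart_statefulset(NAMESPACE, NEO4J_STATEFULSET)
        return 1
    print("Neo4j is serving the current certificate")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on a schedule (a CronJob in the cluster or a pipeline step) at least daily. With the Certificate shown on the page, cert-manager rewrites the secret at Renewal Time (2023-06-15), a month before Not After (2023-07-15), so a daily check rolls Neo4j well inside that window instead of after the old certificate has expired. A rollout restart interrupts Bolt briefly; with a single replica that is a short outage rather than a rolling one, which is the same cost the manual scale-to-0 incurred.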