Node.js: Neo4j Community in an AKS cluster no longer considers the certificate valid since it was renewed

myss37ts, posted on 2023-06-05 in Node.js
Follow (0) | Answers (1) | Views (187)

I have a Node.js server that uses MongoDB and Neo4j in an AKS cluster, all deployed via Helm charts. I have a certificate issued by Let's Encrypt that is used both for the server and for the Neo4j Bolt connection. I deployed the cluster in February and everything worked fine, but now, when writing to Neo4j, it throws a Failed to connect to server error with the reason Socket responded with: CERT_HAS_EXPIRED, and Neo4j Browser does not connect to the database either.

Neo4jError: Failed to connect to server. Please ensure that your database is listening on the correct host and port and that you have compatible encryption settings both on Neo4j server and driver. Note that the default encryption setting has changed in Neo4j 4.0. Caused by: Server certificate is not trusted. If you trust the database you are connecting to, use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add the signing certificate, or the server certificate, to the list of certificates trusted by this driver using `neo4j.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This  is a security measure to protect against man-in-the-middle attacks. If you are just trying  Neo4j out and are not concerned about encryption, simply disable it using `encrypted="ENCRYPTION_OFF"` in the driver options. Socket responded with: CERT_HAS_EXPIRED
0|server  |     at new Neo4jError (/usr/app/node_modules/neo4j-driver-core/lib/error.js:77:16)
0|server  |     at newError (/usr/app/node_modules/neo4j-driver-core/lib/error.js:113:12)
0|server  |     at NodeChannel._handleConnectionError (/usr/app/node_modules/neo4j-driver-bolt-connection/lib/channel/node/node-channel.js:227:56)
0|server  |     at TLSSocket.<anonymous> (/usr/app/node_modules/neo4j-driver-bolt-connection/lib/channel/node/node-channel.js:69:17)
0|server  |     at Object.onceWrapper (node:events:641:28)
0|server  |     at TLSSocket.emit (node:events:527:28)
0|server  |     at TLSSocket.onConnectSecure (node:_tls_wrap:1564:10)
0|server  |     at TLSSocket.emit (node:events:527:28)
0|server  |     at TLSSocket._finishInit (node:_tls_wrap:945:8)
0|server  |     at ssl.onhandshakedone (node:_tls_wrap:726:12) {
0|server  |   constructor: [Function: Neo4jError] { isRetriable: [Function (anonymous)] },
0|server  |   code: 'ServiceUnavailable',
0|server  |   retriable: true
0|server  | }

The certificate was already renewed in April, so my guess is that Neo4j is simply sticking with the first certificate. Is that possible?
This is the certificate:

Name:         tls-certificate
Namespace:    default
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: cluster
              meta.helm.sh/release-namespace: default
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-02-15T15:25:52Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          .:
          f:app.kubernetes.io/managed-by:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      helm
    Operation:    Update
    Time:         2023-02-15T15:25:52Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:revision:
    Manager:      cert-manager-certificates-issuing
    Operation:    Update
    Subresource:  status
    Time:         2023-04-16T14:27:13Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
    Manager:         cert-manager-certificates-readiness
    Operation:       Update
    Subresource:     status
    Time:            2023-04-16T14:27:13Z
  Resource Version:  20023818
  UID:               9edc761c-9382-4597-8048-ec5e85d0871d
Spec:
  Dns Names:
    xxx.westeurope.cloudapp.azure.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-issuer
  Secret Name:  tls-secret
Status:
  Conditions:
    Last Transition Time:  2023-02-15T15:26:48Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2023-07-15T13:27:11Z
  Not Before:              2023-04-16T13:27:12Z
  Renewal Time:            2023-06-15T13:27:11Z
  Revision:                2
Events:                    <none>

Now, looking at this message:
"use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add the signing certificate, or the server certificate, to the list of certificates trusted by this driver using `neo4j.driver(.., { trustedCertificates:['path/to/certificate.crt']})`"
I see that I did not put the certificate into the array of trusted certificates, but only used the secret created from the certificate.
The Neo4j SSL setting values in the Neo4j chart:

ssl:
    # setting per "connector" matching neo4j config
    bolt:
      privateKey:
        secretName: tls-secret
        subPath: tls.key
      publicCertificate:
        secretName: tls-secret
        subPath: tls.crt
      trustedCerts:
        sources: []
      revokedCerts:
        sources: []

After scaling the Neo4j cluster down to 0 replicas and back up to 1 replica, everything works again as expected, but how do I set it up so that this happens automatically? I don't see any TRUST_CUSTOM_CA_SIGNED_CERTIFICATES parameter in the Neo4j chart values. What is path/to/certificate.crt? Should I add the name of the certificate to the trustedCerts.sources array, like sources: [tls-certificate]?
Thanks a lot.

Answer 1, by 5t7ly7z5:

Assuming you are using the Helm charts https://github.com/neo4j/helm-charts, you need to refresh the secret you created with the certificate and then roll your cluster, or in your case scale to 0 and back up, so that the secret is picked up. Currently (Neo4j 5.8.0) the certificate is only read at startup. See https://neo4j.com/docs/operations-manual/current/kubernetes/configuration/#configure-ssl
