javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown #272

Open
JnMik opened this issue Aug 29, 2020 · 1 comment
JnMik commented Aug 29, 2020

Hello guys!

neo4j version: 4.1.1-enterprise
In docker using the helm chart, with only 3 core containers
The certificate is a self-signed certificate mounted as a volume, that was generated by cert-manager.

I discovered this in my logs:

2020-08-28 15:07:38 | 2020-08-28 19:07:38.217+0000 ERROR [o.n.b.t.TransportSelectionHandler] Fatal error occurred when initialising pipeline: [id: 0xe9077ca6, L:/10.4.17.125:7687 ! R:/10.4.12.17:9888] javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Only the third server in a cluster of 3 has this in its logs. (Maybe because it's the write server of some DB or something like that.) All my containers use the same certificate, so it's a bit weird that this is only occurring on the third node.

I checked the certificate content in each container and they are identical.

The clients don't seem to have issues connecting to the cluster.

Do you have any guidance that could help me figure this out?

Thanks!

@jennyowen
Member

@JnMik The documentation for SSL encryption with docker containers is here:
https://neo4j.com/docs/operations-manual/current/docker/security/
which has a worked example for bolt and https encryption. Since you can connect to the cluster already, I'll guess that you already saw that though.

Self-signed certificates can be troublesome, and it sounds like you have quite a few moving parts that could be contributing to the problem.
Here's how I'd recommend breaking down investigating this:

  • try your certificate and ssl configuration settings with a docker container running locally. If that works, it's not your certificate that's broken.
  • launch a standalone neo4j pod (so no clustering), using your ssl settings and k8s networking settings. Does that work?
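
Added example, not part of the thread or of the Neo4j project: a small Python parser for the log line format quoted in the issue, which groups received TLS alerts by the remote peer (the `R:` address) so the connecting side that rejects the certificate can be identified before working through the steps above. Only the first sample line comes from the issue; the other lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Netty channel descriptor plus JSSE alert, as in the log line quoted in the issue.
# L: is the local (Neo4j) socket, R: is the remote peer. "Received fatal alert"
# means the remote peer sent the alert, i.e. it rejected the certificate it was shown.
ALERT_RE = re.compile(
    r"\[id: 0x[0-9a-f]+, L:/(?P<local_ip>[\d.]+):(?P<local_port>\d+) [-!] "
    r"R:/(?P<remote_ip>[\d.]+):(?P<remote_port>\d+)\]"
    r".*?SSLHandshakeException: Received fatal alert: (?P<alert>\w+)"
)

def parse_alerts(lines):
    """Return one dict per line that records a TLS alert received from a peer."""
    events = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            event = m.groupdict()
            event["local_port"] = int(event["local_port"])
            event["remote_port"] = int(event["remote_port"])
            events.append(event)
    return events

def rejecting_peers(lines):
    """Count alerts per (remote IP, local listener port, alert name).

    The remote source port is ephemeral, so it is left out of the key."""
    return Counter(
        (e["remote_ip"], e["local_port"], e["alert"]) for e in parse_alerts(lines)
    )

# First entry reproduces the line from the issue; the rest are constructed samples.
_TEMPLATE = (
    "{ts} ERROR [o.n.b.t.TransportSelectionHandler] Fatal error occurred when "
    "initialising pipeline: [id: {cid}, L:/10.4.17.125:7687 ! R:/{peer}] "
    "javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"
)
SAMPLE_LOG = [
    _TEMPLATE.format(ts="2020-08-28 19:07:38.217+0000", cid="0xe9077ca6", peer="10.4.12.17:9888"),
    _TEMPLATE.format(ts="2020-08-28 19:08:08.301+0000", cid="0x1a2b3c4d", peer="10.4.12.17:10412"),
    _TEMPLATE.format(ts="2020-08-28 19:09:01.004+0000", cid="0x5e6f7a8b", peer="10.4.12.99:5555"),
    "2020-08-28 19:09:02.000+0000 INFO  constructed unrelated line",
]

if __name__ == "__main__":
    for (ip, port, alert), n in rejecting_peers(SAMPLE_LOG).most_common():
        print(f"{ip} -> local port {port}: {alert} x{n}")
```

A remote address that recurs in the output points at the client or pod whose trust configuration does not accept the certificate served on that listener.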
