API GET '/api/server/version' failed, error was: {"code":"CERT_HAS_EXPIRED"}

Hi all,

I have an issue when running sonarqube task from azure devops. I’ve got this error message:

API GET ‘/api/server/version’ failed, error was: {“code”:“CERT_HAS_EXPIRED”}

Version of sonarqube: 9.0
Azure devops agent version: ubuntu-18.04

Certificate on website is still available
Even restart the server didn’t resolve my problem

5 Likes

Are you using LetsEncrypt for certificate issuance for your SonarQube instance? We’re experiencing the same issue right now, with LetsEncrypts DST Root CA X3 expired today, with certificate issuance handled by cert-manager in our k8s cluster (where SonarQube is deployed via DockerHub 8.9.2 LTS image).

Tried updating/restarting hosted Azure DevOps agents, the box they are hosted on. Still getting the CERT_HAS_EXPIRED error as well.

edit: cert chain is valid from browsers and CLI tools (e.g. WGET) on both Windows and Linux boxes. So this seems to be an issue with the Azure DevOps task or the build agents.

edit 2: this is occuring on the SonarQubePrepare task in our pipeline

edit 3: To be clear, the box our build agents are hosted on trusts the new ISRG Root X1 cert (which expires in 2035) already, and which is the root CA on our LetsEncrypt cert securing our SonarQube deployment.

2 Likes

The same thing is happening to us in Azure DevOps, the task failing is SonarQubePrepare, running from a Windows Server 2019 VM.

1 Like

We have the same issue
Exactly same debug process has been tested as Chris Crook’s above.

1 Like

Just to follow up further: we had LetsEncrypt re-issue a cert for our SonarQube deployment via:

kubectl cert-manager renew <tls secret name>

Confirmed the new cert was re-issued today. Still get the CERT_HAS_EXPIRED error.

sonarqube ← R3 ← ISRG Root X1 cert chain on both the new and old cert

@crookc I’ve also renewed my certificates today, to be sure, and the error persisted.

These are the steps I tried:

  • Renew letsencrypt server certificates for my Sonarqube instance.
  • Update Azure Devops self-hosted runners.
  • Restart Azure Devops self-hosted runners services.

None of these worked. My SonarQube instance is completely accessible, and my browser and other services are not getting the same error regarding the certificate, only the “SonarQubePrepare” task in Azure Devops.

PS. my infrastructure is not running on K8S, it is a standalone Ubuntu 20.04 Server.

1 Like

Same issue from azure devops pipeline .

Additionally, we deleted and recreated our SonarQube Service Connection in AzureDevops. Still not functional.

1 Like

Additionally from github action it works

1 Like

Still not sure the root cause of this. Per CERT_HAS_EXPIRED issue on SonarQube - Get help / SonarQube - SonarSource Community it was potentially related to a node JS version / issue.

Confirmed that quick node script performing a GET to the indicated /api/server/version endpoint works just fine on the machine where our hosted build agents are running. So that appears to be ruled out.

This is a blocker to our CI system at the moment. cc: @mickaelcaro since you ran into something similar before.

Same here - we are facing this issue as well. I created a ticket in the repo of the hosted agents. Those are okay at least for java (as the installed java version is only java 8).

Guess this plugin needs a fix.

1 Like

Same problem here

As many of you my issue append during preparation task.
upgrading agent, changing from ubuntu to windows have no effect.
downgrade task version (from 4.* to 3.*) neither

for your information, we have just received a reply to our sonarqube support email. the answer is to change the server certificate. We are testing and I will get back to you.

Hi there,

Thanks for the report

Please post any update of question on that thread so that we can centralize communication : CERT_HAS_EXPIRED issue on SonarQube - #22 by mattduguid

I’m closing this one.

Thanks.

Hi All

Please see this update as we are having to revert the previous fix and action may be required by you.

Apologies for any inconvenience this may cause

Tom