Azure pipeline: Error while executing SonarQube:Prepare task: [SQ] API GET '/api/server/version' failed

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension) : Sonar Qube Version: v9.9.5 (build 90363)
  • how is SonarQube deployed: zip, Docker, Helm: We use SonarQube Developer Edition, hosted on an Azure Windows VM.


Error:

2024-12-09T13:02:03.8285493Z ##[section]Starting: Prepare Code Analysis
2024-12-09T13:02:03.8293483Z ==============================================================================
2024-12-09T13:02:03.8293644Z Task : Prepare Analysis Configuration
2024-12-09T13:02:03.8293729Z Description : Prepare SonarQube analysis configuration
2024-12-09T13:02:03.8293839Z Version : 6.3.4
2024-12-09T13:02:03.8293916Z Author : sonarsource
2024-12-09T13:02:03.8293989Z Help : More Information
2024-12-09T13:02:03.8294162Z ==============================================================================
2024-12-09T13:02:05.9237181Z ##[warning]Error while executing SonarQube:Prepare task: [SQ] API GET ‘/api/server/version’ failed, error is request to https://rhs-sq.alight.com/api/server/version failed, reason: unable to get local issuer certificate
2024-12-09T13:02:05.9241004Z ##[error][SQ] API GET ‘/api/server/version’ failed, error is request to https://rhs-sq.alight.com/api/server/version failed, reason: unable to get local issuer certificate
2024-12-09T13:02:05.9375479Z ##[section]Finishing: Prepare Code Analysis

Hey there.

It looks like your SonarQube server uses some self-signed certificates to serve itself over HTTPS. You’ll need to pass your certificate to the Node process. Here’s some advice already offered in this community:

So the cert is mandatory to resolve this issue. We are using an Azure VMSS agent for the pipeline; do we have any documentation for the process to place the files and use them in the pipeline?

It sounds like you may need to customize your scale set so that the cert is available on all agents.

While doing this, you can even set NODE_EXTRA_CA_CERTS on the VM so that it applies to all jobs, and you don’t have to handle any config in your pipeline.

How do you handle this for other services in your CI/CD job that are hosted on-prem with self-signed certificates? Or is SonarQube the only one? If so, it might be good to question whether or not using a self-signed cert is really a good idea here.

Do I need to install the SonarQube cert in the agent VM?

Yes ultimately, if you continue to use a SonarQube server with a self-signed certificate, that cert will somehow need to be recognized within your agent VM. Please see my previous post.

Can I install the service certificate, the host cert which I installed on the SonarQube server, or do I need to generate the self-signed cert again, or can I use the cert I used in the SAML configuration?

SAML configuration probably isn’t relevant here. If you’re not sure how to find your cert, I suggest downloading it using a command line tool like openssl.

I have made the suggested changes: added the cert on the Azure agent machine and defined the NODE_EXTRA_CA_CERTS environment variable as well, but still the same issue.


I believe you need to use a .pem file.

I have generated the .pem file and updated the environment variable, but I am still facing the same issue.


It looks like you’ve set a private key, not a certificate.

For example if I run

openssl s_client -connect sonarcloud.io:443 -showcerts

I get the following CERTIFICATEs.

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C=US, O=Amazon, CN=Amazon RSA 2048 M03
   i:C=US, O=Amazon, CN=Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:26:04 2022 GMT; NotAfter: Aug 23 22:26:04 2030 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C=US, O=Amazon, CN=Amazon Root CA 1
   i:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 3 s:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   i:C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

This is the format you should expect to have.
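An added example, not part of the original thread: a structural check for the file that NODE_EXTRA_CA_CERTS points to, which rejects the private-key mix-up described above. The function name `auditCaBundle` and the sample PEM data are constructed for illustration; the check looks only at PEM labels and the first DER byte and does not verify any certificate chain.

```javascript
// Added example: classify the PEM blocks in a candidate CA bundle.
// Structural check only; it does not verify signatures or build a chain.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)\r?\n-----END \1-----/g;

function auditCaBundle(pemText) {
  const report = { certificates: 0, privateKeys: 0, other: [], problems: [] };
  for (const [, label, body] of pemText.matchAll(PEM_BLOCK)) {
    if (label === 'CERTIFICATE') {
      const der = Buffer.from(body.replace(/\s+/g, ''), 'base64');
      // A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
      if (der.length === 0 || der[0] !== 0x30) {
        report.problems.push('CERTIFICATE block does not decode to a DER SEQUENCE');
      } else {
        report.certificates += 1;
      }
    } else if (label.endsWith('PRIVATE KEY')) {
      report.privateKeys += 1;
    } else {
      report.other.push(label);
    }
  }
  if (report.privateKeys > 0) {
    report.problems.push('file contains a private key; a CA bundle needs certificates only');
  }
  if (report.certificates === 0) {
    report.problems.push('no usable CERTIFICATE block found');
  }
  report.ok = report.problems.length === 0;
  return report;
}

// Constructed sample data (not real key or certificate material).
const fakeDer = Buffer.from([0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x00]).toString('base64');
const pem = (label, b64) => `-----BEGIN ${label}-----\n${b64}\n-----END ${label}-----\n`;

const keyOnly = pem('PRIVATE KEY', fakeDer);
// openssl pkcs12 output carries "Bag Attributes" text before each block; it is skipped.
const certOnly = 'Bag Attributes\n    friendlyName: constructed\n' + pem('CERTIFICATE', fakeDer);
const mixed = certOnly + pem('RSA PRIVATE KEY', fakeDer);

for (const [name, text] of Object.entries({ keyOnly, certOnly, mixed })) {
  const r = auditCaBundle(text);
  console.log(name, r.ok ? 'OK' : 'REJECT', r.problems.join('; '));
}
```

Node reads NODE_EXTRA_CA_CERTS only when a process starts, so processes that were already running do not pick up a changed value or file.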

I have updated it and generated it again in cert format. Below are the commands I used.
openssl s_client -connect rhs-sq.alight.com:443 -showcerts
openssl pkcs12 -in rhs-sq.alight.com.pfx -passin pass:password1 -out crt.pem -clcerts -nokeys
Still the same error.

I have done the below steps, but I am still facing the error.

  1. Generated the pem file, using the commands:
    openssl s_client -connect rhs-sq.alight.com:443 -showcerts
    openssl pkcs12 -in rhs-sq.alight.com.pfx -passin pass:password1 -out crt.pem -clcerts -nokeys
  2. Added the .pem cert to the Azure agent VM trusted root certs.
  3. Added the environment variable NODE_EXTRA_CA_CERTS on the Azure agent VM and gave it the path to the .pem cert.
  4. Added the .pem cert to the Java truststore.

I have done the above 3 steps and am still facing the error; no change in the error message.
I have restarted the agent VM and checked that the changes are applied before running the pipeline.
From the agent VM I am able to resolve the SonarQube site DNS, and I am able to run a curl command for https://rhs-sq.alight.com/api/server/version and get the value as well.

When I run the command, I could only see 2 certificate details; in your details I could see 4. Is that an issue?

And I can see the below error when I run the command openssl s_client -connect rhs-sq.alight.com:443 -showcerts on both the Azure agent VM and the Sonar server.