CERT_HAS_EXPIRED issue on SonarQube

Cristiano.Rodrigues · June 1, 2020, 3:22pm

Hi, I’m receiving this message using a community version (internal Host).

Version 7.9.2.30863

Starting: Preparando análise do Sonar
==============================================================================
Task         : Prepare Analysis Configuration
Description  : Prepare SonarQube analysis configuration
Version      : 4.10.0
Author       : sonarsource
Help         : Version: 4.10.0. [More Information](http://redirect.sonarsource.com/doc/install-configure-scanner-tfs-ts.html)
==============================================================================
##[error][SQ] API GET '/api/server/version' failed, error was: {"code":"CERT_HAS_EXPIRED"}

Ashen_Fernando · June 1, 2020, 3:25pm

Hi Alex,

We have tried to run our pipeline today(01st of June 2020). But we got the below error from sonar qube.
##[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“CERT_HAS_EXPIRED”}.

This pipeline was working fine in 14th May 2020 with the same configuration.

Please check

Carlos_Jimenez_Saiz · June 2, 2020, 6:05am

Hi Alex,

Same problem here with SonarQube 8.2.0.32929 Developer Edition.
curl and wget works properly after apply the fix proposed by Andrew Ayer, so it’s looks that the problem in the client that perform the request and the CA certificates that it use.

AlxO · June 2, 2020, 6:20am

Hi @Carlos_Jimenez_Saiz,

Thanks for posting to the community!

Could you clarify what site you’re connecting to? I mean; you’re mentioning SonarQube Developer Edition, hence I understand you run your own infrastructure, not SonarCloud, am I understanding this right?

If it so, then the solution should be within your control and you should check the page I referenced in my first reply. Thanks!

mickaelcaro · June 2, 2020, 6:23am

Hi @Ashen_Fernando and @Carlos_Jimenez_Saiz

What are your build agent version please ?

Thanks.

Ashen_Fernando · June 2, 2020, 6:43am

Hi @mickaelcaro,

Please note that we are using Azure dev ops, Agent pool - Hosted VS2017

Thanks

mickaelcaro · June 2, 2020, 6:45am

Thanks, but i need the agent version, you can read it from the Initialize Job task, it should be displayed, like this :

Current agent version: ‘2.165.2’

Ashen_Fernando · June 2, 2020, 6:50am

@mickaelcaro it is - Current agent version: ‘2.169.1’

Carlos_Jimenez_Saiz · June 2, 2020, 7:17am

@mickaelcaro our Agente version is 2.165.0.
@AlxO, yes it’s our own infrastructure and we have solved the issue for all the different tools that perform request to the domain that uses this certificate, and even from the same host it’s possible to perform curl and wget request (before the fix it was not possible), the only tools that still show the problem it’s this task.
Is this task based on Java or Nodejs?

mickaelcaro · June 2, 2020, 7:32am

The request that are failing are made with NodeJs, that why i asked for the agent version, because apparently starting with some specific version of Node, it can work, but haven’t tested on my side, since it’s an internal asset of the agent.

Is your SonarQube protected by SSL ? Is yes, what does said the cert chain ?

Colin · June 2, 2020, 7:38am

Hey all!

Quick housekeeping – I’ve moved this to a separate thread as this is now specifically related to on-prem SonarQube instances (instead of SonarCloud, where the issue is resolved)

Carlos_Jimenez_Saiz · June 2, 2020, 8:29am

@mickaelcaro Our Instance is protected with TLS, even we have tested to set NODE_TLS_REJECT_UNAUTHORIZED to 0 env variable with no result, but this have no sense if you are using nodejs, we are going to test other ways to set this variable in order to confirm that the problems is the “internal” CAs of Nodejs.

We used to set the Nodejs version in the pipeline, right now we have test 12.14, but I am not sure if this have a real effect in the way that this task is performed.

Ashen_Fernando · June 2, 2020, 8:31am

Hi @mickaelcaro

Our instance also SSL protected. Issued by COMODO RSA certification authority

mickaelcaro · June 2, 2020, 9:53am

@Carlos_Jimenez_Saiz the nodejs that is used is i guess the one referenced on the ‘externals’ folder of the build agent, there are 2 versions inside, one on 6.X, the other on 10.X.

I’ll try to have a deeper look, but i guess that there’s not much we can do right now if that’s purely on node/azure’s side.

Thanks @Ashen_Fernando, what does said a SSLHopper for example on the full chain ? Do you still have a cert expired somewhere or is that full green ?

Ealenn · June 2, 2020, 11:55am

Be careful, especially if your certificate comes from Gandi https://status.gandi.net/incidents/026k81gp3vmk

Ashen_Fernando · June 2, 2020, 3:24pm

@mickaelcaro Thanks for the information. I got this warnings from SSLSHopper. Can you please confirm that the issue is due to this.

mickaelcaro · June 3, 2020, 5:52am

Yes for sure !

andre.avelar · June 3, 2020, 6:58pm

Hello, i am facing the same problem, our certificate is also issued by COMODO RSA. I blacklisted the expiring certificate https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 and internal tests are working fine.

Also I checked certificate chain and the expired one is not listed. I can GET myserver/api/server/version from anywhere with no SSL problem.

Azure Devops Service
Agent version 2.164.8

Exactly the same error: ##[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“CERT_HAS_EXPIRED”}.

Rehan · June 12, 2020, 11:09am

I am getting this error
##[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“CERT_HAS_EXPIRED”}
in Azure Devops pipeline on task ‘Prepare analysis on Sonarqube’ .
The issue occurred after I upgraded to version 6.7 . Interestingly same version on other server is working fine .
Let me know how to resolve this .

Regards,
Rehan

Joao_Simoes · March 1, 2021, 12:50pm

Hi all,

I’ve the same issue as @Rehan on azure DevOps. How can I solve ? Exists any workaround?

Regards
Joao