Configuring Prepare Analysis Configuration task in Azure DevOps with self-signed certificate

sonarqube
vsts

(WeiweiCai) #1

Hello,

I am trying to configure “Prepare Analysis Configuration” against one of our sonarqube severs that uses a certificate signed by our own CA. I have added the certificate to the java cacerts in the agent, but the following error is thrown:

[SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“DEPTH_ZERO_SELF_SIGNED_CERT”}

What actions / properties need to be done to configure the task against a Sonarqube server that uses a certificate signed by our own CA.

Regards!


(WeiweiCai) #2

Is there anyone can help me??


(WeiweiCai) #3

Are there any one can help check this issue?


(Duarte Meneses) #4

Hi,

First of all sorry for the long delay, we are not used to deal with certificate problems.
SonarQube relies in JVM’s truststore and keystore for https authentication, so the steps you took should be enough.

Can you successfully access api/server/version using another tool or a web server?
Is there any proxy between the scanner and the server?


(Marcos) #5

Hello Duarte,

First of all, thanks for replying.

I am able to properly access the server from any other resource.
There is no proxy.

I think that the issue is related in how the configure task works; I think it uses some kind of nodejs wrapper? So, even if I add the certificate to the java trustore, the task that sets the configuration uses a different runtime (not java at least) to communicate with the server, that’s why I still get that certificate error.


(Colin Mueller) #6

Hey Marcos,

Check out Nico’s response here, which echoes your deduction: TFS buid server cannot connect to teh SonarQube server over SSL

You might try using the NODE_EXTRA_CA_CERTS environment variable and setting it to a file with your root cert (I’ll admit my detailed knowledge of this is a little lacking, but this should get you on the right path).

Colin


(Marcos) #7

Hello Colin,

With that property, it did the trick and properly used the certificate. I have not finished the integration (different error from the certificate) but I think I could continue.

Thanks!