Connecting Sonarqube and Gitlab on premise (certificate issue)

Dear SQ community,

I am using Sonarqube:

  • deployed with docker-compose
  • version v10.7
  • on-premise
  • together with GitLab Enterprise Edition [v17.5.1-ee]

I am trying to set up the Gitlab integration with sonarqube so I can use SQ in my Gitlab-CI pipelines. So far, that has been unsuccessful.

Both my gitlab and my sonarqube instance are behind reverse proxies outfitted with SSL certificates from a private CA. After setting up the URL:

https://gitlab.brave-vesperia.com/api/v4

the Sonarqube docker container reports:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
	... 199 common frames omitted

After doing some research, I think I’m supposed to import some certificates into the trusted store of SQ by using certtool. However, so far I don’t know how to achieve that and furthermore, I’m very unsure which certificate I’m supposed to import in the first place (shouldn’t the CA cert be enough?)

Please kindly assist. There are some guides out there on the internet, but I either don’t understand them well enough or they are not applicable to my issues.

KR

Hey there.

You’ll need to mount a directory containing your certificates to <JAVA_HOME>/lib/security/cacerts as documented here.

The root certificate should be enough, although frankly, I have always found it easiest to just pull the cert from the website you’re targeting.

For example, with SonarCloud (here you would substitute your internal Gitlab server)

1. Pull the cert chain

openssl s_client -connect sonarcloud.io:443 -servername sonarcloud.io -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certchain.pem

2. Create a new truststore with this cert

keytool -import -file certchain.pem -alias customalias -keystore custom.truststore -storepass changeit

3. Bind mount this truststore to <JAVA_HOME>/lib/security/cacerts.

docker run -d --name sonarqube -v /path/to/your/custom.truststore:/opt/java/openjdk/lib/security/cacerts:ro -p 9000:9000 sonarqube

SSLPoke is a super helpful tool to make sure you have your truststore configured correctly.

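The three steps above, as an added example (not code from the reply or from SonarSource): it fetches the chain an internal GitLab presents, splits it into one file per certificate, and imports each one separately, because keytool -importcert stores only the first certificate of a multi-certificate PEM file. The host name, alias prefix, output paths and the placeholder certificate bodies are assumptions; the docker bind mount from step 3 is unchanged.

```shell
#!/bin/sh
# Added example, not the reply's own script. Splits a PEM chain so every
# certificate (leaf, intermediates, private CA root) lands in the truststore.

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... under $2.
# Prints how many certificates were found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Fetch the chain presented by host:port (your internal GitLab) into $3.
fetch_chain() {
    host="$1"; port="${2:-443}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out"
}

# Import every split certificate under its own alias, then list the entries
# so you can confirm the private CA root is really inside the truststore.
import_all() {
    dir="$1"; store="$2"; pass="${3:-changeit}"
    for f in "$dir"/cert-*.pem; do
        alias_name="gitlab-$(basename "$f" .pem)"   # assumed alias prefix
        keytool -importcert -noprompt -file "$f" -alias "$alias_name" \
            -keystore "$store" -storepass "$pass"
    done
    keytool -list -keystore "$store" -storepass "$pass" | grep -c trustedCertEntry
}

# Stand-alone demo on a constructed two-entry bundle (placeholder bodies,
# not real certificates); in practice feed it the output of fetch_chain:
#   fetch_chain gitlab.brave-vesperia.com 443 chain.pem
#   split_pem_bundle chain.pem certs && import_all certs custom.truststore
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderLeaf' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'MIIBplaceholderRoot' '-----END CERTIFICATE-----' > "$work/chain.pem"
echo "certificates found: $(split_pem_bundle "$work/chain.pem" "$work/certs")"
```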

Hey there. Super answer.

Thank you so much.
