Connecting with ldaps - Installing self-signed server certificate into Java truststore

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  1. SonarQube 7.8 Community Edition (Docker)
  2. Postgresql 10 (Docker)
  3. RHEL 7
  4. Nginx Proxy
  • what are you trying to achieve

Interacting with in-house MS Active Directory through ldaps

  • what have you tried so far to achieve this

Trying to connect to ldaps, but unable to do so due to a certificate error.

From sonar.properties, there is a message about installing the server certificate into the Java truststore. My understanding is that I probably need to modify the Java truststore within the SonarQube docker container itself?

I have followed the suggestion given by https://github.com/SonarSource/docker-sonarqube/issues/207

Which are:

  1. Create a jks based on my internal root cert
  2. Build a refined sonarqube image, Dockerfile as follows

     FROM sonarqube:7.8-community
     COPY someca.jks /usr/local/openjdk-8/jre/lib/security/cacerts

  3. Add the following into sonar.properties

     sonar.ce.javaAdditionalOpts=-Djavax.net.ssl.trustStore=/opt/sonarqube/conf/someca.jks -Djavax.net.ssl.trustStorePassword=changeit

Unfortunately, I still got some errors. I have verified the keystore and it looks fine too.

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
	at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
	at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
	at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)

Are there any standard ways we can add our internal self-signed certificate into the java truststore?

Robin

Hi,

Just an update. I probably didn’t chain my certificates properly.

Will share the exact steps on how we can tackle this issue, especially updating self-signed certificates into the Java trust store.


Hi,

I managed to solve this by building a refined SonarQube docker image. Do look at the GitHub link above for inspiration.

Dockerfile

# Stage 1: import the whole chain into the JDK's default cacerts file
# (default store password: changeit).
FROM openjdk:8 AS builder

COPY /certs/server.crt /tmp/
COPY /certs/intermediate.crt /tmp/
COPY /certs/root.crt /tmp/

# Server certificate first, then the intermediate, then the root,
# each under its own alias.
RUN keytool -import -v -trustcacerts -alias sonarqube -file /tmp/server.crt  \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -noprompt -storepass changeit

RUN keytool -import -v -trustcacerts -alias intermediate -file /tmp/intermediate.crt \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -noprompt -storepass changeit

RUN keytool -import -v -trustcacerts -alias root -file /tmp/root.crt \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -noprompt -storepass changeit

# Stage 2: overwrite the SonarQube image's cacerts with the one built above.
# ${JAVA_HOME} is expanded with this (final) stage's value, so both images
# must keep their Java installation at the same path.
FROM sonarqube:7.8-community
COPY --from=builder ${JAVA_HOME}/jre/lib/security/cacerts ${JAVA_HOME}/jre/lib/security/cacerts

Do a docker build based on the above file… which will copy your self-signed certificates into the container Java trust store. As such, I managed to make a successful connection to my internal MS Active Directory through ldaps.

Mainly, you need to understand how your CA and server certificates are chained properly.

Robin
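As an added example (not code from this thread or from SonarSource), the chain check and truststore build that the last post recommends, written as a POSIX shell script. It generates a throwaway root/intermediate/server chain with openssl so that it runs offline, verifies that the server certificate actually chains to the root, imports only the CA certificates into a fresh truststore with keytool, and counts the trusted entries: a count of 0 is the state behind the first post's "trustAnchors parameter must be non-empty" error. The host name ldap.example.internal, the certificate subjects and the changeit password are assumptions; openssl 1.1.1 or newer and a JDK keytool must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: build and verify a Java truststore
# from a CA chain before it goes into a SonarQube image.
# Assumptions: openssl >= 1.1.1, keytool on PATH, password "changeit".
set -eu

# Generate a throwaway root -> intermediate -> server chain so the script
# runs offline. In real use you already have these three files.
make_test_chain() {  # dir
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.internal\n' > "$d/srv.ext"
  for n in root intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
  done
  # root: self-signed CA; intermediate: signed by root; server: signed by intermediate
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/intermediate.crt" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/server.crt" >/dev/null 2>&1
}

# Does the server certificate chain up to the root through the intermediate?
# Non-zero exit means the chain is not built properly (missing or wrong issuer).
check_chain() {  # root.crt intermediate.crt server.crt
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Import each certificate as a trusted entry, alias = file name without .crt.
# Only CA certificates need to go in; the server certificate is validated
# against them at connection time.
build_truststore() {  # truststore.jks cert.crt [cert.crt ...]
  ts=$1; shift
  for crt; do
    keytool -importcert -noprompt -alias "$(basename "$crt" .crt)" -file "$crt" \
      -keystore "$ts" -storepass changeit >/dev/null 2>&1
  done
}

# Number of trusted CA entries in a truststore; 0 (also for a missing or
# unreadable file) is what produces "the trustAnchors parameter must be non-empty".
truststore_entries() {  # truststore.jks
  keytool -list -keystore "$1" -storepass changeit 2>/dev/null | grep -c trustedCertEntry || true
}

# Defender's check against the real directory server: is the certificate
# presented on port 636 validated by exactly the CAs we trust? Needs network
# access, so it is not part of the offline demo below.
check_ldaps_endpoint() {  # host chain.pem
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_chain "$work"
  check_chain "$work/root.crt" "$work/intermediate.crt" "$work/server.crt" && echo "chain OK"
  build_truststore "$work/sonar-truststore.jks" "$work/root.crt" "$work/intermediate.crt"
  echo "trusted entries: $(truststore_entries "$work/sonar-truststore.jks")"
  echo "sonar.ce.javaAdditionalOpts=-Djavax.net.ssl.trustStore=$work/sonar-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"
fi
```

Saved as, say, truststore-check.sh and run with `sh truststore-check.sh demo`, it prints "chain OK", "trusted entries: 2" and a property line in the form used in the first post. That line only reaches the Compute Engine; LDAP authentication runs in the web server JVM, which reads sonar.web.javaAdditionalOpts, so a truststore handed over by system property has to be given to that process too. Replacing cacerts inside the image, as the final Dockerfile does, sidesteps the per-process setting because every JVM in the container then sees the same trust anchors.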