Could not create SSL/TLS secure channel issue in Sonarqube 9.6

We have hosted Sonarqube 9.6 in Azure Kubernetes and it is using an internal certificate. Until a few days ago it was working well, and suddenly we are getting a "Could not create SSL/TLS secure channel" error. None of the certificates we are using have expired and there was no change in any configuration.

The issue occurs only when we use the “Integrate with msbuild” option in the Azure task. The standalone scanner is not giving any error. All build agents are internally hosted.

We have set the variable “NODE_EXTRA_CA_CERTS” to point to a pem file containing the internal, intermediate and root certificates.

We are using the latest version of the Azure task for initiating the ‘integration with msbuild’ scan.
Below is the error in the pipeline after enabling the debug option.

Note: I can confirm that the Sonarqube URL is accessible from the server and there is no firewall issue.

10:19:16.999  Downloading from https://XXXXXXXXX.com/api/server/version...
##[error]10:19:17.03  Unable to connect to server. Please check if the server is running and if the address is correct. Url: 'https://XXXXXXXXXXXXXX.com/api/server/version'.
##[debug]Processed: ##vso[task.logissue type=error;]10:19:17.03  Unable to connect to server. Please check if the server is running and if the address is correct. Url: 'https://XXXXXXXXXXXXX.com/api/server/version'.
10:19:17.03  Unable to connect to server. Please check if the server is running and if the address is correct. Url: 'https://XXXXXXXXXXXX.com/api/server/version'.
10:19:17.03  System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
##[error]10:19:17.03  An error occured while querying the server version! Please check if the server is running and if the address is correct.
##[debug]Processed: ##vso[task.logissue type=error;]10:19:17.03  An error occured while querying the server version! Please check if the server is running and if the address is correct.
10:19:17.03  An error occured while querying the server version! Please check if the server is running and if the address is correct.
##[error]10:19:17.03  Pre-processing failed. Exit code: 1
##[debug]Processed: ##vso[task.logissue type=error;]10:19:17.03  Pre-processing failed. Exit code: 1
10:19:17.03  Pre-processing failed. Exit code: 1

Hey there.

Were you doing this before it stopped working, or is this something you tried after it stopped working?

We had added the variable a few months back during our initial infrastructure setup.

It was working fine until a week ago and now we are getting this error.

There has been no recent change to any certificate in our infrastructure.

Enabling debug in the Azure task is not providing the info required to track down the certificate it is expecting.

Hey there.

In fact, I misunderstood the problem from the first read. Sorry about that.

Indeed, when the Scanner for .NET is used, it is using the system certificates (on the build agent) to establish trust. Not NodeJS or Java.

Is it possible these certificates can no longer be found on the build agent, or that they themselves have expired? Is your SonarQube server using a modern version of TLS/SSL?

If SonarScanner.MSBuild.exe is using system certificates, then why is it throwing the error below when I provide an incorrect pem file in the variable “NODE_EXTRA_CA_CERTS”?

API GET '/api/server/version' failed, error was: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}

And when I provide the correct certificate, the error is “System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel”.

We had never installed the Sonarqube certificate on any build agents. The only change on the build agents was to add the certificate to the Java cacerts file and set the variable “NODE_EXTRA_CA_CERTS” with the pem file.

Is there a way to identify which certificate is not trusted? Enabling debug only provides the error attached in the initial query.

Multiple technologies (NodeJS, Java, and .NET Framework) are used to communicate with the SonarQube server. The error you presented in the first post refers to .NET Framework. You are probably facing the issue at different steps in your pipeline.

It might be that a root certificate is expired that would otherwise verify your SonarQube certificate. I would expect a PowerShell run pointing to your SonarQube server would produce the same issue.

It looks like there are some good scripts for debugging exactly this.

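Added example, not posted by anyone in this thread and not SonarSource code: a Windows PowerShell check to run on the build agent that separates the two causes raised above, a TLS version the server no longer accepts versus a certificate chain the Windows store does not trust. The host name is a placeholder and the script only performs a handshake, sending no request.

```powershell
# Diagnostic sketch (added example). Run on the build agent as the agent's service account.
param(
    [string]$SonarHost = 'sonarqube.example.internal',  # placeholder: your SonarQube host name
    [int]$Port = 443
)

$script:seen = @{}

# Record what Windows concludes about the chain, then accept it so the handshake
# can finish and be reported. Accepting here is for diagnosis only; no data is sent.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $policyErrors)
    $script:seen.PolicyErrors = $policyErrors
    $script:seen.Elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject  = $e.Certificate.Subject
            NotAfter = $e.Certificate.NotAfter
            Status   = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    return $true
}

# Try each protocol version separately: a failure here happens before any
# certificate check and points at protocol or cipher negotiation instead.
foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($SonarHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($SonarHost, $null,
            [System.Security.Authentication.SslProtocols]$proto, $false)
        "{0,-6} handshake OK, cipher {1}" -f $proto, $ssl.CipherAlgorithm
    } catch {
        "{0,-6} handshake FAILED: {1}" -f $proto, $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
}

# An empty Status column means Windows found no problem with that chain element.
"Policy errors reported by Windows: $($script:seen.PolicyErrors)"
$script:seen.Elements | Format-Table -AutoSize -Wrap
"Default protocols in this PowerShell session: $([System.Net.ServicePointManager]::SecurityProtocol)"
```

If every protocol fails, the problem lies in negotiation rather than trust; if a handshake succeeds but a chain element shows a status such as UntrustedRoot or NotTimeValid, that element is the certificate to fix in the agent's Windows certificate store.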