Delegate authentication to GitLab with a custom SSL certificate

Hello. I’m running into a similar problem, but not for the reasons you discussed above.

I have a self-hosted GitLab (version 12.9) and a self-hosted SonarQube (8.2-community), both served over HTTPS with self-signed certs. I want to delegate authentication to GitLab.

  • First, I created a SonarQube app on GitLab.
  • Second, I put the application ID and secret in SonarQube, allowed user sign-up, and disabled group sync. I set the right Server base URL.

Then I can see the “Log in with GitLab” icon on the login page, and get this response:

and web log:

2020.04.13 14:16:18 WARN  web[AXFzahyz3CdktahgAAaD][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:104)
        at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:98)
        at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:77)
        at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:70)
        at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
        at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)

It seems to be a problem with the cert, but I can’t figure it out. Can anyone help?

This is my nginx conf for SonarQube. Is it right?

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate   /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://sonarqube:9000/;
        # proxy_redirect off;
        # proxy_set_header Host $host;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Hi, welcome to the community!

Did you add the GitLab SSL certificate to the truststore of the JRE running SonarQube? What exact Java version is SonarQube using?

I ran into it and was able to resolve it after I better understood the requirements for using custom cacerts with the Oteemo Helm Chart. I had an entire bundle as a single file with all my certs. What I ended up having to do was put all the certs into a directory and create the Kubernetes secret based on the path, not the single file. After the redeploy it was able to pick up the certs and get past this error message (GitLab fully integrated now too).
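
The fix described in the last reply (one certificate per file in a directory, instead of a single bundle file) can be scripted. This is an added example, not code from the thread or from the Helm chart: the function names and the `cert-NN-<fingerprint>.crt` naming are assumptions, the sample bundle is constructed data rather than real certificates, and the check covers PEM/base64 well-formedness only, not X.509 validity.

```python
import base64
import binascii
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def split_bundle(bundle_text, out_dir):
    """Write every certificate found in a PEM bundle to its own file.

    Text between blocks (comments, subject lines) is dropped, duplicates
    are written once, and a block that is not valid base64 raises
    ValueError rather than being copied into the directory.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    seen, written = set(), []
    for index, match in enumerate(PEM_RE.finditer(bundle_text), start=1):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {index} is not valid base64") from exc
        if not der:
            raise ValueError(f"block {index} is empty")
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            continue  # same certificate listed twice in the bundle
        seen.add(fingerprint)
        path = out / f"cert-{len(written) + 1:02d}-{fingerprint[:12]}.crt"
        path.write_text(ssl.DER_cert_to_PEM_cert(der))
        written.append(path)
    return written


def constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armour: sample data, not a real cert."""
    return ssl.DER_cert_to_PEM_cert(payload)


if __name__ == "__main__":
    # Constructed bundle: three blocks, one of them a duplicate.
    bundle = ("# root\n" + constructed_pem(b"constructed-root-ca")
              + "# intermediate\n" + constructed_pem(b"constructed-intermediate")
              + constructed_pem(b"constructed-root-ca"))
    with tempfile.TemporaryDirectory() as tmp:
        for cert_file in split_bundle(bundle, tmp):
            print(cert_file.name)
```

The resulting directory can be passed to `kubectl create secret generic <name> --from-file=<directory>`; the secret name and keys the chart expects are not given in the thread.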