Dotnet sonarscanner running in a docker - How to install self-signed server certificate?

  • SonarServer : 9.9.1.69595
  • DotNet SonarScanner : 5.13.1

Hello,

I am trying to run dotnet sonarscanner from a Docker container targeting our internal SonarServer hosted with a self-signed SSL certificate.

Following the disgruntled response on a previous post: Sonar-scanner fails with self-signed certificate - #12 by TouDick, I wish to know if there is a way to install a certificate in the SonarScanner truststore in such a deployment?

Here are the errors I get when running the scanner:

SonarScanner for MSBuild 5.13.1
Using the .NET Core version of the Scanner for MSBuild
Pre-processing started.
Preparing working directories...
08:56:14.586  Updating build integration targets...
08:56:14.95  Unable to connect to server. Please check if the server is running and if the address is correct. Url: 'https://<Redacted>/api/server/version'.
08:56:14.972  An error occured while querying the server version! Please check if the server is running and if the address is correct.
08:56:14.974  Pre-processing failed. Exit code: 1

I don’t have any issue fetching this url from the container using curl.

Hey there.

I can’t determine from the logs shared if this is running in a Linux or a Windows container. Can you tell us which it is?

Hi Colin,
It’s running in a Linux container.

Thanks!

So far, I’m not sure we can be certain that it’s an SSL error, unless there’s a stacktrace that hasn’t been provided (let me know if so). We just see that the connection failed.

Are there more details in your logs? I just want to make sure you’re focusing on the right problem.

Sure Colin,
Here are more logs, with a curl request that proves that connectivity works. Hope this will help.

update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
$ curl https://<redacted>/api/server/version
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    11  100    11    0     0    366      0 --:--:-- --:--:-- --:--:--   366
9.9.1.69595
$ dotnet restore
  Determining projects to restore...
  Restored /builds/<redacted>.csproj (in 2.25 sec).
  Restored /builds/<redacted>.csproj (in 2.26 sec).
  Restored /builds/<redacted>.csproj (in 2.92 sec).
$ export PATH="$PATH:/root/.dotnet/tools"
$ dotnet tool install --global dotnet-sonarscanner
You can invoke the tool using the following command: dotnet-sonarscanner
Tool 'dotnet-sonarscanner' (version '5.13.1') was successfully installed.
$ dotnet sonarscanner begin /k:"<redacted>" /d:sonar.login="<redacted>"  /d:sonar.host.url=<redacted> /d:sonar.branch.name=${CI_COMMIT_BRANCH} /d:sonar.verbose=true
SonarScanner for MSBuild 5.13.1
Using the .NET Core version of the Scanner for MSBuild
Default properties file was found at /root/.dotnet/tools/.store/dotnet-sonarscanner/5.13.1/dotnet-sonarscanner/5.13.1/tools/net5.0/any/SonarQube.Analysis.xml
Loading analysis properties from /root/.dotnet/tools/.store/dotnet-sonarscanner/5.13.1/dotnet-sonarscanner/5.13.1/tools/net5.0/any/SonarQube.Analysis.xml
sonar.verbose=true was specified - setting the log verbosity to 'Debug'
Pre-processing started.
Preparing working directories...
Using environment variables to determine the download directory...
09:40:19.698  09:40:19.689  Loading analysis properties from /root/.dotnet/tools/.store/dotnet-sonarscanner/5.13.1/dotnet-sonarscanner/5.13.1/tools/net5.0/any/SonarQube.Analysis.xml
09:40:19.698  09:40:19.698  sonar.verbose=true was specified - setting the log verbosity to 'Debug'
09:40:19.7  Updating build integration targets...
09:40:19.705  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/4.0/Microsoft.Common.targets/ImportBefore
09:40:19.705  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/10.0/Microsoft.Common.targets/ImportBefore
09:40:19.705  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/11.0/Microsoft.Common.targets/ImportBefore
09:40:19.705  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/12.0/Microsoft.Common.targets/ImportBefore
09:40:19.705  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/14.0/Microsoft.Common.targets/ImportBefore
09:40:19.706  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/15.0/Microsoft.Common.targets/ImportBefore
09:40:19.706  Installed SonarQube.Integration.ImportBefore.targets to /root/.local/share/Microsoft/MSBuild/Current/Microsoft.Common.targets/ImportBefore
09:40:19.706  Installed SonarQube.Integration.ImportBefore.targets to /root/Microsoft/MSBuild/15.0/Microsoft.Common.targets/ImportBefore
09:40:19.706  Installed SonarQube.Integration.ImportBefore.targets to /root/Microsoft/MSBuild/Current/Microsoft.Common.targets/ImportBefore
09:40:19.707  Installed SonarQube.Integration.targets to /builds/mdrm-teams-grp/playready-ls/.sonarqube/bin/targets
09:40:19.708  Creating config and output folders...
09:40:19.709  Creating directory: /builds/mdrm-teams-grp/playready-ls/.sonarqube/conf
09:40:19.709  Creating directory: /builds/mdrm-teams-grp/playready-ls/.sonarqube/out
09:40:19.725  Fetching server version...
09:40:19.727  Downloading from https://<redacted>/api/server/version...
09:40:20.049  Unable to connect to server. Please check if the server is running and if the address is correct. Url: 'https://<redacted>/api/server/version'.
09:40:20.059  System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
09:40:20.061  An error occured while querying the server version! Please check if the server is running and if the address is correct.
09:40:20.063  Pre-processing failed. Exit code: 1

Thanks! This helps.

Something tells me that curl is okay with a partial chain, but for some reason the .NET layer isn’t.

Is this representing a certificate you’ve added as a part of your docker image, or do you get this message no matter what? I’m asking because maybe you’re including the certificate for the SonarQube server, but not the full certificate chain, i.e. root and all intermediate certificates.

It’s a certificate I am adding as part of my docker image.
I am running those commands beforehand:

openssl s_client -showcerts -connect <redacted>:443 </dev/null | sed -ne '/-BEGIN/,/-END/p' >crtchain.crt
cp crtchain.crt /usr/local/share/ca-certificates/

“redacted” being the sonar server host.

Edit: For reference, I am using mcr.microsoft.com/dotnet/sdk:6.0 as the base Docker image.

@Colin
I feel like I am already adding the full chain certificate.
Any clue what's wrong in my setup?
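One thing worth checking before touching the image again is whether the crtchain.crt captured with `openssl s_client -showcerts` actually ends in a self-signed root. Servers normally send only the leaf and the intermediates, not their own root, so a bundle built that way is usually a partial chain; the .NET chain builder reports exactly that as PartialChain when it cannot reach a self-signed root it trusts, which fits Colin's suspicion that curl tolerates a partial chain where .NET does not. The script below is an added example, not code from the thread or from SonarSource: it walks the DER of every certificate in a PEM bundle with the standard library only, prints subject and issuer, and reports whether each issuer matches the next subject and whether the last certificate is self-signed. It compares names only and verifies no signatures. The `fake_cert_pem` helper builds structurally valid but unsigned certificates so the check can be exercised offline; the names in it are made up.

```python
"""Report whether a PEM bundle such as the crtchain.crt captured above is a
complete chain: each certificate's issuer must be the next certificate's
subject and the last certificate must be self-signed (subject == issuer).
.NET reports PartialChain when it cannot reach such a root; this script
only compares names and does not verify signatures. Stdlib only."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}


def _tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Every (tag, value) element inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(raw):
    """Dotted form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def name_to_str(name_der):
    """Render an X.501 Name (SEQ of SET of SEQ{OID, value}) as 'CN=x,O=y'."""
    parts = []
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            key = OID_NAMES.get(_oid(oid), _oid(oid))
            parts.append(f"{key}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)


def subject_issuer(cert_der):
    """(subject, issuer) Name values of one DER certificate."""
    _, cert, _ = _tlv(cert_der)
    fields = _children(_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def check_chain(pem_text):
    """Parse every CERTIFICATE block in order; say whether the chain is complete."""
    pairs = [subject_issuer(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    links_ok = all(pairs[i][1] == pairs[i + 1][0] for i in range(len(pairs) - 1))
    ends_in_root = bool(pairs) and pairs[-1][0] == pairs[-1][1]
    return {
        "chain": [(name_to_str(s), name_to_str(i)) for s, i in pairs],
        "links_ok": links_ok,
        "complete": links_ok and ends_in_root,
    }


# --- constructed fixtures: structurally valid but unsigned certificates ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload


def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Made-up certificate with only the fields the checker reads (not signed)."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    report = check_chain(open(sys.argv[1]).read())
    for n, (subj, iss) in enumerate(report["chain"]):
        print(f"[{n}] subject={subj}  issuer={iss}")
    print("complete chain (ends in self-signed root):", report["complete"])
```

Run it as `python3 checkchain.py crtchain.crt` inside the build container. If `complete` is False while `links_ok` is True, the bundle stops at an intermediate: obtain the root CA certificate from whoever issued the server certificate (it is not on the wire) and add it to /usr/local/share/ca-certificates/ before `update-ca-certificates`. If the server certificate really is self-signed, the chain has one entry and the check passes with that single certificate.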

Hey there.

Unfortunately, I’m not sure :confused:

Do you get a different error message if you supply no certificate at all? (no update-ca-certificates). This might help us understand if the certs are being read at all.

Hello,
yes, I get the same errors.

Hi Bastien. I’m wondering if you managed to fix this in the end? I’m also facing this same issue

In case someone needs this, I used this snippet to mount an existing Java truststore into the Docker container:

# Resolve JAVA_HOME from the JVM itself when the variable is not set.
# java -XshowSettings prints its properties to stderr, hence 2>&1 before >/dev/null.
if [ -z "${JAVA_HOME:-}" ]; then
    JAVA_HOME="$( ( java -XshowSettings:properties -version 2>&1 > /dev/null | grep 'java.home' | awk '{print $NF}' ) || true )"
fi

# flags is the bash array of docker run options this script accumulates;
# declare -a keeps any entries already added earlier in the script.
declare -a flags
# Mount the host JVM's cacerts read-only at the path the container's JVM reads.
if [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
    flags+=( -v "$(realpath "$JAVA_HOME/lib/security/cacerts"):/etc/ssl/certs/java/cacerts:ro" )
fi

It would be nice if the image entrypoint offered a functionality to add the certificates at startup time, though.