Error executing "Prepare Analysis Configuration" task in Azure Devops javascript pipeline

SonarQube
, ,
1

Trying to run analysis on a angular project AzureDevops pipeline.
We keep getting the same error whenever it reaches the task " Prepare Analysis Configuration"

##[error][SQ] API GET '/api/server/version' failed, error was: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}

Actual version of extension being used in our Azure devops organization is 4.23.1 (Latest).
Our sonar is running on a public server with an Entrust signed certificate (it is not selfsigned).
We are using Azure Devops public agents to run all of the tasks in the pipeline.
So far we’ve tried:

  1. Downloading the cert to the task running agent and setting the NODE_EXTRA_CA_CERTS variable.
  2. Importing the certificate to the cacerts keystore using keytool -import ... command.
  3. Installing ssl-root-cas using npm install ssl-root-cas
  4. Reinstalling the sonarqube extension.
  5. Recreating the Service Connection to our Sonarqube.
3

Hi @gfernandez ,

Welcoem to SonarSource Community :sonarsource:

Can you please attach the full DEBUG logs of your Sonar analysis in your pipeline? Add sonar.verbose=true to the extraProperties key in SonarQubePrepare task with Azure pipelines yaml.

Joe

5

Hi @Joe
using sonar.verbose=true option we get exactly the same error.

imagen
imagen951×324 11.9 KB

Right before the SonarQubePrepare step we are running these preparatory steps, but none of them work:
1.- npm install --save node_extra_ca_certs_mozilla_bundle
2.- npm config set strict-ssl false
3.- npm install ssl-root-cas
4.- We download our Entrust signed public certificate to the agent running the tasks.
5.- Copy the cert to /etc/ssl/certs in the Azure Devops agent running our tasks.
6.- Run keytool -import -trustcacerts -alias evobanco -keystore cacerts -file $(PATH_TO_OUR_CERTIFICATE) -storepass changeit -noprompt
7.- Set NODE_EXTRA_CA_CERTS with the path of our just downloaded certificate
8.- Run sudo update-ca-certificates
9.- npm config set cafile $(PATH_TO_OUR_CERTIFICATE)
10.- npm run build

7

Hi @gfernandez

There is now a new version 5 of the Azure Devops Extension that supports specifying a client certificate and password. Does that help?

Thanks

Tom

1 Like
8

hi @Tom_Howlett
This made no change on the behaviour of the step.
We keep getting the same error.

9

Error using sonarqube version 5.0.0

imagen
imagen883×310 11.1 KB

These are the main extra sonar properties passed to this step:
sonar.clientcert.path=/etc/ssl/certs/OURCERTIFICATE.pem
sonar.projectKey=*******
sonar.host.url=https://********.com:2443/sonarqube
sonar.verbose=true

12

Hi @gfernandez

I think you need to put your full certification path (root + intermediate + cert) in the certificate store of the machine.

Hope that helps
Mickaël

13

Hi @mickaelcaro
I forgot to mention that this is almost the first thing we did.

14

Have you restarted the agent after that ?

Can you try to issue a call to your SQ instance from that machine using a curl command to see if it passes ?

15

Hi @mickaelcaro
we are not using a dedicated agent, the pipeline uses the Azure Devops hosted agent pool in which we can only specify the OS version. The agents in this pool are not controlled by us, the dedicated agents are created and destroyed for the only purpose of executing the pipeline jobs and are also not reachable via ssh or any other methods.
I will try to use a dedicated agent though.

16

Oh, ok, sorry about that !

Then you can test to add the paths to those certs by using this env variable :

export NODE_EXTRA_CA_CERTS=[your CA certificate file path]

HTH,

17

@mickaelcaro did that too.

18

Well there should be something not complete i would guess in your setup, did you include the full cert chain in this variable ?