Error in startup: Certificates do not conform to algorithm constraints

I am attempting to upgrade from 9.7 to 9.9. SonarQube is running on RHEL 8.7.

java -version
openjdk version "17.0.6" 2023-01-17 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.6.0.10-3.el8_7) (build 17.0.6+10-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.6.0.10-3.el8_7) (build 17.0.6+10-LTS, mixed mode, sharing)

I am connecting to an MSSQL named instance with no SSL and no encryption. As such, my connection string does have encrypt=false;
sonar.jdbc.url=jdbc:sqlserver://<servername>\\<namedinstance>;databaseName=SonarQube;encrypt=false;

When starting the service (either via systemctl or running sonar.sh console), I am getting this error (located in the web.log file):

2023.02.27 10:08:39 INFO  web[][o.s.p.ProcessEntryPoint] Starting Web Server
2023.02.27 10:08:40 INFO  web[][o.s.s.p.LogServerVersion] SonarQube Server / 9.9.0.65466 / ce743843018827cb30c05735e7971523de34bb48
2023.02.27 10:08:40 INFO  web[][o.sonar.db.Database] Create JDBC data source for jdbc:sqlserver://scs-sqlinst04.res.lhiniv.net\INFS;databaseName=SonarQube;encrypt=false;
2023.02.27 10:08:40 INFO  web[][c.z.h.HikariDataSource] HikariPool-1 - Starting...
2023.02.27 10:08:41 ERROR web[][c.z.h.p.HikariPool] HikariPool-1 - Exception during pool initialization.
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:e27c1aa5-634d-47d4-a2b6-899ce85f58f9
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:3806)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1906)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3329)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2950)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2790)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1663)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1064)
        at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:121)
        at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:359)
        at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:201)
        at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:470)
        at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:561)
        at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:100)
        at com.zaxxer.hikari.HikariDataSource.<init>(HikariDataSource.java:81)
        at org.sonar.db.DefaultDatabase.createHikariDataSource(DefaultDatabase.java:159)
        at org.sonar.db.DefaultDatabase.initDataSource(DefaultDatabase.java:148)
        at org.sonar.db.DefaultDatabase.start(DefaultDatabase.java:126)

Way down at the bottom of the stack trace, this error shows: "Algorithm constraints check failed on signature algorithm: SHA1withRSA". But as I am not using any encryption between this server and SQL, and there is no cert on SonarQube (as I am running it through nginx), I don’t know what cert needs to be fixed in order to make this go away.

I appreciate any insights.

After posting here, I found the solution, and it looks to be specific to RHEL.

It appears the crypto policy was set incorrectly on my server… so I changed the crypto policy to default and it fixed itself after a reboot.
See this for more details: Chapter 4. Using system-wide cryptographic policies Red Hat Enterprise Linux 8 | Red Hat Customer Portal

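The fix above came down to which system-wide crypto policy the JVM inherited. As an added example (not part of the original post), this script checks whether a Java security-properties file disables SHA-1 outright, the condition behind the SHA1withRSA failure in the trace; the sample policies are constructed, and the file path in the closing comment is an assumption about where RHEL 8 keeps the Java back-end of its crypto policy.

```shell
#!/bin/sh
# Added example. Decides whether a java.security-style file disables SHA-1
# outright, which makes Java reject a SHA1withRSA-signed certificate.

# Print one trimmed entry per line for property $2 in file $1.
# Assumes each property sits on a single line (no backslash continuations);
# when a property is defined twice, the last definition is used.
disabled_entries() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=//p" "$1" | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if SHA-1 is listed with no qualifier in either property consulted
# during the TLS certificate check. "SHA1 jdkCA & usage TLSServer" is not
# counted: it applies only to chains ending at a CA shipped in cacerts.
sha1_rejected() {
    for prop in jdk.certpath.disabledAlgorithms jdk.tls.disabledAlgorithms; do
        if disabled_entries "$1" "$prop" | grep -Eqx 'SHA-?1|SHA1withRSA'; then
            return 0
        fi
    done
    return 1
}

# Constructed sample policies (not copied from a real host).
sample_strict='jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 3072
jdk.tls.disabledAlgorithms=DH keySize < 3072, TLSv1.1, TLSv1, SSLv3'
sample_relaxed='jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, SHA1 jdkCA & usage TLSServer
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3'

# Run sha1_rejected over policy text passed in $1.
check_text() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    rc=0; sha1_rejected "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

check_text "$sample_strict"  && echo "strict sample: SHA-1 disabled outright"
check_text "$sample_relaxed" || echo "relaxed sample: SHA-1 not disabled outright"

# On a RHEL 8 host (path assumed to be the crypto-policies Java back-end):
#   update-crypto-policies --show
#   sha1_rejected /etc/crypto-policies/back-ends/java.config
```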