Error in startup: Certificates do not conform to algorithm constraints

I am attempting to upgrade from 9.7 to 9.9. SonarQube is running on RHEL 8.7.

java -version
openjdk version "17.0.6" 2023-01-17 LTS
OpenJDK Runtime Environment (Red_Hat- (build 17.0.6+10-LTS)
OpenJDK 64-Bit Server VM (Red_Hat- (build 17.0.6+10-LTS, mixed mode, sharing)

I am connecting to an MSSQL named instance with no SSL and no encryption. As such, my connection string does have encrypt=false;

When starting the service (either via systemctl or running console), I am getting this error (located in the web.log file)

2023.02.27 10:08:39 INFO  web[][o.s.p.ProcessEntryPoint] Starting Web Server
2023.02.27 10:08:40 INFO  web[][o.s.s.p.LogServerVersion] SonarQube Server / / ce743843018827cb30c05735e7971523de34bb48
2023.02.27 10:08:40 INFO  web[][o.sonar.db.Database] Create JDBC data source for jdbc:sqlserver://\INFS;databaseName=SonarQube;encrypt=false;
2023.02.27 10:08:40 INFO  web[][c.z.h.HikariDataSource] HikariPool-1 - Starting...
2023.02.27 10:08:41 ERROR web[][c.z.h.p.HikariPool] HikariPool-1 - Exception during pool initialization. The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:e27c1aa5-634d-47d4-a2b6-899ce85f58f9
        at com.zaxxer.hikari.util.DriverDataSource.getConnection(
        at com.zaxxer.hikari.pool.PoolBase.newConnection(
        at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(
        at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(
        at com.zaxxer.hikari.pool.HikariPool.checkFailFast(
        at com.zaxxer.hikari.pool.HikariPool.<init>(
        at com.zaxxer.hikari.HikariDataSource.<init>(
        at org.sonar.db.DefaultDatabase.createHikariDataSource(
        at org.sonar.db.DefaultDatabase.initDataSource(
        at org.sonar.db.DefaultDatabase.start(

Way down at the bottom of the stack trace, this error shows: Algorithm constraints check failed on signature algorithm: SHA1withRSA but as I am not using any encryption between this server and SQL, and there is no cert on SonarQube (as I am running it through nginx), I don’t know what cert needs to be fixed in order to make this go away.

I appreciate any insights.

After posting here, I found the solution, and it looks to be specific to RHEL.

It appears the crypto policy was set incorrectly on my server… so I changed the crypto policy to default and it fixed itself after a reboot.
See this for more details: "Chapter 4. Using system-wide cryptographic policies", Red Hat Enterprise Linux 8 documentation, Red Hat Customer Portal.

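An added example, not part of the original posts: a shell function that lists the entries disabling SHA-1 in a Java crypto-policy back-end file, the kind of setting that the crypto policy change described above affects and that matches the `SHA1withRSA` constraint failure in the stack trace. The helper name `sha1_entries` is hypothetical, the sample file contents are constructed, and the path `/etc/crypto-policies/back-ends/java.config` is an assumption about the usual RHEL 8 layout.

```shell
#!/bin/sh
# Added example (not from the original thread).
# With encrypt=false the JDBC driver still does a TLS handshake for the login
# packet, so the server certificate's signature algorithm is checked against
# the JDK's disabled-algorithm lists. Assumes one property per line.

# sha1_entries FILE: print "property: entry" for every disabled-algorithm
# entry in FILE that names SHA-1 (conditions on the entry are kept verbatim).
sha1_entries() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key !~ /^jdk\.(certpath|tls)\.disabledAlgorithms$/) next
            n = split(substr($0, eq + 1), entries, ",")
            for (i = 1; i <= n; i++) {
                e = entries[i]
                gsub(/^[ \t]+|[ \t]+$/, "", e)
                split(e, words, " ")             # first word is the algorithm
                name = toupper(words[1])
                if (name == "SHA1" || name == "SHA-1" || name == "SHA1WITHRSA")
                    print key ": " e
            }
        }' "$1"
}

demo_dir=$(mktemp -d)
# Constructed sample files, not copied from a real system.
cat > "$demo_dir/strict.config" <<'EOF'
jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 3072
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4
EOF
cat > "$demo_dir/relaxed.config" <<'EOF'
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4
EOF

# Check the samples, plus the host's own file when it exists (assumed path).
for f in "$demo_dir"/*.config /etc/crypto-policies/back-ends/java.config; do
    [ -r "$f" ] || continue
    echo "== $f"
    sha1_entries "$f"
done
```

On the affected host, `update-crypto-policies --show` prints the active policy name, and `update-crypto-policies --set DEFAULT` followed by a reboot is the change the post describes.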