##[error][SQ] API GET '/api/server/version' failed, error was: {"code":"CERT_CHAIN_TOO_LONG"}

We are using Azure DevOps Server 2020 on-premises and SonarQube Enterprise 8.9.4.

Since updating the VSTS extension from 4.25.1 to 5.1.1, we get the following error in the Prepare task:

##[error][SQ] API GET '/api/server/version' failed, error was: {"code":"CERT_CHAIN_TOO_LONG"}

We are using the NODE_EXTRA_CA_CERTS environment variable to set our PEM file for the agents.
No changes here… Only the extension was updated.
Certs are valid.

Any ideas how we can fix this?

THX

Hi @ArminPrieschl
thanks for this report.
The 4.23 and 5.1 task versions would mostly differ in their dependencies, with Node pushed to version 10 (was 6), but I don’t believe any specific change was applied to SSL settings.
This behavior change is probably triggered by the update, in Node 10, of the underlying openssl implementation. As per OpenSSL documentation, the default maximum chain length is 10, in version 10. I did not find what the value was in Node 6.

As the VSTS extension in version 5 was expressly targeting certificate problems, if it causes new problems for you, you should continue to use version 4 while we check version 5 behavior.

Can you provide this additional information about your setup:

  • What is the length of your certificate chain?
  • What is the version of your TFS agent?

Hi @Sylvain_Combe

Length of certificate chain: 5
Agent Version: 2.181.2

I noticed that it no longer works even with V4, but with the message:
##[error][SQ] API GET '/api/server/version' failed, error was: {"code":"UNABLE_TO_GET_ISSUER_CERT"}

That’s why I checked my PEM file, which is automatically created daily with a PowerShell script from the Windows certificate store.
Therefore the error has nothing to do with the task update… It just happened at the same time,
and the message CERT_CHAIN_TOO_LONG was a bit confusing in this case.

Unfortunately I cannot say exactly what has changed in the Windows cert store on my server.

I have now only inserted the required certificates in the PEM file. => It works again now.

THX

1 Like
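
A structural check for an automatically generated PEM bundle like the one described in this thread, added here as an example and not code from any poster or from SonarQube: it counts certificate blocks and flags duplicates, non-certificate blocks and truncated blocks before the file is handed to Node through NODE_EXTRA_CA_CERTS. The function name `auditPemBundle`, the `pem` helper and the sample bundle are constructed for illustration, and the check does not build or verify the chain itself.

```javascript
// Added example: structural audit of a PEM bundle such as the NODE_EXTRA_CA_CERTS file.
const crypto = require('crypto');
const fs = require('fs');

const BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

function auditPemBundle(text) {
  const report = { certificates: [], duplicates: [], nonCertificate: [], malformed: [] };
  const seen = new Map(); // SHA-256 of DER bytes -> index of first occurrence
  let index = 0;
  for (const [, label, body] of text.matchAll(BLOCK)) {
    index += 1;
    const b64 = body.replace(/\s+/g, '');
    if (label !== 'CERTIFICATE') {          // e.g. PRIVATE KEY or X509 CRL exported by mistake
      report.nonCertificate.push({ index, label });
      continue;
    }
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
      report.malformed.push({ index, reason: 'body is not valid base64' });
      continue;
    }
    const der = Buffer.from(b64, 'base64');
    if (der[0] !== 0x30) {                  // a DER certificate starts with a SEQUENCE tag
      report.malformed.push({ index, reason: 'not a DER SEQUENCE' });
      continue;
    }
    const sha256 = crypto.createHash('sha256').update(der).digest('hex');
    if (seen.has(sha256)) report.duplicates.push({ index, firstSeenAt: seen.get(sha256), sha256 });
    else { seen.set(sha256, index); report.certificates.push({ index, sha256 }); }
  }
  // Markers that remain once complete blocks are removed belong to truncated blocks.
  const leftovers = text.replace(BLOCK, '').match(/-----(BEGIN|END) [^-]+-----/g) || [];
  for (const marker of leftovers) report.malformed.push({ index: null, reason: 'unpaired ' + marker });
  return report;
}

// Constructed sample: payloads are placeholder DER bytes, not real certificates or keys.
const pem = (label, bytes) =>
  `-----BEGIN ${label}-----\n${Buffer.from(bytes).toString('base64')}\n-----END ${label}-----\n`;
const SAMPLE = pem('CERTIFICATE', [0x30, 3, 2, 1, 1]) + pem('CERTIFICATE', [0x30, 3, 2, 1, 2]) +
  pem('CERTIFICATE', [0x30, 3, 2, 1, 1]) + pem('PRIVATE KEY', [0x30, 3, 2, 1, 9]) +
  '-----BEGIN CERTIFICATE-----\nMAMCAQ\n';  // truncated final block

// Audit the agent's real bundle when NODE_EXTRA_CA_CERTS points at one, else the sample.
const bundlePath = process.env.NODE_EXTRA_CA_CERTS;
const bundleText = bundlePath && fs.existsSync(bundlePath) ? fs.readFileSync(bundlePath, 'utf8') : SAMPLE;
console.log(JSON.stringify(auditPemBundle(bundleText), null, 2));
```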