Getting 'unable to verify leaf signature' error in VSTS prepare task

Hi there,

We are using SonarQube with VSTS, and we have now run into an issue; please see the following picture for your reference:

Please help us, thanks.

Hi Leo,

Looks like you’re hitting an error from the underlying Node.js framework that the VSTS task is based on. More information here: https://developer.ibm.com/answers/questions/26698/unable-to-verify-leaf-signature-when-calling-rest-apis-from-node-js/

FYI you can leverage comments on VSTS-147 for hints on passing extra certificates if needed (though again this is a pure Node.js consideration).

Did you ever get a resolution for this? I’m encountering the same issue but with TFS on prem.

As stated by Nicolas, this is caused by incomplete certificate chains. You have to ensure that the server terminating the SSL in front of your SonarQube returns potential intermediate certificates.
You could use https://www.ssllabs.com/ssltest to check if certificates are missing.

Hello, when I want to replicate your steps I get this error “##[error] [SQ] API GET '/api/server/version' failed, the error was: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}”, in step Prepare the analysis in SonarQube. Can you help me? Thank you

Was anyone able to solve this problem?

Since this is the latest reference I’ve found of this issue online, I’ll write the solution that worked for me:

  1. Make sure that the SSL termination on your SonarQube publishes a full chain from the SonarQube certificate to your root CA.
  2. Set NODE_EXTRA_CA_CERTS to point to your root CA in .pem format.

This should suffice for the prepare analysis task to work properly.
If you’re using the standalone scanner option in the run code analysis task, make sure to add your root CA to your Java keystore.
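
To tell which of the two fixes in the last post applies, the following added example (not code from the thread or from the SonarQube extension) reads the chain a server presents and the verification error Node.js reports for it. The `SONAR_HOST` variable, the finding labels and the sample certificate object are assumptions made for illustration.

```javascript
const tls = require('node:tls');

// Follow issuerCertificate links from the leaf, as returned by
// socket.getPeerCertificate(true). Node represents a self-signed root as a
// certificate whose issuerCertificate is the certificate itself.
function walkChain(leaf) {
  const names = [];
  let reachesRoot = false;
  for (let cert = leaf; cert && cert.subject; cert = cert.issuerCertificate) {
    names.push(cert.subject.CN);
    if (cert.issuerCertificate === cert) { reachesRoot = true; break; }
  }
  return { names, reachesRoot };
}

// Error codes Node reports when a certificate above the leaf, typically the root, is unknown.
const ROOT_UNKNOWN = new Set(['UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'UNABLE_TO_GET_ISSUER_CERT', 'SELF_SIGNED_CERT_IN_CHAIN']);

// Map Node's verification error to the fixes (finding labels are made up here).
function diagnose(leaf, authorizationError) {
  const { names, reachesRoot } = walkChain(leaf);
  let finding = 'other';
  if (!authorizationError) finding = 'trusted';
  else if (authorizationError === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE')
    finding = 'leaf-issuer-missing'; // serve intermediates; trust a private issuer via NODE_EXTRA_CA_CERTS
  else if (ROOT_UNKNOWN.has(authorizationError))
    finding = 'root-not-trusted';    // chain is served; point NODE_EXTRA_CA_CERTS at the root
  return { names, reachesRoot, finding, extraCa: process.env.NODE_EXTRA_CA_CERTS || null };
}

// Handshake only: verification is not enforced so the presented chain can be read.
function probe(host, port = 443) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      resolve(diagnose(socket.getPeerCertificate(true), socket.authorizationError));
      socket.end();
    });
    socket.on('error', reject);
  });
}

// Constructed sample input shaped like getPeerCertificate(true) output.
const leafOnly = { subject: { CN: 'sonarqube.example.com' } };
console.log(diagnose(leafOnly, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'));

// SONAR_HOST is a hypothetical variable: set it to probe a real server.
if (process.env.SONAR_HOST) probe(process.env.SONAR_HOST).then(console.log, console.error);
```

Run it on the build agent itself, with the same `NODE_EXTRA_CA_CERTS` value the agent uses, so the result reflects the trust store the prepare task actually sees.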