Getting UNABLE_TO_VERIFY_LEAF_SIGNATURE while running SonarQubePrepare task

Hi all,
we are trying to integrate Azure DevOps Server with SonarQube.

These are the details of our environment:

  • Azure DevOps Server 2020 update 1
  • SonarQube 9.6.1 (Developer Edition)
  • SonarScanner for Azure DevOps 5.8.0

The VSTS build SERVER is installed on Ubuntu Linux while the SonarQube server is running on a Linux container in Kubernetes.
Everything is on premise and all the web sites are using https with certificates provided by our internal CA.

Problem details

During the “Prepare Analysis Configuration” task we get the error

##[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”: “UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

I have seen from other posts that this error is quite common and is due to an SSL certificate problem.
the solution usually proposed is.

  1. set NODE_EXTRA_CA_CERTS to point to your root ca in a .pem format
  2. if using the standalone scanner option in the run code analysis task make sure to add the root ca to the java keystore

However, in no post is the solution described in detail.
Is it possible from those who have solved the problem to attach the detailed solution, especially related to point 1? (NODE_EXTRA_CA_CERTS)

Thanks in advance

Hi, could you please clarify if you are running into this error message on the scanner side, or on SonarQube side?

Hi, it happens on the scanner side

Hi, In this situation the recommended way is to add your custom certificate by defining the environment variable NODE_EXTRA_CA_CERTS to specify the path to the certificate.

See this post or this one for similar questions.

Hi Pierre, I did it, so far without success.
I report here the commands executed:

sudo chmod a+rwx cert.crt
export NODE_EXTRA_CA_CERTS=/ca/cert.crt

I’ve tried different certificates:

  • the wildcard certificate
  • the wildcard certificate + the intermediate + the root of our internal CA
  • the root of our internal CA

After each change I restarted the VSTS build SERVER.