GitLab Integration doesn't work with self-signed certificate: unable to find valid certification path

Hi,

We are using the following versions:

  • SonarQube Community: v10.6.92116

  • GitLab Free: v17.1

SonarQube is deployed via zip on a Windows server, and GitLab is self-hosted and uses a self-signed certificate.

What I’m trying to do

I’m trying to add the GitLab DevOps Platform Integration into our SonarQube.

Related logs

I get the following error in web.log:


2024.07.02 12:04:57 INFO web[][o.s.a.c.g.GitlabApplicationClient] Gitlab API call to [https://gitlab.example.com/api/v4/projects] failed with error message : [PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have attempted to import the certificate into the Java trust store, and now I get this log in sonar.log when SonarQube starts (DEBUG level enabled):


2024.07.02 10:34:14 DEBUG app[][jdk.event.security] X509Certificate: Alg:SHA256withRSA, Serial:45cd46d7c2e767f31a591d77f9599e2e, Subject:CN=gitlab.example.com, O=Org, L=Brno, ST=CR, C=CZ, Issuer:C=SK, O="Example Organization", CN=Example CA, Key type:RSA, Length:2048, Cert Id:1047345666, Valid from:03.03.23 15:22, Valid until:03.03.25 16:22

From this log I assume that the certificate has been successfully imported into the Java runtime.

Here are some similar issues that did not help solve my problem:

1. Self signed certificate SonarScanner #18973

In this issue the log is different, and the Subject Alt Names are actually defined correctly in our certificate:


Subject Alt Names

DNS Name gitlab

DNS Name gitlab.example.com

2. SonarQube not Connecting to a self-signed certificate GitLab server #58023

Based on the log from sonar.log, the certificate is actually imported into the JRE, so the solution that helped there does not seem to work for me, unless I'm wrong about the CA certificate being imported into the JRE.

Any ideas on how to fix this?

Thanks in advance,
Ondrej

Hey @bubliman

A tool like SSLPoke is great for removing SonarQube from the equation and making sure your certs have been imported correctly. Can you give it a try? Make sure it’s running with the same JVM you’re starting SonarQube with.

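To make the SSLPoke check above concrete, here is an added, SSLPoke-style probe written for this thread (it is not SonarQube's code, nor Atlassian's SSLPoke). It does a TLS handshake with the JVM's default trust material, the same resolution SonarQube's web process falls back to when no javax.net.ssl.trustStore is configured, turns on hostname verification so it is as strict as an HTTP client, and prints which JVM and trust store were used plus the chain and SANs the server presented. The host name and port defaults are placeholders taken from the post; pass your own on the command line.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

/**
 * TrustCheck: minimal SSLPoke-style probe (added example, not SonarQube code).
 * Handshakes against host:port using the JVM's default trust store, with
 * hostname verification enabled, and prints the presented certificate chain.
 */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        // Defaults are placeholders (assumed from the thread); override on the command line.
        String host = args.length > 0 ? args[0] : "gitlab.example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Show which JVM and trust store are actually in play. The usual reason an
        // import "worked" but the application still fails is that it went into a
        // different JVM's cacerts than the one the application starts with.
        System.out.println("java.home  = " + System.getProperty("java.home"));
        System.out.println("trustStore = " + System.getProperty("javax.net.ssl.trustStore",
                "(not set: defaults to <java.home>/lib/security/cacerts)"));

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // A bare SSLSocket does not check the hostname against the SANs;
            // HTTP clients do, so enable it to match what the GitLab client enforces.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();

            System.out.println("Handshake OK (" + socket.getSession().getProtocol() + ", "
                    + socket.getSession().getCipherSuite() + ")");

            Certificate[] chain = socket.getSession().getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("[" + i + "] subject=" + c.getSubjectX500Principal());
                System.out.println("    issuer  =" + c.getIssuerX500Principal());
                System.out.println("    notAfter=" + c.getNotAfter());
                Collection<List<?>> sans = c.getSubjectAlternativeNames();
                if (sans != null) {
                    for (List<?> san : sans) {
                        // Each entry is [type, value]; type 2 is dNSName, type 7 is iPAddress.
                        System.out.println("    SAN type=" + san.get(0) + " value=" + san.get(1));
                    }
                }
            }
        } catch (SSLHandshakeException e) {
            // Same exception class SonarQube logged: "PKIX path building failed" means the
            // issuing CA is not in the trust store this JVM is using; a hostname-related
            // message means the SANs do not cover the name you connected to.
            System.out.println("Handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the JVM SonarQube starts with, for example `"%JAVA_HOME%\bin\java" TrustCheck.java gitlab.example.com 443` (single-file launch works on Java 11 and later), and compare the printed `java.home` with the JVM your start script resolves. To add the issuing CA to that JVM's bundled store, use its own keytool: `keytool -importcert -trustcacerts -cacerts -alias example-ca -file example-ca.pem` (default password `changeit`; `-cacerts` targets the bundled store on JDK 9 and later). Alternatively, keep a separate store and hand it to the web process through `sonar.web.javaAdditionalOpts=-Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pw>` in conf/sonar.properties. Two caveats worth checking in this thread's situation: the failing call is logged by `web[]` while the certificate event was logged by `app[]`, and those are separate JVM processes, so trust settings have to reach the web process; and the bundled cacerts file is replaced on every JDK upgrade, so an import into it silently disappears when the JDK is updated.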

Hey,
thanks for the info, I’ll try out the tool you’ve recommended.

I was reading the docs and stumbled on this:

Import from DevOps Platforms (Enterprise edition and above): If your project is bound to a DevOps platform and you want to benefit from the integration features out of the box (pull request decoration, code scanning alerts, permission synchronization, etc.), go to Create Project > Import from DevOps Platforms from the homepage.
Creating and importing projects

So at this point I’m not even sure whether it is worth it / possible to fix these issues, because the functionality that I wanted to use here is only Enterprise and above. Are there any other benefits to integrating GitLab into SonarQube?

I guess at least one platform is possible in the Community version, so the docs are a bit misleading.

So far I have been able to run scans using GitLab CI, so I'm wondering what the integration would actually do for us.

It will allow you to easily select repos to onboard from your connected GitLab server (and auto-generate project keys, etc.), but you're right, the integration is fairly insignificant with Community Edition.

Hi @Colin,
Managed to fix the issue by importing the CA certificate into the Java TrustStore. SSLPoke was extremely helpful, thanks for your help.

Take care,
bubliman
