Ignore AzureDevops Certificate validation

Hello !

I’m trying to connect to our on premise AzureDevOps instance.
I’m installing SonarQube Developer 9.8

Sonar is installed in http on its own server
Same goes for Azure DevOps

Both are “published” through an F5 appliance and are then accessed through https :

Problem comes when sonar tries to access https://azuredevops.ourdomain.com

2022.12.26 17:26:17 ERROR web[][o.s.a.c.a.AzureDevOpsHttpClient] Unable to contact Azure DevOps server for request [https://azuredevops.ourdomain.com/MainCollection/_apis/projects?api-version=3.0]: [PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

The certificate on the F5 is a wildcard public certificate (*.ourdomain.com)

What I tried so far :

  • -Dcom.sun.net.ssl.checkRevocation=false in sonar.web.javaOpts
  • -Dcom.sun.net.ssl.checkRevocation=false in sonar.web.javaAdditionalOpts
  • .\keytool -import -v -trustcacerts -alias ipa -file ourdomain-chain.pem -keystore ..\lib\security\cacerts -noprompt -storepass changeit adding the chain certs to java cacerts then adding -Djavax.net.ssl.trustStore=D:\\javaXXXX\\lib\\security\\cacerts -Djavax.net.ssl.trustStorePassword=changeit to sonar.web.javaOpts

I have tested these options against :

  • RedHat OpenJDK 11.0.2
  • RedHat OpenJDK 11.0.3
  • RedHat OpenJDK
  • RedHat OpenJDK

When starting manually the instance, the parameters do appear in the [web] startup of sonarqube.

Is there a working way to the make Sonar completely ignore the validation ? or tell me which certificates I have to put in the cacerts ?
Internal policies prohibit the change http to https directly on the instance.

Any help appreciated !
Thank you

It turned out https://azuredevops.ourdomain.com was not going through the F5 and was self-signed. :face_with_diagonal_mouth:

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.