I’m trying to configure the SonarLint plugin for Intellij so that it connects to our internal Sonarqube server. But when I configure the connection to the server using a token, the connection always fails with the error “Failed to connect to the server. Please check the configuration. Error: Not authorized. Please check server credentials”. I’m providing the additional certificate that is required for the connection as part of the VM configuration.
In the log the following error is shown:
Connection test failed
java.lang.IllegalStateException: Not authorized. Please check server credentials.
at org.sonarsource.sonarlint.core.serverapi.ServerApiHelper.handleError(ServerApiHelper.java:103)
at org.sonarsource.sonarlint.core.serverapi.ServerApiHelper.get(ServerApiHelper.java:71)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.lambda$fetchServerInfos$0(ServerVersionAndStatusChecker.java:97)
at org.sonarsource.sonarlint.core.serverapi.ServerApiHelper.processTimed(ServerApiHelper.java:198)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.fetchServerInfos(ServerVersionAndStatusChecker.java:96)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:60)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:50)
at org.sonarsource.sonarlint.core.client.api.connected.ConnectionValidator.validateConnection(ConnectionValidator.java:44)
at org.sonarlint.intellij.tasks.ConnectionTestTask.run(ConnectionTestTask.java:48)
at com.intellij.openapi.progress.impl.CoreProgressManager.startTask(CoreProgressManager.java:450)
at com.intellij.openapi.progress.impl.ProgressManagerImpl.startTask(ProgressManagerImpl.java:117)
at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcessWithProgressSynchronously$8(CoreProgressManager.java:556)
at com.intellij.openapi.progress.impl.ProgressRunner.lambda$new$0(ProgressRunner.java:81)
at com.intellij.openapi.progress.impl.ProgressRunner.lambda$submit$3(ProgressRunner.java:243)
at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcess$2(CoreProgressManager.java:183)
at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:705)
at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:647)
at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:63)
at com.intellij.openapi.progress.impl.CoreProgressManager.runProcess(CoreProgressManager.java:170)
at com.intellij.openapi.progress.impl.ProgressRunner.lambda$submit$4(ProgressRunner.java:243)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:668)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:665)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1.run(Executors.java:665)
at java.base/java.lang.Thread.run(Thread.java:829)
I’m using IntelliJ IDEA 2021.2 and Sonarlint 5.2.0.35150.
How can I find out what is actually going wrong? The token should be fine as I created it only for that specific connection.
This situation can be tricky to debug. First let me ask some questions:
Is there a proxy between you and your SonarQube instance ? It could be that this proxy doesn’t forward the credentials properly or that some credentials/configuration is missing
you mentioned a certificate, is it a server or a client certificate ? When you say you configured it in your VM, how did you do it ?
For both proxy and server certificates, there are settings in IntelliJ that need to be configured as shown here:
No, there is no proxy server involved - I’m using a direct connection to the Sonarqube server.
I’m using a client certificate to access the server and it is configured in the custom VM options:
-Djavax.net.ssl.keyStoreType=PKCS12
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.keyStore=/Users/hflocken/certificate.p12
So far no Server certificate was configured. In the Server Certificate section I have now added the certificate of the Sonarqube server as well as the certificates of the 2 CAs.
I restarted IntelliJ, but I’m still getting the same error.
Where did you use those VM options ? How do you provide them to IntelliJ ? Did you create the connection in SonarLint using https:// ? Might be trivial but I’m trying to guess here.
This error happens on a call to api/system/status on the server, and this call does not need authentication, so it’s not a problem with the token. The call returns a 401 which suggests a problem with the client certificate.
Could you have a look in IntelliJ logs ? You can find the log file through IntelliJ (Help > Show Log in Finder in your case). You should see some traces related to the key store, like:
Loading custom key store specified with VM options: …
By any chance do you have a way to debug the request that is received on the server ?
I added the VM Options using Help → Edit Custom VM Options…
I tried to connect to the Sonarqube server again and afterwards checked the idea.log. But I wasn’t able to find any log entries from the plugin or the connection.
I guess this might be somehow an internal issue with the domain names. I’m connecting to the domain https://new.domain.com/sonarqube and that fails. The old domain was https:/old.domain.com/sonarqube and there still seems to be an outdated version of Sonarqube. I’m able to connect to that one, but then I get an error that the repository cannot be found.
The strange thing is that when I use openssl s_client -connect new.domain.com:443 the certificate of old.domain.com is returned. But when I use curl -kv https://new.domain.com I’m receiving the correct page from the new domain.
Pretty confusing I guess
Is there a way to change the debug level of IntelliJ so that I can see a trace of the SSL connection? I tried adding :trace to Diagnostic Tools → Debug Log Settings… But the change is not stored and it doesn’t change the logging.
From the logs you posted, I can see that the request we make to the SQ instance is redirected:
redirect requested to location ‘https://[REDACTED]/saml-login?redirect=%2fsonarqube%2fapi%2fsystem%2fstatus’
I guess providing the client certificate is not enough, there is a SSO service expecting some authentication (through cookies or maybe headers).
We don’t support this use case for the moment in SonarLint, and I don’t see any workaround. You could try to contact your security/tools administrator, they might come with some ideas.
I also encourage you to open a feature request on this forum, with the sonarlint tag.
