Invalid Azure URL or Personal Access Token (Azure DevOps Server)

SonarQube ID information
Server ID: 147B411E-AZBzTJ15JZa3c5yA42WR
Version: 10.6.0.92116
Date: 2024-07-03
Windows Server 2019
Deployed as ZIP

I am trying to set up Azure DevOps integration. We are using a self-hosted Azure DevOps 2022 with a self-signed certificate.

I followed the steps to set up the DevOps platform integration and the PAT I use has the required permissions.

I exported the certificate and added it to the Java trust store and the Trusted Root Certificate Authorities store on the machine running SonarQube. But I am still unable to register our Azure DevOps Server in SonarQube using HTTPS. I set the log level of SonarQube to Debug and in the web log the following can be found (server and collection masked!):

2024.07.03 14:46:16 DEBUG web[3efdf88d-3497-400b-a743-1027a0a2be93][o.s.w.c.OkHttpClientBuilder] --> GET https://<our_server>/tfs/<our_collection>/_apis/projects?api-version=3.0
2024.07.03 14:46:16 DEBUG web[3efdf88d-3497-400b-a743-1027a0a2be93][o.s.w.c.OkHttpClientBuilder] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024.07.03 14:46:16 ERROR web[3efdf88d-3497-400b-a743-1027a0a2be93][o.s.a.c.a.AzureDevOpsHttpClient] Unable to contact Azure DevOps server for request [https://<our_server>/tfs/<our_collection>/_apis/projects?api-version=3.0]: [PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Calling the URL found in the logs above returns the appropriate JSON data from the Azure DevOps server and the used certificate is shown as trusted.

I have absolutely no idea what I am doing wrong.

Hey @bubliman

A tool like SSLPoke is great for removing SonarQube from the equation and making sure your certs have been imported correctly. Can you give it a try? Make sure it’s running with the same JVM you’re starting SonarQube with.


Hi @Colin ,

I am no Java developer and barely know how to fix issues with Java. But when trying to compile SSLPoke I get errors:

java -version
openjdk version "17.0.11" 2024-04-16
OpenJDK Runtime Environment Temurin-17.0.11+9 (build 17.0.11+9)
OpenJDK 64-Bit Server VM Temurin-17.0.11+9 (build 17.0.11+9, mixed mode, sharing)

Any other options?

You can just grab the jar from here.

This returns:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
        at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(Unknown Source)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(Unknown Source)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(Unknown Source)
        at sk.mhecko.ssl.SSLPoke.main(SSLPoke.java:27)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at java.base/sun.security.validator.Validator.validate(Unknown Source)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 20 more

Then you can be sure it’s an issue with Java having the right certs installed, rather than an issue with SonarQube.

So this step seems to have gone wrong.

For what it’s worth, I’ve always found this tutorial and this guide quite useful when I’m stuck with certs and Java.

Hi Colin,

I think I am getting closer to it, but I still have no idea how to solve the issue. I imported the certificate to C:\Program Files\Eclipse Adoptium\jre-17.0.11.9-hotspot\cacerts. Neither SSLPoke nor SonarQube seems to find this keystore.

I made another test creating my own keystore and trying it with that keystore with SSLPoke:

java -Djavax.net.ssl.trustStore=my.keystore -Djavax.net.ssl.trustStorePassword=****** -jar SSLPoke.jar <server> 443
Successfully connected
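
Added example, not part of the thread or of SSLPoke: a small Java check for the keystore confusion described in the post above. It resolves the truststore file the JVM's default TLS stack reads (the `javax.net.ssl.trustStore` property, else `lib/security/jssecacerts`, else `lib/security/cacerts` under `java.home`) and reports whether a given certificate file is in it; the class name `TrustStoreCheck` and the default password `changeit` are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

// Added example (not from the thread): reports which truststore this JVM's
// default TLS stack reads and whether a given certificate is in it.
public class TrustStoreCheck {

    // Default JSSE lookup order: -Djavax.net.ssl.trustStore, then
    // <java.home>/lib/security/jssecacerts, then <java.home>/lib/security/cacerts.
    static File resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return new File(override);
        File securityDir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(securityDir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(securityDir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        File store = resolveTrustStore();
        // Assumption: the store uses the JDK default password "changeit"
        // unless -Djavax.net.ssl.trustStorePassword says otherwise.
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(store, password); // detects JKS vs PKCS12
        System.out.println("java.home  : " + System.getProperty("java.home"));
        System.out.println("truststore : " + store.getAbsolutePath());
        System.out.println("entries    : " + ks.size());
        if (args.length == 0) return; // no certificate file given: report only

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) { // PEM or DER encoded
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        System.out.println("subject    : " + cert.getSubjectX500Principal().getName());
        System.out.println("issuer     : " + cert.getIssuerX500Principal().getName());
        System.out.println("sha256     : " + HexFormat.of().formatHex(digest));
        String alias = ks.getCertificateAlias(cert); // null when the cert is not in the store
        System.out.println(alias != null ? "trusted as alias: " + alias : "NOT in this truststore");
    }
}
```

Run it as `java TrustStoreCheck.java <certificate file>` with the same `java` binary that starts SonarQube, so that `java.home` matches the JVM being diagnosed.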

After importing to the correct keystore it works. Magic :slight_smile:

But now I am getting the same issue when trying to run analysis from an Azure DevOps Pipeline in step Prepare analysis on SonarQube

##[warning]Error while executing SonarQube:Prepare task: [SQ] API GET '/api/server/version' failed, error is request to https://sonarqube.local/api/server/version failed, reason: unable to verify the first certificate
##[error][SQ] API GET '/api/server/version' failed, error is request to https://sonarqube.local/api/server/version failed, reason: unable to verify the first certificate

Believe it or not there’s another layer you have to consider when using the Extension for Azure DevOps, which is NodeJS.

Self-signed certs are a real pain. :slight_smile:

NODE_EXTRA_CA_CERTS environment variable can be used to extend the certs available to NodeJS.

I have now placed the certificate of the reverse proxy, the certificate of the AzDO server and the intermediate certificate in one PEM file and set the NODE_EXTRA_CA_CERTS environment variable to the path of the PEM file.

The configuration was made on the server hosting the Azure Build Agent. On the same server SonarQube is running right now.

But I still get the error from above.

Ok problem solved. I have added the certificate of the reverse proxy to the Azure DevOps server.
Then the analysis started and I can now analyze the results in SonarQube.
