Invalid Azure URL or Personal Access Token

We use the Azure DevOps ALM Integration for pull request decoration.
After the update to Sonarqube 8.9.0 build 43852 this functionality has stopped working. In the configuration section for the ALM Integration I get the error “Invalid Azure URL or Personal Access Token”.

At first I tried to generate a new access token (with full access) just to verify that this was still correct and double checked the url. I searched for this error and came across this post: Invalid Azure URL or Personal Access Token for ALM Integration.
I followed the tips in this post to check what could be the problem. I enabled debug logging in Sonarqube and rechecked the connection to Azure DevOps.
Upon checking the logs, the only line I see in the logging is the one that says “checking pat” with the url of our DevOps server. So this suggest that Sonarqube can’t create te tls/ssl secure channel. I verified that the certificates for DevOps are trusted in the JVM TrustStore and when I open the url from the log in a browser I get a result.

What am I missing here?
For some reason it’s not working for us anymore and I have no idea why anymore.

Hi @FreddieH,

In order to better understand your issue, I’d need to know from which version of SonarQube you were migrating from?

I’d also recommend reviewing all the information you’ve input in the Azure DevOps ALM settings page. Is your Azure DevOps Server URL containing the collection part? Has your token the proper permissions? All the information you need are available here.

Let me know if you find anything wrong.

Cheers

Hi @Philippe_Perrin,

We have upgraded from version 8.5.1.38104.
In the previous version everything was working correctly. I did not change anything in the ALM settings after upgrading. I did try different url’s (with/without the collection part) but to no avail.
The token was still valid, but I did generate a new one with the correct permissions and even tried a token with full access.

In the ce log when the code for a pull request is checked I see this error:
ce[AXmIvM7QOgS_MgHpdDX7][c.s.F.D.D.C] Pull Request decoration failed
java.lang.IllegalArgumentException: Unable to contact Azure DevOps server
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname xxx not verified:

So I still think it is caused by sonarqube not able to create the connection because of the certificate validation. I checked the certificate again with the help of the java keytool and the SSL certificate and the CA certificate are both there.

Hey @FreddieH

SonarQube uses a library called OkHTTP to handle things like communication over SSL. At some point in the past, when upgrading the version of OkHTTP used in SonarQube, it became no longer valid to use a certificate with the hostname only declared in the CN.

Hostnames now need to be defined in the subjectAltNames of a certificate in order for SSL to function correctly.

This is typically the cause of the issue seen above.

Can you check the certificate installed on your Azure DevOps server and see if this is indeed the case?

Hey @Colin,

Looks like this is the issue since the certificate doesn’t have the subject alt names. Is there a workaround we can use or do we need to replace the certificate?

No workaround that I’m aware of besides reissuing the cert with the subject alt names, I’m afraid.

We replaced the certificate with a new one. Everything is working again.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.