Invalid certificate for downloads.sonarsource.com due to missing intermediate?

Hello,

we try to download stuff from downloads.sonarsource.com. However, we get a certificate error:

$ python3 -c 'import urllib.request; urllib.request.urlopen("https://downloads.sonarsource.com/plugins/")'
Traceback (most recent call last):
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 1229, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 1275, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 1016, in _send_output
    self.send(msg)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 956, in send
    self.connect()
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 1392, in connect
    server_hostname=server_hostname)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

This is not a problem when browsing with e.g. Safari, as the intermediate is cached by browsers.

PS: binaries.sonarsource.com does not have this problem and uses the same intermediate:

$ python3 -c 'import urllib.request; print(urllib.request.urlopen("https://binaries.sonarsource.com/").read())'
b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n<html>\n <head>\n  <title>Index of /</title>\n </head>\n <body>\n<h1>Index of /</h1>\n<ul><li><a href="CommercialDistribution/"> CommercialDistribution/</a></li>\n<li><a href="Distribution/"> Distribution/</a></li>\n<li><a href="SonarLint-for-Eclipse/"> SonarLint-for-Eclipse/</a></li>\n<li><a href="robots.txt"> robots.txt</a></li>\n<li><a href="sonarsource-public.key"> sonarsource-public.key</a></li>\n</ul>\n</body></html>\n'

Hi,

Thanks for this report.

Could you share where you’re getting the links to downloads.sonarsource.com? I have the feeling that’s the root of the problem; you should probably be pointed to binaries.sonarsource.com instead.

 
Ann

Hello @ganncamp,

we have scripting to update the plugins in our Docker image. For this we analyze https://update.sonarsource.org/update-center.properties

$ curl -s https://update.sonarsource.org/update-center.properties | grep downloads.sonarsource.com
scmcvs.1.0.downloadUrl=https\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-cvs-plugin/1.0/sonar-scm-cvs-plugin-1.0.jar
java.3.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-java-plugin/3.2/sonar-java-plugin-3.2.jar
javascript.2.5.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/javascript/sonar-javascript-plugin/2.5/sonar-javascript-plugin-2.5.jar
findbugs.2.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-findbugs-plugin/2.4/sonar-findbugs-plugin-2.4.jar
xml.1.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/xml/sonar-xml-plugin/1.2/sonar-xml-plugin-1.2.jar
web.2.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-web-plugin/2.3/sonar-web-plugin-2.3.jar
l10nde.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-de-plugin/1.1/sonar-l10n-de-plugin-1.1.jar
scmgit.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-git-plugin/1.0/sonar-scm-git-plugin-1.0.jar
java.3.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-java-plugin/3.3/sonar-java-plugin-3.3.jar
ldap.1.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-ldap-plugin/1.4/sonar-ldap-plugin-1.4.jar
scmsvn.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-svn-plugin/1.0/sonar-scm-svn-plugin-1.0.jar
javascript.2.6.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/javascript/sonar-javascript-plugin/2.6/sonar-javascript-plugin-2.6.jar
pmd.2.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-pmd-plugin/2.3/sonar-pmd-plugin-2.3.jar
python.1.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/python/sonar-python-plugin/1.3/sonar-python-plugin-1.3.jar
l10nel.1.8.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-el-plugin/1.8/sonar-l10n-el-plugin-1.8.jar
groovy.1.0.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-groovy-plugin/1.0.1/sonar-groovy-plugin-1.0.1.jar
l10nfr.1.13.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-fr-plugin/1.13/sonar-l10n-fr-plugin-1.13.jar
groovy.1.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-groovy-plugin/1.1.1/sonar-groovy-plugin-1.1.1.jar
scmgit.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-git-plugin/1.1/sonar-scm-git-plugin-1.1.jar
csharp.4.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/dotnet/csharp/sonar-csharp-plugin/4.0/sonar-csharp-plugin-4.0.jar
scmsvn.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-svn-plugin/1.1/sonar-scm-svn-plugin-1.1.jar
pmd.2.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-pmd-plugin/2.4/sonar-pmd-plugin-2.4.jar
python.1.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/python/sonar-python-plugin/1.4/sonar-python-plugin-1.4.jar
php.2.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/php/sonar-php-plugin/2.4/sonar-php-plugin-2.4.jar
scmperforce.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-perforce-plugin/1.0/sonar-scm-perforce-plugin-1.0.jar
scmtfvc.1.0.downloadUrl=https\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-tfs-plugin/1.0/sonar-scm-tfs-plugin-1.0.jar
pitest.0.6.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-pitest-plugin/0.6/sonar-pitest-plugin-0.6.jar
scmmercurial.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-mercurial-plugin/1.0/sonar-scm-mercurial-plugin-1.0.jar
clover.3.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-clover-plugin/3.0/sonar-clover-plugin-3.0.jar
python.1.5.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/python/sonar-python-plugin/1.5/sonar-python-plugin-1.5.jar
php.2.4.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/php/sonar-php-plugin/2.4.1/sonar-php-plugin-2.4.1.jar
findbugs.3.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-findbugs-plugin/3.0/sonar-findbugs-plugin-3.0.jar
php.2.5.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/php/sonar-php-plugin/2.5/sonar-php-plugin-2.5.jar
scmjazzrtc.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-jazzrtc-plugin/1.1/sonar-scm-jazzrtc-plugin-1.1.jar
scmperforce.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-perforce-plugin/1.1/sonar-scm-perforce-plugin-1.1.jar
csharp.3.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/dotnet/csharp/sonar-csharp-plugin/3.2/sonar-csharp-plugin-3.2.jar
scmmercurial.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-mercurial-plugin/1.1/sonar-scm-mercurial-plugin-1.1.jar
javascript.2.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/javascript/sonar-javascript-plugin/2.2/sonar-javascript-plugin-2.2.jar
l10nit.1.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-it-plugin/1.3/sonar-l10n-it-plugin-1.3.jar
findbugs.3.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-findbugs-plugin/3.1/sonar-findbugs-plugin-3.1.jar
php.2.6.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/php/sonar-php-plugin/2.6/sonar-php-plugin-2.6.jar
csharp.3.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/dotnet/csharp/sonar-csharp-plugin/3.3/sonar-csharp-plugin-3.3.jar
l10nko.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-ko-plugin/1.0/sonar-l10n-ko-plugin-1.0.jar
crowd.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-crowd-plugin/1.0/sonar-crowd-plugin-1.0.jar
checkstyle.2.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-checkstyle-plugin/2.2/sonar-checkstyle-plugin-2.2.jar
crowd.2.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-crowd-plugin/2.0/sonar-crowd-plugin-2.0.jar
groovy.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-groovy-plugin/1.1/sonar-groovy-plugin-1.1.jar
android.1.0.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/android/sonar-android-plugin/1.0/sonar-android-plugin-1.0.jar
javascript.2.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/javascript/sonar-javascript-plugin/2.3/sonar-javascript-plugin-2.3.jar
findbugs.3.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-findbugs-plugin/3.2/sonar-findbugs-plugin-3.2.jar
l10nja.1.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-ja-plugin/1.3/sonar-l10n-ja-plugin-1.3.jar
Sonargraph.3.4.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-sonargraph-plugin/3.4.1/sonar-sonargraph-plugin-3.4.1.jar
csharp.3.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/dotnet/csharp/sonar-csharp-plugin/3.4/sonar-csharp-plugin-3.4.jar
flex.2.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/flex/sonar-flex-plugin/2.1/sonar-flex-plugin-2.1.jar
checkstyle.2.3.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-checkstyle-plugin/2.3/sonar-checkstyle-plugin-2.3.jar
android.1.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/android/sonar-android-plugin/1.1/sonar-android-plugin-1.1.jar
javascript.2.4.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/javascript/sonar-javascript-plugin/2.4/sonar-javascript-plugin-2.4.jar
csharp.3.2.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/dotnet/csharp/sonar-csharp-plugin/3.2.1/sonar-csharp-plugin-3.2.1.jar
pmd.2.4.1.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-pmd-plugin/2.4.1/sonar-pmd-plugin-2.4.1.jar
l10nes.1.13.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/l10n/sonar-l10n-es-plugin/1.13/sonar-l10n-es-plugin-1.13.jar
Sonargraph.3.4.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-sonargraph-plugin/3.4.2/sonar-sonargraph-plugin-3.4.2.jar
web.2.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-web-plugin/2.2/sonar-web-plugin-2.2.jar

As you can see, some plugins are still stored in downloads. We probably might not have a real problem here, as newer versions are delivered via binaries; I just wanted to notify you here.

Regards
Mirko

Hm. I now see that the references all point to the non-SSL variant. We download stuff indirectly via an internal mirror and previously connected successfully to https://downloads.sonarsource.com.
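
Added example, not part of the original posts and not SonarSource code: a pre-download check that a plugin-update script like the one described above could run over update-center.properties, flagging every `downloadUrl` that is not HTTPS or that points at a host outside an allow-list. The function names, reason labels, allow-list and the `example.1.0` entry are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the update-center.properties format quoted above.
# The first two entries are copied from the grep output; the "example"
# entries are hypothetical and only added for contrast.
SAMPLE = r"""
# comment lines and non-URL keys are skipped
scmcvs.1.0.downloadUrl=https\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/sonar-scm-cvs-plugin/1.0/sonar-scm-cvs-plugin-1.0.jar
java.3.2.downloadUrl=http\://downloads.sonarsource.com/plugins/org/codehaus/sonar-plugins/java/sonar-java-plugin/3.2/sonar-java-plugin-3.2.jar
example.1.0.downloadUrl=https\://binaries.sonarsource.com/Distribution/example/example-1.0.jar
example.1.0.description=Hypothetical plugin
"""

SUFFIX = ".downloadUrl"
# Java properties escape a character with a backslash ("\:" means ":").
# This simplified unescape is enough for URLs; it does not handle
# \n, \t, \uXXXX or line continuations.
ESCAPED = re.compile(r"\\(.)")


def parse_download_urls(text):
    """Yield (plugin_version_key, url) for every *.downloadUrl property."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.endswith(SUFFIX):
            yield key[: -len(SUFFIX)], ESCAPED.sub(r"\1", value.strip())


def audit(text, allowed_hosts):
    """Return (key, reason, url) for URLs a downloader should refuse."""
    findings = []
    for key, url in parse_download_urls(text):
        parts = urlsplit(url)
        if parts.scheme != "https":
            # No TLS: the artifact can be modified in transit.
            findings.append((key, "not-https", url))
        elif parts.hostname not in allowed_hosts:
            findings.append((key, "unexpected-host", url))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, {"binaries.sonarsource.com"}):
        print(*finding)
```

Rewriting a flagged `http://` URL to `https://` only helps if the server then presents a chain the client can verify, which is the failure reported at the top of this thread.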

Hi Mirko,

Thanks for filling in the details. We’re on this internally.

 
:slight_smile:
Ann