We have SonarQube Developer Edition, deployed to a Windows VM.
We are attempting to integrate this into our Azure DevOps pipelines, and we are receiving the ‘Unable to verify the first certificate’ error during the SonarQubePrepare task.
I’ve gone through the forum and several other search results, with no luck.
In particular, I’ve gone through the steps listed here without success:
I’m not a Java person, so I’m hoping it’s some simple thing I’m missing that someone can point out.
I have:
- added the cert to Windows via certutil
- NODE_EXTRA_CA_CERTS environment variable set
- in the ‘for all recent scanners’ step, I wasn’t able to find the ‘truststore.p12’ store it referenced. I added it to our Java ‘cacerts’ store instead.
Does it need to be in the ‘default’ trust store for SonarQube? And if so, how do I find it?
I’ve read that one, and it’s one reason I have set the NODE_EXTRA_CA_CERTS as I mentioned into an environment variable. I have it pointing to our ‘self-signed’ cert info bundle stored in a file on the SonarQube server.
We aren’t writing code that’s calling upon SonarQube; it’s configuring the Azure DevOps ‘SonarQubePrepare’ task, and that’s receiving an error calling SonarQube. This means we can’t try some of the explicit solutions listed in that post.
Here is the error:
[ERROR] SonarQube: Error while executing task Prepare: API GET ‘/api/server/version’ failed. Error message: unable to verify the first certificate.
I did run the SSLLabs tests recommended, and it is not saying our cert is incomplete, just not trusted (because of the self-signed cert).
Am I looking at this correctly? That the issue is when DevOps calls upon SonarQube, the cert provided by SonarQube can’t be verified?
This error means the scanner can’t talk to the server, apparently because you’re using a self-signed certificate on a server that doesn’t supply the intermediate certificate.
The SO answer linked in the post I referred you to tells you how to provide the intermediate certs without writing code.
And I’ve done all the steps listed in the SO post as well as the docs.sonarsource.com link I listed before I posted.
I have created the intermediate cert file, registered it with windows and java (using keytool and certutil), set the environment variables, etc.
However, I’m still getting the issue and looking for further guidance.
Particularly:
- Am I correct that I’m doing this on the SonarQube server, so that DevOps can call it?
- My question above about the ‘For all recent scanners’ step in the link I provided, regarding ‘cacerts’ vs the ‘default’ trust store.
- Is the cert file I’m adding to these places the CA cert, or do I need to build a full chain including the domain SSL cert and the CA?
- Any other gotchas, maybe particular to Azure DevOps…
The documentation indicates all of this needed to be done at the ‘SonarScanner’ level; I didn’t read that as the build agent.
We use DevOps ‘built in’ agents, we don’t host or configure anything ourselves.
Based on the SonarSource documentation, “If you are using Microsoft-hosted build agents then there is nothing else to install. The extension will work with all of the hosted agents”.
That documentation’s troubleshooting guide only references the ‘NODE_EXTRA_CA_CERTS’ fix for DevOps.
"If you have integrated SonarQube with Azure DevOps, define the following environment variable to add the server self-signed certificate:
Key: NODE_EXTRA_CA_CERTS
Value: path to the certificate"
Is this configuration supposed to be done in the SonarQube DevOps extension?
Configured in the YAML of the pipeline?
If so, how do we reference the CA file?
I’m missing where this data is actually supposed to be set.
We are currently updating all scanners progressively to move away from a Java-specific way to configure SSL. However, this effort is not fully completed and depends on your version of SonarQube.
If you are using SonarQube Server LTS (9.9) then you cannot benefit from the new way to configure SSL (using a common ~/.sonar/ssl/truststore.p12). You have to put your certificates in the JVM truststore.
But if you are using SonarQube Server 10.7, then it should be sufficient to create a PKCS12 keystore containing your certificate to trust, and put it at the location ~/.sonar/ssl/truststore.p12.
Let me know your SonarQube Server version if you need more specific help.
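The following is an added example, not part of this thread and not SonarSource’s own configuration. It ties together the two open points above: where NODE_EXTRA_CA_CERTS is set when the pipeline runs on a Microsoft-hosted agent (the OP’s question), and how to create the ~/.sonar/ssl/truststore.p12 that the last reply describes for SonarQube 10.7. Everything assumed is marked: the CA certificate is uploaded to Pipelines > Library > Secure files as ‘sonarqube-ca.pem’, the service connection is named ‘SonarQube’, the server hostname is ‘sonarqube.example.internal’, the project key/name are placeholders, and the truststore password is ‘changeit’ (the JVM default). Because the scanner and the extension’s Node.js tasks run on the agent, the certificate has to be staged on the agent in each job, not on the SonarQube server.

```yaml
# Added example (not from the thread): Azure Pipelines YAML that stages the CA
# certificate on a Microsoft-hosted agent before SonarQubePrepare runs.
# Assumptions: secure file 'sonarqube-ca.pem' (PEM, root plus any intermediate),
# service connection 'SonarQube', host 'sonarqube.example.internal',
# truststore password 'changeit'. Adjust all of these to your environment.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # 1. Pull the PEM CA certificate onto the hosted agent.
  - task: DownloadSecureFile@1
    name: sonarCa
    displayName: Download SonarQube CA certificate
    inputs:
      secureFile: sonarqube-ca.pem

  # 2. Trust it for the extension's Node.js tasks (SonarQubePrepare calls
  #    /api/server/version from Node, which is where the thread's error came from)
  #    and for the scanner JVM (SonarQube 10.7 reads ~/.sonar/ssl/truststore.p12).
  - bash: |
      set -euo pipefail
      CA="$(sonarCa.secureFilePath)"

      # Node: NODE_EXTRA_CA_CERTS must be visible to later steps in this job,
      # so it is set as a pipeline variable rather than a plain shell export.
      echo "##vso[task.setvariable variable=NODE_EXTRA_CA_CERTS]${CA}"

      # JVM (SonarQube 10.7 scanners): PKCS12 truststore holding only the CA cert.
      # On SonarQube 9.9 you would instead import into the JDK's cacerts, e.g.
      #   keytool -importcert -noprompt -cacerts -storepass changeit -alias sonarqube-ca -file "${CA}"
      mkdir -p "${HOME}/.sonar/ssl"
      keytool -importcert -noprompt -trustcacerts \
        -alias sonarqube-ca \
        -file "${CA}" \
        -keystore "${HOME}/.sonar/ssl/truststore.p12" \
        -storetype PKCS12 \
        -storepass changeit

      # Checks: the entry is present, and the server chain verifies against this CA
      # (a missing intermediate shows up here as a non-zero verify code).
      keytool -list -keystore "${HOME}/.sonar/ssl/truststore.p12" -storepass changeit
      openssl s_client -connect sonarqube.example.internal:443 -CAfile "${CA}" </dev/null \
        | grep 'Verify return code: 0 (ok)'
    displayName: Trust SonarQube CA (Node + JVM)

  # 3. Only now run the SonarQube extension task.
  - task: SonarQubePrepare@5
    inputs:
      SonarQube: SonarQube
      scannerMode: CLI
      configMode: manual
      cliProjectKey: my-project
      cliProjectName: My Project
```

The PEM file should contain the certificates the server does not send itself: for a private CA that is the root (and the intermediate, if the server’s chain omits it), not the server’s own leaf certificate. The openssl check in step 2 is deliberate: it fails the job before SonarQubePrepare runs if the chain still does not verify, which separates a certificate problem from an extension problem.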