Problem configuring SonarQube to connect to GitHub Enterprise with a self-signed certificate

Hi,

I’m trying to get my SonarQube server to decorate PRs of my GitHub Enterprise instance, and I’m getting an error, apparently related to my GitHub using a self-signed certificate:

```
2019.07.28 14:17:47 ERROR ce[AWw48biGb_3ypyi12UhK][c.s.C.A.C.A.A.C] Failed to request /repos/<my org>/<my repo>/installation
javax.net.ssl.SSLPeerUnverifiedException: Hostname <my hostname> not verified:
    certificate: sha256/U9/<...>
    DN: EMAILADDRESS=<...>, CN=<my hostname>, OU=<...>, O=<...>, L=Tel Aviv, ST=Israel, C=IL
    subjectAltNames: [  ]
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:350)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
        at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
        at okhttp3.RealCall.execute(RealCall.java:81)
```

(stacktrace slightly obfuscated to remove private data)

I’ve tried adding the certificate to SonarQube’s JDK level or to my RHEL instance level, but it does not seem to work.
Googling around seems to suggest that OkHttp requires code-level adjustments in order to support self-signed certificates (code changes that I cannot do as the relevant code is invoked by SonarQube).

I’m running SonarQube Developer Edition, Version 7.9.1 (build 27448)

Any suggestions?

Thanks
Gilad

This error usually occurs (in many circumstances where communication over SSL is taking place) when the hostname is not listed in the subjectAltNames of the certificate.

If you’re interested, you can check out this okhttp commit for some more details. okhttp is the library SonarQube is using.

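The check described in the reply, as an added example that is not part of the original thread and is not SonarQube or OkHttp code: it issues two throwaway self-signed certificates for the same hostname, one with only a CN (like the one in the error, whose `subjectAltNames` is empty) and one that also lists the hostname in `subjectAltName`, then tests each. `ghe.example.internal` is a constructed placeholder hostname, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. ghe.example.internal is a constructed placeholder hostname.

# make_cert HOST PREFIX yes|no : write PREFIX.pem / PREFIX.key, self-signed,
# with or without HOST in the subjectAltName extension.
make_cert() {
  host=$1; prefix=$2; with_san=$3
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n'
    printf '[dn]\nCN=%s\n' "$host"
    printf '[v3]\nbasicConstraints=CA:FALSE\n'
    if [ "$with_san" = yes ]; then printf 'subjectAltName=DNS:%s\n' "$host"; fi
  } > "$prefix.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$prefix.cnf" \
    -keyout "$prefix.key" -out "$prefix.pem" 2>/dev/null
}

# san_covers_host CERT HOST : succeed only if HOST appears as a DNS entry in
# the SAN extension (exact match; wildcard entries are not expanded here).
# The SAN is read directly because `openssl x509 -checkhost` can fall back to
# the CN when a certificate has no DNS SAN entries, which would hide the problem.
san_covers_host() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' |
    tr ',' '\n' | sed 's/^[[:space:]]*//' |
    grep -Fxq "DNS:$2"
}

demo() {
  host=ghe.example.internal
  dir=$(mktemp -d)
  make_cert "$host" "$dir/cn-only" no
  make_cert "$host" "$dir/with-san" yes
  for c in cn-only with-san; do
    if san_covers_host "$dir/$c.pem" "$host"; then
      echo "$c: hostname is in subjectAltName"
    else
      echo "$c: hostname NOT in subjectAltName (CN alone is not enough)"
    fi
  done
  rm -rf "$dir"
}
demo
```

To inspect an existing certificate file, call `san_covers_host /path/to/cert.pem <hostname>` with the same hostname that SonarQube uses to reach the GitHub Enterprise API.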