Problem configuring SonarQube to connect Enterprise GitHub with self-signed-certificate

barorion · August 13, 2019, 11:29am

Hi,

I’m trying to get my SonarQube server decorate PRs of my GitHub Enterprise instance, and getting an error, apparently related to my github using a self signed certificate:

2019.07.28 14:17:47 ERROR ce[AWw48biGb_3ypyi12UhK][c.s.C.A.C.A.A.C] Failed to request /repos/\<my org>/\<my repo>/installation
javax.net.ssl.SSLPeerUnverifiedException: Hostname \<my hostname> not verified:
    certificate: sha256/U9/\<...>
    DN: EMAILADDRESS=\<...>, CN=\<my hostname>, OU=\<...>, O=\<...>, L=Tel Aviv, ST=Israel, C=IL
    subjectAltNames: [  ]
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:350)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
        at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
        at okhttp3.RealCall.execute(RealCall.java:81)

(stacktrace slightly obfuscated to remove private data)

I’ve tried adding the certificate to SonarQube’s JDK level or to my RHEL instance level, but it does not seems to work.
Googling around seems to suggest that OkHttp requires code level adjustments in order to support self signed certificates (code changes that I cannot do as the relevant code is invoked by SonarQube).

I’m running SonarQube Developer Edition, Version 7.9.1 (build 27448)

any suggestions?

Thanks
Gilad

Colin · August 13, 2019, 1:20pm

This error usually occurs (in many circumstances where communication over SSL is taking place) when the hostname is not listed in the subjectAltNames of the certificate.

If you’re interested, you can check out this okhttp commit for some more details. okhttp is the library SonarQube is using.

barorion · June 3, 2020, 7:10am

I can confirm that was indeed the issue. thanks!

system · June 10, 2020, 7:22am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.