Pull Request Decoration on self managed gitlab fails due to java error

SonarQube Scanner
Java 12.0.2 Oracle Corporation (64-bit)
INFO: Mac OS X 10.15.7 x86_64
SonarQube server 8.4.1
gitlab server satisfies 13.7.4

We are trying to get Pull Request Decoration working against a self managed gitlab server. The relevant certificates have been imported into the java truststore cacerts, however, the ce.log shows the following error:

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
2021.01.25 02:47:01 INFO  ce[AXc3b-r-TGBgmd8Jjj0Z][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=FAILED | time=30ms

I think this implies some kind of ssl issue but not sure how to address it. We do use a self signed certificate and this seems to be applied correctly since sonarqube is able to contact our LDAP server on the same domain as our gitlab server.

I can also curl the gitlab server from the sonarqube host command line using the gitlab auth token I put into the sonarqube console so I know that the ALM Integration for gitlab is correct:
$ curl --header “PRIVATE-TOKEN: XXXXXXXX” “https://gitlab.XXXXX.com/api/v4/version

I’d be very grateful for any guidance on addressing this error. Thanks!

For anyone looking here. First check you have a cert for the gitlab instance in your Truststore. If not import it:
keytool --list ---keystore /etc/ssl/certs/java/cacerts --storepass <password>
keytool -importcert -cacerts -storepass <password> -alias gitlab.<yourdomain> -file /etc/ssl/certs/gitlab.crt

I then had to change my sonar.properties, see the COMPUTE ENGINE section:
sonar.ce.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts -Djavax.net.ssl.trustStorePassword=<password>

After restarting the server, the problem is resolved, in my case on Ubuntu:
service sonarqube restart

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.