Pull Request Decoration SSL error on Azure Devops Server

Hi,

We are on SonarQube Dev #8.1.0.31237, using Azure DevOps Server Update 1 (on premise) with a Self Hosted build agent v2.153.1, SonarQube Azure DevOps extension installed v4.8.1

When running an analysis, everything is working correclty but the pull request decoration fails.

There is a warning on the Publish Quality Gate Result :

SYSTEMVSSCONNECTION exists true
SYSTEMVSSCONNECTION exists true
##[warning]Failed to create a build property. Not blocking unless you are using the Sonar Pre-Deployment gate in Release Pipelines. Exception : Error: unable to get local issuer certificate
##[section]Finishing: Publish Quality Gate Result

This is the log from the Compute Engine

2020.01.08 11:56:01 WARN  ce[AW-GFX6UxA2ofF7yQX9J][c.s.C.D.C.C] Failed to decorate Azure DevOps Pull Request
com.microsoft.alm.client.model.VssResourceNotFoundException: API resource location 225f7195-f9c7-4d14-ab28-a83f7ff77e1f is not registered on https://tfs/DefaultCollection/. javax.net.ssl.SSLException: Connection reset
	at com.microsoft.alm.client.DefaultRestClientHandler.createTarget(DefaultRestClientHandler.java:125)
	at com.microsoft.alm.client.DefaultRestClientHandler.createRequest(DefaultRestClientHandler.java:85)
	at com.microsoft.alm.client.VssHttpClientBase.createRequest(VssHttpClientBase.java:200)
	at com.microsoft.alm.client.VssHttpClientBase.createRequest(VssHttpClientBase.java:104)
	at com.microsoft.alm.teamfoundation.sourcecontrol.webapi.GitHttpClientBase.getRepository(GitHttpClientBase.java:16284)
	at com.sonarsource.C.D.C.G.A(Unknown Source)
	at com.sonarsource.C.D.C.C.A(Unknown Source)
	at com.sonarsource.C.D.C.C.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Optional.java:183)
	at com.sonarsource.C.D.C.C.A(Unknown Source)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Optional.java:183)
	at com.sonarsource.C.D.a.B(Unknown Source)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(SynchronousAsyncExecution.java:27)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Optional.java:183)
	at com.sonarsource.C.D.a.finished(Unknown Source)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:118)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:109)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:91)
	at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:63)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:81)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:209)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:191)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:158)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:133)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:85)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLException: Connection reset
	at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:294)
	at org.glassfish.jersey.client.ClientRuntime.lambda$null$3(ClientRuntime.java:187)
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:312)
	at org.glassfish.jersey.client.ClientRuntime.lambda$createRunnableForAsyncProcessing$4(ClientRuntime.java:163)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	... 3 common frames omitted
Caused by: javax.net.ssl.SSLException: Connection reset
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:127)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:137)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
	at java.base/sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1507)
	at java.base/sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1505)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:795)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1504)
	at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334)
	at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
	at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:292)
	... 13 common frames omitted
	Suppressed: java.net.SocketException: Connection reset by peer: socket write error
		at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
		at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
		at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
		at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81)
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
		... 31 common frames omitted
Caused by: java.net.SocketException: Connection reset
	at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186)
	at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140)
	at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:448)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:165)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
	... 28 common frames omitted
2020.01.08 11:56:01 INFO  ce[AW-GFX6UxA2ofF7yQX9J][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=SUCCESS | time=1438ms
2020.01.08 11:56:02 INFO  ce[AW-GFX6UxA2ofF7yQX9J][o.s.c.t.CeWorkerImpl] Executed task | project=SuperOutilBackend | type=REPORT | pullRequest=1819 | id=AW-GFX6UxA2ofF7yQX9J | submitter=XXXXXX| status=SUCCESS | time=8516ms

I added the following setting in the config
http.nonProxyHosts=https://tfs/DefaultCollection/

SonarQube and Azure Devops are on the same server, does the pull request decoration start from SonarQube to Azure Devops or is this something that the build server does?

Hi @vincentmatte and welcome to the community !

As your AzDo server is exposed through HTTPS, i suspect that the SSL certificate used here is not used / registered at the SQ level (ie the certificate store used by SonarQube).

But i’m wondering if both instances are on the same server, why not just exposed an extra localhost post on HTTP for AzDo, that SonarQube will be using for PR decoration ? So then for that particular case, you can get rid of SSL issues that are not especially need for a internal communication.

Mickaël

Hi, I managed to get it working by adding the correct certificates in the store, and an agent was not configured to use https.

Thanks

1 Like