I am attempting to connect to an internal SonarQube server that uses a self-signed certificate. When our Azure DevOps build server attempts to connect to the SQ server I am getting this error in the build log:
[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“SELF_SIGNED_CERT_IN_CHAIN”}
I’m going to guess that the project you’re trying to analyze includes JavaScript because… don’t they all now? but also because this error seems to relate to NPM, which is the package manager for node.js, which we use in JS analysis.
Thanks for getting back. Unfortunately it isn’t a node project. From the detail log it looks like Azure DevOps “Prepare analysis on SonarQube” module uses Node and NPM. I’m happy to send over the detail log offline. Just let me know how best to get it to you.
And still get the same error message. Unfortunately, I am not going to be able to use a LetsEncrypt certificate as we are using an internal certificate authority.
I’ve submitted a [https://github.com/SonarSource/sonar-scanner-vsts/pull/55](GitHub Pull Request) that disables the rejectUnauthorized setting in Node. Ideally, this would be a sonar.* property that could be set based on the user’s security posture.
Do you have a solution to accept a self-signed certificate?
We need to join a Sonar server with self-signed certificate from an Azure DevOps Server but I tried every workaround as NODE_TLS_REJECT_UNAUTHORIZED=0 or empty the certificate but nothing works. Furthermore, deactivating TLS is a security risk and we prefer to set a property to allow a self-signed server certificate.
Hello,
You need to add the server certificate to the node certification chain.
It is possible to do it by setting the NODE_EXTRA_CA_CERTS environment variable with the certificate.
You can test first if the certificate is working by running the following command: npm config set cafile CertificateFile.crt
you may need to convert your certificate to crt format.
Alex.
I have the same problem. I have tried setting NODE_EXTRA_CA_CERTS in the Azure Dev Ops pipeline but it does not have any effect. NODE_TLS_REJECT_UNAUTHORIZED=0 does work for me, but this is not a long-term solution as it introduces other security risks.
I had a look at the documentation and is says
Neither the well known nor extra certificates are used when the ca
options property is explicitly specified for a TLS or HTTPS client or server.
This environment variable is ignored when node runs as setuid root or
has Linux file capabilities set.
Could one of these factors be why it’s not working? Has it worked for anyone else? I am using a Linux build agent in case it’s relevant.
I can confirm i was having the same issue…
i fixed it by creating a custom CA bundle file (x509) and storing it in Azure secure files (in the library section of pipelines).
then using a ‘DownloadSecureFile@1’ task to download the ca bundle and put it in etc/ssl/certs/ca.crt on the node running the pipleine… then just made sure my sonar tasks used that bundle by setting
env: ‘/etc/ssl/certs/ca.crt’
on the tasks
found: VSTS - Publish Quality Gate Result: unable to get local issuer certificate - SonarQube - Sonar Community (sonarsource.com) The answer was to create a folder in c:\ called “Certs”, ensuring that System & Authenticated users had full control to the folders. Exported the CA chain in base 64. Took each cert out of the chain, exported to “root.pem” and “issuer.pem”. Took contents of each pem file, root first, then issuer and put into “C:\Certs\sonar.pem” Added a SYSTEM environment variable: NODE_EXTRA_CA_CERTS C:\Certs\sonar.pem Rebooted box. The Sonar build plugin, which runs in node.js then picked up this variable, read the sonar.pem file and saw it as a trusted Cert and passed the check.
However, this only fixed the node.js azure devops build script. Our build then fell over at the sonar java scanner on an SSL error connecting to our sonar server