SELF_SIGNED_CERT_IN_CHAIN Error on Prepare analysis step when using Azure DevOps and internal SonarQube Server


(Peter Mourfield) #1

Hello -

I am attempting to connect to an internal SonarQube server that uses a self-signed certificate. When our Azure DevOps build server attempts to connect to the SQ server I am getting this error in the build log:

[error][SQ] API GET '/api/server/version' failed, error was: {"code":"SELF_SIGNED_CERT_IN_CHAIN"}

What I can do to move past this?

Thanks!


(G Ann Campbell) #2

Hi,

I’m going to guess that the project you’re trying to analyze includes JavaScript because… don’t they all now? but also because this error seems to relate to NPM, which is the package manager for node.js, which we use in JS analysis.

The npm Blog has some recommendations.

:slight_smile:
Ann


(Peter Mourfield) #5

Hey Ann!

Thanks for getting back. Unfortunately it isn’t a node project. From the detail log it looks like Azure DevOps “Prepare analysis on SonarQube” module uses Node and NPM. I’m happy to send over the detail log offline. Just let me know how best to get it to you.

Pete


(G Ann Campbell) #6

Hi Pete,

In fact, I’m told that the scanner extension for Azure Devops is based on TypeScript & uses node, so the same advice applies.

Ann


(Colin Mueller) #7

Pete,

To complement Ann’s advice, you might want to look into a certificate from a provider like LetsEncrypt like one user recently did. (See: SonarQube Azure DevOps issue (Tasks missing, deprecated task error))

You might also try running

npm config set strict-ssl false

Both using self-signed certs and turning off strict SSL come with their own security risks, but it might remain an option.

Colin


(Peter Mourfield) #8

Thanks, Folks!

I’ve tried all these suggestions and more:

set NODE_TLS_REJECT_UNAUTHORIZED=0

npm config set strict-ssl=false

npm install npm -g --ca=null

npm config set ca ""

And still get the same error message. Unfortunately, I am not going to be able to use a LetsEncrypt certificate as we are using an internal certificate authority.

I’ve submitted a [GitHub Pull Request](https://github.com/SonarSource/sonar-scanner-vsts/pull/55) that disables the rejectUnauthorized setting in Node. Ideally, this would be a sonar.* property that could be set based on the user’s security posture.

Pete