SELF_SIGNED_CERT_IN_CHAIN Error on Prepare analysis step when using Azure DevOps and internal SonarQube Server

Hello -

I am attempting to connect to an internal SonarQube server that uses a self-signed certificate. When our Azure DevOps build server attempts to connect to the SQ server I am getting this error in the build log:

[error][SQ] API GET '/api/server/version' failed, error was: {"code":"SELF_SIGNED_CERT_IN_CHAIN"}

What I can do to move past this?

Thanks!

Hi,

I’m going to guess that the project you’re trying to analyze includes JavaScript because… don’t they all now? But also because this error seems to relate to NPM, which is the package manager for node.js, which we use in JS analysis.

The npm Blog has some recommendations.

:slight_smile:
Ann

Hey Ann!

Thanks for getting back. Unfortunately it isn’t a node project. From the detail log it looks like Azure DevOps “Prepare analysis on SonarQube” module uses Node and NPM. I’m happy to send over the detail log offline. Just let me know how best to get it to you.

Pete

Hi Pete,

In fact, I’m told that the scanner extension for Azure DevOps is based on TypeScript & uses node, so the same advice applies.

Ann

Pete,

To complement Ann’s advice, you might want to look into a certificate from a provider like Let's Encrypt, like one user recently did. (See: SonarQube Azure DevOps issue (Tasks missing, deprecated task error))

You might also try running

npm config set strict-ssl false

Both using self-signed certs and turning off strict SSL come with their own security risks, but it might remain an option.

Colin

Thanks, Folks!

I’ve tried all these suggestions and more:

set NODE_TLS_REJECT_UNAUTHORIZED=0

npm config set strict-ssl=false

npm install npm -g --ca=null

npm config set ca ""

And still get the same error message. Unfortunately, I am not going to be able to use a Let's Encrypt certificate, as we are using an internal certificate authority.

I’ve submitted a [GitHub Pull Request](https://github.com/SonarSource/sonar-scanner-vsts/pull/55) that disables the rejectUnauthorized setting in Node. Ideally, this would be a sonar.* property that could be set based on the user’s security posture.

Pete

Hi,

Do you have a solution to accept a self-signed certificate?
We need to join a Sonar server with a self-signed certificate from an Azure DevOps Server, but I tried every workaround, such as NODE_TLS_REJECT_UNAUTHORIZED=0 or emptying the certificate, and nothing works. Furthermore, deactivating TLS is a security risk and we would prefer to set a property to allow a self-signed server certificate.

Arnaud


Any solution you found for this issue? I am stuck with the same problem while integrating a secured SonarQube URL with an Azure pipeline.

Hello,
You need to add the server certificate to the node certification chain.
It is possible to do it by setting the NODE_EXTRA_CA_CERTS environment variable with the certificate.
You can test first if the certificate is working by running the following command: npm config set cafile CertificateFile.crt
:warning: you may need to convert your certificate to crt format.
Alex.

I have the same problem. I have tried setting NODE_EXTRA_CA_CERTS in the Azure Dev Ops pipeline but it does not have any effect. NODE_TLS_REJECT_UNAUTHORIZED=0 does work for me, but this is not a long-term solution as it introduces other security risks.

I had a look at the documentation and it says:

Neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.
This environment variable is ignored when node runs as setuid root or has Linux file capabilities set.

Could one of these factors be why it’s not working? Has it worked for anyone else? I am using a Linux build agent in case it’s relevant.

Hi, I followed this post and the @mickaelcaro response gave me the route.

Just need to add an environment variable pointing to the root certificate and that's all.


I can confirm I was having the same issue…
I fixed it by creating a custom CA bundle file (x509) and storing it in Azure secure files (in the Library section of Pipelines).
Then, using a ‘DownloadSecureFile@1’ task, I downloaded the CA bundle and put it in etc/ssl/certs/ca.crt on the node running the pipeline… then just made sure my Sonar tasks used that bundle by setting
env: ‘/etc/ssl/certs/ca.crt’
on the tasks.

found: VSTS - Publish Quality Gate Result: unable to get local issuer certificate - SonarQube - Sonar Community (sonarsource.com)

The answer was to create a folder in c:\ called “Certs”, ensuring that System & Authenticated Users had full control of the folder. Exported the CA chain in base 64. Took each cert out of the chain, exported to “root.pem” and “issuer.pem”. Took the contents of each pem file, root first, then issuer, and put them into “C:\Certs\sonar.pem”.

Added a SYSTEM environment variable: NODE_EXTRA_CA_CERTS C:\Certs\sonar.pem. Rebooted the box.

The Sonar build plugin, which runs in node.js, then picked up this variable, read the sonar.pem file, saw it as a trusted cert and passed the check.

However, this only fixed the node.js azure devops build script. Our build then fell over at the sonar java scanner on an SSL error connecting to our sonar server
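The procedure Alex and the last two posts describe (export the CA chain, put root then issuer into one PEM file, point NODE_EXTRA_CA_CERTS and npm's cafile at it) as an added, runnable example. This is not code from the thread or from SonarSource's Azure DevOps extension. It assumes bash with grep and tail, openssl only if a DER export has to be converted, and node only for the optional online check; the certificate files written by the demo are constructed placeholders with fake bodies, not real certificates, and the sonar.example.internal hostname is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the SonarQube extension): assemble a
# PEM bundle for NODE_EXTRA_CA_CERTS from an exported CA chain and check it.
set -euo pipefail

# Print "pem" if the file has a PEM certificate header, otherwise "der".
# Windows "Base-64 encoded X.509" exports are PEM; "DER encoded binary X.509"
# exports are not and must be converted before Node will read them.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo pem
  else
    echo der
  fi
}

# Copy a PEM cert through unchanged, or convert a DER cert to PEM (needs openssl).
to_pem() {
  local in="$1" out="$2"
  if [ "$(cert_format "$in")" = pem ]; then
    cp "$in" "$out"
  else
    openssl x509 -inform der -in "$in" -out "$out"
  fi
}

# Number of certificates in a PEM bundle (0 if none).
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A bundle is usable only if every BEGIN line has a matching END line;
# a truncated paste is a common reason the extra certs are not trusted.
check_bundle() {
  local begins ends
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Concatenate PEM certs (root first, then issuing CA) into one bundle file.
# Refuses non-PEM input and guarantees a newline between blocks.
build_bundle() {
  local out="$1"; shift
  : > "$out"
  local cert
  for cert in "$@"; do
    if [ "$(cert_format "$cert")" != pem ]; then
      echo "not PEM, convert it first: $cert" >&2
      return 1
    fi
    cat "$cert" >> "$out"
    if [ -n "$(tail -c1 "$cert")" ]; then   # export had no trailing newline
      echo >> "$out"
    fi
  done
}

# Online check (not run here): fetch the same endpoint the extension calls, with
# the bundle trusted. A remaining SELF_SIGNED_CERT_IN_CHAIN or
# UNABLE_TO_GET_ISSUER_CERT_LOCALLY means the bundle is missing part of the chain.
verify_against_server() {
  local bundle="$1" url="$2"
  NODE_EXTRA_CA_CERTS="$bundle" node -e \
    'require("https").get(process.argv[1], r => { console.log("HTTP", r.statusCode); r.resume(); })
       .on("error", e => { console.error(e.code || e.message); process.exit(1); })' "$url"
}

# --- Demo with constructed placeholder files (NOT real certificates) -----------
workdir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVIgUk9PVCBDQQ==\n-----END CERTIFICATE-----' \
  > "$workdir/root.pem"        # deliberately no trailing newline
printf -- '-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVIgSVNTVUlORyBDQQ==\n-----END CERTIFICATE-----\n' \
  > "$workdir/issuer.pem"

build_bundle "$workdir/sonar.pem" "$workdir/root.pem" "$workdir/issuer.pem"
check_bundle "$workdir/sonar.pem"
echo "bundle has $(count_pem_certs "$workdir/sonar.pem") certificate(s)"

# What the pipeline step then does with the bundle (shown, not executed here):
#   export NODE_EXTRA_CA_CERTS="$workdir/sonar.pem"     # trusted by the node-based extension
#   npm config set cafile "$workdir/sonar.pem"          # Alex's quick test with npm
#   verify_against_server "$workdir/sonar.pem" "https://sonar.example.internal/api/server/version"
rm -rf "$workdir"
```

NODE_EXTRA_CA_CERTS is read once at node startup, so it has to be present in the environment of the task that launches node (a task-level env:, a pipeline variable, or a system variable plus an agent restart as the last post describes). It adds trust for one CA without disabling verification, which is what NODE_TLS_REJECT_UNAUTHORIZED=0 and strict-ssl false do for every connection the process makes. It also only affects the node-based extension: the Java scanner that runs afterwards trusts the JVM truststore, so the same CA has to be imported there (keytool -importcert, or a truststore passed via SONAR_SCANNER_OPTS) to avoid the SSL error the last post hits at the scanner step.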