SELF_SIGNED_CERT_IN_CHAIN Error on Prepare analysis step when using Azure DevOps and internal SonarQube Server

Hello -

I am attempting to connect to an internal SonarQube server that uses a self-signed certificate. When our Azure DevOps build server attempts to connect to the SQ server I am getting this error in the build log:

[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“SELF_SIGNED_CERT_IN_CHAIN”}

What I can do to move past this?

Thanks!

Hi,

I’m going to guess that the project you’re trying to analyze includes JavaScript because… don’t they all now? but also because this error seems to relate to NPM, which is the package manager for node.js, which we use in JS analysis.

The npm Blog has some recommendations.

 
:slight_smile:
Ann

Hey Ann!

Thanks for getting back. Unfortunately it isn’t a node project. From the detail log it looks like Azure DevOps “Prepare analysis on SonarQube” module uses Node and NPM. I’m happy to send over the detail log offline. Just let me know how best to get it to you.

Pete

Hi Pete,

In fact, I’m told that the scanner extension for Azure Devops is based on TypeScript & uses node, so the same advice applies.

 
Ann

Pete,

To complement Ann’s advice, you might want to look into a certificate from a provider like LetsEncrypt like one user recently did. (See: SonarQube Azure DevOps issue (Tasks missing, deprecated task error))

You might also try running

npm config set strict-ssl false

Both using self-signed certs and turning off strict SSL come with their own security risks, but it might remain an option.

Colin

Thanks, Folks!

I’ve tried all these suggestions and more:

set NODE_TLS_REJECT_UNAUTHORIZED=0

npm config set strict-ssl=false

npm install npm -g --ca=null

npm config set ca “”

And still get the same error message. Unfortunately, I am not going to be able to use a LetsEncrypt certificate as we are using an internal certificate authority.

I’ve submitted a [https://github.com/SonarSource/sonar-scanner-vsts/pull/55](GitHub Pull Request) that disables the rejectUnauthorized setting in Node. Ideally, this would be a sonar.* property that could be set based on the user’s security posture.

Pete

Hi,

Do you have a solution to accept a self-signed certificate?
We need to join a Sonar server with self-signed certificate from an Azure DevOps Server but I tried every workaround as NODE_TLS_REJECT_UNAUTHORIZED=0 or empty the certificate but nothing works. Furthermore, deactivating TLS is a security risk and we prefer to set a property to allow a self-signed server certificate.

Arnaud

1 Like

Any solution you found for this issue as I am stuck with the same prob while integrating Sonar Qube secured url with Azure pipeline.

Hello,
You need to add the server certificate to the node certification chain.
It is possible to do it by setting the NODE_EXTRA_CA_CERTS environment variable with the certificate.
You can test first if the certificate is working by running the following command: npm config set cafile CertificateFile.crt
:warning: you may need to convert your certificate to crt format.
Alex.

I have the same problem. I have tried setting NODE_EXTRA_CA_CERTS in the Azure Dev Ops pipeline but it does not have any effect. NODE_TLS_REJECT_UNAUTHORIZED=0 does work for me, but this is not a long-term solution as it introduces other security risks.

I had a look at the documentation and is says

Neither the well known nor extra certificates are used when the ca
options property is explicitly specified for a TLS or HTTPS client or server.
This environment variable is ignored when node runs as setuid root or
has Linux file capabilities set.

Could one of these factors be why it’s not working? Has it worked for anyone else? I am using a Linux build agent in case it’s relevant.

Hi, I followed this post and the @mickaelcaro response gave me the route.

Just need to add an evironment variable pointing to the root certificate and thats all.