Self signed certificate SonarScanner

Hello everyone.
I experienced a problem with a self-signed certificate used on my Gitlab CE. I already added my CA to the truststore of my SonarQube and it helped me to fix Gitlab Auth in the SonarQube web UI. But for an unknown reason pull request decorations still don't work; I only receive a message about a Gitlab connectivity problem and exceptions in the Compute Engine's logs about problems with the authority of the certificate used on my Gitlab. Could anybody help me with my problem, please?
Here is my setup:
Gitlab CE 11.11 with self signed certificate.
SonarQube DE 8.1.0.31237 in docker image.
SonarScanner 4.2 in docker image.
My gitlab ci job description:

sonarqube-check:
  stage: analisis
  variables:
    SONAR_TOKEN: $SONARQUBE_TOKEN
    SONAR_HOST_URL: $SONARQUBE_URL
    GIT_DEPTH: 0
  script:
    - sonar-scanner -Dsonar.qualitygate.wait=true -Dsonar.projectKey=my_project
  image:
    name: sonarsource/sonar-scanner-cli:4.2
    entrypoint: [""]
  allow_failure: true
  only:
    - /^feature.*$/
    - merge_requests
    - develop
    - master
  tags:
    - docker

Here is error log:

2020.01.20 07:55:36 ERROR ce[AW_B8xuqksHmgDExOdt6][c.s.C.D.D.A] An exception was thrown during Pull request decoration : Hostname as-git-pcrepo.pc.net not verified:
    certificate: sha256/WZ28jhSF5NSdnStuAhC23xIbGctPIH9+JBATVbR85GM=
    DN: CN=as-git-pcrepo.pc.net
    subjectAltNames: []
2020.01.20 07:55:36 ERROR ce[AW_B8xuqksHmgDExOdt6][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Execution of task class com.sonarsource.C.D.a failed
java.lang.IllegalStateException: Hostname as-git-pcrepo.pc.net not verified:
    certificate: sha256/WZ28jhSF5NSdnStuAhC23xIbGctPIH9+JBATVbR85GM=
    DN: CN=as-git-pcrepo.pc.net
    subjectAltNames: []
                at com.sonarsource.C.D.D.E.A(Unknown Source)
                at com.sonarsource.C.D.D.E.B(Unknown Source)
                at com.sonarsource.C.D.D.A.A(Unknown Source)
                at com.sonarsource.C.D.a.A(Unknown Source)
                at java.base/java.util.Optional.ifPresent(Unknown Source)
                at com.sonarsource.C.D.a.B(Unknown Source)
                at com.sonarsource.C.D.a.A(Unknown Source)
                at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(SynchronousAsyncExecution.java:27)
                at com.sonarsource.C.D.a.A(Unknown Source)
                at java.base/java.util.Optional.ifPresent(Unknown Source)
                at com.sonarsource.C.D.a.finished(Unknown Source)
                at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:118)
                at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:109)
                at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:91)
                at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:63)
                at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:81)
                at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:209)
                at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:191)
                at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:158)
                at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:133)
                at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:85)
                at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
                at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
                at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
                at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
                at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
                at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
                at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname as-git-pcrepo.pc.net not verified:
    certificate: sha256/WZ28jhSF5NSdnStuAhC23xIbGctPIH9+JBATVbR85GM=
    DN: CN=as-git-pcrepo.pc.net
    subjectAltNames: []
                at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:350)
                at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
                at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
                at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
                at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
                at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
                at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
                at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
                at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
                at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
                at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
                at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
                at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
                at okhttp3.RealCall.execute(RealCall.java:81)
                ... 31 common frames omitted
2020.01.20 07:55:36 INFO  ce[AW_B8xuqksHmgDExOdt6][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=FAILED | time=64ms
2020.01.20 07:55:36 INFO  ce[AW_B8xuqksHmgDExOdt6][o.s.c.t.CeWorkerImpl] Executed task | project=p2p-page | type=REPORT | pullRequest=1 | id=AW_B8xuqksHmgDExOdt6 | submitter=admin | status=SUCCESS | time=3116ms

I added my CA to sonar-scanner-cli, but it did not have any effect :confused:

The issue may not in fact be that Java does not trust the certificate (with respect to who signed it), but that the certificate installed on as-git-pcrepo.pc.net does not pass a specific check that an underlying library uses when it verifies the certificate.

As a part of the upgrade of this library (okhttp), at some point it became no longer possible to verify a certificate with the hostname only declared in the CN.

Hostnames now need to be defined as a SubjectAlternativeName in a certificate.

The certificate will need to be regenerated with the proper SubjectAlternativeName(s) and installed on as-git-pcrepo.pc.net. Right now it appears to be missing.

java.lang.IllegalStateException: Hostname as-git-pcrepo.pc.net not verified:
    certificate: sha256/WZ28jhSF5NSdnStuAhC23xIbGctPIH9+JBATVbR85GM=
    DN: CN=as-git-pcrepo.pc.net
    subjectAltNames: []

Hi, thank you for your reply. I recreated the certificate for my Gitlab instance, but for some reason, if I enable pull request decoration, the background task for pull request analysis becomes stuck and stays in the state "In progress". What logs do you need to help me with it? Compute Engine logs? And which type, debug or trace?

Hello again, the job finished in 1 hour and 9 minutes and still has a warning about pull request decoration :frowning:.
Here is Compute Engine log:

2020.01.21 11:44:48 ERROR ce[AW_HrXwnQcqUbqDvSFIK][c.s.C.D.D.A] An exception was thrown during Pull request decoration : Couldn't kickstart handshaking
2020.01.21 11:44:48 ERROR ce[AW_HrXwnQcqUbqDvSFIK][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Execution of task class com.sonarsource.C.D.a failed
java.lang.IllegalStateException: Couldn't kickstart handshaking
	at com.sonarsource.C.D.D.E.A(Unknown Source)
	at com.sonarsource.C.D.D.A.A(Unknown Source)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Unknown Source)
	at com.sonarsource.C.D.a.B(Unknown Source)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(SynchronousAsyncExecution.java:27)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Unknown Source)
	at com.sonarsource.C.D.a.finished(Unknown Source)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:118)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:109)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:91)
	at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:63)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:81)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:209)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:191)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:158)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:133)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:85)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: Couldn't kickstart handshaking
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
	at okhttp3.RealCall.execute(RealCall.java:81)
	... 30 common frames omitted
	Suppressed: java.net.SocketException: Broken pipe (Write failed)
		at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
		at java.base/java.net.SocketOutputStream.socketWrite(Unknown Source)
		at java.base/java.net.SocketOutputStream.write(Unknown Source)
		at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(Unknown Source)
		... 53 common frames omitted
Caused by: java.net.SocketException: Broken pipe (Write failed)
	at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
	at java.base/java.net.SocketOutputStream.socketWrite(Unknown Source)
	at java.base/java.net.SocketOutputStream.write(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(Unknown Source)
	at java.base/sun.security.ssl.HandshakeOutStream.flush(Unknown Source)
	at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(Unknown Source)
	at java.base/sun.security.ssl.SSLHandshake.kickstart(Unknown Source)
	at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.kickstart(Unknown Source)
	... 51 common frames omitted
2020.01.21 11:44:48 INFO  ce[AW_HrXwnQcqUbqDvSFIK][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=FAILED | time=4049493ms
2020.01.21 11:44:48 INFO  ce[AW_HrXwnQcqUbqDvSFIK][o.s.c.t.CeWorkerImpl] Executed task | project=p2p-page | type=REPORT | pullRequest=1 | id=AW_HrXwnQcqUbqDvSFIK | submitter=admin | status=SUCCESS | time=4053678ms

Any idea? Still haven’t found any solution :frowning:

Hello @srsukhov,
Could you please add the following property to the sonar.ce.javaOpts:
-Djavax.net.debug=all
Then try to decorate a pull request and attach a zip of the $SONAR_HOME/logs folder.
Alex.

Hello,
Thank you for your reply. Sadly my evaluation license has ended; I will buy one soon and provide you the debug logs.

Hello,
I finished the setup of SonarQube Developer; I moved it to another node and now it's working great! A few days earlier I recreated the certificate, including IP SANs and domain SANs; maybe that affected it.
Anyway, thank you for your help!