Send client certificate to Gitlab for Merge Request decoration

Hello,

Versions:

  • SonarQube Enterprise Edition 9.6.1
  • Gitlab 15.3.3

I host SonarQube and Gitlab on two different virtual machines. Each machine is behind a proxy implementing mutual TLS, i.e. I need to send a client certificate to connect to them.

SonarScanner can successfully send its report from Gitlab’s machine to SonarQube. It sends a client certificate thanks to the following command line prior to its execution:

export SONAR_SCANNER_OPTS="-Djavax.net.ssl.keyStore=/path/to/my-cert.pfx -Djavax.net.ssl.keyStorePassword=whatever"

However I also want to get the analysis details in Gitlab’s Merge Request page. So I need SonarQube to send a client certificate to Gitlab along with the MR decoration.

When I go to Administration > DevOps Platform Integration > Gitlab and click on ‘Check configuration’, the page displays: Could not validate GitLab url. Got an unexpected answer.
In SonarQube’s web.log file, I get the following message:

400 No required SSL certificate was sent

My question is: how can I get Sonar to send a local client certificate with its requests to my Gitlab server?

I tried to force Sonar to use my keystore by exporting the two following variables before restarting Sonar but it did not work:

export SONAR_CE_JAVAADDITIONALOPTS="-Djavax.net.ssl.keyStore=/path/to/my-cert.pfx -Djavax.net.ssl.keyStorePassword=whatever"

export SONAR_WEB_JAVAADDITIONALOPTS="-Djavax.net.ssl.keyStore=/path/to/my-cert.pfx -Djavax.net.ssl.keyStorePassword=whatever"

Thanks,
Adrien
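A small stand-alone probe, added here as an example and not code from the thread or from SonarQube, that uses the same three `javax.net.ssl.*` system properties the exports above rely on and performs one HTTPS GET from the JVM's default SSLContext. Run it on the SonarQube host against the GitLab URL (keystore path, keystore password and URL are assumed command-line arguments): a 200 confirms the keystore and password present the client certificate and the mTLS proxy accepts it, while the same `400 No required SSL certificate was sent` body shows the JVM is not presenting the certificate, independently of SonarQube's own configuration.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import javax.net.ssl.SSLContext;

public class MtlsProbe {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MtlsProbe <keystore.pfx> <password> <https-url>");
            System.exit(2);
        }
        // Same properties as the -D options in the exports. They are read once,
        // when the default SSLContext is first initialised, so set them before
        // anything in the process opens a TLS connection.
        System.setProperty("javax.net.ssl.keyStore", args[0]);
        System.setProperty("javax.net.ssl.keyStorePassword", args[1]);
        // PKCS12 is the default store type since JDK 9; stating it explicitly
        // avoids a JKS parse error for a .pfx file on older runtimes.
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

        HttpClient client = HttpClient.newBuilder()
                .sslContext(SSLContext.getDefault())   // picks up the keystore above
                .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(args[2])).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());

        // The proxy answers 400 with "No required SSL certificate was sent" when
        // no client certificate was presented during the handshake.
        System.out.println("HTTP " + response.statusCode());
        System.out.println(response.body().lines().findFirst().orElse(""));
    }
}
```

Compile and run with `javac MtlsProbe.java && java MtlsProbe /path/to/my-cert.pfx whatever https://gitlab.example/api/v4/version` (hostname is a placeholder); a `SSLHandshakeException` instead of an HTTP status means the proxy's own certificate is not trusted by the JVM's truststore, a separate problem from the client certificate.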

Hi Adrien,

Welcome to the community!

I’m not an expert in the topic of SSL, but I believe you’ll need to import the SQ certificate into the trust store of the JRE GitLab is using. That’s assuming the request was rejected at the GitLab level, and not at the proxy…?

HTH,
Ann

Hello Ann,

Thank you for your answer.
The Gitlab machine already has the public key of the Sonar machine in its trust store.
The problem is that the certificate is not sent from SonarQube, and I don’t know how to add the certificate in the requests from Sonar to Gitlab.

Thanks,
Adrien

Hi Adrien,

In fact, SSL isn’t implemented at the SonarQube level, but by the layer in front of it; your proxy. So it’s not a question of getting SonarQube to send anything, but of getting your proxy to send it. You should talk to your network folks.

HTH,
Ann