Sonarcloud webhook for Jenkins failing

We are using Sonarcloud with Jenkins and the latest version of the SonarScanner for Maven.

The Sonar scan from our Jenkins builds is working fine. The waitForQualityGate() is also working if the analysis is ready when the initial call is made. If not, it waits until the timeout we set and fails.

If I look at the webhook configuration in Sonarcloud, the URL and secret are correct but all of the recent invocations are marked as failed for “Server Unreachable” even though I have no problem hitting the endpoint from my laptop using curl (it correctly reports an invalid secret but never fails). The Jenkins server is Internet accessible so I don’t understand why Sonarcloud is reporting that the server is unreachable.

The endpoint is https://build.weblogick8s.org:8443/sonarqube-webhook/

I should mention that GitHub is able to reach another endpoint at https://build.weblogick8s.org:8443/ without issue so I just don’t understand why Sonarcloud is failing…

Hey @rpatrick

Sorry for the delay on this one.

I had a few theories – like maybe something funky was happening in a firewall around your Jenkins instance that was preventing communication from AWS (where SonarCloud is hosted).

I ended up spinning up an EC2 instance and trying to contact your Jenkins instance. It failed both on curl and a Java-based connection test.

[ec2-user@ip-obfuscated ~]$ curl https://build.weblogick8s.org:8443/sonarqube-webhook/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
.......
[ec2-user@ip-obfuscated ~]$ java -jar SSLPoke.jar build.weblogick8s.org 8443
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

On my local machine, these work fine.

So I’m inclined to say that ~something~ is not working well between AWS and your Jenkins instance. And it’s hard to say more than that right now. I’m also inclined to say that this isn’t a SonarCloud issue – you should be able to spin up an AWS EC2 instance and get the same results.

Interestingly (perhaps just frustratingly), running the same tests with https://valid-isrgrootx1.letsencrypt.org/ (which has the same cert chain as you) is successful.

I’ll pass this thread along to some experts to see if they have any other thoughts.

Can you try this:

curl -k https://build.weblogick8s.org:8443/sonarqube-webhook/

[ec2-user@ip-172-31-7-157 ~]$ curl -i --cacert lets-encrypt-r3.pem  -X POST -d@payload.json https://build.weblogick8s.org:8443/sonarqube_webhook/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 07 Apr 2022 17:15:08 GMT
Content-Type: text/html;charset=iso-8859-1
Content-Length: 561
Connection: keep-alive
X-Content-Type-Options: nosniff
Cache-Control: must-revalidate,no-cache,no-store
X-SSH-Endpoint: build.weblogick8s.org:50022

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403 No valid crumb was included in the request</h2>
<table>
<tr><th>URI:</th><td>/sonarqube_webhook/</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No valid crumb was included in the request</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.43.v20210629</a><hr/>

</body>
</html>
[ec2-user@ip-172-31-7-157 ~]$ 

I examined both the build.weblogick8s.org and valid-isrgrootx1.letsencrypt.org certs and they are both signed by identical intermediate and root CA certificates so I don’t get it.

I think I figured it out. The Let’s Encrypt test website is returning the entire certificate chain but the build.weblogick8s.org site is not. So it seems that the problem is in our server certificate configuration…

[ec2-user@ip-172-31-7-157 ~]$ curl -i -X POST -d@payload.json https://build.weblogick8s.org:8443/sonarqube_webhook/
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Thu, 07 Apr 2022 18:20:21 GMT
Content-Type: text/html;charset=iso-8859-1
Content-Length: 561
Connection: keep-alive
X-Content-Type-Options: nosniff
Cache-Control: must-revalidate,no-cache,no-store
X-SSH-Endpoint: build.weblogick8s.org:50022

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403 No valid crumb was included in the request</h2>
<table>
<tr><th>URI:</th><td>/sonarqube_webhook/</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No valid crumb was included in the request</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.43.v20210629</a><hr/>

</body>
</html>
[ec2-user@ip-172-31-7-157 ~]$ 

That fixed it, thanks!

If you don’t already, you might want to document that the SonarCloud webhook mechanism requires that the server being called serve the entire certificate chain and not just the certificate itself…

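A diagnostic for the symptom this post identifies, added here as an example and not code from the thread or from SonarCloud: it parses the `Certificate chain` section that `openssl s_client -showcerts` prints (constructed samples below, with the host name and PEM bodies replaced by placeholders) and reports whether a client that holds only the root, as curl and the JDK do by default, could build a path from what the server sends. `TRUSTED_ROOTS` and the sample names are assumptions.

```python
import re

# Constructed samples of the "Certificate chain" section that
# `openssl s_client -showcerts` prints (PEM bodies omitted; not real output from the host).
# LEAF_ONLY is the symptom in this thread: the server sends only its own certificate.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = build.example.org
   i:C = US, O = Let's Encrypt, CN = R3
---
"""
# FULL_CHAIN is the healthy case: leaf followed by the R3 intermediate.
FULL_CHAIN = """\
Certificate chain
 0 s:CN = build.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""
# Trust anchors assumed to be in the client's root store (subject names only).
TRUSTED_ROOTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(showcerts_output):
    """Return the served chain as a list of (subject, issuer) in wire order."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(showcerts_output)]

def diagnose_chain(showcerts_output, trusted_roots=TRUSTED_ROOTS):
    """Return (ok, reason). ok means every served certificate is issued by the next
    one and the final issuer is a trust anchor, so a client such as curl or Java
    (neither fetches missing intermediates by default) can build the path."""
    chain = parse_chain(showcerts_output)
    if not chain:
        return False, "no certificate chain found in output"
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"chain break after {subject!r}: issuer {issuer!r} != {next_subject!r}"
    last_subject, last_issuer = chain[-1]
    if last_issuer in trusted_roots or last_subject in trusted_roots:
        return True, f"{len(chain)} certificate(s) served; path ends at a trust anchor"
    return False, (f"incomplete chain: server stops at {last_subject!r}, "
                   f"client would need {last_issuer!r} from elsewhere")

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, diagnose_chain(sample))
```

To check a live host, pipe the output of `openssl s_client -connect host:8443 -servername host -showcerts </dev/null` into `diagnose_chain`.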

Really glad you got it fixed!

We’ll consider documenting it. Personally I err on the side of waiting for another report (this is the first we’ve had).

Out of curiosity, what did you need to do on the LetsEncrypt side to have the full chain served?