We are using Sonarcloud with Jenkins and the latest version of the SonarScanner for Maven.
The Sonar scan from our Jenkins builds is working fine. The waitForQualityGate() is also working if the analysis is ready when the initial call is made. If not, it waits until the timeout we set and fails.
If I look at the webhook configuration in Sonarcloud, the URL and secret are correct but all of the recent invocations are marked as failed for “Server Unreachable” even though I have no problem hitting the endpoint from my laptop using curl (it correctly reports an invalid secret but never fails). The Jenkins server is Internet accessible so I don’t understand why Sonarcloud is reporting that the server is unreachable.
I should mention that GitHub is able to reach another endpoint at https://build.weblogick8s.org:8443/ without issue so I just don’t understand why Sonarcloud is failing…
I had a few theories – like maybe something funky was happening in a firewall around your Jenkins instance that was preventing communication from AWS (where SonarCloud is hosted).
I ended up spinning up an EC2 instance and trying to contact your Jenkins instance. It failed both on curl and a Java-based connection test.
[ec2-user@ip-obfuscated ~]$ curl https://build.weblogick8s.org:8443/sonarqube-webhook/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
.......
[ec2-user@ip-obfuscated ~]$ java -jar SSLPoke.jar build.weblogick8s.org 8443
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On my local machine, these work fine.
So I’m inclined to say that ~something~ is not working well between AWS and your Jenkins instance. And it’s hard to say more than that right now. I’m also inclined to say that this isn’t a SonarCloud issue – you should be able to spin up an AWS EC2 instance and get the same results.
Interestingly (perhaps just frustratingly), running the same tests with https://valid-isrgrootx1.letsencrypt.org/ (which has the same cert chain as you) is successful.
I’ll pass this thread along to some experts to see if they have any other thoughts.
I think I figured it out. The Let’s Encrypt test website is returning the entire certificate chain but the build.weblogick8s.org site is not. So it seems that the problem is in our server certificate configuration…
If you don’t already, you might want to document that the SonarCloud webhook mechanism requires that the server being called serve the entire certificate chain and not just the certificate itself…
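The cause identified in the last post, a server that sends only its own certificate instead of the whole chain, can be confirmed from the text output of `openssl s_client -showcerts`. The following is an added example, not part of the original thread: the function name `chain_status`, the host `build.example.test` and the `Example CA` names are constructed for illustration.

```shell
# Added example (not from the thread). chain_status is a hypothetical helper.
# Live use, from any host with OpenSSL:
#   openssl s_client -connect HOST:PORT -servername HOST -showcerts </dev/null 2>/dev/null | chain_status

chain_status() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && $0 == "---"    { in_chain = 0 }   # section ends at a bare ---
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); if (n > 0) iss[n - 1] = $0 }
        END {
            if (n == 0) { print "NO_CERTS"; exit }
            # One non-self-signed certificate: the client must already hold the issuer.
            if (n == 1 && subj[0] != iss[0]) { print "LEAF_ONLY missing=" iss[0]; exit }
            # Each certificate should be issued by the one sent after it.
            for (i = 0; i + 1 < n; i++)
                if (iss[i] != subj[i + 1]) { print "BROKEN_LINK at=" i; exit }
            print "CHAIN_SENT certs=" n
        }'
}

# Constructed sample: server sends only its own (leaf) certificate.
sample_leaf_only() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = build.example.test
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
EOF
}

# Constructed sample: server sends leaf plus intermediate (PEM bodies omitted).
sample_full_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = build.example.test
   i:C = US, O = Example CA, CN = Example Intermediate R1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
---
EOF
}
sample_leaf_only | chain_status
sample_full_chain | chain_status
```

`CHAIN_SENT` only means the server sent certificates that link to one another; whether the final issuer is trusted still depends on the client's trust store.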