SonarQube delegate authentication to GitLab fails

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

  • what are you trying to achieve

    I am trying to delegate SonarQube authentication to GitLab SSO.

  • what have you tried so far to achieve this

    I created a GitLab Application named sonarqube, set the callback URL to https://10.92.6.200/oauth2/callback/gitlab, and granted the read_user and api scopes:

    Then I configured the SonarQube ALM integration with GitLab, enabled Force user authentication, and set Server base URL to https://10.92.6.200, so I can see this on the SonarQube login page:
    log in with gitlab

    When I click Log in with GitLab, I get this:

    The SonarQube web log shows:

      2020.04.14 03:30:13 WARN  web[AXFzahyz3CdktahgAAf0][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
      java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:104)
              at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:98)
              at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:77)
              at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:70)
              at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
              at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:88)
              at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:72)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
              at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:58)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
              at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
              at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
              at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
              at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
              at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
              at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.base/java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
              at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
              at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
              at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
              at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
              at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
              at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
              at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
              at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
              at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
              at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
              at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
              at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
              at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
              at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
              at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
              at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
              at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
              at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
              at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
              at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.prepareConnectionForBodyAndGetOutputStream(JDKHttpClient.java:269)
              at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.addBody(JDKHttpClient.java:195)
              at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.access$100(JDKHttpClient.java:26)
              at com.github.scribejava.core.httpclient.jdk.JDKHttpClient$BodyType$1.setBody(JDKHttpClient.java:147)
              at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.doExecute(JDKHttpClient.java:129)
              at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.execute(JDKHttpClient.java:95)
              at com.github.scribejava.core.oauth.OAuthService.execute(OAuthService.java:114)
              at com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:46)
              at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:97)
              at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:92)
              at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:115)
              at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:102)
              ... 47 common frames omitted
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
              at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
              at java.base/sun.security.validator.Validator.validate(Unknown Source)
              at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
              at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
              at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
              ... 75 common frames omitted
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
              at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
              at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
              ... 81 common frames omitted
    

Can someone help me? I would really appreciate it.

Hi, did you add the GitLab SSL certificate to the truststore of the JRE running SonarQube? What exact Java version is SonarQube using?

I run SonarQube in Docker. The Java version is openjdk version "11.0.6" 2020-01-14.

Following your tip, I added the GitLab cert file to the SonarQube cacerts. It now reports this:

2020.04.14 12:05:20 WARN web[AXF4k+MGm5GF9YEiAAAj][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: No subject alternative names present

It seems that the self-generated GitLab cert doesn't have a subject alternative names field, so
SonarQube delegated authentication cannot work.

Finally I signed a certificate manually, which has the right subject alternative names, and that resolved the problem.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e7:8c:65:3a:23:42:94:e7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 10.225.96.206
        Validity
            Not Before: Apr 14 12:40:35 2020 GMT
            Not After : Apr 12 12:40:35 2030 GMT
        Subject: C = CN, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 10.225.96.206
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:e4:1f:d2:b0:f6:97:60:9d:29:d1:5b:36:f5:
                    74:65:2a:95:3a:f4:f7:e2:e5:0f:cf:4c:14:e9:77:
                    0c:fc:ef:1e:43:b2:86:00:95:96:95:de:8d:b5:63:
                    bd:c8:d5:f8:6f:53:d0:fb:3f:2b:54:50:a9:61:45:
                    2a:40:81:e9:78:b7:5c:da:79:42:f6:87:86:03:5f:
                    ca:73:1a:01:ff:de:be:71:bb:88:21:08:df:35:a7:
                    34:9e:f2:67:4b:0a:7a:8e:0f:cc:70:d8:35:33:68:
                    ae:46:4d:92:ae:18:ec:1c:48:10:a8:64:8e:22:e5:
                    85:fc:4d:56:89:79:e4:81:d7:af:14:17:4a:50:53:
                    6e:21:8a:b2:ea:9a:1e:1b:a0:c4:da:33:3a:32:28:
                    73:37:e8:8b:52:32:cf:89:12:70:b7:93:00:5e:77:
                    cb:c1:07:34:30:2b:3e:32:89:5e:4e:fa:bc:9f:03:
                    ab:6f:27:32:5d:c5:5b:05:9c:b8:d8:f1:10:36:30:
                    e2:2b:2a:bc:db:64:5c:cb:e9:03:46:29:ce:cd:6a:
                    35:38:56:8f:17:1c:23:9c:22:8e:11:55:3e:77:0a:
                    40:57:ff:b5:c4:28:e2:fb:d6:c6:2a:9c:af:ac:e4:
                    28:8c:ef:47:05:b5:bf:06:45:3a:a8:6f:01:99:e8:
                    a6:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:10.225.96.206
    Signature Algorithm: sha256WithRSAEncryption
         18:6b:75:17:bf:0d:0b:77:ed:dd:92:65:ef:d5:94:76:f4:4b:
         b6:cb:6d:db:3d:3c:1e:43:32:f0:82:36:06:35:79:74:ea:89:
         f3:c1:11:be:53:df:81:60:94:a1:78:ec:c2:8c:c4:83:b9:b9:
         ef:ee:cf:16:c0:44:ca:f6:ac:27:44:00:19:b1:98:e7:8e:85:
         2d:ba:57:4a:70:2f:0b:94:bc:73:f7:b5:61:fb:52:40:1d:d1:
         8d:b3:39:e6:8d:73:fb:ad:8b:26:10:19:f4:2f:c0:9b:db:5f:
         8d:ed:00:b8:0b:f0:7f:39:9c:35:63:75:aa:58:81:07:2a:ba:
         de:1f:1a:d2:38:fd:b9:5c:69:63:69:a5:3b:d9:ef:50:c4:d4:
         9c:2f:97:9c:2d:e2:17:38:89:ba:8c:07:a4:3c:42:ac:71:e4:
         71:ee:5d:f3:36:a1:7e:ec:3c:25:44:34:20:c2:b2:67:23:91:
         73:c4:9c:f9:f5:98:2f:0c:3d:19:ce:15:c8:8f:97:c4:ee:52:
         01:98:2b:47:85:cf:6a:cf:cd:c7:a2:9e:df:3d:c7:8e:62:d0:
         d4:4e:a7:19:69:4c:a5:89:52:ad:2b:9f:bf:70:46:26:39:70:
         3e:ad:e3:8d:2d:58:fa:bd:a7:44:34:34:3a:a5:b3:29:84:4b:
         8c:c9:1b:4b

Perhaps you can improve the next version of this issue.
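A worked version of the two-step fix this thread arrives at, added here as an example (it is not code from the original post, from SonarQube or from GitLab): it issues a self-signed certificate for the GitLab host that carries a subjectAltName, issues a CN-only certificate beside it to show the "No subject alternative names present" case, checks which of the two lists the host SonarQube dials, and imports the good one into the JRE truststore with keytool. The GitLab address, the truststore path inside the container and the default keystore password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread, SonarQube or GitLab. Assumed values:
# GITLAB_HOST is the address SonarQube dials, TRUSTSTORE is the cacerts of the
# JRE running SonarQube, and the keystore password is the JRE default "changeit".
set -eu

GITLAB_HOST="${GITLAB_HOST:-10.225.96.206}"                           # assumption: GitLab address from the thread
TRUSTSTORE="${TRUSTSTORE:-/opt/java/openjdk/lib/security/cacerts}"    # assumption: cacerts path inside the container
WORK="${WORK:-$(mktemp -d)}"

# Issue a self-signed cert for $host. with_san=1 adds a subjectAltName; with_san=0
# produces the CN-only cert that Java rejects with "No subject alternative names present".
make_cert() {
  host="$1"; with_san="$2"; crt="$3"; key="$4"
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;   # a DNS name
    *)         san="IP:$host"  ;;   # a dotted quad must be an IP Address SAN, not a DNS one
  esac
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    printf '[dn]\nCN = %s\n' "$host"
    printf '[v3_req]\nsubjectAltName = %s\n' "$san"
  } > "$WORK/req.cnf"
  if [ "$with_san" = 1 ]; then ext="-extensions v3_req"; else ext=""; fi
  # shellcheck disable=SC2086
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" $ext -keyout "$key" -out "$crt" >/dev/null 2>&1
}

# Check what Java's hostname verifier will look at: does the SAN list $host?
# Returns 0 when it does, 1 when the extension is missing or does not cover the host.
cert_has_san() {
  crt="$1"; host="$2"
  openssl x509 -in "$crt" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -q -F -- "$host"
}

# Import a cert into the JRE truststore and confirm the alias is present.
# -noprompt skips the y/n question; -trustcacerts is harmless for a self-signed cert.
import_cert() {
  crt="$1"; alias="$2"; store="$3"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -file "$crt" -keystore "$store" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$store" -storepass changeit -alias "$alias" >/dev/null 2>&1
}

# Demo: the CN-only cert (the thread's second failure) next to the SAN cert (the fix).
make_cert "$GITLAB_HOST" 0 "$WORK/cn-only.crt" "$WORK/cn-only.key"
make_cert "$GITLAB_HOST" 1 "$WORK/san.crt"     "$WORK/san.key"
for c in cn-only san; do
  if cert_has_san "$WORK/$c.crt" "$GITLAB_HOST"; then
    echo "$c.crt: SAN covers $GITLAB_HOST, Java's hostname check will pass"
  else
    echo "$c.crt: no SAN for $GITLAB_HOST, expect 'No subject alternative names present'"
  fi
done

# Only the SAN cert is worth trusting; import it when keytool and the store are available.
if command -v keytool >/dev/null 2>&1 && [ -w "$TRUSTSTORE" ]; then
  import_cert "$WORK/san.crt" gitlab "$TRUSTSTORE" && echo "imported san.crt into $TRUSTSTORE"
fi
```

Two points the thread only implies: when the server is addressed by an IP literal, Java's HostnameChecker matches only against an IP Address SAN and never falls back to the CN, which is why the CN-only cert fails even though the CN is correct; and for a Docker deployment the import has to hit the cacerts inside the image (copy the cert in and run keytool there, or do it in a derived image), since the SonarQube JVM never sees the host's truststore.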

Hi, I’m having the exact same issue.

How did you add the cert file to the SonarQube Docker image?

You can find detail in this answer: https://stackoverflow.com/questions/61200455/sonarqube-delegate-authtication-to-gitlab-fail