which versions are you using (SonarQube): 9.7.0-enterprise
how is SonarQube deployed: Docker
what are you trying to achieve:
I am trying to integrate SonarQube with Bitbucket Cloud. I have created an OAuth consumer in BB as per the Sonar docs. During the configuration in Sonar we get the exception: Error returned by Bitbucket Cloud
When I checked the logs, I found the exception: Error returned by Bitbucket Cloud: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Please note that on the Sonar side there are no certificate issues; it can reach Bitbucket fine.
So I am confused about who is throwing this exception. Is it BB Cloud? Does it try to connect to the SonarQube server when responding to the OAuth request from Sonar?
Our Sonar is on-prem and its certificates are signed by an internal CA.
As per the docs, during the OAuth consumer creation on BB Cloud we should give any random callback URL. I have tried many things there, like https://random and https://{our_sonar_domain}, hoping it would make a difference, but no.
I would appreciate it if you could let me know what I am missing.
Hi,
No, it's not related.
What I am trying is on SonarQube server side, and does not involve any pipelines.
Under Administration -> General Settings -> DevOps Platform Integrations I have added Bitbucket Cloud, and when I click Check configuration we get the exception below:
web[AYd69uOpcYuBJqUrAACC][o.s.a.c.b.b.BitbucketCloudRestClient] Error returned by Bitbucket Cloud: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As I mentioned in the first thread, SonarQube itself does not have any issues reaching Bitbucket for OAuth. But something is happening after the OAuth request.
OK, after removing the trustStore settings from the SonarQube startup I see that the Bitbucket Cloud integration works fine.
It's strange, because this trustStore file already contains all certificates of bitbucket.org.
We can't remove the trust store setting because it contains certificates of our other integrations, without which they fail with an SSL exception.
So it looks like just adding bitbucket.org certs is not enough.
Any idea what other certs I should add to the trust store?
I have tried setting the SonarQube server log level to TRACE, hoping it would print the details of the request/response with Bitbucket, but no luck. Just the same exception about the missing certificate, nothing more.
Hi,
Sorry, no, it's not relevant.
The post is about Bitbucket pipelines which are reaching SonarQube during the build and failing with self-signed certificates.
But in my case I am trying to configure Bitbucket on the SonarQube (DevOps platform) side, which is one-way communication only: SonarQube → Bitbucket Cloud. (The other way round won't even work, because our SonarQube is behind the corporate firewall and can't be reached from the internet by Bitbucket Cloud.)
As a workaround I have copied the cacerts from the Java installation inside the SonarQube Docker container to the outside and added our internal CA certs to it. I then used it in the SonarQube startup Java args (instead of our original small truststore).
I think the problem is that when SonarQube is communicating with Bitbucket Cloud for the OAuth request, it is reaching two domains: one is bitbucket.org and the other is something else, for which the CA certificate was originally missing from the trust store. If we know what this other domain is, it will be easier to add its cert to the trust store as well.
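The workaround described in the post above, written out as a script. This is an added example, not part of the original thread; the file names, aliases and passwords are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Paths, aliases and passwords are placeholders.
set -euo pipefail

# merge_truststore <jdk_cacerts> <src_pass> <dest.p12> <dest_pass> <alias=ca.pem>...
# Copies every CA from the JDK bundle into a new PKCS12 store, then adds the
# internal CAs. -Djavax.net.ssl.trustStore replaces the JVM default store rather
# than extending it, so public CAs must be carried over explicitly.
merge_truststore() {
  local src=$1 src_pass=$2 dest=$3 dest_pass=$4 pair
  shift 4
  keytool -importkeystore -noprompt \
    -srckeystore "$src" -srcstorepass "$src_pass" \
    -destkeystore "$dest" -deststoretype PKCS12 -deststorepass "$dest_pass" \
    >/dev/null 2>&1
  for pair in "$@"; do
    keytool -importcert -noprompt -alias "${pair%%=*}" -file "${pair#*=}" \
      -keystore "$dest" -storepass "$dest_pass" >/dev/null 2>&1
  done
}

# has_alias <store> <pass> <alias>: succeeds only if the alias is present.
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# count_certs <store> <pass>: prints how many certificates the store holds.
count_certs() {
  keytool -list -rfc -keystore "$1" -storepass "$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Stand-alone use (JDK 9+ keeps its bundle at $JAVA_HOME/lib/security/cacerts,
# default password "changeit"):
#   ./merge.sh "$JAVA_HOME/lib/security/cacerts" changeit sonar-trust.p12 \
#       'new-pass' corp-root=/path/to/internal-ca.pem
if [ "$#" -ge 5 ]; then
  merge_truststore "$@"
  echo "merged store holds $(count_certs "$3" "$4") certificates"
fi
```

The resulting file is what `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` point at. Starting the JVM with `-Djavax.net.debug=ssl:handshake` logs each TLS handshake, which shows which server's chain a given trust store fails to validate.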
At root, this is an SSL/certificate/proxy problem, and using a self-signed certificate is always dicey for these things. This is not our area of expertise.