SonarQube issues with Gitlab-CI pipeline

version-info:

  • Gitlab-CI community: 17.7
  • Sonarqube community: 10.7
  • Sonarqube scanner: 11
  • deployment: docker-compose

I’m trying to run my gitlab-ci pipeline with Sonarqube. I’m running into an error with Sonarqube-Scanner related to the certificate chain. Here’s my gitlab-ci stage:

sonarqube-check:
  stage: sonarqube-check
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [ "" ]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
    CA_CRT: bv-ca.crt
    SQ_CRT: sq.crt
    KEYSTORE: /opt/sonar-scanner/.sonar/ssl/truststore.p12
    KEYSTORE_PASS: "sonar"
    SQ_URI: "sonarqube.brave-vesperia.com"
  before_script:
    # prep truststore
    - mkdir -p /opt/sonar-scanner/.sonar/ssl/
    - openssl s_client -showcerts -connect ${SQ_URI}:443 < /dev/null | openssl x509 -outform PEM > sq.pem
    - openssl pkcs12 -export -caname sonar -out ${KEYSTORE} -in "sq.pem" -passout pass:${KEYSTORE_PASS} -nokeys
    #- keytool -import
    #          -storetype PKCS12
    #          -noprompt
    #          -trustcacerts
    #          -alias sonar
    #          -keystore ${KEYSTORE}
    #          -file sq.pem
    #          -storepass ${KEYSTORE_PASS}
    - keytool -list -v -keystore ${KEYSTORE} -storepass ${KEYSTORE_PASS}
  script:
    - sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" 
                    #-Dsonar.scanner.keystorePath=${KEYSTORE}
                    #-Dsonar.scanner.keystorePassword=$KEYSTORE_PASS
  allow_failure: false
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'develop'
    - if: $CI_COMMIT_BRANCH == 'sonarqube_integration'

Here is the output of that build stage:

java.lang.IllegalStateException: Failed to get server version
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:194)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
	at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:63)
	Suppressed: java.lang.IllegalStateException: Call to URL [https://sonarqube.brave-vesperia.com/api/v2/analysis/version] failed
		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:159)
		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:126)
		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:104)
		at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:189)
		... 3 common frames omitted
	Caused by: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain
		at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
		at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
		at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
		at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
		at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
		at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
		at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
----

Clearly, there is something wrong with my certificate chain, but I cannot figure out what it is. I’m pulling the cert from the target website and adding it to my keystore. I did the same with the ca-cert. What is wrong? Is there an option to simply add the ca-cert to sonarqube-scanner (it should be enough)?

I tried to further debug the issue with SSLPoke, but to no avail:

$ keytool -import -storetype PKCS12 -noprompt -trustcacerts -alias sonar -keystore ${KEYSTORE} -file ${SQ_CRT} -storepass ${KEYSTORE_PASS}
Certificate was added to keystore
$ java -Djavax.net.ssl.trustStore=${KEYSTORE} -Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASS} -jar SSLPoke.jar ${SQ_URI} 443
Successfully connected
$ sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.scanner.keystorePath=${KEYSTORE} -Dsonar.scanner.keystorePassword=${KEYSTORE_PASS}
13:56:15.225 INFO  Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
13:56:15.228 INFO  Project root configuration file: /builds/misc/autoinstallbuilder/sonar-project.properties
13:56:15.239 INFO  SonarScanner CLI 6.2.1.4610
13:56:15.240 INFO  Java 17.0.12 Amazon.com Inc. (64-bit)
13:56:15.241 INFO  Linux 6.8.0-51-generic amd64
13:56:15.262 INFO  User cache: /builds/misc/autoinstallbuilder/.sonar/cache
13:56:16.015 INFO  EXECUTION FAILURE
13:56:16.018 INFO  Total time: 0.796s
13:56:16.018 ERROR Error during SonarScanner CLI execution
java.lang.IllegalStateException: Failed to get server version
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:194)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:117)
	at org.sonarsource.scanner.cli.Main.analyze(Main.java:75)
	at org.sonarsource.scanner.cli.Main.main(Main.java:63)
	Suppressed: java.lang.IllegalStateException: Call to URL [https://sonarqube.brave-vesperia.com/api/v2/analysis/version] failed
		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:159)
		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:126)
		at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:104)
		at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.getServerVersion(ScannerEngineBootstrapper.java:189)
		... 3 common frames omitted
....

TLDR: SSLPoke succeeds, Sonar-scanner fails with a certificate error. Same trust store, same password.

Hey @Martin_Schmid

Thanks for reporting this. I have a few thoughts about what could be going wrong, but what immediately jumped out to me is that you’re using sonar.scanner.keystorePath and sonar.scanner.keystorePassword instead of sonar.scanner.truststorePath and sonar.scanner.truststorePassword. The former would be used to present client certificates for authentication while the latter is the equivalent of what you’re passing to SSLPoke (certs to trust to establish the connection).

Relevant StackOverflow here:

Does swapping them out make a difference?
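As an added example (not code from the thread or from SonarSource), here is a before_script that builds a PKCS12 trust store from the internal CA certificate and passes it to sonar-scanner with the truststore properties rather than the keystore ones; it assumes the CA file is bv-ca.crt as in the poster's CA_CRT variable, that keytool from the scanner image's JRE is on PATH, and uses placeholder paths and the "sonar" password.

```shell
#!/bin/sh
# Added example, not from the original thread. Trust the issuing CA (not the
# server's leaf cert) and select it with sonar.scanner.truststore*, which is
# what fixes "None of the TrustManagers trust this certificate chain".
# Assumptions: bv-ca.crt is the internal CA, keytool is on PATH, and
# SONAR_HOST_URL is set by the CI job. Store path/password are placeholders.
set -eu

# Import the CA certificate into a PKCS12 trust store. Trusting the CA keeps
# the pipeline working when the SonarQube server certificate is rotated.
build_truststore() {
  ca_crt="$1"; store="$2"; store_pass="$3"
  mkdir -p "$(dirname "$store")"
  keytool -importcert -storetype PKCS12 -noprompt -trustcacerts \
    -alias internal-ca -file "$ca_crt" \
    -keystore "$store" -storepass "$store_pass"
  # Show what the scanner's JVM will actually trust.
  keytool -list -keystore "$store" -storepass "$store_pass"
}

# Properties that select certificates to *trust* for the server connection.
# keystorePath/keystorePassword instead select a *client* certificate and do
# nothing for server-chain validation, which is why SSLPoke (fed via
# javax.net.ssl.trustStore) succeeded while the scanner still failed.
scanner_tls_args() {
  store="$1"; store_pass="$2"
  printf '%s %s' \
    "-Dsonar.scanner.truststorePath=$store" \
    "-Dsonar.scanner.truststorePassword=$store_pass"
}

# Run the analysis with the trust store selected by the correct properties.
run_scan() {
  store="$1"; store_pass="$2"
  # shellcheck disable=SC2046  # splitting the two -D arguments is intended
  sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" \
    $(scanner_tls_args "$store" "$store_pass")
}

# Guarded so the functions can be sourced without running anything;
# set SONAR_TLS_DEMO=1 in the CI job to execute the full flow.
if [ "${SONAR_TLS_DEMO:-}" = "1" ]; then
  build_truststore bv-ca.crt /opt/sonar-scanner/.sonar/ssl/truststore.p12 sonar
  run_scan /opt/sonar-scanner/.sonar/ssl/truststore.p12 sonar
fi
```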

Hi Colin,

thanks so much for the answer! That certainly helped. I’m now onto the next error message :slight_smile:

Happy Christmas to you :innocent:

