SonarQube SAML error - Error loading privatekey from properties

Hello! I am inheriting a project someone else set up. This is SonarQube Community Edition 9.9.1.69595, installed on Linux. In the past a handful of users were using local credentials, but they really want to use SSO integration with Okta.

I set up the reverse proxy, got a good certificate from Let's Encrypt, and followed the SAML setup document. We got as far as Okta showing success; however, when attempting SSO login, SonarQube states “You’re not authorized to access this page. Please contact the administrator.” I assumed it was a permission issue, but after every combination I can think of, it still did not work. So… I followed the debug log steps to track the web.log file and this is what I’m receiving.

2024.04.03 21:04:54 ERROR web[AYotpSHrOgRLNt25APqx][o.s.a.s.SamlAuthenticator] Error in parsing service provider private key, please make sure that it is in PKCS 8 format.
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.saml2.Auth] Settings validated
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_412734b1-908a-43a0-a1ee-a6941533519d" Version="2.0" IssueInstant="2024-04-03T21:04:54Z" Destination="https://contfinco.okta.com/app/contfinco_sonarqube_1/exk8m0e8jh32J2ckw697/sso/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://cfc-sonarqube.contfinco.com/oauth2/callback/saml"><saml:Issuer>SonarQube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.saml2.Auth] AuthNRequest sent to https://contfinco.okta.com/app/contfinco_sonarqube_1/exk8m0e8jh32J2ckw697/sso/saml --> …
2024.04.03 21:04:55 ERROR web[AYotpSHrOgRLNt25APqy][c.o.s.s.SettingsBuilder] Error loading privatekey from properties.
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=111, too big.
	at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:253)
	at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:389)
2024.04.03 21:04:55 ERROR web[AYotpSHrOgRLNt25APqy][o.s.a.s.SamlAuthenticator] Error in parsing service provider private key, please make sure that it is in PKCS 8 format.
2024.04.03 21:04:55 DEBUG web[AYotpSHrOgRLNt25APqy][c.o.saml2.Auth] Settings validated
2024.04.03 21:04:55 WARN  web[AYotpSHrOgRLNt25APqy][o.s.s.a.AuthenticationError] Fail to callback authentication with 'saml'
java.lang.IllegalStateException: Failed to process the authentication response

Please let me know where to go from here. According to Okta it's handing off and happy, but SonarQube is not. I don't understand why it's asking for the key to be in PKCS8. Okta provides an X.509 certificate but nothing extra. When Googling I did not see anything about changing the X.509 to PKCS8.
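The "please make sure that it is in PKCS 8 format" error above means the key text SonarQube was handed does not decode to a PKCS#8 PrivateKeyInfo structure. As an added example (not SonarQube's or java-saml's code), the following pure-Python check tells a PKCS#8 key (`BEGIN PRIVATE KEY`) from a traditional PKCS#1 one (`BEGIN RSA PRIVATE KEY`) by looking at the DER structure, and reproduces the Java-style "lengthTag=…, too big" failure that appears in the log when the bytes are not valid DER at all. The DER bodies are constructed toy values, not real keys.

```python
import base64
import binascii
import re

# Constructed toy DER bodies (not real RSA keys) so the check runs offline.
PKCS8_DER = bytes.fromhex(
    "3016"                            # SEQUENCE, 22 bytes follow
    "020100"                          # INTEGER version = 0
    "300d06092a864886f70d0101010500"  # AlgorithmIdentifier: rsaEncryption, NULL
    "04023000")                       # OCTET STRING wrapping the inner RSAPrivateKey
PKCS1_DER = bytes.fromhex(
    "300b"                            # SEQUENCE, 11 bytes follow
    "020100"                          # INTEGER version = 0
    "0203010001"                      # INTEGER modulus (toy value)
    "020103")                         # INTEGER public exponent (toy value)

def pem_encode(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:         # same limit and wording as Java's DerInputStream
            raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_private_key(pem_text: str) -> str:
    """PKCS#8 (what SonarQube expects), PKCS#1 ('RSA PRIVATE KEY'), or invalid."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return "invalid: no PEM armor found"
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
        outer, start, _ = der_read_tlv(der, 0)
        version, _, after_version = der_read_tlv(der, start)
        second, _, _ = der_read_tlv(der, after_version)
    except (ValueError, IndexError, binascii.Error) as exc:
        return f"invalid: {exc}"
    if outer != 0x30 or version != 0x02:
        return "invalid: not SEQUENCE { INTEGER version, ... }"
    if second == 0x30:              # AlgorithmIdentifier follows the version
        return "PKCS#8" if label == "PRIVATE KEY" else f"PKCS#8 (labelled {label})"
    if second == 0x02:              # modulus INTEGER follows the version
        return "PKCS#1: convert with openssl pkcs8 -topk8 -nocrypt"
    return "invalid: unrecognised private key structure"
```

Run it over the exact text you intend to paste into the "Service provider private key" field; a certificate (`BEGIN CERTIFICATE`) will be reported as invalid, which is correct, since that field wants a private key, not Okta's X.509 certificate.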

Hey there.

If I understand correctly, SonarQube requires a PKCS8 for assertion encryption support.

As documented, SonarQube + Okta doesn’t support signing requests.

Can you make sure, if you’re using Okta, that you have Sign requests turned off in your SAML config and no values for Service provider private key and Service provider certificate?

Can confirm here the fields are blank.

Gee, that’s weird.

If you look at http://<SONARQUBE_URL>/api/settings/values (while logged in as your user), do you see sonar.auth.saml.sp.privateKey.secured set anywhere? That would imply a value has been set.

It does show that exact string.

Can you try deleting your configuration and reconfiguring it, making sure not to touch the three properties I mentioned?

Please excuse my ignorance but is there a specific method for deleting the configuration other than blanking out all the options and hitting save?

In SonarQube v10.4, yes! But in SonarQube v9.9 LTS, no. Sorry, I forgot!

Perhaps you can try using the API, like this:

curl -X POST -u username:password '<SONARQUBE_URL>/api/settings/reset?keys=sonar.auth.saml.sp.privateKey.secured'

You can also use a token:

curl -X POST -u THIS_IS_MY_TOKEN: '<SONARQUBE_URL>/api/settings/reset?keys=sonar.auth.saml.sp.privateKey.secured'

Late reply, but I’m a little unsure where I’m making this change. Directly on the installed box or through the user interface?

I’m suggesting you reset the setting using the Web API (curl, via your terminal), rather than using the UI. Whether this is done on the server itself or on your local machine is up to you.

OKAY! Progress… I was doing step 3, marked as optional, which was why it was expecting a key. I set Assertion Encryption to unencrypted now.

Now when I do a test, I am receiving

  • The response was received at http://%URL%/oauth2/callback/saml instead of https://%URL%/oauth2/callback/saml

Looks like I have an issue with the reverse proxy?

web.log says Caused by: com.onelogin.saml2.exception.Error: SAML Response not found, Only supported HTTP_POST Binding
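The "received at http://… instead of https://…" message comes from the SP comparing the Destination attribute in the SAML Response with the URL it believes the POST arrived on; behind a reverse proxy that URL is rebuilt from the Host and X-Forwarded-Proto headers, so a proxy that forwards "http" (or no proto header) makes an https deployment look like plain http. The following is an added illustration of that check, not SonarQube's or java-saml's code; the samlp:Response is constructed and minimal, and the hostname sonar.example.test is made up.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed, minimal samlp:Response (unsigned, assertion omitted) carrying
# only the attribute this check uses; a real Okta response is far larger.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_example" Version="2.0" '
    'IssueInstant="2024-04-03T21:04:55Z" '
    'Destination="https://sonar.example.test/oauth2/callback/saml"/>'
)

def received_at(headers: dict, conn_scheme: str, path: str) -> str:
    """Rebuild the URL the SP believes the POST arrived on. Behind a reverse
    proxy the scheme comes from X-Forwarded-Proto; if the proxy sends 'http'
    or omits the header, the SP only sees the plain-HTTP hop from nginx."""
    scheme = headers.get("X-Forwarded-Proto", conn_scheme).lower()
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return f"{scheme}://{host}{path}"

def check_destination(response_xml: str, headers: dict, conn_scheme: str = "http",
                      path: str = "/oauth2/callback/saml"):
    """Return (ok, message) the way an SP's Destination check would."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    destination = root.get("Destination")
    actual = received_at(headers, conn_scheme, path)
    if destination != actual:
        return False, f"The response was received at {actual} instead of {destination}"
    return True, "Destination matches"
```

Feeding it the headers nginx actually sends (X-Forwarded-Proto http) reproduces the message from the thread; switching the header to https makes the same response pass.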

What reverse proxy are you using?

nginx

ubuntu@ip-xx-xx-xx-xx:/etc/nginx/conf.d$ cat sonar.conf
server {
    server_name <name>;
    access_log /var/log/nginx/sonar.access.log;
    error_log /var/log/nginx/sonar.error.log;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://xx.xx.xx.xx:9000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<name>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<name>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = <name>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name <name>;
    return 404; # managed by Certbot
}
This should be set to https


That did it!!! Thank you so much for your help. Our dev team is so excited to start using this.


Follow-up question on this thread. If one did want to use assertion encryption for an additional layer of security, how might one generate or acquire the key and cert? I can generate a key and cert pair in PKCS8 format but Okta won’t accept it. Also, my understanding is that AES256-GCM is symmetric, so shouldn’t that mean they use a shared key? Any advice would be welcome. I’ve not found a workable answer so far.

Thank you!
David
