Sonarqube server cannot be reached

Hi, I’m currently trying to run sonar-scanner through a CI/CD job in GitLab, and I’m encountering the following problem:
06:52:40.123 ERROR: SonarQube server [https://gmvsonarqube.gmv.es] cannot be reached.

If I use HTTP instead of HTTPS (without using the TLS/SSL certificate verification), the server can be reached without issues. Therefore, the problem is related to the TLS/SSL certificate authentication.

I’ve downloaded/exported the complete chain (GMV_Root_CA and *.gmv.es) and added it to /usr/local/share/ca-certificates. I have also imported the Certificates into Java Keystore (cacerts) as I’m running the runner directly on the virtual machine. I’ve imported the certificates and then updated the CA certificates through the console.

I’ve also changed the config.toml file of the runner to point to these two certificates and then restarted the GitLab runner. The problem still appears after all these changes, and I do not know why.

I’ve also done the following as the gitlab-runner user inside my machine:

  • Check SSL connectivity and ensure the certificates are trusted: "openssl s_client -connect gmvsonarqube.gmv.es:443 -CAfile /etc/ssl/GMV_Root_CA.crt < /dev/null"

  • Ensure the Gitlab-Runner user can access the SonarQube server: "curl -v -k --cacert /etc/ssl/GMV_Root_CA.crt https://gmvsonarqube.gmv.es"

In the first one, the SSL verification process seems to work okay, but with the curl command I get this warning: "SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway."

Any possible solution? Many thanks in advance.

PS: The problem is not related to the .gitlab-ci.yml file where the job is configured, as it works fine if I change the server from HTTPS to HTTP.

Hi,

Welcome to the community!

If you’re getting

I believe you haven’t gotten as far as the handshake, so this is likely not about the certificate. (That would be a PKIX error.) I would start with DNS and/or your network folks.

HTH,
Ann

Hi Ann,

Thank you for your answer. That was one of my concerns, and I tried disabling the firewall, but the error persists. In any case, I will share your insights with my network team and see if they can find a solution.

PS: I’m also adding the whole error message with debug information, where the sentence “unable to find valid certification path to requested target” can be read.

Hi,

Well… then it might be a certificate error after all. Having the full stacktrace is always helpful.

Ann

Any suggestions?

Hi,

The docs may help.

Ann

Hi, I finally found the root of the problem. SonarScanner requires a JRE (Java Runtime Environment) to run. This JRE can be provided either by the system or bundled with the scanner. In my case (I do not know if this is always the case, but I suppose it is), the JRE was bundled in SonarScanner, and thus its TrustStore is the one that is used by default. Therefore, the certificates must be placed there, normally at /sonar_path/jre/lib/security/cacerts.

I was using the system-wide trustStore, which corresponds to the Java installed on my machine, which is not the one that Sonar-scanner uses.

The solution is:

  • To directly import the certificates into the cacerts file of the Sonar-scanner JRE at /sonar_path/jre/lib/security/cacerts

  • Or to use the SONAR_SCANNER_OPTS environment variable in the gitlab-ci.yml file (file for running the CI/CD job) to point to the system-wide Java TrustStore or to a custom one. Here is the information on how to do it: TLS certificates on client side & SonarQube Docs (sonarsource.com).

I did not manage to tell Sonar-scanner to use the Java I’ve installed on my machine. I don’t know if it is possible at all or even something desirable.

Many thanks
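An added example of the second option described above (not the poster's or SonarSource's own configuration): a GitLab job that imports the corporate root CA into a truststore built for the scanner's bundled JRE and hands it over through SONAR_SCANNER_OPTS. The job name, the truststore path, the CA file path and the placeholder store password are assumptions.

```yaml
# .gitlab-ci.yml fragment (added example; job name, paths and password are assumed)
sonarqube-check:
  stage: test
  variables:
    # Assumed location of the exported root CA (the chain's root, not the leaf)
    CA_CERT: /etc/ssl/GMV_Root_CA.crt
    # A truststore dedicated to the scanner, kept inside the job workspace
    TRUSTSTORE: $CI_PROJECT_DIR/.sonar/truststore.jks
    # keytool requires a store password; this protects integrity only, it is not a secret
    TRUSTSTORE_PASS: changeit
  script:
    - mkdir -p "$(dirname "$TRUSTSTORE")"
    # The bundled JRE ignores /usr/local/share/ca-certificates and the system JDK's
    # cacerts, so the CA has to be placed in a store the scanner is explicitly told about.
    # Repeat the import (with another alias) for any intermediate CA in the chain.
    - keytool -importcert -noprompt -trustcacerts
        -alias gmv-root-ca -file "$CA_CERT"
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
    # Fail fast if the CA did not land in the store the JRE will read.
    - keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" | grep -qi gmv-root-ca
    # Standard JSSE properties: point the scanner's JVM at that truststore.
    - export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASS"
    - sonar-scanner -Dsonar.host.url=https://gmvsonarqube.gmv.es -Dsonar.projectKey="$CI_PROJECT_NAME"
```

If the keytool -list check fails, the PKIX "unable to find valid certification path" error will reappear regardless of what the system store contains, which is a quick way to tell a truststore problem from a network one.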
