Sonarqube with reverse Proxy (Traefik) and Gitlab certificate issue (self signed)

Hi,

I have SonarQube Developer Edition installed in Docker behind a reverse proxy (Traefik). We use a self-signed certificate. We also have a GitLab instance. The HTTPS reverse proxy works fine for both GitLab and SonarQube.

Versions:

  • SonarQube version: 8.6.1.40680
  • GitLab version: 13.8.3 CE

I’m trying to set up GitLab authentication following the documentation: https://docs.sonarqube.org/latest/analysis/gitlab-integration/

From this forum, I found that I have to add my certificate (the .pem file?) to the Java truststore:

keytool -import -v -trustcacerts -alias mycompagnycert -file /cert.pem -keystore ${JAVA_HOME}/lib/security/cacerts -noprompt -storepass changeit

There is no error message here, but I still get this error in the Docker logs:

2021.02.12 13:25:24 WARN  web[AXeV3GJms8DgjbSqAABw][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:104)
    at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:98)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)

I don’t understand what I’m doing wrong. Any help would be very much appreciated :blush:

Thank you.

Hi, welcome to the community forum!

First of all, make sure you added the certificate that contains the full certification path, from the root certificate to your own.

Then, for self-signed certificates, alias hostnames are often missing. If you run into a “hostname not verified”, you will need to regenerate your certificate, including the hostname and aliases. More specifically, you need to add the X509v3 Subject Alternative Name extension to your certificate.

Thank you for your answer, the certificate is valid within web browser, so I don’t think it’s a certificate issue.

I found the solution:

I’m using docker-compose, so I had to do the following:

  • Use a Dockerfile called by docker-compose.yml
  • In this Dockerfile, import my custom certificate using the keytool command

Here is an example:

Dockerfile:

FROM sonarqube:8-developer
ADD ./mycompagnycert.pem /
RUN keytool -import -v -trustcacerts \
    -alias sonarqube -file /mycompagnycert.pem \
    -keystore ${JAVA_HOME}/lib/security/cacerts -noprompt -storepass changeit

docker-compose.yml:

services:
  sonarqube:
    build:
      context: .
      dockerfile: Dockerfile
...

Now, I have to configure sonar-scanner in the same way.
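An added helper script (not from this thread or from SonarSource) that ties together the two points raised above: the first reply's advice to import the full certification path, and the import-then-verify of the truststore inside the container that actually runs SonarQube. The PEM path, container name and alias are placeholders you pass as arguments.

```shell
#!/bin/sh
# Added example, not from the forum thread. Usage:
#   ./check-truststore.sh ./mycompagnycert.pem <sonarqube-container> <alias>
set -eu

# Count the certificates in a PEM bundle. A single leaf certificate, without
# the root (and any intermediates) that signed the GitLab certificate, is a
# common cause of "unable to find valid certification path".
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Import into the JVM truststore *inside* the container running SonarQube.
# Running keytool on the host modifies a different cacerts file, which is
# why the import can "succeed" while the PKIX error persists.
import_into_container() {
    container="$1"; pem="$2"; alias_name="$3"
    docker cp "$pem" "$container:/tmp/custom-ca.pem"
    docker exec -e ALIAS="$alias_name" "$container" sh -c \
        'keytool -import -v -trustcacerts -alias "$ALIAS" \
            -file /tmp/custom-ca.pem \
            -keystore "$JAVA_HOME/lib/security/cacerts" \
            -noprompt -storepass changeit'
}

# Confirm the alias is present in the truststore the JVM actually loads.
verify_alias() {
    docker exec -e ALIAS="$2" "$1" sh -c \
        'keytool -list -keystore "$JAVA_HOME/lib/security/cacerts" \
            -storepass changeit -alias "$ALIAS"'
}

# Only act when all three arguments are given; the functions above can also
# be sourced individually.
if [ "$#" -eq 3 ]; then
    pem="$1"; container="$2"; alias_name="$3"
    n=$(count_pem_certs "$pem")
    echo "certificates in $pem: $n"
    [ "$n" -ge 2 ] || echo "warning: only $n certificate(s) in the bundle;" \
        "is the full chain (root + intermediates) included?"
    import_into_container "$container" "$pem" "$alias_name"
    verify_alias "$container" "$alias_name"
fi
```

Changes made with docker exec are lost when the container is recreated, which is why the Dockerfile approach in the post above is the persistent fix; this script is for checking that the import landed where the JVM looks.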

