I’m seing the exact same issue. But I’m not missing any intermediate certificates.
When SonarQube starts up it prunes the gitlab projects and fails to verify TLS cert.
I turned on DEBUG logging and I see that sonarqube picks up the same CA-Root-Cert but fails to validate… How can that be?? I have added my CN into the SAN fields. Curl with the --cacert option pointing to the same file I imported into cacerts works as well. Just like all major browsers.
Having the same issue.
My on-prem Gitlab cert validates fine via browsers and also using curl inside the container (running sonarqube under Docker). curl --cacert against my gitlab instance validates fine. Added the same root-cert to the keystore under /usr/lib/jvm/java-11-openjdk/lib/security/. Restarted the container but still the same issue. No intermidiate certs exists.
When I try against a server with self-signed it fails as expected…
bash-5.1# /usr/lib/jvm/java-11-openjdk/bin/java -jar ssltest.jar -showsslerrors -check-certificate web01.xxxx.net:443
Testing server web01.xxxx.net:443
Supported Protocol Cipher
Untrusted TLSv1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Server certificate is not trusted. All other connections will fail similarly.
Server certificate is not trusted, cannot complete handshake. Try -no-check-certificate
I’ve moved your topic (and posts on other threads) into its own post.
If I had to make a guess, the reverse proxy sitting in front of your SonarQube server (responsible for serving it over HTTPS) only accepts the TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher, which is relatively new and might not be trusted on older versions of Java 11 (I believe it became trusted in 11.0.13)
You might want to expand the list of cipher suites, or make sure you are using the latest version of Java 11 when connecting to your SonarQube server.