SSLPeerUnverifiedException: Hostname XXXXXXX not verified (no certificates)

I am trying to use the pull request decoration but I am intermittently getting the following exception

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXXXXXX not verified (no certificates)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:353)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
	at okhttp3.RealCall.execute(RealCall.java:81)
	at com.sonarsource.C.B.B.A.A.D.A(Unknown Source)
	at com.sonarsource.C.B.B.A.A.C.A(Unknown Source)
	at com.sonarsource.C.B.B.A.A.C.A(Unknown Source)
	at com.sonarsource.C.D.E.A.C(Unknown Source)
	at com.sonarsource.C.D.E.A.A(Unknown Source)
	at com.sonarsource.C.D.E.I.A(Unknown Source)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Optional.java:183)
	at com.sonarsource.C.D.a.B(Unknown Source)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(SynchronousAsyncExecution.java:27)
	at com.sonarsource.C.D.a.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Optional.java:183)
	at com.sonarsource.C.D.a.finished(Unknown Source)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:118)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:109)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:91)
	at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:63)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:81)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:209)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:191)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:158)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:133)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:85)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

This is connecting to GitHub Enterprise 2.20.1 which has a valid certificate. This is with SonarQube Developer Edition 8.2 (build 32929) but it has also been observed with 7.9 as well.

1 Like

Hello @darrenlewis,

We already saw that in the past. If it’s an intermittent error, the certificate itself is not to blame. SonarQube uses a recent version of the library okhttp3, but what could happen is that other third-party plugins could use a less recent one. Sometimes, for some Java classpath management reasons (that I personally won’t be able to give details about), the older okhttp3 is used and it can lead to this kind of error.

Before checking what to do: do you indeed use third-party plugins on your SQ install? Which one and which version?

Hi @Antoine, thanks for the reply. This is a fresh install so I don’t think there is anything out of the ordinary. Here are the plugins that we’ve got:

ls sonarqube/extensions/plugins/
README.txt                            sonar-javascript-plugin-6.2.0.12043.jar               sonar-security-java-frontend-plugin-8.2.1.1259.jar
sonar-abap-plugin-3.8.0.2034.jar      sonar-kotlin-plugin-1.5.0.315.jar                     sonar-security-php-frontend-plugin-8.2.1.1259.jar
sonar-cfamily-plugin-6.7.0.15300.jar  sonar-php-plugin-3.3.0.5166.jar                       sonar-security-plugin-8.2.1.1259.jar
sonar-csharp-plugin-8.4.0.15306.jar   sonar-plsql-plugin-3.4.1.2576.jar                     sonar-security-python-frontend-plugin-8.2.1.1259.jar
sonar-css-plugin-1.2.0.1325.jar       sonar-python-plugin-2.5.0.5733.jar                    sonar-swift-plugin-4.2.2.77.jar
sonar-flex-plugin-2.5.1.1831.jar      sonar-ruby-plugin-1.5.0.315.jar                       sonar-tsql-plugin-1.4.0.3334.jar
sonar-go-plugin-1.6.0.719.jar         sonar-scala-plugin-1.5.0.315.jar                      sonar-typescript-plugin-2.1.0.4359.jar
sonar-html-plugin-3.2.0.2082.jar      sonar-scm-git-plugin-1.9.1.1834.jar                   sonar-vbnet-plugin-8.4.0.15306.jar
sonar-jacoco-plugin-1.0.2.475.jar     sonar-scm-svn-plugin-1.9.0.1295.jar                   sonar-xml-plugin-2.0.1.2020.jar
sonar-java-plugin-6.1.0.20866.jar     sonar-security-csharp-frontend-plugin-8.2.1.1259.jar

I have same problem too.

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname xxxx.xxxx.com not verified (no certificates)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:353)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
at okhttp3.RealCall.execute(RealCall.java:81)
at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:198)
… 25 more

Hello @darrenlewis,

It is indeed quite standard, no third-party plugins here.
Again, as it’s intermittent, you have to focus of what could change in the SSL handshake process. Here are few ideas gathered from what we know about the topic:

  • Do you know what version of the TLS protocol is used in your config? Could that change and sometimes be TLS 1.2, some other times 1.3? It will be good to force it so you could potentially narrowdown the issue
  • Does your certificate defines a SubjectAlternativeName? It should.
  • Could you be affected by JDK-8214060? Then upgrade your JVM.

I hope this will help.

Hi @darrenlewis,

i found a point try upgrade java.
Before i use openjdk 11.0.0.2 upgrade to 11.0.0.6 it solved problem.

@Antoine Thank you for your guide

3 Likes