TFS 2018 SonarQube CLI task

If the intermediate is in a separate cert file, do you add its path in the environment variable mentioned above as well ?

I’m not quite sure what you are asking but I added the following in the variables tab of the job, but it failed.

Here is the portion of the log.
[SQ] API GET: ‘/api/server/version’ with query “undefined”
(node:16864) Warning: Ignoring extra certs from E:\Temp\sq_cert.crt.cer,E:\Temp\DigiCertSHA2SecureServerCA.cer, load failed: error:0200107B:system library:fopen:Unknown error

[SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

task result: Failed

[SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

Processed: ##vso[task.issue type=error;][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

Processed: ##vso[task.complete result=Failed;][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

Can I turn up any more logging? What command is the agent sending that is generating the error so that I can test from there?

[SQ] API GET: ‘/api/server/version’ with query “undefined”
[SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

What is the command that it’s trying to run that produces the 2 errors above?


My bad, in fact, this environment variable accepts only one file as value, and all certificates should be contained in PEM format inside this file.

See the doc here : https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

I converted the .crt to the .pem file and updated the variable but it still failed. What command is being sent that creates this error?

SonarQube=8f36bfb6-b06d-43a0-951d-34af7848628d

8f36bfb6-b06d-43a0-951d-34af7848628d=https://sonar-corp-d1.wpsic.com/

8f36bfb6-b06d-43a0-951d-34af7848628d auth param apitoken = null

8f36bfb6-b06d-43a0-951d-34af7848628d auth param username = ***

8f36bfb6-b06d-43a0-951d-34af7848628d auth param password = null

organization=null

scannerMode=MSBuild

projectKey=ML-Test

projectName=ML-Test

projectVersion=1.0

organization=null

[SQ] API GET: ‘/api/server/version’ with query “undefined”

[SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

task result: Failed

[SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

Processed: ##vso[task.issue type=error;][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

Processed: ##vso[task.complete result=Failed;][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}

That didn’t seem to work, I get the same error.

What is the command it is trying to send, so maybe I can troubleshoot at a lower level?


This is a “simple” node.js request, so yes, maybe you can try to unit test it by passing the certificate that you added in the environment variable.

Given some other community thread, that trick should solve the problem; it seems strange that it didn’t in your case. (TFS buid server cannot connect to teh SonarQube server over SSL)

I’m still getting the same error. What node.js command would I run to test this?

This kind of request should do the trick.

Can you make sure that the env variable you set is accessible by the task itself? Did you try to output system env variables just before the “Prepare Analysis Configuration” task?

Thanks !

Did you try to restart the build agents @patdelaney ? Did the trick for me

Yes I did, I rebooted the build server.

Is there a simple command line test I can do to narrow it down to see if it really is a cert issue?


There’s no “simple” command line as this is a proper programming language, so you’ll have to create a tiny program to run an HTTP request.

You can see some examples here : https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html

Thanks I’ll test this


So when I ran the script I wrote I got the following error:

Error: unable to verify the first certificate

Just to narrow this down a little, does the Java Keystore play any role in this? My build server is a Windows 10 PC (test environment); the SonarQube server (Enterprise) is on Redhat. The cert on SonarQube is self signed.

I don’t think so.

Even if it’s self signed, have you added the whole certificate chain inside the single file you define in the env variable?

Thanks.

Well, the good news is that the node.js script that I wrote for troubleshooting the cert issue now works. I worked with my Linux team, who gave me a new PEM file. After rereading the node.js docs about NODE_EXTRA_CA_CERTS, it’s an environment variable, not a command line option, so that’s why my stand-alone node.js script was failing. I added NODE_EXTRA_CA_CERTS to the system variables on the build machine (Windows) and for grins removed it from the variables in the build definition, and when I ran the build it got past the version check. So I will call this issue closed. I will go back and troubleshoot the next part of the script…

That’s great news! Thank you for your feedback.

Mickaël
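
A pre-flight check for the three failure modes that came up in this thread (several paths in the variable, a non-PEM file, and a variable that the Node.js process never sees), as an added example that is not part of the original posts or of the SonarQube task. The function name `checkExtraCaCerts` and its injected `fsLike` parameter are assumptions made for the illustration.

```javascript
// Added example, not from the thread. Checks a NODE_EXTRA_CA_CERTS value
// against the failure modes discussed above.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Pure check; `fsLike` needs existsSync/readFileSync so it can be tested offline.
function checkExtraCaCerts(value, fsLike) {
  const result = { ok: false, problems: [], certs: [] };
  if (!value) {
    result.problems.push('NODE_EXTRA_CA_CERTS is not set in this process');
    return result;
  }
  if (!fsLike.existsSync(value)) {
    // "a.cer,b.cer" is treated as ONE file name, hence the fopen error in the log.
    result.problems.push(/[,;]/.test(value)
      ? 'value looks like several paths; Node.js accepts exactly one file'
      : 'file not found: ' + value);
    return result;
  }
  const text = fsLike.readFileSync(value, 'latin1');
  result.certs = text.match(PEM_CERT) || [];
  if (result.certs.length === 0) {
    result.problems.push('no PEM certificate blocks found (binary DER .cer/.crt?)');
  }
  result.ok = result.problems.length === 0;
  return result;
}

// Stand-alone run: report on the variable as this Node.js process sees it.
// Node.js reads the variable once at startup, so it must be set before launch.
async function main() {
  const fs = await import('node:fs'); // dynamic import works in CJS and ESM
  const { X509Certificate } = await import('node:crypto');
  const r = checkExtraCaCerts(process.env.NODE_EXTRA_CA_CERTS, fs);
  r.problems.forEach((p) => console.log('PROBLEM: ' + p));
  r.certs.forEach((pem, i) => {
    try {
      const c = new X509Certificate(pem);
      console.log(`cert ${i}: subject=${c.subject} issuer=${c.issuer}`);
    } catch (e) {
      console.log(`cert ${i}: not parseable (${e.message})`);
    }
  });
  console.log(r.ok ? `${r.certs.length} certificate(s) in one file` : 'check failed');
}
main().catch((e) => console.error(e));
```

Run it with `node` on the build agent under the same account as the agent service; comparing each printed subject and issuer shows whether the intermediate and root are both present in the single file.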