TFS build server cannot connect to the SonarQube server over SSL

ssl

(Chris Hardie) #1

I have SonarQube server running and have an IIS server in front enforcing SSL. From a browser I have no problem accessing the server. TFS Build server is failing on the task “Prepare analysis on SonarQube” with the error:

[SQ] API GET '/api/server/version' failed, error was: {"code":"UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}

If I use the http url over port 9000, it works fine. Has anyone come across this, and what did they do to fix it? I have added the cert, intermediate, and root authority to the java cacerts to no avail.

Thanks


(Nicolas Bontoux) #2

Hi Chris,

Careful there, while there are some Java processes intervening in the SonarQube VSTS tasks (mostly in ‘Run Code Analysis’), keep in mind that the tasks themselves are .Net components, and have some .Net logic in them. All that to say that updating Java trusted certificates is likely to not be sufficient; you should also make sure that custom certificates are trusted by Windows itself on the agent (and one approach to troubleshoot could therefore be for you to log in directly to that agent and see if you can successfully connect to SonarQube via proxy, independently of any Java process consideration).

EDIT: see reply below for Node.js aspects too


Configuring Prepare Analysis Configuration task in Azure DevOps with self-signed certificate
(Nicolas Bontoux) #3

Actually I mixed things a bit:

  • there is a Java part as discussed
  • there is a .Net consideration to all this, but ultimately it’s possible that Windows has trust there given the domain/environment to which your machines all belong
  • some tasks follow Microsoft good practices and leverage Node.js, in which case it’s important to have that stack accept your custom certificates too. See this thread:

(Chris Hardie) #4

The issue was that we are using internal certificates and the CA was untrusted as we thought. The fix was not what we thought, it was the fact that we needed to set a global variable, NODE_EXTRA_CA_CERTS, and set it to a copy of the root cert we had stored locally in a directory. See this article: https://groups.google.com/forum/#!msg/sonarqube/1W8raF6ZMVM/iFgQhVENAAAJ
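
A preflight check for the fix described in the last post, as an added example that is not part of the original thread or of any SonarQube tooling: it classifies the file that NODE_EXTRA_CA_CERTS points to, since Node.js expects PEM there and only reads the file at process start. The function name `checkExtraCa` and its status strings are hypothetical.

```javascript
// Added example: preflight check for NODE_EXTRA_CA_CERTS on a build agent.
// checkExtraCa and its status strings are hypothetical names.
const fs = require('fs');
const { X509Certificate } = require('crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Classify the file the variable points to. Node reads this file once at
// process start and expects PEM; a file it cannot load does not stop the
// process, so the TLS error simply persists.
function checkExtraCa(path) {
  if (!path) return { status: 'unset' };
  let raw;
  try {
    raw = fs.readFileSync(path);
  } catch (err) {
    return { status: 'unreadable', detail: err.code };
  }
  const blocks = raw.toString('latin1').match(PEM_BLOCK) || [];
  if (blocks.length === 0) {
    // 0x30 is the ASN.1 SEQUENCE tag that opens a DER-encoded certificate,
    // which is what a binary .cer export from Windows contains.
    return { status: raw[0] === 0x30 ? 'der-not-pem' : 'no-certificate' };
  }
  const certs = [];
  for (const pem of blocks) {
    try {
      const c = new X509Certificate(pem);
      certs.push({
        subject: c.subject,
        selfSigned: c.subject === c.issuer, // true for a root CA
        expired: new Date(c.validTo) < new Date(),
      });
    } catch (err) {
      return { status: 'invalid-pem', detail: err.message };
    }
  }
  return { status: 'ok', certs };
}

// Report on the current process environment when run directly.
console.log(JSON.stringify(checkExtraCa(process.env.NODE_EXTRA_CA_CERTS), null, 2));
```

Run it with the same account and environment as the build agent service, because a variable set after the agent process started is not visible to it until the agent is restarted.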