UNABLE_TO_VERIFY_LEAF_SIGNATURE even with SonarQube behind Application Gateway with SSL Termination

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

I have setup a SonarQube server on an Azure Windows Server 2016 machine, which sits behind an Azure Application Gateway, with SSL termination. Essentially requests are sent to a public ip address, using HTTPS, the Application Gateway manages SSL with an Azure Self-Signed certificate and sends the request in HTTP to the backend pool, where the VM with SonarQube sits.

I made sure that for the ApplicationGateway the frontend listener uses HTTPS (on port 9000) and the backend HTTP settings is set to HTTP (still on port 9000).

I successfully manage to connect to the VM via browser, i.e. browsing https://“publicIP”:9000. I can also receive the response to this request https://“publicIP”:9000/api/server/version (the response is In both cases, I have to confirm to proceed (after receiving “Your Connection is not private. NET:ERR_CERT_AUTHORITY_INVALID”), but that should be expected with self-signed certificates.

The problem arises when I try to run an Azure DevOps YAML pipeline (which used to work fine, in the first tests with only HTTP connection). The error I receive is “[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}”, in the SonarQubePrepare@4 task:

  • task: SonarQubePrepare@4

      SonarQube: 'SonarQubeServiceConnection'        
      scannerMode: 'MSBuild'
      projectKey: 'DevTest'

SonarQubeServiceConnection is the Azure DevOps service connection which includes the public IP address (with port) and the personal access token (for SonarQube).

From browsing for answers, it seem that the error "UNABLE_TO_VERIFY_LEAF_SIGNATURE” should be related to SSL certificate problems, but I would have though that the Application Gateway SSL termination should have had prevented any SSL checks from the SonarQube side.

Thanks for any help given.