We are using SonarQube Community Edition - Version 7.9.1 (build 27448) and the SonarQube extensions 4.8.0 for TFS 2018.
The tasks “Prepare analysis on SonarQube” and “Run Code Analysis” work normally, but the task “Publish Quality Gate Result” fails with “unable to get local issuer certificate” as seen here:
I googled and found the following posting with a proposed solution, which describes my problem (we are also using a self-signed certificate for our Sonar server).
So I added the environment variable: NODE_EXTRA_CA_CERTS
I created a PEM file with the entire certificate chain in BASE64, as it was described:
I gave everyone access to this file (just in case it is a permission problem), but I keep having the same problem.
Any ideas to get more detailed error descriptions, logs or even better: Any solution that works for me?
How is your agent running? Maybe a dumb question, but did you restart it after adding the environment variable? If yes, can you make sure that it has correct access to it?
I restarted the agents and even the entire server. To really make sure that the agent gets the value of the environment variable, I added a PowerShell build step like this:
Write-Host "NODE_EXTRA_CA_CERTS: $Env:NODE_EXTRA_CA_CERTS"
When starting the build, it prints out:
2019-09-18T05:11:12.1059106Z NODE_EXTRA_CA_CERTS: D:\Certs\Certs.pem
So the build agent gets the variable.
Build Agent details:
I rechecked whether the SSL certificate itself and the entire certificate chain are inside the D:\Certs\Certs.pem file. So this seems to be okay.
I don’t get any more logs / details, so it is hard for me to find out what to do next.
I could see that as soon as I removed the certificates from the pem file, the request fails:
{ Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
at TLSSocket.emit (events.js:198:13)
at TLSSocket._finishInit (_tls_wrap.js:636:8) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
But if all certificates are stored in the pem file, I get a proper 200-OK HTTP Response with my node script.
So it is really hard to track down the issue for me
Do you have an Azure DevOps / TFS instance over SSL as well? Does this server have its local certificate in your Certs.pem as well?
We make an extra call over to the AzDO REST API to post some build properties, so as long as you don’t have any extra message in your log, I suspect that it is this call which is failing.
Thank you for this hint. I was focusing on the certificate chain of the web server where SonarQube is running, and I didn’t know that the certificates of TFS (AND ITS CHAIN!) also need to be added to the PEM file. This solved my problem.
I recently came across this issue and I’m really confused with the solution. I use https, and I have set up an IIS server as reverse proxy in order to enforce https. I extracted the certificate that I use for SSL (generated by corporate CA) as a cer file and did create the environment variable, restarted the agent with no luck. What I found out is that the file has only the final certificate of the IIS, not the intermediate or root. But these certificates are already trusted in the server since these are the corporate root and intermediate authorities. What am I missing here? (because there is no doubt I am missing something).
Hi Dominik,
I am also facing the same issue. Kindly share the final successful step you performed with the Azure DevOps cert, combining it with the SonarQube .pem and placing/installing it in a location.
This was a great help in getting the azure devops build to run but it then fell over at sonar’s java based scanner which also failed to recognise the self signed cert. Has anyone worked out how to get java to connect to the self signed cert? I tried to import my certs into cacert using keytool but this didn’t work. Has anyone else tried?
To resolve the unable_to_get_issuer_cert_locally error in Node.js, you can use the NODE_EXTRA_CA_CERTS environment variable to specify additional CA certificates. Here’s how to configure it:
Set Environment Variable: Export the path to your CA certificate file by running:
export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pem
Replace /path/to/ca-cert.pem with the actual path to your CA certificate file.
Verify Certificate Chain: Ensure the CA certificate file includes the necessary certificates for validating the server’s certificate chain.
Restart Node.js Application: After setting the environment variable, restart your Node.js application to apply the changes.
This approach helps Node.js locate and use the additional CA certificates for SSL/TLS verification. To know more about this ‘UNABLE_TO_GET_ISSUER_CERT_LOCALLY’ error, check out this.
The “unable to get local issuer certificate” error in Publish Quality Gate Result occurs because SonarQube cannot verify the SSL certificate of the server. To fix it:
Disable SSL Verification
In the build pipeline, add:
NODE_TLS_REJECT_UNAUTHORIZED=0
This bypasses SSL checks but reduces security.
Import the CA Certificate
Get the root CA or intermediate certificate used by your SonarQube server.
Add it to your trusted store or specify it in the pipeline using:
NODE_EXTRA_CA_CERTS=path/to/ca.pem
Check SSL Configuration
Verify the certificate chain using an SSL checker.
Ensure SonarQube’s SSL certificate is correctly installed and not expired.