VSTS - Publish Quality Gate Result: unable to get local issuer certificate


We are using SonarQube Community Edition - Version 7.9.1 (build 27448) and the SonarQube extensions 4.8.0 for TFS 2018.

The tasks “Prepare analysis on SonarQube” and “Run Code Analysis” work normally, but the task “Publish Quality Gate Result” fails with “unable to get local issuer certificate” as seen here:

I googled and found the following posting with a proposed solution, which describes my problem (we are also using a self-signed certificate for our sonar server).

So I added the environment variable: NODE_EXTRA_CA_CERTS

I created a PEM file with all the certificate chain in BASE64 as it was described:

I gave access to everyone to this file (just in case it is a permission problem), but I keep having the same problem.

Any ideas to get more detailed error descriptions, logs or even better: Any solution that works for me?

Thank you,



How is your agent running? Maybe a dumb question, but did you restart it after adding the environment variable? If yes, can you make sure that it has correct access to it?


I restarted the agents and even the entire server. To really make sure that the agent gets the value of the environment variable, I added a PowerShell build step like this:

When starting the build, it prints out:
2019-09-18T05:11:12.1059106Z NODE_EXTRA_CA_CERTS: D:\Certs\Certs.pem

So the build agent gets the variable.

Build Agent details:

I rechecked whether the SSL certificate itself and the entire certificate chain are inside the D:\Certs\Certs.pem file. So this seems to be okay.

I don’t get any more logs / details, so it is hard for me to find out what to do next.

In order to try the content of the environment variable, I created a very small node script, as seen below:

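var request = require("request");

request(
    { uri: "https://sonar.oe.wknet/about" },
    function(error, response, body) {
        // Print the TLS error, or the HTTP status code on success
        console.log(error || response.statusCode);
    }
);
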
I could see that as soon as I removed the certificates from the pem file, the request fails:
{ Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'

But if all certificates are stored in the pem file, I get a proper 200-OK HTTP Response with my node script.

So it is really hard to track down the issue for me :frowning:

Do you have an Azure DevOps / TFS instance over SSL as well? Does this server have its local certificate in your Certs.pem as well?

We make an extra call over to the AzDO REST API to post some build properties, so as long as you don’t have any extra message in your log, I suspect that it is this call which is failing.

Thank you for this hint. I was focusing on the certificate chain of the web server where SonarQube is running, and I didn’t know that the certificates of TFS (AND ITS CHAIN!) also need to be added to the PEM file. This solved my problem.

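The fix above came down to a bundle that covers both servers the task contacts. As an added illustration (not code from this thread or from the SonarQube extension), the Node.js sketch below reports, for each endpoint, the first CA that a bundle lacks on the way to a self-signed root. It assumes the bundle is meant to hold each server's full CA chain, as in the posts above, and that you supply the issuer name of each server certificate yourself; all host and CA names are constructed.

```javascript
// Added example, not from the thread; names are matched as text, no signatures verified.
const fs = require("fs");
const { X509Certificate } = require("crypto");

// Split a PEM bundle into its individual certificate blocks.
function splitPem(text) {
  return text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Parse a bundle file (e.g. the NODE_EXTRA_CA_CERTS path) into name records.
function loadBundle(path) {
  return splitPem(fs.readFileSync(path, "utf8")).map((pem) => {
    const cert = new X509Certificate(pem);
    return { subject: cert.subject, issuer: cert.issuer };
  });
}

// Follow issuer -> subject links from a server certificate's issuer up to a
// self-signed root. Returns null if complete, else the first missing name.
function firstMissingIssuer(leafIssuer, bundle) {
  const bySubject = new Map(bundle.map((c) => [c.subject, c]));
  const seen = new Set();
  let name = leafIssuer;
  while (!seen.has(name)) {
    seen.add(name);
    const ca = bySubject.get(name);
    if (!ca) return name; // gap: this CA is not in the bundle
    if (ca.issuer === ca.subject) return null; // self-signed root reached
    name = ca.issuer;
  }
  return name; // issuer loop that never reaches a root
}

// Check every endpoint the task calls, not only the SonarQube server.
function checkEndpoints(endpoints, bundle) {
  const report = {};
  for (const [host, leafIssuer] of Object.entries(endpoints)) {
    report[host] = firstMissingIssuer(leafIssuer, bundle) || "ok";
  }
  return report;
}

// Constructed sample: the bundle holds the SonarQube chain but not the TFS one.
const SAMPLE_BUNDLE = [
  { subject: "CN=Example Root CA", issuer: "CN=Example Root CA" },
  { subject: "CN=Example Web CA", issuer: "CN=Example Root CA" },
];
const SAMPLE_ENDPOINTS = { "sonar.example": "CN=Example Web CA", "tfs.example": "CN=Example Infra CA" };
console.log(checkEndpoints(SAMPLE_ENDPOINTS, SAMPLE_BUNDLE));
```

For a real bundle, pass `loadBundle(process.env.NODE_EXTRA_CA_CERTS)` as the second argument; `X509Certificate` needs Node.js 15.6 or later.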

Hi everyone,

I recently came across this issue and I’m really confused with the solution. I use https, and I have set up an IIS server as a reverse proxy in order to enforce https. I extracted the certificate that I use for SSL (generated by corporate CA) as a cer file and did create the environment variable, restarted the agent with no luck. What I found out is that the file has only the final certificate of the IIS, not the intermediate or root. But these certificates are already trusted on the server since these are the corporate root and intermediate authorities. What am I missing here? (because there is no doubt I am missing something).

Thanks in advance