This repository has been archived by the owner on Jun 22, 2020. It is now read-only.

Unable to find valid certification path to requested target #40

Open
matskr90dev opened this issue Mar 29, 2019 · 5 comments

matskr90dev commented Mar 29, 2019

Hi, at the beginning I would like to thank you for the nice image; I've been using it for some time. But now we have moved our SonarQube server behind SSL and we have a problem with certs. So I should import my certificate, but where are the certs located in this image?

In other projects I import the certificate using these commands:

    - echo -n | openssl s_client -connect <ip>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cert.cert
    - keytool -import -noprompt -trustcacerts -file ./cert.cert -alias certalias -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

But here I get the following error:

    /bin/sh: eval: line 73: openssl: not found

It's part of my gitlab-ci file:

    sonarqube-reports:
      stage: analysis
      image: ciricihq/gitlab-sonar-scanner
      variables:
        SONAR_URL: 'https://main-domain/sonar/'
        SONAR_ANALYSIS_MODE: publish
      script:
        - gitlab-sonar-scanner
      only:
        - master

This is the GitLab log:

    ERROR: Error during SonarQube Scanner execution
    org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarQube
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:84)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:71)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:71)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:67)
        at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:218)
        at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:156)
        at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
        at org.sonarsource.scanner.cli.Main.main(Main.java:61)
    Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
        at org.sonarsource.scanner.api.internal.Jars.getBootstrapIndex(Jars.java:100)
        at org.sonarsource.scanner.api.internal.Jars.getScannerEngineFiles(Jars.java:76)
        at org.sonarsource.scanner.api.internal.Jars.download(Jars.java:70)
        at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:39)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:75)
        ... 8 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:267)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:148)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:63)
        at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:113)
        at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:98)
        at org.sonarsource.scanner.api.internal.Jars.getBootstrapIndex(Jars.java:96)
        ... 12 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
        ... 41 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 47 more

How can I import certificates for this image? Thank you in advance

@elboletaire
Contributor

We're using sonarqube behind an SSL certificate and we don't have such problems. However, our configuration may differ from yours, as we're using a proxy which adds the SSL certificates and redirects all HTTP calls to HTTPS.

So, in our case we only configured the proxy to have SSL certificates and redirect all calls to https instead of http, and it's working. No changes were needed for the gitlab-sonar-scanner 🤔

jebog commented Apr 9, 2019

I have the same issue. I have sonarqube behind a proxy too. SSL is configured on the proxy server to redirect all traffic with https... Can someone help?

    INFO: EXECUTION FAILURE
    INFO: ------------------------------------------------------------------------
    INFO: Total time: 0.438s
    INFO: Final Memory: 4M/72M
    INFO: ------------------------------------------------------------------------
    ERROR: Error during SonarQube Scanner execution
    ERROR: Unable to execute SonarQube
    ERROR: Caused by: Fail to get bootstrap index from server
    ERROR: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ERROR: Caused by: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ERROR: Caused by: unable to find valid certification path to requested target

petersipos commented Apr 11, 2019

I've opened a new issue, #43. If that one is resolved, it will give a possible solution for this issue.
You need to pass the

    -Djavax.net.ssl.trustStore=/usr/bin/local.keystore -Djavax.net.ssl.trustStorePassword=changeit

parameter to the gitlab-sonar-scanner command, where /usr/bin/local.keystore is the absolute path of the custom keystore which contains the new CA certificate, and changeit is the password of the keystore.

In our environment, I am using wget to download that keystore from an https location (with the certificate check ignored) in a previous script step in gitlab-ci.yml, e.g.:

    wget https://custom-cloud-storage/local.keystore -O /usr/bin/local.keystore --no-check-certificate

I think it may be possible to add these parameters to the sonar-project.properties file without the -D prefix; I tried it but it didn't work, unfortunately.

elboletaire added a commit that referenced this issue Apr 11, 2019
@elboletaire
Contributor

Thanks for pointing that out @petersipos. I've just released version 3.2.1 which fixes the multiple parameters issue. Can you please give it a try and tell me if this fixed the SSL issue you're having?

@petersipos

@elboletaire Unfortunately not. But if I add the SONAR_SCANNER_OPTS env variable before the scanner run with the proper keyStore parameters, the scanner accepts it.
Example:

    script:
        - wget https://custom-cloud-storage/local.keystore -O /usr/bin/local.keystore
        - export SONAR_SCANNER_OPTS="-Djavax.net.ssl.keyStore=/usr/bin/local.keystore -Djavax.net.ssl.keyStorePassword=changeit"
        - gitlab-sonar-scanner -X

OR

    variables:
        SONAR_SCANNER_OPTS: "-Djavax.net.ssl.keyStore=/usr/bin/local.keystore -Djavax.net.ssl.keyStorePassword=changeit"
    script:
        - wget https://custom-cloud-storage/local.keystore -O /usr/bin/local.keystore
        - gitlab-sonar-scanner -X

This should be mentioned in the README.md :)
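
Added example, not part of the thread or of the project's code: both of petersipos's comments fetch the keystore with wget in a script step (the first with --no-check-certificate), so nothing authenticates the file that becomes the scanner's trust anchor. The sketch below pins the file's SHA-256 and only emits the -Djavax.net.ssl.trustStore flags when the digest matches; `sha256_of`, `verify_pinned`, `scanner_opts` and the `TRUSTSTORE_SHA256` variable are hypothetical names, and `sha256sum` is assumed to exist in the image.

```shell
#!/bin/sh
# Added example: integrity-check a truststore fetched in CI before the
# scanner JVM is told to trust it. Assumes sha256sum (coreutils or BusyBox).
#
# TRUSTSTORE_SHA256 is a hypothetical protected CI/CD variable holding the
# digest computed once from a trusted copy: sha256sum local.keystore

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_pinned FILE EXPECTED -> 0 only if FILE's digest equals EXPECTED
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Require exactly 64 hex characters so an unset or truncated pin
    # can never compare equal to anything.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# scanner_opts FILE PASSWORD EXPECTED -> prints the JVM flags quoted in the
# thread, but only after FILE has passed the digest check.
scanner_opts() {
    verify_pinned "$1" "$3" || return
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# In the job's script section (paths and password as in the thread):
#   SONAR_SCANNER_OPTS=$(scanner_opts /usr/bin/local.keystore changeit "$TRUSTSTORE_SHA256") || exit 1
#   export SONAR_SCANNER_OPTS
#   gitlab-sonar-scanner
```

The assignment is kept separate from `export` because `export VAR=$(...)` returns the status of `export`, which would hide a failed check.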
