ciricihq / gitlab-sonar-scanner

This project is no longer maintained
GNU General Public License v3.0

Unable to find valid certification path to requested target #40

Open matskr90dev opened 5 years ago

matskr90dev commented 5 years ago

Hi, first of all I would like to thank you for the nice image; I've been using it for some time. But now we have moved our SonarQube server behind SSL and we have a problem with certs. So I should import my certificate, but where are the certs located in this image?

In other projects I import the certificate using these commands:

- echo -n | openssl s_client -connect <ip>:443  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cert.cert
- keytool -import -noprompt -trustcacerts -file ./cert.cert -alias certalias -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

But here I get the following error: /bin/sh: eval: line 73: openssl: not found

This is part of my gitlab-ci file:

sonarqube-reports:
  stage: analysis
  image: ciricihq/gitlab-sonar-scanner
  variables:
    SONAR_URL: 'https://main-domain/sonar/'
    SONAR_ANALYSIS_MODE: publish
  script:
    - gitlab-sonar-scanner
  only:
    - master 

This is the GitLab log:

ERROR: Error during SonarQube Scanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarQube
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:84)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:71)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:71)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:67)
    at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:218)
    at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:156)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
    at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
    at org.sonarsource.scanner.api.internal.Jars.getBootstrapIndex(Jars.java:100)
    at org.sonarsource.scanner.api.internal.Jars.getScannerEngineFiles(Jars.java:76)
    at org.sonarsource.scanner.api.internal.Jars.download(Jars.java:70)
    at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:39)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:75)
    ... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:267)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:148)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:63)
    at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:113)
    at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:98)
    at org.sonarsource.scanner.api.internal.Jars.getBootstrapIndex(Jars.java:96)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 41 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 47 more

How can I import certificates for this image? Thank you in advance

elboletaire commented 5 years ago

We're using sonarqube behind an SSL certificate and we don't have such problems. However, our configuration may differ from yours, as we're using a proxy which adds the SSL certificates and redirects all HTTP calls to HTTPS.

So, in our case we only configured the proxy to have SSL certificates and redirect all calls to https instead of http, and it's working. No changes were needed for the gitlab-sonar-scanner :thinking:

jebog commented 5 years ago

I have the same issue. I have SonarQube behind a proxy too. SSL is configured on the proxy server to redirect all traffic to https... Can someone help?

INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 0.438s
INFO: Final Memory: 4M/72M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
ERROR: Unable to execute SonarQube
ERROR: Caused by: Fail to get bootstrap index from server
ERROR: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: Caused by: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: Caused by: unable to find valid certification path to requested target

petersipos commented 5 years ago

I've opened a new issue, #43. If that one is resolved it will give a possible solution for this issue. You need to pass the

-Djavax.net.ssl.trustStore=/usr/bin/local.keystore -Djavax.net.ssl.trustStorePassword=changeit

parameters to the gitlab-sonar-scanner command, where /usr/bin/local.keystore is the absolute path of the custom keystore which contains the new CA certificate, and changeit is the password of the keystore.

In our environment, I am using wget to download that keystore from an https location (with the certificate check ignored) in a previous script step in .gitlab-ci.yml, e.g.:

wget https://custom-cloud-storage/local.keystore -O /usr/bin/local.keystore --no-check-certificate

I think it may be possible to add these parameters to the sonar-project.properties file without the -D prefix; I tried it, but unfortunately it didn't work.

elboletaire commented 5 years ago

Thanks for pointing that out @petersipos. I've just released version 3.2.1, which fixes the multiple-parameters issue. Can you please give it a try and tell me if this fixed the SSL issue you're having?

petersipos commented 5 years ago

@elboletaire Unfortunately not. But if I add the SONAR_SCANNER_OPTS env variable before the scanner runs, with the proper keyStore parameters, the scanner accepts it. Example:

    script:
        - wget https://custom-cloud-storage/local.keystore -O /usr/bin/local.keystore
        - export SONAR_SCANNER_OPTS="-Djavax.net.ssl.keyStore=/usr/bin/local.keystore -Djavax.net.ssl.keyStorePassword=changeit"
        - gitlab-sonar-scanner -X

OR

    variables:
        SONAR_SCANNER_OPTS: "-Djavax.net.ssl.keyStore=/usr/bin/local.keystore -Djavax.net.ssl.keyStorePassword=changeit"
    script:
        - wget https://custom-cloud-storage/local.keystore -O /usr/bin/local.keystore
        - gitlab-sonar-scanner -X

This should be mentioned in the README.md :)
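The following is an added example for this thread; it is not code from the gitlab-sonar-scanner project or from any of the commenters above. It pulls together the procedure the thread arrives at (a custom truststore handed to the scanner's JVM through SONAR_SCANNER_OPTS) and handles two things a practitioner would want covered. First, the image has no openssl but does have keytool, which ships with the JRE that runs the scanner, so keytool does all the certificate work. Second, the CA must not be trusted blindly: the script checks the CA's SHA-256 fingerprint against a value pinned in a CI variable before importing it, which is the difference between this and fetching a ready-made truststore with wget --no-check-certificate, where anyone on the network path can substitute their own CA and the pipeline will then trust whatever server they point it at. Two further points: the JVM property that governs verification of the server's certificate is javax.net.ssl.trustStore, as in the earlier comment in this thread; javax.net.ssl.keyStore selects the client's own certificate and private key for mutual TLS and has no effect on which CAs are accepted. And the script imports into a copy of the JRE's cacerts rather than editing it in place, so the public CAs stay available and the image is not modified. Assumed names: the CI variables SONAR_CA_PEM (a "File" type variable holding the CA certificate in PEM form) and SONAR_CA_SHA256, the output path /tmp/sonar-truststore.jks, the alias sonar-ca and the script name trust-ca.sh.

```shell
#!/bin/sh
# Added example, not part of gitlab-sonar-scanner. Assumes keytool is on PATH
# (it comes with the JRE in the image; no openssl needed), a CA certificate in
# PEM form, and its expected SHA-256 fingerprint obtained out-of-band (e.g. from
# whoever runs the SonarQube server), stored in CI variables SONAR_CA_PEM and
# SONAR_CA_SHA256. File names, alias and variable names are choices made here.
set -eu

# Canonical fingerprint form: uppercase hex with no colons or spaces, so that
# "ab:cd:..." (as keytool prints it) and "ABCD..." (as pasted into a CI
# variable) compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# The JVM flags the scanner needs. sonar-scanner reads SONAR_SCANNER_OPTS and
# passes it to the JVM; trustStore (not keyStore) decides which CAs the client
# accepts for the *server's* certificate.
scanner_opts() { # $1 = truststore path, $2 = truststore password
  printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Locate the JRE's default truststore so it can be copied, keeping the public
# CAs, instead of being edited in place inside the image.
find_cacerts() {
  for c in "${JAVA_HOME:-/nonexistent}/lib/security/cacerts" \
           "${JAVA_HOME:-/nonexistent}/jre/lib/security/cacerts"; do
    [ -f "$c" ] && { printf '%s\n' "$c"; return 0; }
  done
  find / -name cacerts -path '*security*' 2>/dev/null | head -n 1
}

# SHA-256 fingerprint of a PEM or DER certificate file, as printed by keytool.
cert_fingerprint() { # $1 = certificate file
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Check the CA against the pinned fingerprint, import it into a copy of cacerts
# and print the SONAR_SCANNER_OPTS value the job should export.
build_truststore() { # $1 = CA PEM file, $2 = pinned SHA-256, $3 = output truststore
  actual="$(normalize_fp "$(cert_fingerprint "$1")")"
  expected="$(normalize_fp "$2")"
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "CA fingerprint mismatch: got '$actual', expected '$expected'" >&2
    return 1
  fi
  cp "$(find_cacerts)" "$3"
  # The default cacerts password is "changeit"; the copy keeps it.
  keytool -importcert -noprompt -trustcacerts -alias sonar-ca \
    -file "$1" -keystore "$3" -storepass changeit >/dev/null
  scanner_opts "$3" changeit
}

# Usage from the .gitlab-ci.yml script section of the sonarqube job:
#   - export SONAR_SCANNER_OPTS="$(sh trust-ca.sh "$SONAR_CA_PEM" "$SONAR_CA_SHA256" /tmp/sonar-truststore.jks)"
#   - gitlab-sonar-scanner
if [ "$#" -eq 3 ]; then
  build_truststore "$1" "$2" "$3"
fi
```

If the CA certificate is not available as a file, keytool can also fetch the chain the server presents, without openssl: `keytool -printcert -sslserver main-domain:443 -rfc` prints it in PEM form. Anything obtained that way is trust-on-first-use, so it still needs its fingerprint compared against a value learned through another channel before it goes into the truststore; the same applies to the cert that the openssl s_client pipeline in the first comment captures.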