cannot connect to sonarqube over ssl from intellij
652 views
Skip to first unread message
douwe.o...@yoursurprise.com
Oct 11, 2016, 6:42:12 AM10/11/16
to SonarLint
Hello,
I'm trying to connect to a remote server over https (like https://sonar.example.com). As far as I can see the sonarqube installation is working fine; I can reach it with my browser, the ssl certs are valid and /api/system/status gives the output you would expect.
However when I try to connect from sonarlint I get 'Fail to request https://sonar.example.com/api/system/status', it does not seem to make a difference if I use Token or user/password to authenticate. I've checked, doublechecked and triplechecked my credentials.
It looks like a lot like this bug: https://jira.sonarsource.com/browse/SLI-75, however that bug shouldn't occur anymore with the versions of phpstorm and sonarlint that I'm running.
Sonarlint (intelliJ) 2.3.2
PhpStorm 2016.2.1
Ubuntu 16.04
Any help would be much appreciated.
Regards,
Douwe
I'm trying to connect to a remote server over https (like https://sonar.example.com). As far as I can see the sonarqube installation is working fine; I can reach it with my browser, the ssl certs are valid and /api/system/status gives the output you would expect.
However when I try to connect from sonarlint I get 'Fail to request https://sonar.example.com/api/system/status', it does not seem to make a difference if I use Token or user/password to authenticate. I've checked, doublechecked and triplechecked my credentials.
It looks like a lot like this bug: https://jira.sonarsource.com/browse/SLI-75, however that bug shouldn't occur anymore with the versions of phpstorm and sonarlint that I'm running.
Sonarlint (intelliJ) 2.3.2
PhpStorm 2016.2.1
Ubuntu 16.04
Any help would be much appreciated.
Regards,
Douwe
Duarte Meneses
Oct 11, 2016, 7:57:58 AM10/11/16
to douwe.o...@yoursurprise.com, SonarLint
Hi,
Is there a cause in the stack trace? --
You received this message because you are subscribed to the Google Groups "SonarLint" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarlint+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarlint/d73cf021-66e9-4bb9-828d-3c080a43e67e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Duarte MENESES | SonarSource
douwe.o...@yoursurprise.com
Oct 11, 2016, 8:49:44 AM10/11/16
to SonarLint, douwe.o...@yoursurprise.com
Hi,
I should have probably mentioned that I have another sonarqube instance running locally on our lan, I can connect to that instance no problem over http on port 9000, so that is why I suspected SSL to be the culprit.
Adding the line to the config like you asked yields a lot of output, I suspect this to be the relevant part:
It seems that the issuer of our certificate is trusted, if I understand correctly:
If needed I can post the complete stack trace, but it's a lot (7500 lines before bash's history runs out)
It looks like certificate problems to me, however I am not a Java dev and do not fully understand the way Java handles this.
Regards,
Douwe
Op dinsdag 11 oktober 2016 13:57:58 UTC+2 schreef duarte.meneses:
I should have probably mentioned that I have another sonarqube instance running locally on our lan, I can connect to that instance no problem over http on port 9000, so that is why I suspected SSL to be the culprit.
Adding the line to the config like you asked yields a lot of output, I suspect this to be the relevant part:
ApplicationImpl pooled thread 16, READ: TLSv1.2 Alert, length = 2
ApplicationImpl pooled thread 16, RECV TLSv1.2 ALERT: fatal, handshake_failure
ApplicationImpl pooled thread 16, called closeSocket()
ApplicationImpl pooled thread 16, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
ApplicationImpl pooled thread 16, called close()
ApplicationImpl pooled thread 16, called closeInternal(true)It seems that the issuer of our certificate is trusted, if I understand correctly:
adding as trusted cert:
Subject: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Algorithm: RSA; Serial number: 0x1
Valid from Thu Jan 01 01:00:00 CET 2004 until Mon Jan 01 00:59:59 CET 2029If needed I can post the complete stack trace, but it's a lot (7500 lines before bash's history runs out)
It looks like certificate problems to me, however I am not a Java dev and do not fully understand the way Java handles this.
Regards,
Douwe
Op dinsdag 11 oktober 2016 13:57:58 UTC+2 schreef duarte.meneses:
If you suspect the problem is linked to SSL, you could try to find the reason by adding "-Djavax.net.debug=all" to your idea64.vmoptions and check the log in the stdout.Hi,Is there a cause in the stack trace?
On 11 October 2016 at 12:42, <douwe.o...@yoursurprise.com> wrote:
Hello,
I'm trying to connect to a remote server over https (like https://sonar.example.com). As far as I can see the sonarqube installation is working fine; I can reach it with my browser, the ssl certs are valid and /api/system/status gives the output you would expect.
However when I try to connect from sonarlint I get 'Fail to request https://sonar.example.com/api/system/status', it does not seem to make a difference if I use Token or user/password to authenticate. I've checked, doublechecked and triplechecked my credentials.
It looks like a lot like this bug: https://jira.sonarsource.com/browse/SLI-75, however that bug shouldn't occur anymore with the versions of phpstorm and sonarlint that I'm running.
Sonarlint (intelliJ) 2.3.2
PhpStorm 2016.2.1
Ubuntu 16.04
Any help would be much appreciated.
Regards,
Douwe
--
You received this message because you are subscribed to the Google Groups "SonarLint" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarlint+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarlint/d73cf021-66e9-4bb9-828d-3c080a43e67e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
duarte.meneses
Oct 24, 2016, 11:56:43 AM10/24/16
to SonarLint, douwe.o...@yoursurprise.com
Sorry for the late response.
I can't figure out what is the problem based on the provided logs. If the server's CA is in the client's truststore, It might be a good idea to also have a look at the SSL debug logs on the server side - perhaps it requires a client certificate and none was provided or trusted, or it wasn't able to negotiate which version of SSL to use.
As described by SLI-75, SonarLint does not use the server certificates configured in Intellij's Settings (Settings -> Tools -> Server Certificates). It uses the certificates provided directly to the JVM, so if you need to change any client's keys or certificates, you'll have to do it by changing directly the truststore/keystore. The files containing them should be logged in the very beginning when enabling the SSL debug logs (probably they will be within Intellij's embedded JVM).
I can't figure out what is the problem based on the provided logs. If the server's CA is in the client's truststore, It might be a good idea to also have a look at the SSL debug logs on the server side - perhaps it requires a client certificate and none was provided or trusted, or it wasn't able to negotiate which version of SSL to use.
As described by SLI-75, SonarLint does not use the server certificates configured in Intellij's Settings (Settings -> Tools -> Server Certificates). It uses the certificates provided directly to the JVM, so if you need to change any client's keys or certificates, you'll have to do it by changing directly the truststore/keystore. The files containing them should be logged in the very beginning when enabling the SSL debug logs (probably they will be within Intellij's embedded JVM).
Reply all
Reply to author
Forward
0 new messages