Webhooks delivery error PKIX path building failed

[Stoyan Kanev]

Hello sonarqube support,

When we switched the jenkins from http to https in webhooks configuration f.e. Name: Jenknshttps; URL: https://workflowservice-jenkins:8080/sonarqube-webhook/ the following error message can be seen (by calling https://sonarci:8443/sonar/api/webhooks/delivery?deliveryId=AV85EuJEg0aJVHoWn9Mg):

...

{\"metric\":\"new_coverage\",\"operator\":\"LESS_THAN\",\"value\":\"75.0\",\"status\":\"ERROR\",\"onLeakPeriod\":true,\"errorThreshold\":\"80\",\"warningThreshold\":\"60\"}]},\"properties\":{}}","errorStacktrace":"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)\n\tat sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)\n\tat sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)\n\tat sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)\n\tat sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)\n\tat sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)\n\tat sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)\n\tat sun.security.ssl.Handshaker.process_record(Handshaker.java:914)\n\tat sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)\n\tat sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)\n\tat okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)\n\tat okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)\n\tat okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)\n\tat okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)\n\tat okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)\n\tat okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)\n\tat okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)\n\tat okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)\n\tat okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)\n\tat okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)\n\tat okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)\n\tat okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)\n\tat okhttp3.RealCall.execute(RealCall.java:69)\n\tat org.sonar.server.computation.task.projectanalysis.webhook.WebhookCallerImpl.execute(WebhookCallerImpl.java:83)\n\tat org.sonar.server.computation.task.projectanalysis.webhook.WebhookCallerImpl.call(WebhookCallerImpl.java:63)\n\tat org.sonar.server.computation.task.projectanalysis.webhook.WebhookPostTask.process(WebhookPostTask.java:86)\n\tat org.sonar.server.computation.task.projectanalysis.webhook.WebhookPostTask.finished(WebhookPostTask.java:65)\n\tat org.sonar.server.computation.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:106)\n\tat org.sonar.server.computation.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:100)\n\tat org.sonar.server.computation.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:71)\n\tat org.sonar.server.computation.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:56)\n\tat org.sonar.server.computation.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.executeTask(CeWorkerImpl.java:92)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:59)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:35)\n\tat java.util.concurrent.FutureTask.run(FutureTask.java:266)\n\tat java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n\tat java.util.concurrent.FutureTask.run(FutureTask.java:266)\n\tat java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)\n\tat java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat java.lang.Thread.run(Thread.java:805)\nCaused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)\n\tat sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)\n\tat sun.security.validator.Validator.validate(Validator.java:260)\n\tat sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)\n\tat sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)\n\tat sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)\n\tat sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)\n\t... 46 more\nCaused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)\n\tat sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)\n\tat java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)\n\tat sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)\n\t... 52 more\n"}}

All needed root certificates has been installed into java trusted keystore of sonarqube sonarci instance.

Can you have a look please?

Best regards,

Stoyan

[Stoyan Kanev]

The problem had been fixed. Shortly said our last sonarqube instance 6.5 had been run with a java installation without imported all trusted certificates into  $JAVA_HOME/lib/security/cacerts.
Replacing the cacerts file and restarting the instance solved this problem. 

Here I found a good description of the PKIX issue: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html 

Best Regards,

Stoyan

[Eric Hartmann]

Thanks Stoyan for the follow up.

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/f95148e7-6bdf-4d8b-be62-99d392c4929f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Eric HARTMANN | SonarSource

http://sonarsource.com