Sonarlint-cli issue with connected mode and non SSL SonarQube server


cat.a...@gmail.com

Jan 9, 2017, 6:01:07 AM
to SonarLint, catherin...@orange.com
Hi,
I'm trying to connect Sonarlint-cli to a SonarQube server, which does not use SSL. The server configuration is managed at a corporate level so I can't change it.
It seems that sonarlint tries to connect in SSL mode, which leads to the following error:

$ sonarlint -u -e -X --src "app/**" --html-report "reports/sonarlint.htm"

INFO: Java 1.8.0_91 Oracle Corporation (64-bit)
INFO: Linux 4.4.0-36-generic amd64
INFO: Error stacktraces are turned on.
INFO: Connected mode (myproject:project1)
DEBUG: Create : /home/username/.sonarlint/plugins
DEBUG: Plugin cache: /home/username/.sonarlint/plugins
DEBUG: Create : /home/username/.sonarlint/plugins/_tmp
DEBUG: Load plugins
DEBUG: Load plugins (done) | time=1ms
DEBUG: No plugins loaded
INFO: No storage for server 'myproject'. Please update.
INFO: Updating binding..
DEBUG: Create : /home/username/.sonarlint/plugins
DEBUG: Plugin cache: /home/username/.sonarlint/plugins
DEBUG: Create : /home/username/.sonarlint/plugins/_tmp
DEBUG: GET 404 http://myserver:myserverport/sonar/api/system/status | time=73ms
DEBUG: GET 200 http://myserver:myserverport/sonar/api/server/version | time=36ms
DEBUG: Create : /home/username/.sonarlint/plugins
DEBUG: Plugin cache: /home/username/.sonarlint/plugins
DEBUG: Create : /home/username/.sonarlint/plugins/_tmp
DEBUG: Load plugins
DEBUG: Load plugins (done) | time=0ms
DEBUG: No plugins loaded
INFO: No storage for server 'myproject'. Please update.
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 412210:32:12.879s
INFO: Final Memory: 8M/240M
INFO: ------------------------------------------------------------------------
ERROR: Error executing SonarLint
java.lang.IllegalStateException: Fail to request http://myserver:myserverport/sonar/api/properties?format=json
    at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:204)
    at org.sonarqube.ws.client.HttpConnector.get(HttpConnector.java:145)
    at org.sonarqube.ws.client.HttpConnector.call(HttpConnector.java:134)
    at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.rawGet(SonarLintWsClient.java:99)
    at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.get(SonarLintWsClient.java:66)
    at org.sonarsource.sonarlint.core.container.connected.update.GlobalPropertiesDownloader.fetchGlobalPropertiesTo(GlobalPropertiesDownloader.java:46)
    at org.sonarsource.sonarlint.core.container.connected.update.GlobalUpdateExecutor.update(GlobalUpdateExecutor.java:77)
    at org.sonarsource.sonarlint.core.container.connected.ConnectedContainer.update(ConnectedContainer.java:73)
    at org.sonarsource.sonarlint.core.ConnectedSonarLintEngineImpl.update(ConnectedSonarLintEngineImpl.java:191)
    at org.sonarsource.sonarlint.core.ConnectedSonarLintEngineImpl.update(ConnectedSonarLintEngineImpl.java:177)
    at org.sonarlint.cli.analysis.ConnectedSonarLint.update(ConnectedSonarLint.java:88)
    at org.sonarlint.cli.analysis.ConnectedSonarLint.start(ConnectedSonarLint.java:57)
    at org.sonarlint.cli.Main.run(Main.java:84)
    at org.sonarlint.cli.Main.execute(Main.java:167)
    at org.sonarlint.cli.Main.main(Main.java:134)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at okhttp3.internal.io.RealConnection.connectTls(RealConnection.java:239)
    at okhttp3.internal.io.RealConnection.establishProtocol(RealConnection.java:196)
    at okhttp3.internal.io.RealConnection.buildConnection(RealConnection.java:171)
    at okhttp3.internal.io.RealConnection.connect(RealConnection.java:111)
    at okhttp3.internal.http.StreamAllocation.findConnection(StreamAllocation.java:187)
    at okhttp3.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:123)
    at okhttp3.internal.http.StreamAllocation.newStream(StreamAllocation.java:93)
    at okhttp3.internal.http.HttpEngine.connect(HttpEngine.java:296)
    at okhttp3.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
    at okhttp3.RealCall.getResponse(RealCall.java:243)
    at okhttp3.RealCall$ApplicationInterceptorChain.proceed(RealCall.java:201)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:163)
    at okhttp3.RealCall.execute(RealCall.java:57)
    at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:201)
    ... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 35 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 41 more

My sonarlint configuration is as follows:

global.json:
{
  "servers": [
    {
      "id": "myproject",
      "url": "http://myserver:myserverport/sonar/"
    }
  ]
}

sonarlint.json:
{
  "serverId": "myproject",
  "projectKey": "myproject:project1"
}

Any idea how I could get the connect mode to work with this server?

Regards,
Catherine.

Duarte Meneses

Jan 9, 2017, 6:42:56 AM
to cat.a...@gmail.com, SonarLint, catherin...@orange.com
Hi Catherine,

It seems that the SonarQube server is using an SSL certificate issued by an authority that is not recognized by default in Java's truststore.
The solution is to use keytool to import the certificate to the truststore used by your JVM (usually in java_home/jre/lib/security/cacerts).







--
Duarte MENESES | SonarSource

Duarte Meneses

Jan 9, 2017, 6:45:51 AM
to cat.a...@gmail.com, SonarLint, catherin...@orange.com
Sorry, I read your email too fast and didn't see that you are not using https.

Is your server perhaps redirecting http to https? If you try to browse to the SonarQube server, does it stay in http without any certificates?

cat.a...@gmail.com

Jan 9, 2017, 7:35:22 AM
to SonarLint, cat.a...@gmail.com, catherin...@orange.com
There is no redirection from http to https when I browse to the SonarQube server, and no certificate. 

echo -n | openssl s_client -connect myserver:myserverport
CONNECTED(00000003)
140467335644824:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1483964867
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


duarte.meneses

Jan 9, 2017, 8:10:44 AM
to SonarLint, cat.a...@gmail.com, catherin...@orange.com
Could you try to fetch "http://myserver:myserverport/sonar/api/properties?format=json" (with wget/curl/browser for example) and see if it is successful or if it requires authentication, for example?

I see that there is a code 200 returned for /api/server/version (where authentication is never required) while for the WS where it fails, authentication might be required.
That wouldn't explain why it would switch to SSL, though.

cat.a...@gmail.com

Jan 9, 2017, 9:21:46 AM
to SonarLint, cat.a...@gmail.com, catherin...@orange.com
You're right, I didn't notice it in the browser because of the SSO system, but it is obvious with a curl: there is a redirection to an authentication server, which explains the switch to SSL.
Many thanks for your help!
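
The redirect that explained the failure in this thread can be read directly from curl's header output. The sketch below is an added example, not part of the thread or of SonarLint: `redirect_hops` and `tls_endpoint` are hypothetical helper names, and the host names in the sample are constructed.

```shell
#!/bin/sh
# Added example: list each redirect hop from `curl -sS -I -L` header output and
# flag the hop where a plain-HTTP URL is sent to HTTPS and/or another host.
# Live use: curl -sS -I -L "$url" | redirect_hops "$url"

# redirect_hops START_URL  (header dump on stdin)
# Prints one line per 3xx hop: "<status> <from> -> <to> [TLS-UPGRADE] [HOST-CHANGE]"
redirect_hops() {
  awk -v cur="$1" '
    function scheme(u) { return match(u, /^[A-Za-z][A-Za-z0-9+.-]*:\/\//) ? tolower(substr(u, 1, RLENGTH - 3)) : "" }
    function host(u, r) { r = u; sub(/^[^:]+:\/\//, "", r); sub(/[\/?#].*$/, "", r); return tolower(r) }
    { sub(/\r$/, "") }                      # curl prints CRLF line endings
    /^HTTP\// { status = $2; next }         # start of the next response
    tolower($1) == "location:" && status ~ /^3/ {
      to = $2
      if (scheme(to) == "") {               # relative Location (simplified join)
        sep = (to ~ /^\//) ? "" : "/"
        to = scheme(cur) "://" host(cur) sep to
      }
      flags = ""
      if (scheme(cur) == "http" && scheme(to) == "https") flags = flags " TLS-UPGRADE"
      if (host(cur) != host(to)) flags = flags " HOST-CHANGE"
      print status, cur, "->", to flags
      cur = to
    }
  '
}

# tls_endpoint START_URL  (header dump on stdin)
# Prints host:port of the first HTTPS target reached from plain HTTP, i.e. the
# server the Java client performs the TLS handshake with.
tls_endpoint() {
  redirect_hops "$1" | awk '/ TLS-UPGRADE/ {
    u = $4; sub(/^https:\/\//, "", u); sub(/[\/?#].*$/, "", u)
    if (u !~ /:[0-9]+$/) u = u ":443"
    print u; exit
  }'
}

# Constructed sample of curl header output (hosts and paths are made up).
SAMPLE_URL='http://sonar.example.internal:9000/sonar/api/properties?format=json'
SAMPLE_HEADERS='HTTP/1.1 302 Found
Location: https://sso.example.internal/login?service=sonar

HTTP/1.1 200 OK
Content-Type: text/html
'
```

The endpoint printed by `tls_endpoint` is the one to inspect with `openssl s_client -connect`, rather than the SonarQube port itself. `-I` makes curl send HEAD requests, so a server that redirects only GET needs `-D - -o /dev/null` instead.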