SSL Connection to Server not working Intellij 2016/ SonarLint 2.0.2


christian polzer

May 3, 2016, 11:17:24 AM
to SonarLint
Hi, 

I am running into issues when connecting to our locally hosted Sonar Server via SSL.
When editing and testing a Sonar Server, an alert is shown: "Fail to request to https://sonar.domain/sonar/api/system/status"
So I wanted to know if someone else is running into these problems?

Details:
1.) Software Versions:
IntelliJ IDEA 2016.1.1 Build #IU-145.597, built on March 29, 2016
SonarLint 2.0.2
JRE: 1.8.0_40-release-b132 x86_64
SonarQube :"version":"5.2" (via https://sonar.domain/sonar/api/system/status )
 
2.) My own certs are imported into the jvm and this is validated:
<code>
$JAVA_HOME/bin/java SSLPoke sonar.domain 443
Successfully connected  
</code>

3.) Also testing the desired connection via Intellij's proxy testing dialog is working.

4.) Intellij logs show the connection has the classic ssl connection problems (log output at the bottom).

2016-05-03 16:34:09,382 [1263634]   INFO - intellij.core.ServerUpdateTask - Error updating from server 'Sonar'
java.lang.IllegalStateException: Fail to request https://pathtoserver
at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:202)
at org.sonarqube.ws.client.HttpConnector.get(HttpConnector.java:144)
at org.sonarqube.ws.client.HttpConnector.call(HttpConnector.java:133)
at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.rawGet(SonarLintWsClient.java:98)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.fetchServerInfos(ServerVersionAndStatusChecker.java:97)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:61)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:51)
at org.sonarsource.sonarlint.core.container.connected.update.GlobalUpdateExecutor.update(GlobalUpdateExecutor.java:70)
at org.sonarsource.sonarlint.core.container.connected.ConnectedContainer.update(ConnectedContainer.java:73)
at org.sonarsource.sonarlint.core.ConnectedSonarLintEngineImpl.update(ConnectedSonarLintEngineImpl.java:186)
at org.sonarlint.intellij.core.ServerUpdateTask.run(ServerUpdateTask.java:82)
at org.sonarlint.intellij.core.ServerUpdateTask$1.run(ServerUpdateTask.java:61)
at com.intellij.openapi.progress.impl.CoreProgressManager$TaskRunnable.run(CoreProgressManager.java:563)
at com.intellij.openapi.progress.impl.CoreProgressManager$8.run(CoreProgressManager.java:357)
at com.intellij.openapi.progress.impl.CoreProgressManager$2.run(CoreProgressManager.java:142)
at com.intellij.openapi.progress.impl.CoreProgressManager.a(CoreProgressManager.java:446)
at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:392)
at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:54)
at com.intellij.openapi.progress.impl.CoreProgressManager.runProcess(CoreProgressManager.java:127)
at com.intellij.openapi.application.impl.ApplicationImpl$13$1.run(ApplicationImpl.java:633)
at com.intellij.openapi.application.impl.ApplicationImpl$8.run(ApplicationImpl.java:369)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at com.squareup.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
at com.squareup.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
at com.squareup.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
at com.squareup.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
at com.squareup.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
at com.squareup.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
at com.squareup.okhttp.Call.getResponse(Call.java:286)
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:243)
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:205)
at com.squareup.okhttp.Call.execute(Call.java:80)
at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:199)
... 25 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
... 45 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 51 more

nicolas...@sonarsource.com

May 4, 2016, 2:58:26 AM
to SonarLint
Hi,

You could push the SSLPoke test one step forward to look for differences with IntelliJ-Sonar connection:
  • run the SSLPoke test with -Djavax.net.debug=all , you'll get very verbose logs, save those somewhere
  • run IntelliJ with the same -Djavax.net.debug=all and do the connection as usual with SonarLint
  • in both logs, look for 'trustStore is:' . A possible scenario is that IntelliJ's JVM is using another trust store (which wouldn't contain the SonarQube server certificate) than the one used by SSLPoke JVM. The Javax debug logs will help you identify that very quickly.
Nicolas
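
The log comparison suggested in the message above, as an added example that is not part of the original thread. It assumes the Java 8 JSSE debug layout (`trustStore is:`, `adding as trusted cert:`, `Subject:` lines); the log excerpts, paths and CA subject are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: compare what two JVMs report in -Djavax.net.debug=all output.

# Print the path from the first "trustStore is:" line of a debug log.
truststore_path() {
  sed -n 's/^trustStore is: *//p' "$1" | head -n 1
}

# Succeed if the log lists a trusted cert whose Subject contains $2.
trusts_subject() {
  awk -v want="$2" '
    /^adding as trusted cert:/ { in_cert = 1; next }
    in_cert && /Subject:/      { if (index($0, want)) found = 1; in_cert = 0 }
    END { exit !found }' "$1"
}

# Return 0 only if both logs show the same store and both trust subject $3.
compare_logs() {
  local a b f rc=0
  a=$(truststore_path "$1"); b=$(truststore_path "$2")
  [ "$a" = "$b" ] || { echo "different trust stores: $a vs $b"; rc=1; }
  for f in "$1" "$2"; do
    trusts_subject "$f" "$3" || { echo "$f: no trusted cert matching $3"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "same trust store, CA trusted in both"
  return "$rc"
}

# Constructed log excerpts (paths and subjects are placeholders).
tmp=$(mktemp -d)
cat > "$tmp/sslpoke.log" <<'EOF'
trustStore is: /opt/jdk1.8.0/jre/lib/security/cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
  Subject: CN=Example Internal CA, O=Example
  Issuer:  CN=Example Internal CA, O=Example
EOF
cat > "$tmp/idea.log" <<'EOF'
trustStore is: /opt/idea/jre/jre/lib/security/cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
  Subject: CN=Some Public Root CA, O=Example
  Issuer:  CN=Some Public Root CA, O=Example
EOF
compare_logs "$tmp/sslpoke.log" "$tmp/idea.log" "CN=Example Internal CA" || true
```

On real logs, pass the saved SSLPoke output, the IDE's output and a distinctive part of the internal CA's subject; a differing path or a missing subject in the IDE log points at the wrong trust store rather than at the server.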

nicolas...@sonarsource.com

May 4, 2016, 3:45:38 AM
to SonarLint
Note: it could also be due to SLI-75 (as discussed here) but I suggest you check the Javax debug logs first (as per my previous message) to make sure.

Nicolas

duarte.meneses

May 4, 2016, 5:34:03 AM
to SonarLint
Thanks for the help Nicolas.

I confirm that because of SLI-75, the trust store needs to be configured for the JVM (and not within IntelliJ), so it could be indeed that the embedded JRE that IntelliJ uses is not properly configured.

christian polzer

May 6, 2016, 4:01:36 AM
to SonarLint
Hi!

When using -Djavax.net.debug=all on SSLPoke, I get very detailed logs about the ssl handshakes. When testing this in intellij I don't get this extended information.

Just to be clear: I am starting intellij with custom "idea.vmoptions" including  -Djavax.net.debug=all.

I can confirm that the config is working in IntelliJ's log:
 016-05-06 09:55:01,758 [     31]   INFO -        #com.intellij.idea.Main - JVM Args: -Dfile.encoding=UTF-8 -XX:+UseConcMarkSweepGC -XX:SoftRefLRUPolicyMSPerMB=50 -ea -Dsun.io.useCanonCaches=false -Djava.net.preferIPv4Stack=true -XX:+HeapDumpOnOutOfMemoryError -XX:-OmitStackTraceInFastThrow -Xverify:none -Xbootclasspath/a:../lib/boot.jar -Xms256m -Xmx2048m -XX:MaxPermSize=512m -XX:ReservedCodeCacheSize=240m -XX:+UseCompressedOops -Djavax.net.debug=all -Djb.vmOptionsFile=/Users/username/Library/Preferences/IntelliJIdea2016.1/idea.vmoptions -Didea.java.redist=jdk-bundled -Didea.home.path=/Applications/IntelliJ IDEA.app/Contents -Didea.executable=idea -Didea.paths.selector=IntelliJIdea2016.1

christian polzer

May 6, 2016, 8:28:39 AM
to SonarLint
...and with this I just found out that Intellij is again (update to 2016?) using its internal jvm. Switching the jvm to the one where I have imported my certs, I can confirm the plugin is working.

THX

Duarte Meneses

May 11, 2016, 7:45:37 AM
to christian polzer, SonarLint
Great, thanks for letting us know.

--
Duarte MENESES | SonarSource

philip...@gmail.com

Dec 5, 2017, 11:24:17 PM
to SonarLint
I ran into this problem or at least a similar one myself using SonarLint 3.1 and SonarQube 6.7.

In IntelliJ I kept running into this error message 

    Failed to connect to the server. Please check the configuration.
    Error: Fail to request https://<SONARQUBE>/api/system/status

However I could access that URL through my browser without any issues.
 
When you WireShark the requests coming from the browser and the IDE you can see that the cipher suite is quite different and that the IDE plugin gets a TLS handshake failure.

That led me to discover that Java still ships with limited strength cryptographic functions. That’s either because of US export policy or because nobody has gotten around to fixing it. The internet isn’t quite sure.
 
Either way, you can download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html 

Once I installed those onto the IntelliJ JVM, I no longer got the underlying TLS handshake failure when trying to connect to SonarQube and the connection works.

Best regards,
Kind regards,

Philip Blondé