Serving Sonarqube over https
5,402 views
Skip to first unread message
SK
May 17, 2017, 1:35:29 AM5/17/17
to SonarQube
Hi
Thanks for reading my post. I am unable to get Sonarqube served over https. I have a test Sonarqube 6.3 running on http://10.0.165.26:9000. Its working fine. I want it to be served over https.
I have httpd running with mod_proxy as suggested in this: https://docs.sonarqube.org/display/SONAR/Securing+the+Server+Behind+a+Proxy#SecuringtheServerBehindaProxy-ServerConfiguration
I have the following at the very end of the httpd.conf and httpd starts up without any errors.
LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_http_module modules/mod_proxy_http.soProxyRequests OffProxyPreserveHost On<VirtualHost *:80>RequestHeader set X_FORWARDED_PROTO httpsServerName 10.0.165.26ServerAdmin <username>@<company>.comProxyPass / http://10.0.165.26:9000/ProxyPassReverse / http://10.0.165.26ErrorLog logs/ss8/sonar/error.logCustomLog logs/ss8/sonar/access.log common</VirtualHost>
Eric Hartmann
May 17, 2017, 3:01:55 AM5/17/17
to SK, SonarQube
Hi Sam,
The documentation you've read and applied is for using a reverse proxy over http.
To verify this first step just comment the line "RequestHeader set X_FORWARDED_PROTO https", restart httpd and verify that you can access SonarQube through http://10.0.165.26
Next you have to configure httpd to serve the VirtualHost through TLS. There are many tutorials for this configuration, here are some pointers :
- https://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
- https://wiki.centos.org/HowTos/Https
- https://devops.profitbricks.com/tutorials/how-to-set-up-apache-web-server-on-centos-7/
Cheers,
--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/adae8db8-e1df-424d-bcb0-ec5861909282%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Eric HARTMANN | SonarSource
SK
May 17, 2017, 6:59:07 PM5/17/17
to SonarQube, sreer...@gmail.com
Hi Eric
I followed the instructions in the centos wiki. It was very helpful to get my ssl certificates in place.
I am able to access Sonarqube on the http://10.0.165.26:9000 just fine.
After bringing up httpd, I see the centOS welcome page at https://10.0.165.26. But I cannot still access sonarqube at port 9000 or 443.
In your message, when you asked if sonarqube is accessible at http://10.0.165.26, did you suggest running it on port 80 and then doing the https configuration? I tried that, but httpd wont come up because of port clash.
This is what I have for the httpd.conf
[root@sonarqube-backup conf]# diff httpd.conf httpd.conf_orig
96c96
< ServerName 10.0.165.26:9000
---
>
354,374d353
<
< <VirtualHost *:80>
< <Directory /var/www/html>
< AllowOverride All
< </Directory>
< DocumentRoot /var/www/html
< ServerName 10.0.165.26
< </VirtualHost>
<
< NameVirtualHost *:443
<
< <VirtualHost *:443>
< SSLEngine on
< SSLCertificateFile /etc/pki/tls/certs/ca.crt
< SSLCertificateKeyFile /etc/pki/tls/private/ca.key
< <Directory /var/www/html>
< AllowOverride All
< </Directory>
< DocumentRoot /var/www/html
< ServerName 10.0.165.26
< </VirtualHost>
Eric Hartmann
May 18, 2017, 8:22:04 AM5/18/17
to SK, SonarQube
Hi Sam,
In your configuration file you are missing all the configuration of the reverse proxy such as :
RequestHeader set X_FORWARDED_PROTO https
ProxyPass / http://10.0.165.26:9000/
ProxyPassReverse / http://10.0.165.26
And you've copied a DocumentRoot to serve local files from /var/www/html directory.
Previously, my point was to make your reverse proxy work on http and then you must include the different directives to add SSL to your virtual host (updating the port to 443, adding your SSL/TLS certificates, etc).
And you've copied a DocumentRoot to serve local files from /var/www/html directory.
Previously, my point was to make your reverse proxy work on http and then you must include the different directives to add SSL to your virtual host (updating the port to 443, adding your SSL/TLS certificates, etc).
Cheers,
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/221bff99-c849-4027-b957-4c130229fd44%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SK
May 18, 2017, 2:19:09 PM5/18/17
to SonarQube, sreer...@gmail.com
Hi Eric
Thanks for the response. I am now playing with the configuration. With this, I can now get Sonarqube welcome page on both http://<IP> as well as http://<IP>:9000. So, I did achieve something out of the exercise. :)
However, still nothing but apache welcome page on https://<IP> or https://<IP>:9000
This is the current configuration. I've tried commenting/moving around the X-Forwarded around, to no use. once again, thanks for any help.
LoadModule proxy_module modules/mod_proxy.soProxyRequests OffProxyPreserveHost On
<VirtualHost *:80>RequestHeader set X-Forwarded-Proto "https"ServerName 10.0.165.26ServerAdmin <user>@company.com
ProxyPass / http://10.0.165.26:9000/
ProxyPassReverse / http://10.0.165.26/ErrorLog logs/company/sonar/error.logCustomLog logs/company/sonar/access.log common</VirtualHost><VirtualHost *:443>ServerName 10.0.165.26ServerAdmin <user>@company.com
ProxyPass / http://10.0.165.26:9000/
ProxyPassReverse / https://10.0.165.26/ErrorLog logs/company/sonar/error.logCustomLog logs/company/sonar/access.log common</VirtualHost>
Logs:
ssl_error_log:
[Thu May 18 11:17:42.145466 2017] [ssl:warn] [pid 32012] AH01909: RSA certificate configured for 10.0.165.26:443 does NOT include an ID which matches the server name
[Thu May 18 11:17:42.163959 2017] [ssl:warn] [pid 32012] AH01909: RSA certificate configured for 10.0.165.26:443 does NOT include an ID which matches the server name
SK
May 18, 2017, 5:12:02 PM5/18/17
to SonarQube
Hi
With the below configuration I am now able to access sonarqube over https but on a random port of my choosing. I cannot get it to work with 443 port as I keep getting 'address already in use' even though there is only one mention of 'Listen 443' in the httpd.conf (I already looked in all files under /etc/httpd). After shutting down httpd, port 443 is no longer in use.
I hope this unblocks my bitbucket plugin work. Thanks! :)
LoadModule proxy_module modules/mod_proxy.so
Listen 8443
<VirtualHost *:8443>
RequestHeader set X-Forwarded-Proto "https"
ServerName 10.0.165.26
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
#SSLCertificateChainFile /path/to/file
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://10.0.165.26:9000/
ProxyPassReverse / http://10.0.165.26:9000/
ErrorLog logs/ss8/sonar/error.log
CustomLog logs/ss8/sonar/access.log common
</VirtualHost>
SK
May 18, 2017, 7:52:28 PM5/18/17
to SonarQube
Hi
Please help. Sonarqube is available on http://<IP address>:9000 as well as https://<IP>:8443 as per my previous post. But in sonar-scanner's conf if I put the http address for sonar.host.url. it works fine. but it does not work for the https link.
#----- Default SonarQube server
#sonar.host.url=http://10.0.156.172
sonar.host.url=https://10.0.165.26:8443 <----------- this fails
#sonar.host.url=http://10.0.165.26:9000 <----------- works
This is the error message.
ERROR: SonarQube server [https://10.0.165.26:8443] can not be reached
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 0.460s
INFO: Final Memory: 3M/72M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarQube
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:84)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:71)
at java.security.AccessController.doPrivileged(Native Method)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:71)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:67)
at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:218)
at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:156)
at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
at org.sonarsource.scanner.api.internal.Jars.getBootstrapIndex(Jars.java:100)
at org.sonarsource.scanner.api.internal.Jars.getScannerEngineFiles(Jars.java:76)
at org.sonarsource.scanner.api.internal.Jars.download(Jars.java:70)
at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:39)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory$1.run(IsolatedLauncherFactory.java:75)
... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:267)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:148)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:63)
at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:113)
at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:98)
at org.sonarsource.scanner.api.internal.Jars.getBootstrapIndex(Jars.java:96)
... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 41 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 47 more
ERROR:
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.
Eric Hartmann
May 19, 2017, 2:34:30 AM5/19/17
to SK, SonarQube
Hi Sam,
If port 443 is in used, then you have another process binding this port.
For your second problem, you have created an autosigned certificate, SSL/TLS is requiring a trusted third party (authority) to sign the certificate and it's the responsability of the client (in this case Maven) to check that the certificate is signed by a valid authority. In order to install properly the certificate you can have a look at http://blog.kunicki.org/blog/2015/09/10/ssl-client-certificates-on-the-jvm/
Cheers
--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/953de5b4-66be-4c54-925b-98dba48d739c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages