添加链接 注册    登录
link管理
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接
相关文章推荐
闯红灯的柿子  ·  "sonar-report.json" - ...·  2 周前    · 
风流倜傥的乒乓球  ·  Scanner certificate ...·  昨天    · 
阳刚的蚂蚁  ·  Unity ...·  9 月前    · 
沉着的太阳  ·  在 ...·  9 月前    · 
犯傻的黄豆  ·  OpenSeadragon学习笔记-CSDN博客·  1 年前    · 
儒雅的碗  ·  《掬水月在手》:一场对坚守的致敬 - 知乎·  1 年前    · 
坏坏的大海  ·  有没有那种不俗套的漫画推荐? - 知乎·  1 年前    · 
link管理  ›  Scanner certificate issue - SonarQube Server / Community Build - Sonar Community
info sonar jenkins sonarqube
https://community.sonarsource.com/t/scanner-certificate-issue/41785
风流倜傥的乒乓球
昨天

Unfortunatelly I have the same issue despite fact that I had setup and import self signed cert to the custom keystore.
When I run manually sonnarscanner I have following output which seems to point that my certs are not read or not available in the keystore but when I list the keystore I can see it there. I had tried also to import the cert directly to cacerts of the JVM but still I got the very same error. All acl are correct and all selinux is disabled. 

[jenkins@jenkins]$ /jenkins/home/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQubeScanner-4.6.0.2311/bin/sonar-scanner -Dsonar.host.url=https://sonar.example.com -Dsonar.projectKey=backend-integration -Djavax.net.ssl.trustStore=/jenkins/keystore/cacerts -Djavax.net.ssl.trustStorePassword='changeit' -Dsonar.sources=. -X -Djavax.net.debug="ssl,handshake"
11:05:11.960 INFO: Scanner configuration file: /jenkins/home/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQubeScanner-4.6.0.2311/conf/sonar-scanner.properties
11:05:11.972 INFO: Project root configuration file: NONE
11:05:11.997 INFO: SonarScanner 4.6.0.2311
11:05:11.997 INFO: Java 1.8.0_282 Red Hat, Inc. (64-bit)
11:05:11.997 INFO: Linux 3.10.0-1160.15.2.el7.x86_64 amd64
11:05:12.143 DEBUG: keyStore is : 
11:05:12.143 DEBUG: keyStore type is : jks
11:05:12.143 DEBUG: keyStore provider is : 
11:05:12.143 DEBUG: init keystore
11:05:12.144 DEBUG: init keymanager of type SunX509
11:05:12.223 DEBUG: Create: /jenkins/home/.sonar/cache
11:05:12.231 INFO: User cache: /jenkins/home/.sonar/cache
11:05:12.231 DEBUG: Create: /jenkins/home/.sonar/cache/_tmp
11:05:12.242 DEBUG: Extract sonar-scanner-api-batch in temp...
11:05:12.255 DEBUG: Get bootstrap index...
11:05:12.255 DEBUG: Download: https://sonar.example.com/batch/index
11:05:12.370 ERROR: SonarQube server [https://sonar.example.com] can not be reached
11:05:12.371 INFO: ------------------------------------------------------------------------
11:05:12.371 INFO: EXECUTION FAILURE
11:05:12.371 INFO: ------------------------------------------------------------------------
11:05:12.372 INFO: Total time: 0.437s
11:05:12.410 INFO: Final Memory: 5M/238M
11:05:12.411 INFO: ------------------------------------------------------------------------
11:05:12.411 ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
	at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
	at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:73)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
	at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
	at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
	at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
	... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:336)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:185)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.Transmitter.newExchange(Transmitter.java:169)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:81)
	at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:115)
	at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:99)
	at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)
	... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
	at sun.security.validator.Validator.validate(Validator.java:271)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 43 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
	... 49 more

Here is custom keystore(s):


[jenkins@jenkins]$ keytool -keystore /jenkins/keystore/jenkins.jks -list
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
jenkins.example.com, Apr 16, 2021, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 5B:42:45:66:DA:6F:DE:99:3F:86:82:74:1C:D1:91:6D:0E:71:05:89
sonar.example.com, Apr 15, 2021, trustedCertEntry, 
Certificate fingerprint (SHA1): 87:4B:5F:E4:86:58:A7:44:35:60:38:BB:D6:77:B2:14:7A:75:7B:11
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /jenkins/keystore/jenkins.jks -destkeystore /jenkins/keystore/jenkins.jks -deststoretype pkcs12".

Here is cacerts taken from jvm and copie over to custom location in jenkins keystore


[root@jenkins]# keytool -keystore cacerts -storepass changeit -list
Keystore type: jks
Keystore provider: SUN
Your keystore contains 139 entries
sonar.example.com, Apr 16, 2021, trustedCertEntry, 
Certificate fingerprint (SHA1): 87:4B:5F:E4:86:58:A7:44:35:60:38:BB:D6:77:B2:14:7A:75:7B:11

And here I providing list of command where I imported the cert into jks keystore (sonar.crt was downloaded from the sonar website in my lab network):

LINK:

How to Configure SonarQube plugin for HTTPS Sonar Server?


keytool -import -trustcacerts -keystore /jenkins/keystore/jenkins.jks -storepass '1234qwer' -alias sonar.example.com -import -file /jenkins/keystore/sonar.crt

And here for the cacerts from jvm


cp /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/security/cacerts /jenkins/keystore/
keytool -import -trustcacerts -keystore /jenkins/keystore/cacerts -storepass 'changeit' -alias sonar.example.com -import -file /jenkins/keystore/sonar.crt

**Can you pls help me to solve this issue? What I am missing? **

              
Hey there.


Try sticking your Java options related to keystores, etc. in the SONAR_SCANNER_OPTS environment variable rather than as analysis parameters to the sonar-scanner command. You’ll know you’ve done it right when you see something like this in the logs.


INFO: SONAR_SCANNER_OPTS=-DmyJavaOpt
INFO: User cache: /Users/colin/.sonar/cache
INFO: SonarQube server 8.7.0

This assumes your keystore/parameters are :+1:  A tool like MichalHecko/SSLPoke is a great way to check.


You suggestion works when invoked in the command of the sonnar-scanner, however it seems like defining the very same settings on the global config of the SonarQube scanner does not work which aparently should do the same thing? (pls correct me here if I am wrong) - snip from my jenkins config


jenkins-sonar
jenkins-sonar809×275 19.9 KB


So I constructed nested pipeline in which I injected the global scannet keystore params


withSonarQubeEnv{
    withenv([‘SONAR_SCANNER_OPTS=-Djavax.net.ssl.trustStore=/jenkins/keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit']){
    //run sonarscanner section here
    sh '''${SCANNER_HOME}/bin/sonar-scanner -X \
                      -Dsonar.projectKey=${PROJECT_NAME} \
                      -Dsonar.java.binaries=**/* \
                      -Dsonar.sources=.'''

and this seems to be working. All the keystores were tested with SSLPoke as you suggested and they are ok.

Another workaround is to symlink you custom keystore to the JVM keystore(s) or make all you keystores link to the one keystore location.
 
推荐文章
闯红灯的柿子  ·  "sonar-report.json" - Is this file still available? - SonarQube Server / Community Build - Sonar Com
2 周前
风流倜傥的乒乓球  ·  Scanner certificate issue - SonarQube Server / Community Build - Sonar Community
昨天
阳刚的蚂蚁  ·  Unity 内存研究——一些常见会导致内存泄漏的情况_unity在开发过程中哪些地方比较容易造成内存泄漏和内存泄漏问题?如何避免?-CSDN博客
9 月前
沉着的太阳  ·  在 Vue3中使用Fabric.js实现渐变(Gradient)效果,包括径向渐变radial - 掘金
9 月前
犯傻的黄豆  ·  OpenSeadragon学习笔记-CSDN博客
1 年前
儒雅的碗  ·  《掬水月在手》:一场对坚守的致敬 - 知乎
1 年前
坏坏的大海  ·  有没有那种不俗套的漫画推荐? - 知乎
1 年前
Link管理   ·   51好读   ·   Sov5搜索   ·   小百科
link管理 - 链接快照平台