Reputation: 1440
There are some similar questions with older versions here, but the solutions provided there didn't help in my case, so I hope for some insight on this more up-to-date configuration.
I installed the newest SonarLint (3.1) through Eclipse marketplace, but I can't get SonarLint to connect to our SonarQube server (5.6.1).
When I click Test connection in the SonarQube servers view, it fails to connect to https://our.sonarqube-server.com/api/system/status with javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed.
The browser will show the info (some id, version 5.6.1, UP) on https://our.sonarqube-server.com/api/system/status. So the server is up and running.
To make sure I have the right certificates installed, I checked under Help -> About Eclipse -> Installation Details -> Configuration that I'm running a jre1.8.0_131. I downloaded the 3 certificates from the chain of our.sonarqube-server.com and installed them with bin\keytool.exe -import -trustcacerts -keystore lib\security\cacerts -storepass changeit ... in the truststore and checked with -list that they're really there.
The versions should be compatible (SonarLint 3.1 is said to be compatible with SonarQube server 5.6+).
Do you have any idea what could still be wrong with this configuration? When I installed a local SonarQube server on my own machine, I could successfully connect to localhost:9000 the same way (by generating a token, just like I did on our.sonarqube-server.com). As localhost:9000 has no SSL involved, I guess that the SonarLint plugin is looking somewhere else for the certificates, but I don't see how to find out where it looks ...
Thanks for your help.
Upvotes: 2
Views: 933
Reputation: 637
I ran into something similar myself using SonarLint 3.1 and SonarQube 6.7.
In IntelliJ I kept running into this error message:
Failed to connect to the server. Please check the configuration.
Error: Fail to request https://<SONARQUBE>/api/system/status
However I could access that URL through my browser without any issues.
When you Wireshark the requests coming from the browser and the IDE you can see that the cipher suite is quite different and that the IDE plugin gets a TLS handshake failure.
That led me to discover that Java still ships with limited strength cryptographic functions. That’s either because of US export policy or because nobody has gotten around to fixing it. The internet isn’t quite sure.
Either way, you can download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Once I installed those onto the IntelliJ JVM, I no longer got the underlying TLS handshake failure when trying to connect to SonarQube and the connection works.
IntelliJ will ask you about the certificate, so all of that will be easier than messing with certs manually.
Upvotes: 1
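A diagnostic covering both points raised above, the question's "where does it look for the certificates" and the answer's limited-strength JCE policy. This is an added example, not code from either post or from SonarLint; the class name TlsDiag is hypothetical, the default host is the placeholder from the question, and it must be compiled and run with the same JRE the IDE runs on to be meaningful.

```java
import java.io.File;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public class TlsDiag {
    public static void main(String[] args) throws Exception {
        // Placeholder host from the question; pass your own host and port as arguments.
        String host = args.length > 0 ? args[0] : "our.sonarqube-server.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // 1. Which JRE is running, and which truststore will JSSE load by default?
        //    Lookup order: javax.net.ssl.trustStore property, then jssecacerts, then cacerts.
        String javaHome = System.getProperty("java.home");
        String override = System.getProperty("javax.net.ssl.trustStore");
        File jsse = new File(javaHome, "lib/security/jssecacerts");
        File cacerts = new File(javaHome, "lib/security/cacerts");
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + javaHome);
        System.out.println("trustStore   = " + (override != null ? override + " (system property)"
                : jsse.exists() ? jsse.getPath() : cacerts.getPath()));

        // 2. JCE policy: 128 means the limited-strength policy is active.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits (limited policy)"));

        // 3. Attempt the handshake with this JVM's defaults and report the outcome.
        try (SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket(host, port)) {
            System.out.println("protocols    = " + String.join(", ", s.getEnabledProtocols()));
            System.out.println("suites       = " + s.getEnabledCipherSuites().length + " enabled");
            s.startHandshake();
            SSLSession session = s.getSession();
            System.out.println("negotiated   = " + session.getProtocol() + " / " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal()
                        + " | issuer: " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed": chain not trusted by the truststore printed above.
            // "handshake_failure" alert: no protocol or cipher suite in common with the server.
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```

If java.home printed here differs from the one shown in the IDE's installation details, the certificates were imported into a truststore the IDE never reads.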