Sonarqube delegate authtication to Gitlab fail

Question

• which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

  • Sonarqube: 8.2 community, serve as https://10.92.6.200/
  • Gitlab: GitLab Community Edition [12.9.0], serve as https://10.225.96.206/

• what are you trying to achieve

  I try to delegate sonarqube authtication to Gitlab SSO.

• what have you tried so far to achieve this

  I create a Gitlab Application named sonarqube, and set callback url https://10.92.6.200/oauth2/callback/gitlab, grant read_user and api scope:

  Then configure sonarqube ALM Integration with Gitlab, Force user authentication, set Server base URL to https://10.92.6.200, so I can see this in sonarqube login page:

  When I click Log in with Gitlab, I get this: sonarqube web log show:

  2020.04.14 03:30:13 WARN  web[AXFzahyz3CdktahgAAf0][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
  java.lang.IllegalStateException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:104)
          at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:98)
          at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:77)
          at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:70)
          at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
          at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:88)
          at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:72)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
          at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:58)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
          at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
          at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
          at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
          at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
          at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.base/java.lang.Thread.run(Unknown Source)
  Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
          at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
          at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
          at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
          at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
          at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
          at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
          at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
          at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
          at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
          at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
          at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
          at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
          at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
          at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.prepareConnectionForBodyAndGetOutputStream(JDKHttpClient.java:269)
          at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.addBody(JDKHttpClient.java:195)
          at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.access$100(JDKHttpClient.java:26)
          at com.github.scribejava.core.httpclient.jdk.JDKHttpClient$BodyType$1.setBody(JDKHttpClient.java:147)
          at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.doExecute(JDKHttpClient.java:129)
          at com.github.scribejava.core.httpclient.jdk.JDKHttpClient.execute(JDKHttpClient.java:95)
          at com.github.scribejava.core.oauth.OAuthService.execute(OAuthService.java:114)
          at com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:46)
          at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:97)
          at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:92)
          at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:115)
          at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:102)
          ... 47 common frames omitted
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
          at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
          at java.base/sun.security.validator.Validator.validate(Unknown Source)
          at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
          ... 75 common frames omitted
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
          at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
          at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
          ... 81 common frames omitted
  

Is there someone can help me, I would be so appreciate.

Answer 1

The relevant error is

PKIX path building failed:    
  sun.security.provider.certpath.SunCertPathBuilderException: 
  unable to find valid certification path to requested targe

This is typical of a java application (here Sonar) which does not have the proper certificate (one needed by GitLab) in its keystore.

You can use openssl to get the GitLab server certificate

You can then add it to the java keystore (java used to run Sonar)