您的位置: 首页  >  技术问答  >  SonarQube安装 - Github身份验证插件失败,“PKIX路径构建失败”

SonarQube安装 - Github身份验证插件失败,“PKIX路径构建失败”

分类: 技术问答 2022-05-17 13:56:28
问题描述:

我试图让插件工作。 Sonarsource 5.6,插件1.2。我有一个SSL错误,我认为这是由我的github企业实例具有从内部和因此不可信的CA授予的SSL证书(或者根本没有设置正确)导致的。该日志复制在下面。SonarQube安装 - Github身份验证插件失败,“PKIX路径构建失败”

我有什么选择?我认为

  • 我可以通过sudo docker exec <my container id> openssl s_client -connect my-sonarqube-hostname:443 -showcerts下载证书,然后(如果我知道我在做什么)使用keytool来......捅它进入商店(?)
  • 我可以禁用证书验证一)如果我知道如何,和b)如果我认为这是可以风险MITM的东西,将有我的源代码(我不)
  • 我可以尝试理解下面的文章,但他们似乎都涉及编译东西取得证书,将其放入商店
  • 我可以尝试让拥有GHE使用真实的证书
  • 团队....?还要别的吗?

我在Amazon Linux的EC2实例泊坞窗容器中运行sonarqube - 很容易得到有去,但现在棘手的修改(但我想我可以拉Dockerfile和叉子 - 我怀疑我问题是内部设置独特的,所以也许无论我拿出价值贡献背面)

日志:

2016.06.10 07:50:01 ERROR web[o.s.s.a.AuthenticationError] Fail to callback authentication with 'github' 
com.github.scribejava.core.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service: https://my-github-enterprise-hostname/login/oauth/access_token?client_id=02e2f2cd8f567478c80d&client_secret=68c1ec2fe7d5c99a75e478c476965bdbefdc55dd&code=1b8c6e1323ef66e7a8f0&redirect_uri=https%3A%2F%2Fmy-sonarqube-hostname%2Foauth2%2Fcallback%2Fgithub 
     at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:39) ~[na:na] 
     at com.github.scribejava.core.oauth.OAuth20ServiceImpl.getAccessToken(OAuth20ServiceImpl.java:36) ~[na:na] 
     at org.sonarsource.auth.github.GitHubIdentityProvider.callback(GitHubIdentityProvider.java:111) ~[na:na] 
     at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:71) ~[sonar-server-5.6.jar:na] 
     at org.sonar.server.platform.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:125) [sonar-server-5.6.jar:na] 
     at org.sonar.server.platform.MasterServletFilter.doFilter(MasterServletFilter.java:94) [sonar-server-5.6.jar:na] 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:59) [sonar-server-5.6.jar:na] 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.sonar.server.platform.ProfilingFilter.doFilter(ProfilingFilter.java:84) [sonar-server-5.6.jar:na] 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na] 
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91] 
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91] 
     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.30.jar:8.0.30] 
     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91] 
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_91] 
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_91] 
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_91] 
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_91] 
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_91] 
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_91] 
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_91] 
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_91] 
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_91] 
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91] 
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91] 
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91] 
     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[na:1.8.0_91] 
     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_91] 
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.8.0_91] 
     at com.github.scribejava.core.model.Response.<init>(Response.java:30) ~[na:na] 
     at com.github.scribejava.core.model.OAuthRequest.doSend(OAuthRequest.java:57) ~[na:na] 
     at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:37) ~[na:na] 
     ... 28 common frames omitted 
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_91] 
     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_91] 
     at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_91] 
     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_91] 
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_91] 
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_91] 
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_91] 
     ... 41 common frames omitted 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_91] 
     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_91] 
     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_91] 
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_91] 
     ... 47 common frames omitted

我落得这样做

#!/bin/bash 
HOST=my-github-hostname 
PORT=443 
KEYSTOREFILE=/etc/ssl/certs/java/cacerts 
KEYSTOREPASS=changeit 

# get the SSL certificate 
openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert 

# copy it into the running docker container 
sudo docker cp ${HOST}.cert sonarqube-web:/opt/sonarqube/${HOST}.cert 

# import certificate into the container's keystore 

sudo docker exec sonarqube-web keytool -import -noprompt -trustcacerts -alias ${HOST} -file /opt/sonarqube/${HOST}.cert -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} 

# verify we've got it. 
sudo docker exec sonarqube-web keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST} 

exit 0

我意识到修改正在运行的泊坞窗容器可能是东西,我会烧,但OTOH实例将获取每次自举时证书的新鲜副本,所以。 ..

在我看来,你的企业Github的网址与证书申请签约服务器接受。

您必须将服务器的SSL密钥添加到您的应用程序服务器密钥库(see corresponding documentation以了解使用来自JDK的keytool的详细信息)。

+0

诊断完全正确。谢谢;我有那么多。我发现你指出的文档对于不熟悉java的人来说并不那么有用,所以我写了一些脚本,其中列出了实际的命令。 –

相关推荐