Question

我正在尝试让插件正常工作。 Sonarsource 5.6，插件1.2。我有一个SSL错误，我认为这是由我的github企业实例从内部因此不受信任的CA（或者可能根本没有设置权限）授予SSL证书引起的。日志复制在下面。

我有哪些选择？我想

我可以通过sudo docker exec <my container id> openssl s_client -connect my-sonarqube-hostname:443 -showcerts下载证书，然后（如果我知道我在做什么）使用keytool来...将它戳进商店（？）
我可以禁用证书验证a）如果我知道如何，并且b）我是否认为可以冒险使用MITM来获取我的源代码（我没有）
我可以尝试理解下面的文章，但它们似乎都涉及编译某些内容以获取证书以将其放入商店
- https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html
我可以尝试让拥有GHE的团队使用真正的证书
....？别的吗？

我在Amazon Linux EC2实例的docker容器中运行sonarqube - 非常容易上手，但现在很难修改（虽然我想我可以拉Dockerfile并分叉它 - 我怀疑我的问题是独一无二的对于内部设置，所以也许我想出的任何东西值得回馈？）

日志：

    2016.06.10 07:50:01 ERROR web[o.s.s.a.AuthenticationError] Fail to callback authentication with 'github'
com.github.scribejava.core.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service: https://my-github-enterprise-hostname/login/oauth/access_token?client_id=02e2f2cd8f567478c80d&client_secret=68c1ec2fe7d5c99a75e478c476965bdbefdc55dd&code=1b8c6e1323ef66e7a8f0&redirect_uri=https%3A%2F%2Fmy-sonarqube-hostname%2Foauth2%2Fcallback%2Fgithub
        at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:39) ~[na:na]
        at com.github.scribejava.core.oauth.OAuth20ServiceImpl.getAccessToken(OAuth20ServiceImpl.java:36) ~[na:na]
        at org.sonarsource.auth.github.GitHubIdentityProvider.callback(GitHubIdentityProvider.java:111) ~[na:na]
        at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:71) ~[sonar-server-5.6.jar:na]
        at org.sonar.server.platform.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:125) [sonar-server-5.6.jar:na]
        at org.sonar.server.platform.MasterServletFilter.doFilter(MasterServletFilter.java:94) [sonar-server-5.6.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:59) [sonar-server-5.6.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.sonar.server.platform.ProfilingFilter.doFilter(ProfilingFilter.java:84) [sonar-server-5.6.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.30.jar:8.0.30]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_91]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_91]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_91]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_91]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_91]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_91]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_91]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_91]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_91]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[na:1.8.0_91]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_91]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.8.0_91]
        at com.github.scribejava.core.model.Response.<init>(Response.java:30) ~[na:na]
        at com.github.scribejava.core.model.OAuthRequest.doSend(OAuthRequest.java:57) ~[na:na]
        at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:37) ~[na:na]
        ... 28 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_91]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_91]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_91]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_91]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_91]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_91]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_91]
        ... 41 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_91]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_91]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_91]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_91]
        ... 47 common frames omitted

Answer 1

在我看来，您的Enterprise Github URL未使用您的应用程序服务器接受的证书进行签名。

您必须使用JDK的keytool将服务器SSL密钥添加到应用程序服务器密钥库（see corresponding documentation）。

Answer 2

我最终做了

#!/bin/bash
HOST=my-github-hostname
PORT=443
KEYSTOREFILE=/etc/ssl/certs/java/cacerts
KEYSTOREPASS=changeit

# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

# copy it into the running docker container
sudo docker cp ${HOST}.cert sonarqube-web:/opt/sonarqube/${HOST}.cert

# import certificate into the container's keystore

sudo docker exec sonarqube-web keytool -import -noprompt -trustcacerts -alias ${HOST} -file /opt/sonarqube/${HOST}.cert -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

# verify we've got it.
sudo docker exec sonarqube-web keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}

exit 0

我意识到修改正在运行的docker容器可能是我要刻录的东西，但OTOH实例每次启动时都会获取一个新的cert副本，所以......

SonarQube安装 - Github身份验证插件失败，“PKIX路径构建失败”

2 个答案: