unable to find valid certification path to requested target

It is always preferred to use https instead of http (specially when using passwords and so on…)

We have switched our SonarQube (tool for Continuous Inspection of code quality) to use https for security reasons. Anyway I have noticed that Jenkins stop sending new quality codes to our sonar. When I have checked the logs I have seen this stacktrace:

Exception in thread "main" java.lang.IllegalStateException: Fail to request server version
	at org.sonar.runner.Bootstrapper.getServerVersion(Bootstrapper.java:73)
	at org.sonar.runner.Runner.checkSonarVersion(Runner.java:220)
	at org.sonar.runner.Runner.execute(Runner.java:150)
	at org.sonar.runner.Main.execute(Main.java:84)
	at org.sonar.runner.Main.main(Main.java:56)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:951)
	at java.net.URLConnection.getContent(URLConnection.java:682)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:406)
	at org.sonar.runner.Bootstrapper.remoteContent(Bootstrapper.java:125)
	at org.sonar.runner.Bootstrapper.getServerVersion(Bootstrapper.java:71)
	... 4 more

So here you can see that Jenkins has problem to “handshake” ssl certificate.

follow these steps:

Download InstallCert.java

Search google – it originally was done in Sun, but you can find this program on google codes or somewhere else. You can even download binaries of this file.

Add Trusted Keystore

Run “InstallCert.java” on server (where you run your https service). something like java InstallCert localhost:443 -> press “1”  when asked. It will add your “localhost” as a trusted keystore, and generate a file named “jssecacerts“.

[user@sonar ~]$ java InstallCert localhost:443
Loading KeyStore /usr/java/jdk1.6.0_37/jre/lib/security/cacerts...
Opening connection to localhost:443...
Starting SSL handshake..
Server sent 1 certificate(s):
1 Subject CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ
Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

I have removed most of the parts but the main parts are here:

a) press 1 when assked – you agree to add certificate for this domain into keystore

b) it created jssecacerts file

Verify Trusted Keystore

Run same command again 🙂  (this is full export – removed hashed data)

[mchowaniok@sonar ~]$ java InstallCert sonar.vmcz.vendavo.com:443
Loading KeyStore jssecacerts...
Opening connection to sonar.vmcz.vendavo.com:443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ
 Issuer CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ
 sha1 
 md5 
Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed

Copy jssecacerts

copy jssecacerts file into java/jre/lib/security folder (I had to done it under sudo )

[user@sonar ~]$ sudo cp jssecacerts /usr/java/default/jre/lib/security/

Done

verify it 🙂   in my case, run Jenkins job and verify data are uploaded to Sonar.


Jenkins on openshift #3 – building repo from github or bitbucket

Next task I wanted to do is to create jenkins on openshift and be able to build projects from github or bitbucket. It sounds simple, but you will face quite a lot of issues. So let’s do it:

Create Jenkins gear

  • this creates gear called “jenkins” using jenkins-1 application and includes ssh wrapper “git-ssh” which helps you to overcome ssh obstacles (openshift forbids to write into .ssh folder) – as you will see we will have to solve this problem several times later as well

Set jenkins slave

jenkins needs other linux machines (called slaves) to use them for building, anyway we don’t have so much free gears, so we will use jenkins itself for it.

Manage Jenkins -> Configure System -> 
# of executors = 1
Labels = put here anything

Generate ssh key

Add public key (id_rsa.pub) to github & bitbucket

search github/ bitbucket how to do it 🙂

Add new Jenkins Job

  • in begining I mentioned that home folder is not writeable, so we are encountering several problems, like ssh can’t write into .ssh , maven can’t write into .m2 folder and so on. The only solution is to point all applications into writeable folder which is $OPENSHIFT_DATA_DIR
  • Because of the problem above, you can’t use standard maven jobs but you have to use “Build a free-style software project”
  • Source Code Management: git: your git url (i.e. git@bitbucket.org:majecek/testtest.git)
  • Build: (add Execute shell): enter:

  • this creates setings.xml file and when runing maven commands – you have to specify where is the settings file
  • check this site for more info
  • next step is to add hooks in github/bitbucket – so after push in repo they will trigger jenkins to create new build – again check it in github/bitbucke or this site

Feed Sonar with data from Jenkins

This was quite a problem. I have to admit that I didn’t finish it, but found solution. Here is another problem, sonar and specially it’s mysql runs on different gear and openshift by default don’t allow any connection between gears nor from outside.

  • install Sonar plugin into jenkins, add URL & jdbc url and all info needed
  • I had to add into Sonar Aditional properties: -DSONAR_USER_HOME=$OPENSHIFT_DATA_DIR
    • this is again, because sonar can’t write into home directory, so you have to point to writeable folder

Now you will face problem, that jenkins can’t connect to MYSQL DB – as said above, this is because gears can’t communicate to each other. There are 2 solutions:

  • set up SONAR as scaled application – scalled applications can communicate to each other
  • setup ssh port forwarding between applications

You can read more here.


SonarQube part #2 – let’s feed it with some data

In previous article, I have showed you how to build sonarqube 4.0 on openshift , but let’s feed it with some data.

  • Let’s create dummy j2ee project using maven
    • mvn archetype:generate
    • cd <<project_name>>
    • mvn clean compile
  • openshift port forward to access database
    • rhc port-forward <<APPLICATION_NAME>>
    • you should see something like this:
      Service      Local                            OpenShift
      ——- ————–       —-     —————
      java     127.0.0.1:8080 => 127.X.X.X:8080
      mysql 127.0.0.1:3306 => 127.X.X.X:3306
    • database can be accessed on localhost:3306

Now we have few options how to feed sonar

  • maven – best for maven projects
  • sonarqube runner – best for java legacy code
  • jenkins,….

Maven projects

5 things to change or consider:

  1. jdbc url – make sure you have correct url, port, application name
  2. mysql username
  3. mysql password
  4. sonar host url
  5. I am using maven version 3 – in case you have maven version 2 you have set different dependences

to run:

mvn clean compile sonar:sonar 

or (including profile name to be used)

mvn clean compile sonar:sonar -Dsonar.profile="Sun checks"

SonarQube Runner

4 things to change or consider:

  1. jdbc url – make sure you have correct url, port, application name
  2. mysql username
  3. mysql password
  4. sonar host url

to run:

  • you have to download SonarQube runner & set PATH variable
    export SONAR_RUNNER_HOME=/Path/to/SonnarRunner/sonar-runner-2.3
    export PATH=$SONAR_RUNNER_HOME/bin:$PATH
  • create file called “sonar-project.properties” and fill it with info mentioned above in gist
  • run:
    sonar-runner

Now change code (i.e. add empty private method, named with upper case letter, ….) and run analysis again to feed sonar. Check sonar – it shows you all violations and issues in your code, …  (also it depends on plugins you have installed on your sonar)

Example project can be found on Bitbucket


How to run SonarQube 4.0 on openshift

I have managed to run latest SonarQube on openshift for free.

Because openshift has bug you can’t just have one-line command to do all setup for you, but I had to separate it into several commands and two git repos.

Bug

you can’t have .openshift folder in repo – so I have to have 2 git repos

  1. git repo with sonar without (.openshift folder)
  2. git repo with .openshift folder  with start & stop commands

How to get SonarQube 4.0 running on openshift

Description

  1. when RedHat fixes the bug, you should be fine, just with line #1
  2. cd into project
  3. add another git repo which holds .openshift folder with start & stop commands
  4. get changes from repo above
  5. pull from origin repo – git was complaining when I didn’t do pull
  6. push into openshift
  7. wait several minutes until sonar gets running

Thanks

Big thanks goes to Rui Rodrigues(@rodriguesrmb) as he managed to solve port binding problems and update java wrapper with new version