Brew installation of sonar-scanner fails due to TLS CA issue

Description of the issue

The sonar-scanner utility cannot be installed via brew because the machines do not trust the Sectigo certificate authority.

Environment:

Where did the issue happen?

Stack used: Xcode 11.3.x, on macOS 10.14.6 (Mojave)
Build tags: --osx-xcode-11.3.x, --elite

Which build Step causes the issue and which version of the step?

| id: script
| version: 1.1.6
| collection: https://github.com/bitrise-io/bitrise-steplib.git
| toolkit: bash
| time: 2020-05-30T18:24:41Z

Reproducibility

  • Does a “Rebuild” help? (You can trigger a rebuild from the Build’s page, by clicking the “Rebuild” button in the top right corner of a finished build) : NO
  • Does a rebuild without caches help? (You can remove the Cache:Pull and Cache:Push steps temporarily to not use the cache, or you can delete all the caches on the Settings tab of the app.) : NO
  • Does the issue happen sporadically, or every time? : Every time
  • Does upgrading the build Step to the latest version help? : NO
  • When did the issue start? :

Local reproduction

Visiting the site via browser shows the certificate used for the site https://binaries.sonarsource.com/ is valid up to the Sectigo root certificate.

Build log

This is the error after issuing “brew install sonar-source” in the script step. It is likely the CA root and intermediate certs are not installed and trusted by the operating system.

==> Downloading https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: Failed to download resource “sonar-scanner”
Download failed: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip


It seems that the certificate has expired:
expire date: Apr 8 23:59:59 2021 GMT

This kind of issue should be reported directly to SonarSource.


Hmm? I thought it was expiring in 2021?


Sorry, I was able to reproduce that error using command-line curl but pasted an incorrect line of curl output into the previous post.

Nevertheless, at the time of writing, this issue should be gone:

$ curl -v --head https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip
*   Trying 91.134.125.245...
* TCP_NODELAY set
* Connected to binaries.sonarsource.com (91.134.125.245) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.sonarsource.com
*  start date: Jun  1 00:00:00 2020 GMT
*  expire date: Apr  8 23:59:59 2021 GMT
*  subjectAltName: host "binaries.sonarsource.com" matched cert's "*.sonarsource.com"
*  issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
*  SSL certificate verify ok.
> HEAD /Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip HTTP/1.1
> Host: binaries.sonarsource.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 01 Jun 2020 09:23:06 GMT
Date: Mon, 01 Jun 2020 09:23:06 GMT
< Server: Apache
Server: Apache
< Strict-Transport-Security: max-age=63072000; preload
Strict-Transport-Security: max-age=63072000; preload
< Last-Modified: Thu, 20 Feb 2020 13:56:47 GMT
Last-Modified: Thu, 20 Feb 2020 13:56:47 GMT
< ETag: "8fb11-59f0246a81f58"
ETag: "8fb11-59f0246a81f58"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 588561
Content-Length: 588561
< Content-Type: application/zip
Content-Type: application/zip

<
* Connection #0 to host binaries.sonarsource.com left intact
* Closing connection 0
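
The diagnosis made in this thread, as an added example that is not part of any post: it maps the curl (60) message from the build log to a cause and checks the validity window printed by `curl -v` against the response's Date header. The function names and cause labels are assumptions of this example; the sample text is copied from the lines quoted above.

```python
import re
import ssl
from email.utils import parsedate_to_datetime

# Sample input: lines copied from the build log and curl -v output in this thread.
CURL_ERROR = "curl: (60) SSL certificate problem: certificate has expired"
CURL_VERBOSE = """\
*  subject: CN=*.sonarsource.com
*  start date: Jun  1 00:00:00 2020 GMT
*  expire date: Apr  8 23:59:59 2021 GMT
*  issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
< Date: Mon, 01 Jun 2020 09:23:06 GMT
"""

# Verifier messages curl relays after "SSL certificate problem:".
# The labels on the right are this example's own names (assumption).
CAUSES = {
    "certificate has expired": "expired",
    "certificate is not yet valid": "not-yet-valid",
    "unable to get local issuer certificate": "untrusted-ca",
}

def classify_curl_error(line):
    """Return the cause label for a curl (60) line, or None for other lines."""
    m = re.search(r"curl: \(60\) SSL certificate problem: (.+)", line)
    return CAUSES.get(m.group(1).strip(), "other") if m else None

def leaf_status(verbose, now=None):
    """Return (state, whole days to expiry) for the leaf cert in curl -v text.

    `now` is epoch seconds; by default the server's Date header is used so the
    result does not depend on the local clock. This checks the leaf only: the
    "expired" message can also refer to an intermediate or root in the chain.
    """
    f = dict(re.findall(r"^[*<]\s+(start date|expire date|Date): (.+)$", verbose, re.M))
    if now is None:
        now = parsedate_to_datetime(f["Date"]).timestamp()
    not_before = ssl.cert_time_to_seconds(f["start date"])
    not_after = ssl.cert_time_to_seconds(f["expire date"])
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left
    return "valid", days_left

if __name__ == "__main__":
    print(classify_curl_error(CURL_ERROR))  # cause reported in the build log
    print(leaf_status(CURL_VERBOSE))        # leaf state at the time of the reply
```

An "untrusted-ca" result points at the client's CA bundle, while "expired" with a valid leaf points at another certificate in the chain the client built.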

Thanks @koral. I can confirm that the error is no longer occurring.
