Description of the issue
The sonar-scanner utility cannot be installed via brew because the machines do not trust the Sectigo certificate authority.
Environment:
Where did the issue happen?
Stack used: Xcode 11.3.x, on macOS 10.14.6 (Mojave)
Build tags: --osx-xcode-11.3.x, --elite
Which build Step causes the issue and which version of the step?
| id: script
| version: 1.1.6
| collection: GitHub - bitrise-io/bitrise-steplib: New Bitrise StepLib
| toolkit: bash
| time: 2020-05-30T18:24:41Z
Reproducibility
Does a “Rebuild” help? (You can trigger a rebuild from the Build’s page, by clicking the “Rebuild” button in the top right corner of a finished build) : NO
Does a rebuild without caches help? (You can remove the Cache:Pull and Cache:Push steps temporarily to not use the cache, or you can delete all the caches on the Settings tab of the app.) : NO
Does the issue happen sporadically, or every time? : Every time
Does upgrading the build Step to the latest version help? : NO
When did the issue start? :
Local reproduction
Visiting the site via browser shows the certificate used for the site https://binaries.sonarsource.com/ is valid up to the Sectigo root certificate.
Build log
This is the error after issuing “brew install sonar-source” in the script step. It is likely the CA root and intermediate certs are not installed and trusted by the operating system.
==> Downloading https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip
curl: (60) SSL certificate problem: certificate has expired
More details here: curl - SSL CA Certificates
curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: Failed to download resource “sonar-scanner”
Download failed: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip
koral
May 31, 2020, 1:42pm
2
It seems that the certificate has expired:
expire date: Apr 8 23:59:59 2021 GMT
This kind of issue should be reported directly to SonarSource.
bkteo
June 1, 2020, 12:21am
3
hmm? I thought it was expiring year 2021?
koral
June 1, 2020, 9:21am
4
Sorry, I was able to reproduce that error using command-line curl but pasted the incorrect line of curl output into the previous post.
Nevertheless, at the time of writing this issue should be gone:
$ curl -v --head https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip
* Trying 91.134.125.245...
* TCP_NODELAY set
* Connected to binaries.sonarsource.com (91.134.125.245) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.sonarsource.com
* start date: Jun 1 00:00:00 2020 GMT
* expire date: Apr 8 23:59:59 2021 GMT
* subjectAltName: host "binaries.sonarsource.com" matched cert's "*.sonarsource.com"
* issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
* SSL certificate verify ok.
> HEAD /Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102.zip HTTP/1.1
> Host: binaries.sonarsource.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 01 Jun 2020 09:23:06 GMT
Date: Mon, 01 Jun 2020 09:23:06 GMT
< Server: Apache
Server: Apache
< Strict-Transport-Security: max-age=63072000; preload
Strict-Transport-Security: max-age=63072000; preload
< Last-Modified: Thu, 20 Feb 2020 13:56:47 GMT
Last-Modified: Thu, 20 Feb 2020 13:56:47 GMT
< ETag: "8fb11-59f0246a81f58"
ETag: "8fb11-59f0246a81f58"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 588561
Content-Length: 588561
< Content-Type: application/zip
Content-Type: application/zip
<
* Connection #0 to host binaries.sonarsource.com left intact
* Closing connection 0
Thanks @koral. I can confirm that the error is no longer occurring.
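Added example, not part of the original thread and not code from curl or Bitrise: a parser for the "Server certificate" block of `curl -v` output like the one pasted above, which checks whether a given instant falls inside the leaf certificate's validity window. The sample text is constructed from the lines quoted in this thread, the function names `parse_leaf` and `status_at` are hypothetical, and the step-header time 2020-05-30T18:24:41Z is assumed to be when the failing step ran.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample: leaf-certificate lines copied from the curl -v output in this thread.
SAMPLE = """\
* Server certificate:
* subject: CN=*.sonarsource.com
* start date: Jun 1 00:00:00 2020 GMT
* expire date: Apr 8 23:59:59 2021 GMT
* issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
* SSL certificate verify ok.
"""

# curl prints these fields as "*  name: value"; tolerate any amount of spacing.
FIELD = re.compile(r"^\*\s+(subject|start date|expire date|issuer):\s*(.+?)\s*$", re.M)


def parse_leaf(curl_verbose):
    """Return subject, issuer and validity window (epoch seconds) of the leaf cert."""
    fields = {}
    for name, value in FIELD.findall(curl_verbose):
        fields.setdefault(name, value)  # first connection wins if there are several
    missing = [n for n in ("subject", "start date", "expire date", "issuer")
               if n not in fields]
    if missing:
        raise ValueError("no certificate block found, missing: " + ", ".join(missing))
    return {
        "subject": fields["subject"],
        "issuer": fields["issuer"],
        # cert_time_to_seconds parses OpenSSL's "Mon D HH:MM:SS YYYY GMT" form.
        "not_before": ssl.cert_time_to_seconds(fields["start date"]),
        "not_after": ssl.cert_time_to_seconds(fields["expire date"]),
    }


def status_at(cert, when):
    """Classify the leaf certificate at a timezone-aware instant."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime (certificate times are GMT)")
    ts = when.timestamp()
    if ts < cert["not_before"]:
        return "not-yet-valid"
    if ts > cert["not_after"]:
        return "expired"
    return "valid"
```

For the sample, the assumed step time classifies as not-yet-valid and the time of the later curl check as valid, so the certificate in that curl output was issued after the failing build ran. curl's verbose output lists only the leaf certificate, so an expired intermediate or root in the chain would not show up in these lines.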