SonarDelphi could not be retrieved from GitHub due to SSL certification failure

[JonRobertson]

Prerequisites

• This bug is in DelphiLint, not SonarDelphi, SonarQube, or my Delphi code.
• This bug has not already been reported.

Delphi IDE version

Delphi 11 Version 28.0.48361.3236

DelphiLint version

1.0.0

SonarDelphi version

None

SonarQube version

No response

Issue description

New install of DelphiLint. When trying to analyze a file, this dialog appears:

DelphiLint encountered a problem during analysis.

SonarDelphi could not be retrieved from GitHub. Please check your internet connection and try again.

Steps to reproduce

Install DelphiLint in Delphi 11.
Open a project in Delphi.
Open a source file from the project.
From the DelphiLint menu, select Analyze This File.

Minimal Delphi code exhibiting the issue

No response

[fourls]

Hi, thanks for raising this issue.

At %APPDATA%\DelphiLint\logs, there should be one or more log files prefixed delphilint-server. Would you be able to upload these log files?

Alternatively, if you'd rather not upload the whole file, please look for a message that says Fallback provider could not provide plugin and send that snippet, including the error+stack trace that comes after it.

[fourls]

Hi @JonRobertson, just wondering if you have had time to look through those logs? They have a 7-day retention period, so will be deleted soon.

[JonRobertson]

Here is the requested log file

delphilint-server-2024-03-19-1.log

[fourls]

Thanks!

The issue seems to be that when DelphiLint tries to access GitHub via HTTPS, its certificate is not issued by a trusted certificate authority. GitHub's certificate is issued by the USERTrust ECC Certification Authority, which should certainly be trusted.

Judging by some of your other issues, it sounds like you are in a corporate setting where security is quite strict. Is it possible that a corporate proxy is decrypting HTTPS traffic, inspecting it, and resigning using a company root certificate (e.g. using WatchGuard or similar)? You should be able to check this by going to GitHub in a browser and seeing whether your company certificate is in the certificate chain (see here).

If this is the case, your system will be configured to trust the company root certificate, but the JVM maintains its own list of trusted certificates. You can see instructions for adding a new certificate to the JVM keystore here.

[JonRobertson]

Yes, our company uses WatchGuard. This is transparent (to me) for most internet servers/services. I will try to add our certificate to the JVM keystore.

[JonRobertson]

If this is the case, your system will be configured to trust the company root certificate, but the JVM maintains its own list of trusted certificates. You can see instructions for adding a new certificate to the JVM keystore here.

Thank you. I installed our certificate in the JVM keystore and deleted DEFAULT-sonar-delphi-1.3.0.jar. Then I Analyzed File and DelphiLint was able to download the SonarDelphi jar file.

[fourls]

Really glad to hear that fixed it!

Unfortunately, since it's all JVM-side there's not much we can do to improve this experience. That being said, I think this would be a useful addition to the FAQ - others may have the same problem in the future.

I'm closing the issue now, but I'll update the FAQ today or early next week with these steps.