How to install SonarQube with Let’s Encrypt on Ubuntu 20.04

It is every developer’s dream to have clean, bug-free code that can be easily deployed in staging and production environments. A tool that can help you achieve this in your CI/CD pipeline is SonarQube. SonarQube is a cross-platform, web-based tool for continuous review of source code. It is written in Java. SonarQube helps you write cleaner, safer code by reviewing it and identifying errors and other inconsistencies.

SonarQube can be integrated with platforms such as GitHub, GitLab, Bitbucket, and Azure DevOps, to name a few. It is available in different editions, including Community, Developer, Enterprise, and Datacenter editions.

In this tutorial we will learn how to install SonarQube on Ubuntu 20.04. We are going to install the Community Edition, as it is free to download, and enable HTTPS with a Let’s Encrypt SSL certificate by setting up Nginx as the reverse proxy.

Requirements

Before starting, make sure you meet the following requirements:

  1. Ubuntu 20.04 LTS with a configured sudo user.
  2. Make sure your system has at least 4 GB of RAM and 2 vCPU cores.

You need to install some tools

$ sudo apt update
$ sudo apt install net-tools unzip vim curl

You also need to increase the kernel's virtual memory map count

$ sudo sysctl -w vm.max_map_count=262144

with the maximum number of open files

$ sudo sysctl -w fs.file-max=65536

and the resource limits

$ ulimit -n 65536
$ ulimit -u 4096

You can make the changes permanent by changing the system parameters in the configuration file /etc/sysctl.conf

$ sudo vim /etc/sysctl.conf

Add the following lines. The ulimit values are not sysctl parameters; they are made permanent through limits.conf in the next step.

vm.max_map_count=262144
fs.file-max=65536

Save and close. Then open the limits.conf file

$ sudo vim /etc/security/limits.conf

At the very bottom, add the following lines. The user name must match the account that runs SonarQube, which is the sonar user created in Step 5.

sonar - nofile 65536
sonar - nproc 4096

Save and close. Restart your server for the changes to take effect.

Step 1: Install OpenJDK

Since SonarQube is written in Java, it depends on Java to work. We are going to install OpenJDK 11 which provides Java.

$ sudo apt install openjdk-11-jdk

After the installation, you can check the Java version.

$ java -version

Step 2: Install the PostgreSQL database

As of 2016, SonarQube stopped supporting MySQL and now only supports PostgreSQL. Hence we need to install the PostgreSQL database.

First, download and add the PostgreSQL GPG key.

$ wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -

Then add the PostgreSQL repository.

$ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'

Then update the package index to synchronize the new repository.

$ sudo apt update

After you’ve updated the package lists, install the PostgreSQL database and its dependencies.

$ sudo apt install postgresql postgresql-contrib

By default, the PostgreSQL service starts after installation. If it doesn’t start, run the following command.

$ sudo systemctl start postgresql

To confirm that everything is running as expected, check the execution status.

$ sudo systemctl status postgresql

You can also confirm the port it is listening on:

$ sudo netstat -pnltu | grep 5432
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      7768/postgres       
tcp6       0      0 ::1:5432                :::*                    LISTEN      7768/postgres    

Enable PostgreSQL to start automatically at boot:

$ sudo systemctl enable postgresql

So far our PostgreSQL has been running without any problems.

Step 3: Configure PostgreSQL

In the following we will set the password for the Postgres user, which is normally used by default when installing PostgreSQL. To do this, run the command:

$ sudo passwd postgres

Enter the password and confirm it. Next, switch to the Postgres user.

$ su - postgres

Next, go ahead and create a new database user.

$ createuser sonar

When you’re done, switch to the PostgreSQL prompt with the command:

$ psql

With access to the PostgreSQL shell, create a password for the user you just created.

ALTER USER sonar WITH ENCRYPTED PASSWORD 'strong_password';

Next, create a SonarQube database with the user you created as the owner

CREATE DATABASE sonarqube OWNER sonar;

Then grant the sonar user all privileges on the database so that it can modify it.

GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;

Now exit the database.

\q

Step 4: Download and Configure SonarQube

Next, we’re going to download the latest binary ZIP file of SonarQube. Currently, the latest version of the Community Edition, which is a Long Term Support (LTS) version, is SonarQube version 9.0.1. You can also check the SonarQube download page for the latest downloads.

To download the zip file, enter the command:

$ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.0.1.46107.zip 

Next, unzip the zipped file.

$ unzip sonarqube-9.0.1.46107.zip

And move it to the /opt/ path.

$ sudo mv sonarqube-9.0.1.46107 /opt/sonarqube

Step 5: Create a new user and group

Next, we’ll create a new user and group that will run the SonarQube service. So create the group.

$ sudo groupadd sonar

Next, create the user with its home directory at /opt/sonarqube while adding the user to the newly created group.

$ sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar

Then set ownership of the /opt/sonarqube directory.

$ sudo chown -R sonar:sonar /opt/sonarqube/

Step 6: Configure SonarQube

Now let’s configure SonarQube. Open the SonarQube configuration file.

$ sudo vim  /opt/sonarqube/conf/sonar.properties

Find and uncomment the following lines

sonar.jdbc.username=
sonar.jdbc.password=

These represent the SonarQube database user and password that we created on the PostgreSQL database server. Therefore, enter the values accordingly. The user name is sonar, as created in Step 3.

sonar.jdbc.username=sonar
sonar.jdbc.password=strong_password

Next, modify these lines so that they look as shown

sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqube
sonar.search.javaOpts=-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError

Then modify the following lines so that they appear as shown.

sonar.web.host=0.0.0.0
sonar.web.port=9000
sonar.web.javaAdditionalOpts=-server
sonar.log.level=INFO
sonar.path.logs=logs

Next, change the user who is running the SonarQube service by editing the file shown.

$ sudo vim /opt/sonarqube/bin/linux-x86-64/sonar.sh

Scroll down and make sure the line below appears as shown.

RUN_AS_USER=sonar
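
A check for the sonar.properties values set in this step, as an added example that is not part of the original tutorial: it flags a web listener bound to all interfaces, the tutorial's placeholder database password left in place, and a world-readable file holding that password. The finding names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): audit sonar.properties as configured above.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

# Last uncommented value of KEY (a regex-escaped key) in a properties FILE.
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

audit_sonar_props() {
  local f="$1" rc=0 host pass
  host=$(prop "$f" 'sonar\.web\.host')
  pass=$(prop "$f" 'sonar\.jdbc\.password')

  # An unset host falls back to SonarQube's default of all interfaces.
  if [ -z "$host" ] || [ "$host" = "0.0.0.0" ]; then
    echo "WEB_HOST_ALL_INTERFACES"; rc=1
  fi
  # The tutorial's placeholder must not survive into a real install.
  if [ "$pass" = "strong_password" ]; then
    echo "PLACEHOLDER_DB_PASSWORD"; rc=1
  fi
  # The file holds the JDBC password in clear text.
  if [ -n "$(find "$f" -perm -004)" ]; then
    echo "WORLD_READABLE"; rc=1
  fi
  return $rc
}

# Constructed sample mirroring the tutorial's settings.
demo() {
  local f; f=$(mktemp)
  printf '%s\n' '#sonar.web.host=0.0.0.0' 'sonar.jdbc.username=sonar' \
    'sonar.jdbc.password=strong_password' 'sonar.web.host=0.0.0.0' > "$f"
  chmod 644 "$f"
  audit_sonar_props "$f" || true
  rm -f "$f"
}
demo
```

Setting sonar.web.host=127.0.0.1 is compatible with the proxy_pass http://127.0.0.1:9000 target used in Step 8, and chmod 600 on the file keeps it readable by its owner, the sonar user.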

Step 7: Create a systemd service file for SonarQube

Currently, our system has no way of starting the SonarQube service. Hence we need to create a systemd service. To do this, run the command:

$ sudo vim  /etc/systemd/system/sonarqube.service

Add the following lines.

[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
Restart=always
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target

Save your changes and exit the file.

Enable the SonarQube service to start at boot

$ sudo systemctl enable sonarqube

And start the SonarQube service.

$ sudo systemctl start sonarqube

To make sure the SonarQube service is running, run the command:

$ sudo systemctl status sonarqube

Also make sure port 9000 is open

$ sudo ufw allow '9000'
Rules updated
Rules updated (v6)

Check that the service is listening on port 9000

$ sudo netstat -pnltu | grep 9000
tcp6       0      0 :::9000                 :::*                    LISTEN      65140/java  

Now you can check whether you can reach the login page by entering the public IP of your server and the port number in your browser, e.g. http://SERVER-IP:9000/. The default administrator username is ‘admin’ and the password is ‘admin’.

SonarQube will prompt you to change the default password.

Step 8: Install and configure Nginx with SSL (optional)

To access your SonarQube with an SSL-enabled domain name, you will need to install a reverse proxy such as Nginx. The web server proxies connections to SonarQube so developers can access it from a secure domain name.

Installing Nginx is simple and straightforward and can be done with a single command.

$ sudo apt install nginx

Once installed, enable the Nginx web server to start at boot.

$ sudo systemctl enable nginx

And start the service

$ sudo systemctl start nginx

So that the web server recognizes SonarQube, we create a configuration file as shown.

$ sudo vim  /etc/nginx/sites-available/sonarqube.conf

Then paste in the provided content.

server {

    listen 80;
    # Replace example.com with your domain name or server IP
    server_name example.com;
    access_log /var/log/nginx/sonar.access.log;
    error_log /var/log/nginx/sonar.error.log;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme stays correct once this block is switched to HTTPS
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Save and close. Then activate the SonarQube site:

$ sudo ln -s /etc/nginx/sites-available/sonarqube.conf  /etc/nginx/sites-enabled/sonarqube.conf

Check that the configuration is correct

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Then restart the Nginx web server for the changes to take effect.

$ sudo systemctl restart nginx

Now we need to configure the UFW firewall to allow Nginx. To do this, run the command

$ sudo ufw allow 'Nginx Full'

Then reload the firewall for the changes to take effect.

$ sudo ufw reload

You can now access your SonarQube by its domain name.

Here we use a free Let’s Encrypt certificate. To configure it, we need to run certbot for Nginx:

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator nginx, Installer nginx
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): alain@websitefortesting.com                                                    
 
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server at
 https://acme-v02.api.letsencrypt.org/directory
 
 (A)gree/(C)ancel: A
 
 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about our work
 encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 
 (Y)es/(N)o: N
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator nginx, Installer nginx
 Which names would you like to activate HTTPS for?
 
 1: websitefortesting.com
 
 Select the appropriate numbers separated by commas and/or spaces, or leave input
 blank to select all options shown (Enter 'c' to cancel): 1
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for websitefortesting.com
 Waiting for verification…
 Cleaning up challenges
 Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sonarqube.conf
 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 
 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
 new sites, or if you're confident your site works on HTTPS. You can undo this
 change by editing your web server's configuration.
 
 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/sonarqube.conf
 
 Congratulations! You have successfully enabled https://websitefortesting.com
 You should test your configuration at:
 https://www.ssllabs.com/ssltest/analyze.html?d=websitefortesting.com
 
 IMPORTANT NOTES:
 Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/websitefortesting.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/websitefortesting.com/privkey.pem
 Your cert will expire on 2021-11-27. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot again
 with the "certonly" option. To non-interactively renew all of
 your certificates, run "certbot renew"
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le 

Let’s Encrypt adds some lines to the Nginx server block file by default.

You should have something like this

server {
    server_name websitefortesting.com;
    add_header Strict-Transport-Security max-age=2592000;
    #rewrite ^ https://$server_name$request_uri? permanent;
    access_log /var/log/nginx/sonarqube.access.log;
    error_log /var/log/nginx/sonarqube.error.log;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Must report https here so SonarQube knows the client connection is encrypted
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/websitefortesting.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/websitefortesting.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = websitefortesting.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name websitefortesting.com;
    return 404; # managed by Certbot
}
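
Certbot adds the TLS directives but leaves the proxy_set_header lines alone, so a X-Forwarded-Proto value hard-coded as http for the port 80 block carries over into the 443 block. The following added example (not part of the original tutorial) audits a site file for that and for a missing HSTS header; the finding names and the sample configuration are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): audit an Nginx site file that proxies SonarQube.
# For each TLS server block, flag a X-Forwarded-Proto that is not https/$scheme and
# a missing HSTS header. Returns 0 when clean. Assumes "server {" has a space.
audit_nginx_proxy() {
  awk '
    { sub(/#.*/, "") }                               # ignore comments
    !in_srv && $1 == "server" && $2 == "{" {
      in_srv = 1; depth = 0; tls = 0; proxied = 0; hsts = 0; proto = "unset"; name = "?"
    }
    in_srv {
      if ($1 == "listen" && $0 ~ /ssl/) tls = 1
      if ($1 == "server_name") { name = $2; sub(/;$/, "", name) }
      if ($1 == "proxy_pass") proxied = 1
      if ($1 == "proxy_set_header" && $2 == "X-Forwarded-Proto") { proto = $3; sub(/;$/, "", proto) }
      if ($1 == "add_header" && $2 == "Strict-Transport-Security") hsts = 1
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")    # track nested blocks
      if (depth == 0) {                              # server block closed
        if (tls && proxied && proto != "https" && proto != "$scheme") {
          print name ": FORWARDED_PROTO_NOT_HTTPS (" proto ")"; bad = 1
        }
        if (tls && !hsts) { print name ": NO_HSTS"; bad = 1 }
        in_srv = 0
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: a TLS block that still forwards "http" to SonarQube.
demo() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    server_name sonar.example.com;
    add_header Strict-Transport-Security max-age=2592000;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header X-Forwarded-Proto http;
    }
    listen 443 ssl; # managed by Certbot
}
EOF
  audit_nginx_proxy "$f" || true
  rm -f "$f"
}
demo
```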

Step 10: Access SonarQube using HTTPS

Now you can securely access SonarQube with an HTTPS URL configured with Let’s Encrypt.

https://domain-name

After logging in, you will be shown the landing page.

Conclusion

In this tutorial we learned how to install SonarQube on Ubuntu 20.04. We enabled SSL for SonarQube using a Let’s Encrypt certificate, with Nginx as a reverse proxy.
