Relevant extensions/plugins: Using AI CodeFix feature
We are trying to use the AI CodeFix feature in SonarQube, but it fails with an error in the UI stating:
AI CodeFix Error The AI CodeFix service is reachable but returned an error. Check logs for more details.
We reviewed the logs and found the following error in web.log:
WARN web[a335b610-5e7a-4d16-9597-814cb9eeb0b1][c.s.f.s.api.K.Y] Error while checking AI CodeFix service status
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
We confirmed that:
There is no proxy configured in conf/sonar.properties.
Our SonarQube instance runs over HTTPS with a valid certificate.
Network connectivity from the server is working normally.
Could you please advise if:
The AI CodeFix service uses a certificate chain that must be manually trusted via the JVM truststore?
There is a recommended certificate or CA we should import?
Let us know how best to proceed to resolve the SSL handshake issue.
Just to clarify, api.sonarqube.io uses trusted, industry-standard certificates—there’s nothing unusual or proprietary about them. Java distributions should trust this certificate chain by default, unless the JVM is running with a custom truststore that’s missing some root or intermediate certificates.
A few things to check:
Are you using a custom truststore? Sometimes, teams point the JVM at a specific truststore (with -Djavax.net.ssl.trustStore options), which may not contain the latest public CAs. It’s worth reviewing your conf/sonar.properties config, especially sonar.web.javaOpts or sonar.web.javaAdditionalOpts, to see if anything is overriding Java’s default trust manager.
Since your deployment is via .zip and you aren’t using a proxy, this is the most likely scenario: a custom truststore or an outdated system CA bundle.
To rule out anything SonarQube-specific, try testing connectivity and trust by using an external Java SSL test tool like SSLPoke:
If this fails with the same exception, you’ll know it’s an environment-wide truststore issue rather than a SonarQube-specific bug.
As you suspected, the issue was due to a custom truststore missing the required CA certificates. We exported the certificate from api.sonarqube.io, imported it into our truststore, and pointed SonarQube to use it via configuration.
After this, the connectivity issue was resolved.
Appreciate your help—hopefully this will assist others facing the same error!