SonarQube Bindings View: New Connection… → SonarQube Server → URL: https://myurl.intranet → Token: mytoken-1234567890 → Next
Error appears: javax.net.ssl.SSLHandshakeException: (certificate_unknown) The certificate chain is not trusted
Observations:
On Windows: The server works fine over plain HTTP (http://myurl.intranet), but any HTTPS request from Eclipse (via the SonarLint plugin or the embedded scanner) fails.
On Linux: The same configuration works without issues.
What I’ve already tried:
Imported the certificate into the embedded JRE’s cacerts (same approach that works on Linux).
Tried adding the certificate inside the plugin JAR (org.sonarlint.eclipse.sloop.windows.x64_12.2.1.84686.jar) in the plugins folder of the SonarQube P2 mirror directory — not recommended, but still doesn’t work.
Modified eclipse-inst.ini to remove -Djavax.net.ssl.trustStore=NONE.
Question:
What is the correct way on Windows to ensure that the SonarQube Eclipse plugin uses a keystore that includes our internal CA? Is there a specific keystore location or configuration that SonarLint requires on Windows that differs from Linux?
Can you please provide the verbose logs from the IDE startup? It will contain the information on which JRE is used by the IDE plug-in, and also the full stack traces.
This will be helpful to pinpoint exactly which JRE is messing with you.
Here below the verbose Window log.
Please let me know if you need any additional information.
Thanks for you help
Using Java installation of Eclipse
Using JRE from C:\Users\guy\Documents\jdk-25.0.0+36-certified
Starting SonarLint for Eclipse 11.9.0.82894
Started embedded server on port 64120
Can't open directory channel. Log directory fsync won't be performed.
Monitoring is disabled by feature flag.
Request failed
javax.net.ssl.SSLHandshakeException: (certificate_unknown) The certificate chain is not trusted
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:651)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:421)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:477)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1207)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:343)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:414)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$100(SSLIOSession.java:74)
at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:201)
at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:143)
at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
at java.base/java.lang.Thread.run(Thread.java:1474)
Caused by: java.security.cert.CertificateException: The certificate chain is not trusted
at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:61)
at nl.altindag.ssl.trustmanager.AggregatedX509ExtendedTrustManager.checkServerTrusted(AggregatedX509ExtendedTrustManager.java:91)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
... 16 more
Suppressed: java.security.cert.CertificateException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:54)
... 18 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:202)
at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:121)
at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:105)
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:93)
at java.base/sun.security.validator.Validator.getInstance(Validator.java:173)
at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:308)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:254)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:53)
at nl.altindag.ssl.trustmanager.AggregatedX509ExtendedTrustManager.lambda$checkServerTrusted$5(AggregatedX509ExtendedTrustManager.java:91)
at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
... 18 more
Suppressed: java.security.cert.CertificateException: No X509ExtendedTrustManager implementation available
at nl.altindag.ssl.trustmanager.DummyX509ExtendedTrustManager.checkServerTrusted(DummyX509ExtendedTrustManager.java:69)
at nl.altindag.ssl.trustmanager.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:53)
at nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager.lambda$checkServerTrusted$2(HotSwappableX509ExtendedTrustManager.java:71)
at nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager.checkTrusted(HotSwappableX509ExtendedTrustManager.java:92)
at nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager.checkServerTrusted(HotSwappableX509ExtendedTrustManager.java:71)
at nl.altindag.ssl.trustmanager.InflatableX509ExtendedTrustManager.lambda$checkServerTrusted$4(InflatableX509ExtendedTrustManager.java:119)
at nl.altindag.ssl.trustmanager.InflatableX509ExtendedTrustManager.checkTrusted(InflatableX509ExtendedTrustManager.java:150)
at nl.altindag.ssl.trustmanager.InflatableX509ExtendedTrustManager.checkServerTrusted(InflatableX509ExtendedTrustManager.java:119)
at nl.altindag.ssl.trustmanager.AggregatedX509ExtendedTrustManager.lambda$checkServerTrusted$5(AggregatedX509ExtendedTrustManager.java:91)
at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:41)
... 18 more
GET https://myurl.intranet/api/system/status javax.net.ssl.SSLHandshakeException: (certificate_unknown) The certificate chain is not trusted | failed after 149ms
Based on the second line of the log, the JDK at C:\Users\guy\Documents\jdk-25.0.0+36-certified is used. Have you configured this as well?
You can change what Java Runtime (not necessarily a JDK) is used by SonarQube for IDE inside the preferences, please see this documentation.
As this is not the JDK bundled with the Eclipse IDE nor the one SonarQube for IDE, have you changed the setting in the preferences, or did you configure your Eclipse IDE to use this very JDK as the runtime?
This information would be all that is needed to investigate further!
The certificate has been added to the standard JDK 25, and this certified JDK is used during the Eclipse installation. My eclipse.ini contains the line :
