Connecting with ldaps - Installing self-signed server certificate into Java truststore

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  1. SonarQube 7.8 Community Edition (Docker)
  2. Postgresql 10 (Docker)
  3. RHEL 7
  4. Nginx Proxy
  • what are you trying to achieve

Interacting with in-house MS Active Directory through ldaps

  • what have you tried so far to achieve this

Trying to connect to ldapjs, but unable to do so due to certificate error.

From, there a message about installing the server certificate into the Java truststore. My understanding is that I probably need to modify the Java truststore within the SonarQube Docker container itself?

I have followed the suggestion given by

Which are

  1. Create a jks based on my internal root cert
  2. Build a refined sonarqube image, Dockerfile as follows
FROM sonarqube:7.8-community
COPY someca.jks /usr/local/openjdk-8/jre/lib/security/cacerts
  3. Add the following into

Unfortunately, I still got some errors. I have verified the keystore and it looks fine too.

Caused by: the trustAnchors parameter must be non-empty

Are there any standard ways we can add our internal self-signed certificate into the java truststore?



Just an update. I probably didn’t chain my certificates properly.

Will share the exact steps on how we can tackle this issue, especially updating self-signed certificates into the Java trust store.



I managed to solve this by building a refined sonarqube docker image. Do look at the github link above for inspiration.


FROM openjdk:8 AS builder

COPY /certs/server.crt /tmp/
COPY /certs/intermediate.crt /tmp/
COPY /certs/root.crt /tmp/

RUN keytool -import -v -trustcacerts -alias sonarqube -file /tmp/server.crt  \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -noprompt -storepass changeit

RUN keytool -import -v -trustcacerts -alias intermediate -file /tmp/intermediate.crt \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -noprompt -storepass changeit

RUN keytool -import -v -trustcacerts -alias root -file /tmp/root.crt \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -noprompt -storepass changeit

FROM sonarqube:7.8-community
COPY --from=builder ${JAVA_HOME}/jre/lib/security/cacerts ${JAVA_HOME}/jre/lib/security/cacerts

Do a docker build based on the above file… which will copy your self-signed certificates into the container's Java trust store. As such, I managed to make a successful connection to my internal MS Active Directory through ldaps.

Mainly, you need to understand how your CA and server certificates are chained properly.
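
A small diagnostic for the `the trustAnchors parameter must be non-empty` error and the chaining point discussed in this thread, as an added example (not code from the thread's author or from SonarQube): it lists which keystore entries Java will accept as trust anchors and who issued each one. The class name `TrustStoreCheck` and the default path and password are assumptions; pass your own keystore path and password as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JRE's cacerts file and the "changeit" password
        // used by the Dockerfile in this thread. Override with two arguments.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            // Only trustedCertEntry items count as trust anchors; key entries do not.
            if (!ks.isCertificateEntry(alias) || !(cert instanceof X509Certificate)) {
                System.out.println("[not an anchor] " + alias);
                continue;
            }
            X509Certificate x = (X509Certificate) cert;
            boolean selfIssued = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            System.out.printf("[%s] %s%n  subject: %s%n  issuer:  %s%n  expires: %s%n",
                    selfIssued ? "self-issued" : "issued by another CA", alias,
                    x.getSubjectX500Principal(), x.getIssuerX500Principal(), x.getNotAfter());
        }

        try {
            // Builds the anchor set from the store's trusted certificate entries.
            PKIXParameters params = new PKIXParameters(ks);
            System.out.println(params.getTrustAnchors().size() + " trust anchor(s) in " + path);
        } catch (InvalidAlgorithmParameterException e) {
            // Message: "the trustAnchors parameter must be non-empty"
            System.out.println("No trusted certificate entries in " + path + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile it with `javac` and run it against the `cacerts` file inside the built image; exit status 1 means the store holds no trusted certificate entries, which is the condition behind the error quoted above.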