Error prepare analysis on SonarQUbe

Recently, after my digital certificate expired, I replaced it. After this replacement, it started generating an error in the “prepare analysis” pipeline on SonarQube.

[SQ] API GET '/api/server/version' failed, error is request to https://sonarqube.***/api/server/version failed, reason: unable to get local issuer certificate

SonarQube version: 10.4.1

I am using the classic editor in my Azure DevOps.

Any more people ocorred it?

I’m resolved my problem in following step by step below

Step 1: Install the PFX Certificate on Windows

Locate the PFX Certificate:

  • Go to the location where your .pfx file is stored (e.g., C:\cert\cert.pfx).

Install the Certificate:

  • Right-click on the .pfx file and select Install Certificate.
  • Choose the Local Machine option.
  • Choose the certificate store:
    • Personal or Trusted Root Certification Authorities if the certificate is for root authentication.
  • Enter the certificate password when prompted.

Change the Certificate for the SITE in IIS (SonarQube):

  • Select the site in IIS.
  • In the right-hand side panel, click on Bindings.
  • Select the route/port and change the certificate.

Step 2: Export the PFX Certificate to Base64 Format (.cer)

After installing the certificate, export it in Base64 format to be used in the commands.

Open Windows Certificate Manager:

Press Win + R, type certmgr.msc, and press Enter.

Locate the Certificate:

  • In the left panel, expand Personal or Trusted Root Certification Authorities, and click on Certificates.
  • Find the certificate you just installed.

Export the Certificate:

  • Right-click on the certificate and select All Tasks → Export.
  • Choose to export without the private key.
  • Select the Base-64 encoded X.509 (.CER) format and save the file as C:\certificado\certexport.cer.

Step 3: Add the Certificate to the Windows Truststore (Servers)**

Now, add the exported certificate to the Windows Truststore on both servers: Azure DevOps and SonarQube.

Open Command Prompt as Administrator:

  • Execute the following command to add the certificate to the “ROOT” store:

bash

certutil -addstore -f “ROOT” C:\certificado\certexport.cer

  • This will add the certificate to the trusted certificate store on the server.

Step 4: Add the Certificate to the Java Truststore (Servers)

You also need to add the certificate to the Java Truststore (cacerts) on both servers if SonarScanner or SonarQube depends on Java.

Locate the Java Truststore:

  • The cacerts file is usually located at C:\Program Files\Java\jdk-17\lib\security\cacerts.

Add the Certificate to the Java Truststore:

  • Use the keytool command to import the certificate into the Java truststore.

Java Default Tool for Managing Certificates:

The default Java tool to manage certificates in the keystore is located at:

bash

“C:\Program Files\Java\jdk-17\bin\keytool.exe” -import -trustcacerts -keystore “C:\Program Files\Java\jdk-17\lib\security\cacerts” -storepass changeit -alias -file C:\cert\certexport.cer

Explanation of Parameters:

  • -keystore: Defines the path to the cacerts file.
  • -storepass: Defines the password for the truststore (default is changeit).
  • -alias: Defines an alias for the certificate in the truststore.
  • -file: Path to the exported certificate (in Base64 format).

Step 5: Restart to Apply Changes

Aditional documentation: Managing TLS certificates on the client side

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.