Org.sonarsource.scanner.maven should work with Godaddy certificate without checking java truststore

andgru · April 12, 2019, 11:49am

Hello,

SonarQube version = 6.7.5 Community version, plugin = org.sonarsource.scanner.maven , sonar.version 3.5.0.1254

when running mvn sonar:sonar against our SonarQube server with godaddy certificate.
(which works with openssl s_client -showcerts -connect :443 from buildserver)

we still got certificate errors, since the plugin seems to check java truststrore only.
Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.5.0.1254:sonar (default-cli) on project teamcity-test: Unable to execute SonarQube: Fail to get bootstrap index from server: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]*

So i want an option or similar so the plugin to check the sonarqube server cert and not the local java truststore on the buildserver.

Thanks& Regards
/Anders

Scott · April 12, 2019, 12:52pm

What’s your Java version? I had some problems in the past with newer certificates (from Let’s Encrypt Authority in that case) and it was fixed by simply updating the JRE.

andgru · April 12, 2019, 1:11pm

Hello,
ok, we re using different version,but does not worj wih java version “1.8.0_201” and Maven 3.5.4

Scott · April 12, 2019, 1:42pm

I just tested with a Go Daddy certificate and it works for me. I’m using java 1.8.0_201 too (this is a default installation, I never added anything to the cacerts file).

The root certificates exist on the java cacerts:

keytool -list -v -keystore "C:\Program Files\Java\jdk1.8.0_201\jre\lib\security\cacerts" -storepass changeit -alias "godaddyclass2ca [jdk]"
...
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

keytool -list -v -keystore "C:\Program Files\Java\jdk1.8.0_201\jre\lib\security\cacerts" -storepass changeit -alias "godaddyrootg2ca [jdk]"
...
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US

andgru · April 12, 2019, 1:45pm

Ok, thanks!
Sounds good!
I will check in our environment then.

andgru · April 25, 2019, 11:36am

I check now and the java trust store is ok.
But the Go Daddy class 2 cert is not included in my sonarqube server cert chain.

andgru · May 6, 2019, 10:22am

The java trustsstore is ok, and our godaddy cert too, but still fails.
Any ideas ?