PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to fin

MaheshReddy · November 29, 2023, 10:33am

Hi Team,
I am facing below error, when i ran the sonar-scanner.bat from bamboo agent command prompt.

Java version: jdk-17.0.8.7-hotspot

Sonar Scanner : sonar-scanner-cli-5.0.1

sonarqube server: sonarqube-8.9.10.61524

Even though i added my sonarqube certificate on this location jdk-17.0.8.7-hotspot/lib/security/cacerts

‘’’
D:\sonar-scanner-cli-5.0.1\sonar-scanner\bin>sonar-scanner.bat -D"sonar.projectKey=test" -D"sonar.sources=." -D"sonar.host.url=https://.com"
-D"sonar.login=a32c61c130db53*"

INFO: Scanner configuration file: D:\sonar-scanner-cli-5.0.1\sonar-scanner\bin..\conf\sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.7 Eclipse Adoptium (64-bit)
INFO: Windows Server 2019 10.0 amd64
INFO: User cache: C:\Users\mduddukunta_psm.sonar\cache
ERROR: SonarQube server [https://********************.com] can not be reached
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 0.594s
INFO: Final Memory: 3M/28M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
at org.sonarsource.scanner.cli.Main.main(Main.java:62)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
… 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
‘’’

Colin · December 1, 2023, 9:16am

Since there’s a difference here (17.0.8 vs. 17.0.7) I would guess you haven’t put the certs in the right place.

Which flavor of the SonarScanner CLI did you download? If you want to make sure that the Java version you have installed on your machine (and not a separate one, bundled with the scanner) gets used, I would suggest downloading the “Any (Requires a pre-installed JVM)” flavor.

Ralph · December 20, 2023, 12:32pm

Hi
I think we are facing the same problem with the sonar-maven-plugin. We wanted to migrate from OpenJDK17 to Eclipse Adoptium 17.0.7 (64-bit). We have all needed CA in the default truststore “/opt/java/openjdk/lib/security/cacerts”, but the remote sonar server certificate cannot be verified, see the logs below. We only changed the JDK, maven and maven-sonar-plugin remain on the same version. From the same job, several TLS connections could be established successfully e.g. Nexus, only the maven-sonar-plugin seem to have a that issue

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar (default-cli) on project irs: Unable to execute SonarScanner analysis: Fail to get bootstrap index from server: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
# many more lines
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Colin · December 20, 2023, 1:35pm

@Ralph Let me suggest taking the Maven plugin out of the equation entirely and using a tool like SSLPoke to test the different Java distribution and whether it is able to make the connection to your SonarQube server with what it has in its trust store.

Ralph · December 21, 2023, 11:15am

Hi Colin
thanks for your reply. With SSLPoke most of our internal servers could be reached, a few e.g. Sonar did not work.
We solved the problem with the Eclipse Adoptium Temurin JDK by using an alternative cacerts taken from an OpenJDK and adding the parameter e.g. -Djavax.net.ssl.trustStore=/opt/java/openjdk/lib/security/cacerts

Topic		Replies	Views
Getting PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException SonarQube Server / Community Build sonarqube , scanner	2	22	February 20, 2025
Error SonarQube server can not be reached and PKIX path building failed SonarQube Server / Community Build scanner	5	13213	October 16, 2023
Sonar Scanner cannot talk to Server due to PKIX path building failed SonarQube Server / Community Build dotnet , ssl , cert , dotnet6 , sonar-scanner	2	976	March 21, 2023
SonarQube Server can not be reached - SonarScanner 4.8.0.2856 SonarQube Server / Community Build dotnet	1	415	September 20, 2023
Custom Java path for SonarScanner for .NET SonarQube Server / Community Build java , scanner , dotnet	3	657	February 5, 2024

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to fin

Related topics