PKIX path building failed: unable to fin

Hi Team,
I am facing below error, when i ran the sonar-scanner.bat from bamboo agent command prompt.

Java version: jdk-

Sonar Scanner : sonar-scanner-cli-5.0.1

sonarqube server: sonarqube-

Even though i added my sonarqube certificate on this location jdk-

D:\sonar-scanner-cli-5.0.1\sonar-scanner\bin>sonar-scanner.bat -D"sonar.projectKey=test" -D"sonar.sources=." -D""

INFO: Scanner configuration file: D:\sonar-scanner-cli-5.0.1\sonar-scanner\bin..\conf\
INFO: Project root configuration file: NONE
INFO: SonarScanner
INFO: Java 17.0.7 Eclipse Adoptium (64-bit)
INFO: Windows Server 2019 10.0 amd64
INFO: User cache: C:\Users\mduddukunta_psm.sonar\cache
ERROR: SonarQube server [https://********************.com] can not be reached
INFO: ------------------------------------------------------------------------
INFO: ------------------------------------------------------------------------
INFO: Total time: 0.594s
INFO: Final Memory: 3M/28M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(
at java.base/ Source)
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(
at org.sonarsource.scanner.api.EmbeddedScanner.doStart(
at org.sonarsource.scanner.api.EmbeddedScanner.start(
at org.sonarsource.scanner.cli.Main.execute(
at org.sonarsource.scanner.cli.Main.main(
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(
at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(
at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(
… 7 more
Caused by: PKIX path building failed:
unable to find valid certification path to requested target

Since there’s a difference here (17.0.8 vs. 17.0.7) I would guess you haven’t put the certs in the right place.

Which flavor of the SonarScanner CLI did you download? If you want to make sure that the Java version you have installed on your machine (and not a separate one, bundled with the scanner) gets used, I would suggest downloading the “Any (Requires a pre-installed JVM)” flavor.

I think we are facing the same problem with the sonar-maven-plugin. We wanted to migrate from OpenJDK17 to Eclipse Adoptium 17.0.7 (64-bit). We have all needed CA in the default truststore “/opt/java/openjdk/lib/security/cacerts”, but the remote sonar server certificate cannot be verified, see the logs below. We only changed the JDK, maven and maven-sonar-plugin remain on the same version. From the same job, several TLS connections could be established successfully e.g. Nexus, only the maven-sonar-plugin seem to have a that issue

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin: (default-cli) on project irs: Unable to execute SonarScanner analysis: Fail to get bootstrap index from server: PKIX path building failed: unable to find valid certification path to requested target -> [Help 1]
# many more lines
Caused by: PKIX path building failed: unable to find valid certification path to requested target

@Ralph Let me suggest taking the Maven plugin out of the equation entirely and using a tool like SSLPoke to test the different Java distribution and whether it is able to make the connection to your SonarQube server with what it has in its trust store.

Hi Colin
thanks for your reply. With SSLPoke most of our internal servers could be reached, a few e.g. Sonar did not work.
We solved the problem with the Eclipse Adoptium Temurin JDK by using an alternative cacerts taken from an OpenJDK and adding the parameter e.g.

1 Like