“PKIX path building failed: unable to find valid certification path to requested”

I have a server running SonarQube in a Docker container. On this server, I also use an SSL certificate issued by a Certificate Authority (CA). However, when performing code analysis through the GitLab CI/CD pipeline, I encounter the error “PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.” My code is written in dotnet 8.0. How can I validate the certificate to resolve this issue? Recent documentation has not been clear about the correct way to validate TLS certificates.

Sonarqube version: 10.6.0-community
SonarScanner 5.0.1.3006

sonarqube-check:
  stage: sonarqube-check
  image: mcr.microsoft.com/dotnet/sdk:8.0
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"
    SONAR_HOST_URL: "https://my-domain.com.br"
  cache:
    policy: pull
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner
  before_script:
    - cp ${CI_PROJECT_DIR}/certs/truststore.p12 /usr/local/share/ca-certificates/truststore.p12
    - update-ca-certificates
  script: 
      - "apt-get update"
      - "apt-get install --yes --no-install-recommends openjdk-17-jre"
      - "dotnet tool install --global dotnet-sonarscanner"
      - "export PATH=\"$PATH:$HOME/.dotnet/tools\""
      - "dotnet sonarscanner begin /k:\"project_my_token\" /d:sonar.token=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" /d:sonar.scanner.skipJreProvisioning=true /d:sonar.projectBaseDir=\"${CI_PROJECT_DIR}\" /d:sonar.clientcert.path=/usr/local/share/ca-certificates/truststore.p12\ /d:sonar.clientcert.password=mypassword"
      - "dotnet build ${CI_PROJECT_DIR}/my-project.sln --no-incremental"
      - "dotnet sonarscanner end /d:sonar.token=\"$SONAR_TOKEN\""
  allow_failure: true

Hello @Marcos_Vinicius,

I noticed in your configuration when specifying the client cert path that you wrote:

/d:sonar.clientcert.path=/usr/local/share/ca-certificates/truststore.p12\ /d:sonar.clientcert.password=mypassword
                                                                        ^ // This backslash should not be here

I believe there is a backslash (\) that should not be here.
It seems to match the error as /usr/local/share/ca-certificates/truststore.p12\ /d:sonar.clientcert.password=mypassword is not a valid path.

Can you try removing it?

/d:sonar.clientcert.path=/usr/local/share/ca-certificates/truststore.p12 /d:sonar.clientcert.password=mypassword

Hello, @sebastien.marichal !

I removed the slash as instructed, but the same error persists. What are the alternative solutions for this issue?

Hello @Marcos_Vinicius,

From what I can see you are trying to set up your CI to use client certificates.

You probably need to set the following options before the end step:

  • javax.net.ssl.keyStore (same value as sonar.clientcert.path)
  • javax.net.ssl.keyStorePassword (same value as sonar.clientcert.password)

Unfortunately, you cannot set those values from the begin step.
To do so, you can set the SONAR_SCANNER_OPTS environment variable.
In your gitlab-ci.yml config, it should look like this:

sonarqube-check:
  stage: sonarqube-check
  image: mcr.microsoft.com/dotnet/sdk:8.0
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"
    SONAR_HOST_URL: "https://my-domain.com.br"
    SONAR_SCANNER_OPTS: "-Djavax.net.ssl.keyStore=/usr/local/share/ca-certificates/truststore.p12 -Djavax.net.ssl.keyStorePassword=mypassword"
# ... skipping as not relevant

The SONAR_SCANNER_OPTS environment variable allows you to pass arguments to the SonarScanner CLI that cannot be passed through the begin step.

If this does not solve your issue, to be able to do further investigation, I would need you to share with me the verbose log of both the begin and end steps.
To do so, do not forget to add /d:sonar.verbose=true to the begin step.

I hope this helps!

Hello, @sebastien.marichal

Even after passing the arguments as you suggested, I’m still receiving the same error message when trying to use client certificates.

This is the latest version of the .gitlab-ci.yml and I’ve attached the detailed log for reference.

sonarqube-check:
  stage: sonarqube-check
  image: mcr.microsoft.com/dotnet/sdk:8.0
  dependencies:
    - test
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"
    SONAR_HOST_URL: "https://my-domain.com.br"
    SONAR_SCANNER_OPTS: "-Dsonar.clientcert.path=/usr/local/share/ca-certificates/truststore.p12 -Dsonar.clientcert.password=mypassword -Djavax.net.ssl.keyStore=/usr/local/share/ca-certificates/truststore.p12 -Djavax.net.ssl.keyStorePassword=mypassword"
  cache:
    policy: pull
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/
  before_script:
    - cp /${CI_PROJECT_DIR}/certs/truststore.p12 /usr/local/share/ca-certificates/truststore.p12
    - update-ca-certificates
  script: 
    - "apt-get update"
    - ls -la /usr/local/share/ca-certificates/truststore.p12
    - "apt-get install --yes --no-install-recommends openjdk-17-jre && apt-get install -y libxml2 libc6"
    - "dotnet tool install --global dotnet-sonarscanner"
    - "dotnet tool install --global dotnet-coverage"
    - "export PATH=\"$PATH:$HOME/.dotnet/tools\""
    - "dotnet sonarscanner begin /k:\"project_key\" 
        /d:sonar.token=\"$SONAR_TOKEN\" 
        /d:\"sonar.host.url=$SONAR_HOST_URL\" 
        /d:sonar.scanner.skipJreProvisioning=true 
        /d:sonar.projectBaseDir=\"${CI_PROJECT_DIR}\"
        /d:sonar.verbose=true
        /d:sonar.clientcert.path=/usr/local/share/ca-certificates/truststore.p12\ /d:sonar.clientcert.password=mypassword
        /d:javax.net.ssl.keyStore=/usr/local/share/ca-certificates/truststore.p12\ /d:javax.net.ssl.keyStorePassword=mypassword"
    - "dotnet restore ./my-proj.csproj"
    - "dotnet build ${CI_PROJECT_DIR}/my-proj.sln --no-incremental"
    - "dotnet add ./my-proj.csproj package Microsoft.NET.Test.Sdk"
    - "dotnet-coverage collect dotnet test ./my-proj.csproj -f xml -o coverage.xml"
    - "dotnet sonarscanner end /d:sonar.token=\"$SONAR_TOKEN\" "
  allow_failure: true

For security reasons, I needed to alter some data that identified my server. I hope you understand.
Attached: SonarScanner for MSBuild 9.0.2.txt (336.8 KB)

Hello @Marcos_Vinicius,

I would like to make some clarifications about what you are trying to achieve here.
I was under the impression that you were trying to set up the usage of client certificates.
However, the error in your logs seems to suggest that the error is about server certificates.

Do you use client certificates as part of your authentication process?

In any case, to fix the current error you have, you can set the javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword options:

sonarqube-check:
  # ...
  variables:
    # ...
    SONAR_SCANNER_OPTS: "-Djavax.net.ssl.trustStore=/usr/local/share/ca-certificates/truststore.p12 -Djavax.net.ssl.trustStorePassword=mypassword"

If you do not need client certificates, you can completely remove both the javax.net.ssl.keyStore* and sonar.clientcert.* options.

If you need client certificates as well, you will need to set both trustStore and keyStore options:

sonarqube-check:
  # ...
  variables:
    # ...
    SONAR_SCANNER_OPTS: "-Djavax.net.ssl.trustStore=/usr/local/share/ca-certificates/truststore.p12 -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=/usr/local/share/ca-certificates/truststore.p12 -Djavax.net.ssl.keyStorePassword=mypassword"

However, it is unlikely to be the same file.
You will also need to keep the sonar.clientcert.* options.

You can find more about this in the documentation:

Be aware that you will need to apply the configuration for both the SonarScanner for .NET and the SonarScanner CLI.

Let me know if it solves your issue.
