Hi,
Unfortunately, I have the same issue despite the fact that I had set up and imported the self-signed cert into the custom keystore.
When I run sonar-scanner manually I get the following output, which seems to indicate that my certs are not read or not available in the keystore, but when I list the keystore I can see it there. I also tried to import the cert directly into the cacerts of the JVM, but I still got the very same error. All ACLs are correct and SELinux is disabled.
```
[jenkins@jenkins]$ /jenkins/home/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQubeScanner-4.6.0.2311/bin/sonar-scanner -Dsonar.host.url=https://sonar.example.com -Dsonar.projectKey=backend-integration -Djavax.net.ssl.trustStore=/jenkins/keystore/cacerts -Djavax.net.ssl.trustStorePassword='changeit' -Dsonar.sources=. -X -Djavax.net.debug="ssl,handshake"
11:05:11.960 INFO: Scanner configuration file: /jenkins/home/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQubeScanner-4.6.0.2311/conf/sonar-scanner.properties
11:05:11.972 INFO: Project root configuration file: NONE
11:05:11.997 INFO: SonarScanner 4.6.0.2311
11:05:11.997 INFO: Java 1.8.0_282 Red Hat, Inc. (64-bit)
11:05:11.997 INFO: Linux 3.10.0-1160.15.2.el7.x86_64 amd64
11:05:12.143 DEBUG: keyStore is :
11:05:12.143 DEBUG: keyStore type is : jks
11:05:12.143 DEBUG: keyStore provider is :
11:05:12.143 DEBUG: init keystore
11:05:12.144 DEBUG: init keymanager of type SunX509
11:05:12.223 DEBUG: Create: /jenkins/home/.sonar/cache
11:05:12.231 INFO: User cache: /jenkins/home/.sonar/cache
11:05:12.231 DEBUG: Create: /jenkins/home/.sonar/cache/_tmp
11:05:12.242 DEBUG: Extract sonar-scanner-api-batch in temp...
11:05:12.255 DEBUG: Get bootstrap index...
11:05:12.255 DEBUG: Download: https://sonar.example.com/batch/index
11:05:12.370 ERROR: SonarQube server [https://sonar.example.com] can not be reached
11:05:12.371 INFO: ------------------------------------------------------------------------
11:05:12.371 INFO: EXECUTION FAILURE
11:05:12.371 INFO: ------------------------------------------------------------------------
11:05:12.372 INFO: Total time: 0.437s
11:05:12.410 INFO: Final Memory: 5M/238M
11:05:12.411 INFO: ------------------------------------------------------------------------
11:05:12.411 ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
    at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
    at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:73)
    at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
    at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
    at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
    at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
    ... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:336)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:185)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.Transmitter.newExchange(Transmitter.java:169)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
    at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:81)
    at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:115)
    at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:99)
    at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)
    ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 43 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
    ... 49 more
```
Here is the custom keystore:
```
[jenkins@jenkins]$ keytool -keystore /jenkins/keystore/jenkins.jks -list
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
jenkins.example.com, Apr 16, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 5B:42:45:66:DA:6F:DE:99:3F:86:82:74:1C:D1:91:6D:0E:71:05:89
sonar.example.com, Apr 15, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 87:4B:5F:E4:86:58:A7:44:35:60:38:BB:D6:77:B2:14:7A:75:7B:11
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /jenkins/keystore/jenkins.jks -destkeystore /jenkins/keystore/jenkins.jks -deststoretype pkcs12".
```
Here is the cacerts taken from the JVM and copied over to a custom location in the Jenkins keystore:
```
[root@jenkins]# keytool -keystore cacerts -storepass changeit -list
Keystore type: jks
Keystore provider: SUN
Your keystore contains 139 entries
<SNIP>
sonar.example.com, Apr 16, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 87:4B:5F:E4:86:58:A7:44:35:60:38:BB:D6:77:B2:14:7A:75:7B:11
<SNIP>
```
And here is the list of commands I used to import the cert into the JKS keystore (sonar.crt was downloaded from the Sonar website in my lab network):
LINK: How to Configure SonarQube plugin for HTTPS Sonar Server?
```
keytool -import -trustcacerts -keystore /jenkins/keystore/jenkins.jks -storepass '1234qwer' -alias sonar.example.com -import -file /jenkins/keystore/sonar.crt
```
And here for the cacerts from the JVM:
```
cp /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/security/cacerts /jenkins/keystore/
keytool -import -trustcacerts -keystore /jenkins/keystore/cacerts -storepass 'changeit' -alias sonar.example.com -import -file /jenkins/keystore/sonar.crt
```
**Can you please help me solve this issue? What am I missing?**
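
One check that narrows down a PKIX path building failure like the one in the post above is to confirm that the certificate the server presents has the same fingerprint as an entry in the trust store. The script below is an added example, not part of the original post: the function names and the second fingerprint are constructed, and port 443 in the comment is an assumption.

```shell
#!/usr/bin/env bash
# Print "alias<TAB>entry type<TAB>fingerprint" for each entry of `keytool -list` text on stdin.
keystore_entries() {
  awk '
    /Entry,[ \t]*$/ {                    # "sonar.example.com, Apr 15, 2021, trustedCertEntry,"
      n = split($0, f, /,[ \t]*/)
      alias = f[1]; type = f[n - 1]
      next
    }
    /^Certificate fingerprint/ && alias != "" {
      sub(/^[^:]*:[ \t]*/, "")           # keep only the colon-separated hex digest
      print alias "\t" type "\t" toupper($0)
      alias = ""
    }'
}

# Print the entry holding the given fingerprint; exit status 1 if no entry has it.
# $1 may be a bare digest or an openssl "SHA1 Fingerprint=..." line.
alias_for_fingerprint() {
  want=$(printf '%s' "$1" | sed 's/^.*=//' | tr 'a-f' 'A-F')
  keystore_entries | awk -F'\t' -v want="$want" '
    $3 == want { print $1 " (" $2 ")"; found = 1 }
    END { exit !found }'
}

# The jenkins.jks listing shown in the post, embedded so the script runs offline.
sample_listing() {
  cat <<'EOF'
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
jenkins.example.com, Apr 16, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 5B:42:45:66:DA:6F:DE:99:3F:86:82:74:1C:D1:91:6D:0E:71:05:89
sonar.example.com, Apr 15, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 87:4B:5F:E4:86:58:A7:44:35:60:38:BB:D6:77:B2:14:7A:75:7B:11
EOF
}

# On a live system the fingerprint would come from (port 443 assumed):
#   openssl s_client -connect sonar.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
# and stdin from: keytool -list -keystore /jenkins/keystore/cacerts -storepass changeit
imported='SHA1 Fingerprint=87:4B:5F:E4:86:58:A7:44:35:60:38:BB:D6:77:B2:14:7A:75:7B:11'
reissued='SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'  # constructed value
for fp in "$imported" "$reissued"; do
  sample_listing | alias_for_fingerprint "$fp" || echo "no keystore entry matches: $fp"
done
```

If the presented fingerprint matches an entry and the handshake still fails, the remaining question is whether the JVM running the scanner actually loaded that trust store.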