Scanner https access sonarqube via nginx

which versions are you using

sonarqube 9.0

sonar-scanner 4.6.2.2472

JDK11

nginx:1.21.1

what are you trying to achieve

Scanner https access sonarqube via nginx

what have you tried so far to achieve this

1 copy nginx cert to jdk11 trustcacerts

keytool -import -v -trustcacerts -alias keyAlias -file server.cer -keystore cacerts.jks -keypass changeit

check import cert is ok

2 startup sonarscanner

#! /bin/bash
echo 'hello world'

#export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/root/store/sonar.jks -Djavax.net.ssl.trustStorePassword=123456"
export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/root/soft/jdk-11/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
#export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/root/cert/server.crt"
#export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/root/store/sonartruststore.jks"
#export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/root/store/sonartruststore.jks"

#export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/root/store/sonar-server.crt"
sonar-scanner -Djavax.net.ssl.trustStore=/root/soft/jdk-11/lib/security/cacerts  -Dsonar.projectKey=vuekey  -Dsonar.projectName=vueproject  -Dsonar.sources=src -Dsonar.login=0402b380a52f9cead2354155b148548a23f2ad9c

3 results

WARN: Property 'javax.net.ssl.trustStore' with value '/root/soft/jdk-11/lib/security/cacerts' is overridden with value '/root/soft/jdk-11/lib/security/cacerts'
INFO: Scanner configuration file: /root/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.6.2.2472
INFO: Java 11.0.11 AdoptOpenJDK (64-bit)
INFO: Linux 3.10.0-1160.24.1.el7.x86_64 amd64
INFO: SONAR_SCANNER_OPTS=-Djavax.net.ssl.trustStore=/root/soft/jdk-11/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit
INFO: User cache: /root/.sonar/cache
ERROR: SonarQube server [https://sonar.com] can not be reached
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 2.194s
INFO: Final Memory: 3M/17M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
        at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
        at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
        at org.sonarsource.scanner.cli.Main.execute(Main.java:73)
        at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
        at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
        at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
        at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
        ... 7 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname sonar.com not verified:
    certificate: sha256/mva40x9/c4RSufb4i565CooMaL/CkHdujZ0c3JBzKrU=
    DN: CN=sonar.com, OU=cn, O=cn, L=cn, ST=cn, C=cn
    subjectAltNames: []
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:350)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:185)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.Transmitter.newExchange(Transmitter.java:169)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
        at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:81)
        at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:115)
        at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:99)
        at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)
        ... 10 more
ERROR:
ERROR: Re-run SonarScanner using the -X switch to enable full debug logging.

Hey there.

SonarQube uses a library called OkHTTP to handle things like communication over SSL. At some point in the past, when upgrading the version of OkHTTP used in SonarQube, it became no longer valid to use a certificate with the hostname only declared in the CN.

Hostnames now need to be defined in the subjectAltNames of a certificate in order for SSL to function correctly.

This is typically the cause of the issue seen above.

Based on the logs shared, you will need to fix this in the certificate installed on your SonarQube server.
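An added example, not part of the original thread or of SonarSource's code: a shell sketch that issues a self-signed certificate for sonar.com with and without a subjectAltName entry, then checks each one for the entry the error above reports as missing (`subjectAltNames: []`). The directory and file names are placeholders, and it assumes the openssl CLI is installed.

```sh
#!/bin/sh
# Added example. Hostname sonar.com is taken from the log above; the output
# directory and file names are placeholders chosen for this sketch.

# make_cert <dir> <hostname> <yes|no>: self-signed cert, with or without a SAN.
make_cert() {
  mkdir -p "$1" || return 1
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ "$3" = yes ]; then printf 'x509_extensions = v3\n'; fi
    printf '[dn]\nCN = %s\n' "$2"
    if [ "$3" = yes ]; then printf '[v3]\nsubjectAltName = DNS:%s\n' "$2"; fi
  } > "$1/openssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$1/openssl.cnf" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# cert_has_san <cert.pem> <hostname>: succeeds only if the certificate lists
# the hostname as a dNSName in subjectAltName (exact match, no wildcards).
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//' \
    | grep -Fxq "DNS:$2"
}

# check_pair: build a CN-only cert and a SAN cert, report how each one checks.
check_pair() {
  work=$(mktemp -d) || return 1
  make_cert "$work/cn_only" sonar.com no || return 1
  make_cert "$work/with_san" sonar.com yes || return 1
  for c in cn_only with_san; do
    if cert_has_san "$work/$c/server.crt" sonar.com; then
      echo "$c: SAN ok"
    else
      echo "$c: no SAN for sonar.com"
    fi
  done
  rm -rf "$work"
}

check_pair
```

Point nginx's `ssl_certificate` and `ssl_certificate_key` at the regenerated `server.crt` and `server.key`, then import the new `server.crt` into the scanner's truststore again, since a re-issued self-signed certificate is a different certificate from the one imported earlier.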

Thank you very much, you helped me a lot. I spent a lot of time on it. Thank you!
