Scanners downloading JDKs dynamically causing certificate problems

Must-share information (formatted with Markdown):

• SonarQube Version 10.3
• Sonarscanner for dotnet 10.1.2
• how is SonarQube deployed: zip
• We use a Bamboo add-on called Code Quality
• The new version of the scanner(s) pulls the appropriate JDK from the internet and does not use the server settings on our CI server Bamboo. This results in certificate issues.
• How can one deal with this dynamic when JDKs are downloaded dynamically? Cert has to be installed dynamically as well.

16-Jul-2025 22:20:30 22:20:30.856 ERROR: SonarQube server [SERVER-NAME] can not be reached
16-Jul-2025 22:20:30 22:20:30.857 INFO: EXECUTION FAILURE
16-Jul-2025 22:20:30 22:20:30.857 INFO: ------------------------------------------------------------------------
16-Jul-2025 22:20:30 22:20:30.858 INFO: Total time: 1.877s
16-Jul-2025 22:20:30 22:20:30.880 INFO: Final Memory: 4M/20M
16-Jul-2025 22:20:30 22:20:30.880 INFO: ------------------------------------------------------------------------
16-Jul-2025 22:20:30 22:20:30.880 ERROR: Error during SonarScanner execution
16-Jul-2025 22:20:30 org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
16-Jul-2025 22:20:30 at java.base/java.security.AccessController.doPrivileged(Unknown Source)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.cli.Main.main(Main.java:62)
16-Jul-2025 22:20:30 Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
16-Jul-2025 22:20:30 at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
16-Jul-2025 22:20:30 … 7 more
16-Jul-2025 22:20:30 Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
16-Jul-2025 22:20:30 at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
16-Jul-2025 22:20:30 at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
16-Jul-2025 22:20:30 at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

Hey there.

This is only true for SonarQube v10.6+.

Are you sure that’s the SQ version you’re using? Can you check the footer of your instance?

No, you are right. We have version v2025.1.1 on our dev system where the scanners are updated.

Thanks! Just wanted to make sure we were talking about the same thing.

The documentation for Managing the TLS certificates on the client side should help you out.

We had to export the full certificate path from the SonarQube server to all clients using it.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.