Sonar scanner cannot establish a connection to HTTPS SonarQube server

Sonarqube server = Version 8.9.9 (build 56886)
Sonar Scanner = 4.7.0.2747

Please can someone help

I run sonar scanner as Docker and build images as instructed in SonarScanner | SonarQube Docs:
FROM sonarsource/sonar-scanner-cli
COPY cacert /usr/lib/jvm/default-jvm/jre/lib/security/cacerts

But sonar scanner cannot find a valid certificate (error below):

08:56:37.206 INFO: Scanner configuration file: /usr/lib/sonar-scanner/conf/sonar-scanner.properties

08:56:37.211 INFO: Project root configuration file: /workdir/sonar-project.properties

08:56:37.280 INFO: SonarScanner 4.7.0.2747

08:56:37.280 INFO: Java 11.0.14.1 Eclipse Adoptium (64-bit)

08:56:37.280 INFO: Linux 5.10.47-linuxkit amd64

08:56:37.536 DEBUG: keyStore is :

08:56:37.536 DEBUG: keyStore type is : pkcs12

08:56:37.536 DEBUG: keyStore provider is :

08:56:37.536 DEBUG: init keystore

08:56:37.537 DEBUG: init keymanager of type SunX509

08:56:37.735 DEBUG: Create: /root/.sonar/cache

08:56:37.736 INFO: User cache: /root/.sonar/cache

08:56:37.737 DEBUG: Create: /root/.sonar/cache/_tmp

08:56:37.741 DEBUG: Extract sonar-scanner-api-batch in temp...

08:56:37.746 DEBUG: Get bootstrap index...

08:56:37.747 DEBUG: Download: https://xxxx/batch/index

08:56:38.047 ERROR: SonarQube server [https://xxxx] can not be reached

08:56:38.047 INFO: ------------------------------------------------------------------------

08:56:38.048 INFO: EXECUTION FAILURE

08:56:38.048 INFO: ------------------------------------------------------------------------

08:56:38.048 INFO: Total time: 0.856s

08:56:38.067 ERROR: Error during SonarScanner execution

08:56:38.066 INFO: Final Memory: 3M/17M

08:56:38.066 INFO: ------------------------------------------------------------------------

org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis

at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)

at java.base/java.security.AccessController.doPrivileged(Native Method)

at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)

at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)

at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)

at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)

at org.sonarsource.scanner.cli.Main.execute(Main.java:73)

at org.sonarsource.scanner.cli.Main.main(Main.java:61)

Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server

at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)

at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)

at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)

at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)

... 7 more

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)

at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)

at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)

at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)

at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)

at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)

at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:336)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:185)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.Transmitter.newExchange(Transmitter.java:169)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)

at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)

at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:221)

at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:81)

at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:115)

at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:99)

at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)

... 10 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)

at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)

at java.base/sun.security.validator.Validator.validate(Unknown Source)

at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)

... 45 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)

at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)

at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)

Hi @darwin ,

Please check our documentation on Using self-signed certificates when using the sonar-scanner-cli Docker image:

If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, you can use a volume under /tmp/cacerts to add it to the container's Java trust store:

docker pull sonarsource/sonar-scanner-cli
docker run \
--rm \
-v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
-v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
-v ${YOUR_REPO}:/usr/src \
-e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
sonarsource/sonar-scanner-cli

Alternatively, you can create your own container that includes the modified cacerts file. Create a Dockerfile with the following contents:

FROM sonarsource/sonar-scanner-cli
COPY cacerts /usr/lib/jvm/default-jvm/jre/lib/security/cacerts

Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:

docker build --tag our-custom/sonar-scanner-cli .

Hi @Joe ,

Thanks for your response. I did the same as the document to create my own container from the Dockerfile below:

FROM sonarsource/sonar-scanner-cli
COPY cacerts /usr/lib/jvm/default-jvm/jre/lib/security/cacert

But still, after the image build, the scanner container can't communicate with the Sonar server.
I use the same cacert and insert it into sonar-scanner 4.6 and it works, but somehow it does not work on sonar-scanner 4.7.

Hi @Joe

Finally it’s connected. Thanks

Hi @darwin! I’m glad to hear that it works for you. Did it work for you with 4.6 or 4.7 Sonar scanner version? Or what did you change to make it work with 4.7?

Hi @Joe

It works for both versions; it seems that for scanner 4.6 and 4.7 the keystore path is different.

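The thread ends on the observation that the keystore path differs between scanner image versions, so a hardcoded COPY destination can silently write a file the JVM never reads. The script below is an added example, not code from the thread or from SonarSource: it asks the running JVM for its `java.home`, resolves the `cacerts` file under either JDK layout, and imports the CA there. The alias `sonarqube-ca` is a hypothetical name and `changeit` is assumed to be the unchanged default trust store password.

```shell
#!/bin/sh
# Added example: resolve the JVM's real trust store instead of hardcoding it.

# Extract java.home from `java -XshowSettings:properties -version` output (stdin).
parse_java_home() {
    sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Print the cacerts file under a given java.home, trying the Java 9+ layout
# first and the Java 8 JDK layout (with the jre/ subdirectory) second.
find_truststore() {
    for candidate in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Import a PEM CA certificate into the resolved trust store, then list the
# entry back so a failed or misplaced import is visible at build time.
import_ca() {
    ca_pem=$1
    alias_name=${2:-sonarqube-ca}   # hypothetical alias
    java_home=$(java -XshowSettings:properties -version 2>&1 | parse_java_home)
    store=$(find_truststore "$java_home") || {
        echo "no cacerts found under $java_home" >&2
        return 1
    }
    # "changeit" is the JDK's default cacerts password (assumed unchanged).
    keytool -importcert -noprompt -trustcacerts -alias "$alias_name" \
        -file "$ca_pem" -keystore "$store" -storepass changeit || return 1
    keytool -list -alias "$alias_name" -keystore "$store" -storepass changeit
}

# Run only when an existing certificate file is passed as the first argument.
if [ -f "${1:-}" ]; then
    import_ca "$@"
fi
```

Run it inside the image as a user that can write to the trust store, passing the CA certificate in PEM form; the final `keytool -list` prints the imported entry's fingerprint for comparison with the server's CA.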
