Sonar scanner end fails to connect

We are using SonarQube Community Edition Version 9.4 (build 54424).
I am trying to scan a .NET 6 (6.0.301) Windows project from GitLab 15.1.2-ee.

Scanner:
SonarScanner for MSBuild 5.7.2
Using the .NET Core version of the Scanner for MSBuild
INFO: SonarScanner 4.7.0.2747
INFO: Java 17.0.3 Microsoft (64-bit)
INFO: Windows Server 2019 10.0 amd64

I try to run the following commands:

dotnet sonarscanner begin /k:"..." /d:sonar.login="$SONAR_TOKEN" /d:"sonar.host.url=$SONAR_HOST_URL"
dotnet build LAB.Dev.slnf
dotnet sonarscanner end /d:sonar.login="$SONAR_TOKEN"

During “sonarscanner end” I get the following error logs (these are just some of them):

Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
 at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
 at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
 at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
 at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
 ... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I can connect to the SonarQube server and it shows all certificates are valid.
I tried the same from a Docker container and it failed with “sonarscanner begin” at the beginning. But I reached the same issue after adding the root certificate and SubCA.
The certificates are in the OS certificate store.

Why does “sonarscanner begin” reach the server while “sonarscanner end” fails?

What is going wrong and how can I get it working?

Best Regards,
Nico

Hey there.

sonarscanner begin uses .NET to establish the connection, which is well integrated with your system certificates.
sonarscanner end uses Java which typically has its own truststore.

  • You can modify the Java truststore to trust your SonarQube server’s certificate, or
  • Create and pass a custom truststore to the SONAR_SCANNER_OPTS environment variable
  • …stop using a self-signed certificate? :smiley:
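The first two options above, as an added example that is not part of the original thread or of SonarSource's tooling: it resolves the truststore file a given JVM reads by default, imports the CA files into a copy at an explicit path, and prints the matching `SONAR_SCANNER_OPTS` value. It assumes a POSIX shell with `keytool` on the PATH (a Linux container or Git Bash); the function names, file paths and the `changeit` password are placeholders.

```shell
# Added example (not from the thread). Paths, aliases and the store
# password are placeholders; "changeit" is the JDK default password.

# Print the truststore a JVM under JAVA_HOME ($1) reads when
# -Djavax.net.ssl.trustStore is unset: jssecacerts if present, else cacerts.
default_truststore() {
  if [ -f "$1/lib/security/jssecacerts" ]; then
    printf '%s\n' "$1/lib/security/jssecacerts"
  else
    printf '%s\n' "$1/lib/security/cacerts"
  fi
}

# build_truststore JAVA_HOME DEST STOREPASS CERT...
# Copies the JVM's default store to DEST and imports every CERT into the copy.
# Runs in a subshell so its variables stay local; exits 2 on a missing CERT.
build_truststore() (
  java_home=$1 dest=$2 pass=$3
  shift 3
  for crt in "$@"; do
    [ -r "$crt" ] || { echo "missing certificate: $crt" >&2; exit 2; }
  done
  cp "$(default_truststore "$java_home")" "$dest" || exit 1
  chmod u+w "$dest"
  for crt in "$@"; do
    name=$(basename "${crt%.*}")   # CA.crt -> alias "CA"
    keytool -importcert -trustcacerts -noprompt -alias "$name" \
      -file "$crt" -keystore "$dest" -storepass "$pass" >&2 || exit 1
  done
)

# Print the JVM options that make the scanner's Java process use the store.
scanner_opts() {
  printf '%s=%s %s=%s\n' -Djavax.net.ssl.trustStore "$1" \
    -Djavax.net.ssl.trustStorePassword "$2"
}

# Script mode: sh truststore.sh "$JAVA_HOME" /abs/path/sonar.jks changeit CA.crt SubCA01.crt
if [ "$#" -ge 4 ]; then
  build_truststore "$@" && scanner_opts "$2" "$3"
fi
```

Set `SONAR_SCANNER_OPTS` to the printed line before running `dotnet sonarscanner end`. Passing an absolute store path removes any doubt about which file the Java process reads.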

OK.

I tried to add the certificates to the Java truststore

keytool -import -alias ca -file CA.crt -keystore cacerts -storepass changeit -noprompt
keytool -import -alias SubCA -file SubCA01.crt -keystore cacerts -storepass changeit -noprompt

But it still doesn't work.
I added set SONAR_SCANNER_OPTS=-Djavax.net.debug="ssl,handshake"
But I didn't see more.

SSLPoke might be a useful tool to make sure the changes that you make are having the expected impact on Java being able to successfully connect to your SonarQube server.