Sonar Scanner for .NET: What kind of client certificate is required?

Hi,
I am trying to run an analysis of C# code using the SonarScanner for .NET and found that compared to other languages, I can’t seem to make use of a java key store, but need to have a password-protected client certificate instead.

We are running SonarQube 9.9 LTS as a standalone server within our company network, secured behind an Apache server with URL-rewrites, so we can access it through https/ssl only.

I managed to get analysis running using the sonar scanner docker image for things like Dockerfiles, TypeScript etc., and through Maven for Java, both of which required a key store with a server certificate. However, there are so many options on how and where to create a client certificate, I’m not even sure where to start for .Net:

  • Do I need a separate client certificate for every client / build agent which tries to run the analysis, or do I just need any certificate which can be verified?
  • Does the client certificate have to share a common Root CA with the server, meaning I have to request a certificate for every client / build agent through our IT department?
  • Can I create a local root CA on the machine hosting sonarqube instead, and answer client CSRs with that?
  • Is it possible to create these certificates on-the-fly (via command line) on the build agents? (some Windows, some Linux)

[Edit] Here’s what I tried, using openssl:

  • Created a local root CA on the server
  • Created a local server certificate using this root CA on the same server
  • Installed the local root CA as trusted CA on the server
  • Installed the local server certificate on the server
  • Installed the local root CA as trusted CA on the client
  • Created a CSR using a password-protected key on the client, and created a client certificate from it using the local root CA on the server
  • Installed the client certificate on the client
  • Tried running the sonar scanner

The begin step works as it always does, but the end step still comes up with the usual “javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”

I assume this is because the Apache reverse proxy uses an “official” certificate which does not share a common ancestor with my local root CA, and the sonarscanner tries establishing two-way ssl authentication using the “official” certificate and the locally signed client certificate?

Unfortunately, getting our IT department to answer a CSR for a client certificate is likely to take weeks and involve lots of discussion, so I’d like to get some more insight before I try that way.

Hey there.

I think there’s a bit of confusion. You probably don’t need a client certificate, and even if you had one, it’s not even being given to the Java process where you are getting the error (even when wrapped by .NET, Java is still doing the heavy lifting here, except for the Begin step, which you already have working!)

You just need to make sure that the Java distribution running the bulk of the end step has access to a keystore (trust store) that can verify the certificate installed on your SonarQube server. If you already have those java parameters ready and a keystore sitting on your agents, you can just pass them to SONAR_SCANNER_OPTS:

SONAR_SCANNER_OPTS = -Djavax.net.ssl.trustStore=trustStore.keystore -Djavax.net.ssl.trustStorePassword=changeit

A tool like SSLPoke is great for this, and can help you troubleshoot the Java distribution without running a full scan each time (and figuring out what options to hand to SONAR_SCANNER_OPTS).

If you can adjust the default trust store of the Java installation being used, you don’t have to worry about SONAR_SCANNER_OPTS.

In summary: I think we just have to focus on this part.
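The setup the answer above describes, as an added example script that is not part of the thread: it collects the certificate chain the Apache reverse proxy presents, imports it into a Java trust store with keytool, and hands that store to the Java side of the end step via SONAR_SCANNER_OPTS. The host name, file names, password and token variable are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: build a Java trust store holding the
# certificate chain served by the reverse proxy in front of SonarQube, then pass
# it to the Java process behind "dotnet sonarscanner end" via SONAR_SCANNER_OPTS.
set -eu

SONAR_HOST="sonarqube.example.internal"   # placeholder: the proxy's host name
TRUST_STORE="sonar-truststore.jks"        # placeholder: keystore file to create
TRUST_STORE_PASS="changeit"               # placeholder: keep real secrets in CI variables

# Fetch every certificate the server sends in the TLS handshake, split the chain
# into one PEM file per certificate and import each into a fresh trust store.
# Trusting the served chain (leaf, intermediates, root) lets the Java PKIX
# builder find a trust anchor for this proxy even with a corporate CA.
build_trust_store() {
  host="$1"; store="$2"; pass="$3"
  workdir="$(mktemp -d)"
  rm -f "$store"   # start from an empty store so reruns do not hit duplicate aliases
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk -v dir="$workdir" '/BEGIN CERTIFICATE/{n++; inside=1}
                             inside{print > (dir "/cert-" n ".pem")}
                             /END CERTIFICATE/{inside=0}'
  for pem in "$workdir"/cert-*.pem; do
    keytool -importcert -noprompt -alias "sonar-$(basename "$pem" .pem)" \
      -file "$pem" -keystore "$store" -storepass "$pass"
  done
  rm -rf "$workdir"
}

# Compose the SONAR_SCANNER_OPTS value from a trust store path and its password.
scanner_opts() {
  printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Pass "run" to build the store and execute the end step; without it the script
# only defines the functions above.
if [ "${1:-}" = "run" ]; then
  build_trust_store "$SONAR_HOST" "$TRUST_STORE" "$TRUST_STORE_PASS"
  SONAR_SCANNER_OPTS="$(scanner_opts "$TRUST_STORE" "$TRUST_STORE_PASS")"
  export SONAR_SCANNER_OPTS
  # Only the end step needs the Java trust store; the begin step is pure .NET.
  # SONAR_TOKEN is a placeholder for the analysis token stored in CI.
  dotnet sonarscanner end /d:sonar.login="${SONAR_TOKEN:?set SONAR_TOKEN}"
fi
```

Run as `sh build-truststore.sh run` on a Linux agent after `dotnet sonarscanner begin` and the build; on Windows agents the same keytool and SONAR_SCANNER_OPTS values apply, only the shell wrapper differs.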


Thanks, that was the missing piece.
I had tried with /d:javax.net.ssl.trustStore etc. as a command line argument to the dotnet call, but when that failed, everything I could find on the subject led me to the client certificate command line options.
