I am trying to run an analysis of C# code using the SonarScanner for .NET and found that compared to other languages, I can’t seem to make use of a java key store, but need to have a password-protected client certificate instead.
We are running SonarQube 9.9 LTS as a standalone server within our company network, secured behind an Apache server with URL-rewrites, so we can access it through https/ssl only.
I managed to get analysis running using the sonar scanner docker image for things like dockerfiles, typescript etc, and through Maven for Java, both of which required a key store with a server certificate: However, there are so many options on how and where to create a client certificate, I’m not even sure where to start for .Net:
- Do I need a separate client certificate for every client / build agent which tries to run the analysis, or do I just need any certificate which can be verified?
- Does the client certificate have to share a common Root CA with the server, meaning I have to request a certificate for every client / build agent through our IT department?
- Can I create a local root CA on the machine hosting sonarqube instead, and answer client CSRs with that?
- Is it possible to create these certificates on-the-fly (via command line) on the build agents? (some Windows, some Linux)
[Edit] Here’s what I tried, using openssl
- Create a local root ca on the server
- Create a local server certificate using this root ca on the same server
- Installed the local root CA as trusted CA on the server
- Installed the local server certificate on the server
- Installed the local root CA as trusted CA on the client
- Created a CSR using a password protected key on the client, and created a client certificated from it using the local root CA on the server
- Installed the client certificate on the client
- Tried running the sonar scanner
The begin step works as it always does, but the end step still comes up with the usual “javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”
I assume this is because the Apache reverse proxy uses an “official” certificate which does not share a common ancestor with my local root CA, and the sonarscanner tries establishing two-way ssl authentication using the “official” certificate and the locally signed client certificate?
Unfortunately, getting our IT department to answer a CSR for a client certificate is likely to take weeks and involve lots of discussion, so I’d like to get some more insight before I try that way.