SonarLint Eclipse unable to connect to SonarQube server

Hello,

I’m using SonarQube 8.4.1 developer edition together with SonarLint 5.3 for Eclipse C++ (version 2019.9). The SonarQube server is configured to only allow https connections. If I try to bind the Eclipse project with the SonarQube server project I always get the following exceptions:

Starting SonarLint for Eclipse 5.3.0.19940
Fail to request https://xxx.yyy.zzz/sonarqube/api/system/status
java.lang.IllegalStateException: Fail to request https://xxx.yyy.zzz/sonarqube/api/system/status
at org.sonarsource.sonarlint.core.util.ws.HttpConnector.doCall(HttpConnector.java:196)
at org.sonarsource.sonarlint.core.util.ws.HttpConnector.get(HttpConnector.java:122)
at org.sonarsource.sonarlint.core.util.ws.HttpConnector.call(HttpConnector.java:109)
at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.rawGet(SonarLintWsClient.java:120)
at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.get(SonarLintWsClient.java:85)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.lambda$fetchServerInfos$0(ServerVersionAndStatusChecker.java:97)
at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.processTimed(SonarLintWsClient.java:226)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.fetchServerInfos(ServerVersionAndStatusChecker.java:96)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:60)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:50)
at org.sonarsource.sonarlint.core.WsHelperImpl.validateConnection(WsHelperImpl.java:65)
at org.sonarsource.sonarlint.core.WsHelperImpl.validateConnection(WsHelperImpl.java:58)
at org.sonarlint.eclipse.core.internal.engine.connected.ConnectedEngineFacade.testConnection(ConnectedEngineFacade.java:421)
at org.sonarlint.eclipse.ui.internal.binding.wizard.connection.ServerConnectionTestJob.run(ServerConnectionTestJob.java:53)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at org.sonarsource.sonarlint.shaded.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at org.sonarsource.sonarlint.shaded.okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
at org.sonarsource.sonarlint.shaded.okhttp3.RealCall.execute(RealCall.java:81)
at org.sonarsource.sonarlint.core.util.ws.HttpConnector.doCall(HttpConnector.java:194)
… 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
… 45 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
… 51 more

I already tried to define -Djavax.net.ssl.trustStore in the eclipse.ini file but that didn’t fix the problem. Is there any way to tell the plugin to use a specific trust store?

Hello Christoph,

Thanks for raising this issue.

A few questions first: is it a self-signed certificate ? Was the full certificate chain added to your custom trust store ? You may have intermediate certificates that also need to be imported to the trust store. Also which JDK version are you using ?

Could you send us the commands you used to generate your custom trust store, and also the eclipse.ini file you used ? Did you set a password on the trust store ?

Thanks
Damien

It’s not only a single certificate it’s a trust strore with multiple certificates. The trust store was generated by our IT department.
The read access isn’t password protected. I’m using the same trust store when running the sonar scanner by setting an environemt variable in a batch file before starting the scanner:
“set SONAR_SCANNER_OPTS=(path to trust store file)”

I’m using OpenJDK 12.0.2 under Windows 10 /64bit and here is the content of the eclipse.ini (my changes are bold):

-startup
plugins/org.eclipse.equinox.launcher_1.5.700.v20200207-2156.jar
–launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.1200.v20200508-1552
-product
org.eclipse.epp.package.cpp.product
-showsplash
org.eclipse.epp.package.common
–launcher.defaultAction
openFile
–launcher.defaultAction
openFile
–launcher.appendVmargs
-vmargs
-Dosgi.requiredJavaVersion=1.8
-Dosgi.instance.area.default=@user.home/eclipse-workspace
-XX:+UseG1GC
-XX:+UseStringDeduplication
–add-modules=ALL-SYSTEM
-Dosgi.requiredJavaVersion=1.8
-Dosgi.dataAreaRequiresExplicitInit=true
-Djavax.net.ssl.trustStore=(path to trust store file)
-Xms256m
-Xmx2048m
–add-modules=ALL-SYSTEM

Hello Christoph,

Usually trust stores have an associated password. Maybe you forgot to provide that password as another option:

-Djavax.net.ssl.trustStorePassword=(changeit)

In any case I don’t recommend using those 2 properties, because you are basically overriding the default trust store provided by Java. This could lead to problems with other https connection, for example you could be unable to contact the Eclipse marketplace.

The default trust store is located in $JAVA_HOME/lib/security/cacerts. Maybe you could try to add your certificates in this default store with the keytool command ?

If you still have problems, I would recommend you to double check that the certificates you have are an exact match of what is used on the server-side (please check all fields like Alternative Name)

Hi Damien,

thanks for the hint. I imported the certificates to the java default key store and now I can connect to the server.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.