Sonarlint for Eclipse does not propose to accept https certificate of sonarlint and sonarsource

Hi,

This is an issue which only happens in various corporate environments. With home internet, I don’t have this issue.

When I try to install the Sonarlint plugin from Eclipse marketplace, it raises this error “PKIX path building failed”.
So no worries, I open the link in Google Chrome and then I click on the certificate padlock icon and export the certificate into a file. On the web page https://eclipse-uc.sonarlint.org/compositeContent.xml, there were also links to distributions using another domain “sonarsource.com”, so that’s 2 certificates named sonarlint_uc.cer and sonarsource.cer.
So I shut down Eclipse and install the 2 certificates with keytool:

  • C:\Users\xxxxx\Downloads\eclipse-java-2022-12-R-win32-x86_64\eclipse\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_17.0.5.v20221102-0933\jre>bin\keytool.exe -import -file C:\Users\xxxxx\sonarlint_uc.cer -cacerts -alias sonarlint_uc
  • C:\Users\xxxxx\Downloads\eclipse-java-2022-12-R-win32-x86_64\eclipse\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_17.0.5.v20221102-0933\jre>bin\keytool.exe -import -file C:\Users\xxxxx\sonarsource.cer -cacerts -alias sonarsource

I enter the password “changeit” and confirm “yes”.
And then, only once I restart Eclipse, I’m able to download and install the Sonarlint plugin.

The strange thing is, with other plugins, such as SpotBugs, I don’t have this issue. I just have a popup prompting me to accept or refuse the certificate. Is it possible to implement this in the Sonarlint plugin?

  • Operating system: Windows 10
  • SonarLint plugin version: 7.8
  • Programming language you’re coding in: JAVA
  • Is connected mode used: No

Kind regards,
Nicolas Baumann.

Hi Nicolas,

One possibility is that you have a proxy in your corporate environment that is acting as a man in the middle and changing SSL certificates dynamically (example).

Our SSL certificates (both for https://eclipse-uc.sonarlint.org/ and https://binaries.sonarsource.com) are signed by well-known third parties, so AFAIK they should be trusted by default in JVM or OS truststores.

This is a pretty common problem nowadays. See for example this thread: Eclipse Community Forums: Eclipse Platform » unable to find valid certification path to requested target

If you are in this situation, a better solution for you would be to install your proxy intermediate certificate in the Eclipse truststore. This would save you from having to install every other certificate.

The strange thing is, with other plugins, such as SpotBugs, I don’t have this issue.

Maybe because we are using a composite update site, and Eclipse doesn’t handle that the same way? If you have the opportunity, you can try (with a fresh truststore) to manually configure a SonarLint update site pointing directly to https://binaries.sonarsource.com/SonarLint-for-Eclipse/releases/7.8.0.63129/ to skip the composite update site, and see if you observe the same behavior as for other plugins.

Anyway we have plans to remove this composite update site soon.

Hi Julien,

One possibility is that you have a proxy in your corporate environment that is acting as a man in the middle and changing SSL certificates dynamically (example).

Indeed we have Zscaler at work.

If you are in this situation, a better solution for you would be to install your proxy intermediate certificate in the Eclipse truststore. This would save you from having to install every other certificate.

Willing to test this approach. However, I have no idea where to find that.

Maybe because we are using a composite update site, and Eclipse doesn’t handle that the same way? If you have the opportunity, you can try (with a fresh truststore) to manually configure a SonarLint update site pointing directly to https://binaries.sonarsource.com/SonarLint-for-Eclipse/releases/7.8.0.63129/ to skip the composite update site, and see if you observe the same behavior as for other plugins.

No, unfortunately. It’s a “PKIX path building failed” again.

Unable to read repository at https://binaries.sonarsource.com/SonarLint-for-Eclipse/releases/7.8.0.63129/content.xml.

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Kind regards,
Nicolas Baumann.

The first step is to get the Zscaler certificate. You should ask your IT department since it is critical for your security to use the right one.

Then add the Zscaler certificate to the Eclipse truststore.

Then I am not sure why there is a different behavior between SpotBugs and SonarLint update sites. This would require a better understanding of your corporate setup (are both sites filtered the same way by Zscaler?).
Anyway, I don’t think we are doing anything special, so to me the trick is somewhere between Eclipse and Zscaler, and I can’t really commit to helping you more in this direction.
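Added example, not code from the thread or from SonarSource: a small Java diagnostic that connects to one of the update-site hosts named above, validates the presented chain against the same JVM default truststore that `keytool -cacerts` edits, and prints each certificate's subject/issuer plus the SHA-256 fingerprint of the topmost certificate the server sent. Under an intercepting proxy such as Zscaler that topmost certificate is the proxy's CA or intermediate, which is the one to compare against what IT provides and to import (rather than per-site leaf certificates exported from a browser). The host name and port are assumptions; run it with the Eclipse JRE (`<eclipse>/plugins/org.eclipse.justj...jre/bin/java`) so it checks the truststore Eclipse actually uses.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Hypothetical diagnostic: records the server chain, then lets the JVM's
// default X509TrustManager make the real trust decision.
public class ChainInspector {
    private static X509Certificate[] seen; // chain captured during the handshake

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "binaries.sonarsource.com"; // host from the thread
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JVM default truststore (cacerts), same one keytool -cacerts edits
        X509TrustManager def = (X509TrustManager) tmf.getTrustManagers()[0];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { def.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen = c;                    // keep the chain even if validation fails below
                def.checkServerTrusted(c, a); // real decision: throws on "PKIX path building failed"
            }
            public X509Certificate[] getAcceptedIssuers() { return def.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{recorder}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check the host name, as a browser would
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("chain validated against the JVM truststore");
        } catch (SSLHandshakeException e) {
            System.out.println("NOT trusted: " + e.getMessage());
        }
        if (seen == null) { System.out.println("no certificate chain received"); return; }
        for (int i = 0; i < seen.length; i++)
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i, seen[i].getSubjectX500Principal(), seen[i].getIssuerX500Principal());
        X509Certificate top = seen[seen.length - 1];
        System.out.println("top-of-chain SHA-256: " + fingerprint(top));
        System.out.println("If the issuer is not a public CA, compare this fingerprint with the proxy CA your IT department provides before importing it.");
    }

    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
}
```

Point `-Djavax.net.ssl.trustStore` at a copy of cacerts (or simply run the tool a second time after `keytool -import`) to confirm the proxy CA import fixes validation without having to restart Eclipse to find out.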