SonarLint + ZScaler certificate javax.net.ssl.SSLHandshakeException: PKIX

Please provide

  • Operating system: Windows 10 and Mac OS 13
  • SonarLint plugin version: v3.14.0
  • Programming language you’re coding in: Python, C#
  • Is connected mode used:
    • Connected to SonarCloud or SonarQube (and which version): SonarQube Enterprise 8.9.9 (build 56886)

And a thorough description of the problem / question:
SonarQube cannot connect with the SonarQube server and presents the following error:

Suppressed: java.lang.NullPointerException: Cannot invoke "org.sonarsource.sonarlint.core.commons.http.HttpClient$Response.code()" because "response" is null
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)

When I disable ZScaler the problem doesn’t present. I believe the issue is with ZScaler; the question is what can be done about it, as other applications work regardless of it.
It’d be important to find a solution that can be implemented for all our developers, and disabling ZScaler is out of the question.

Hey there.

We feel your pain.

You will need to make sure that the Java installation used by SonarLint trusts the ZScaler root certificate. Something like:

sudo keytool -import -file ZscalerRootCertificate-2048-SHA256.crt -cacerts

3 Likes

Please also note that if you are using the Java runtime that is shipped with SonarLint, you have 2 options:

  • You can add the certificate to the trust store of the embedded runtime (which you’ll need to do after each update of the extension)
  • You can also create a separate trust store and refer to it in the SonarLint settings, with something like this in your user settings:
{
  "sonarlint.ls.vmargs": " -Djavax.net.ssl.trustStore=path/to/cacerts"
}

If you are specifying a Java runtime through sonarlint.ls.javaHome, please make sure that you add the Zscaler root certificate to its trust store.

1 Like
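
The separate trust store option from the reply above, as an added example that is not part of the original posts: it copies a JDK `cacerts` file and imports the root CA only when its SHA-256 fingerprint matches a value obtained out of band. The function names, the `zscaler-root` alias, the `TRUSTSTORE_PASS` variable, the `changeit` default password and the paths in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Names, alias and paths are assumptions.

# Print the SHA-256 fingerprint of a certificate file in keytool's own format
# (upper-case hex pairs separated by colons).
cert_fingerprint() {
  keytool -printcert -file "$1" 2>/dev/null | sed -n 's/^[[:space:]]*SHA256: //p'
}

# build_truststore <source cacerts> <root CA file> <expected SHA-256> <new store> [alias]
# Returns 0 on success, 1 on missing input or copy failure,
# 2 on fingerprint mismatch, 3 when the import itself fails.
build_truststore() {
  local src="$1" cert="$2" expected="$3" dest="$4" alias="${5:-zscaler-root}"
  local pass="${TRUSTSTORE_PASS:-changeit}"   # assumption: JDK default store password
  [ -r "$src" ] && [ -r "$cert" ] || { echo "missing input file" >&2; return 1; }

  # Refuse to trust a CA whose fingerprint differs from the one supplied by
  # the team that operates the proxy.
  local actual
  actual="$(cert_fingerprint "$cert")"
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch, not importing: ${actual:-unreadable}" >&2
    return 2
  fi

  # Work on a copy so the JDK's own cacerts stays untouched and the result
  # survives updates of the embedded runtime.
  cp "$src" "$dest" && chmod u+w "$dest" || return 1
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
          -keystore "$dest" -storepass "$pass" >/dev/null 2>&1 \
    || { rm -f "$dest"; return 3; }

  # Confirm the alias is present before any JVM is pointed at the new store.
  keytool -list -alias "$alias" -keystore "$dest" -storepass "$pass" >/dev/null 2>&1
}

# Usage (hypothetical paths; the fingerprint placeholder must be replaced):
#   build_truststore "$JAVA_HOME/lib/security/cacerts" \
#       ZscalerRootCertificate-2048-SHA256.crt \
#       "<SHA-256 fingerprint from your proxy team>" "$HOME/.sonarlint-cacerts"
# Then reference the new file via -Djavax.net.ssl.trustStore in sonarlint.ls.vmargs.
```

The explicit alias makes the entry easy to find and remove later with `keytool -list` and `keytool -delete`.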