Sonarqube server can not be reached for HTTPS servers by sonar-scanner-cli-docker

Currently I’m using sonar-scanner-cli-docker to scan our Python project as follows.

docker run -e SONAR_HOST_URL=https://an.internal.server -it -v "$(pwd):/usr/src" sonarsource/sonar-scanner-cli

It raised an error saying

ERROR: SonarQube server [https://an.internal.server] can not be reached

I checked some threads with similar issues, sonarqube-server-cannot-be-reached and sonarqube-server-can-not-be-reached-error; they say we need to add the certificate to the Java certificate trust store.

I cloned the whole project sonar-scanner-cli-docker and want to make the change myself. I found that inside the image, sonar-scanner (/opt/sonar-scanner) ships a JRE (/opt/sonar-scanner/jre) with it. But inside the JRE there’s no keytool, which imports the certificate into the Java trust store.

Here’s what I found on the internet (just for reference).

keytool -import -alias your-alias -keystore cacerts -file certificate.der

So the question is how to add the certificate if keytool cannot be found in the JRE shipped with the sonar-scanner-cli-docker image.

I’m very new to Java. Thanks for any advice.

SonarQube Scanner

Welcome to the community! One solution could be to extend the docker image to build your own, with keytool installed and your keystore customized. Another option could be to build your own keystore outside the docker image, and bind it in the jre folder.

Thanks for the reply!

I finally got it done by building my own keystore outside the image and binding it.

I’m NOT quite sure, but during the process I tried different keytools from different JRE versions and different platforms (Mac, Linux), and it seems the cacerts (keystore) files created don’t all work.

E.g. I used the keytool on my Mac to create the cacerts, but it didn’t work. Then I switched to Linux and used the keytool there, and the cacerts it created worked.

Just FYI, in case anyone else meets the same issue.

Great, thanks for sharing the solution! Indeed, it makes sense to use the same keystore as the target. The SonarQube base image is openjdk:slim, which is Debian-based.

Hi, I am facing the same issue. How did you fix it? I am trying to run the sonarscanner in a CI job pipeline and getting this error. How do I import my local server cert into the sonarscanner-cli docker image?
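
The approach that worked in this thread (build the keystore outside the image and bind it over the JRE's own), as an added example that is not code from any poster or from SonarSource; it goes one step further by starting from the image's own trust store. It assumes the store sits at lib/security/cacerts under the /opt/sonar-scanner/jre path mentioned above and uses the Java default password changeit; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Items marked ASSUMPTION are not on the page.
SCANNER_IMAGE="${SCANNER_IMAGE:-sonarsource/sonar-scanner-cli}"  # image from the thread
# ASSUMPTION: the JRE at /opt/sonar-scanner/jre (path from the thread) uses the
# standard layout, so its trust store is lib/security/cacerts.
CACERTS_IN_IMAGE="/opt/sonar-scanner/jre/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"  # default password of a stock Java cacerts file

# Copy the image's own trust store out (-L follows a symlinked cacerts), so the
# result keeps the public CAs the scanner already trusts.
extract_cacerts() {  # $1 = output file
    cid=$(docker create "$SCANNER_IMAGE") || return 1
    rc=0
    docker cp -L "$cid:$CACERTS_IN_IMAGE" "$1" || rc=$?
    docker rm "$cid" >/dev/null
    return "$rc"
}

# Add the internal certificate, then confirm the alias is really in the store.
# Per the thread, a store written by keytool on Linux worked where one from a Mac did not.
import_cert() {  # $1 = store file, $2 = certificate file, $3 = alias
    [ -s "$1" ] && [ -s "$2" ] || { echo "missing store or certificate" >&2; return 1; }
    keytool -importcert -noprompt -trustcacerts -alias "$3" \
        -file "$2" -keystore "$1" -storepass "$STOREPASS" || return 1
    keytool -list -alias "$3" -keystore "$1" -storepass "$STOREPASS" >/dev/null
}

# Run the scanner with the store bound read-only over the JRE's own cacerts.
run_scanner() {  # $1 = store file, $2 = SONAR_HOST_URL, $3 = source directory
    # A relative -v source is treated as a volume name, and a missing host path
    # is created as a directory, so insist on an existing absolute file.
    case "$1" in /*) ;; *) echo "store path must be absolute: $1" >&2; return 1 ;; esac
    [ -f "$1" ] && [ -s "$1" ] || { echo "store missing or empty: $1" >&2; return 1; }
    # No -it here: CI jobs normally have no TTY to attach.
    docker run --rm -e "SONAR_HOST_URL=$2" \
        -v "$3:/usr/src" -v "$1:$CACERTS_IN_IMAGE:ro" "$SCANNER_IMAGE"
}

# Usage (constructed file names):
#   extract_cacerts "$PWD/cacerts"
#   import_cert "$PWD/cacerts" internal-ca.pem internal-ca
#   run_scanner "$PWD/cacerts" https://an.internal.server "$PWD"
```

Importing only the internal CA certificate, rather than replacing the store with a freshly created one, keeps the scanner's trust in the public CAs it already had.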