Sonarqube server can not be reached for HTTPS servers by sonar-scanner-cli-docker

Currently I’m using sonar-scan-cli-docker to scan our Python project as follows.

docker run -e SONAR_HOST_URL=https://an.internal.server -it -v "$(pwd):/usr/src" sonarsource/sonar-scanner-cli

It raised an error saying

ERROR: SonarQube server [https://an.internal.server] can not be reached

I checked some threads with similar issues, sonarqube-server-cannot-be-reached and sonarqube-server-can-not-be-reached-error; they say we need to add the certificate to the Java certificate trust store.

I cloned the whole sonar-scan-cli-docker project and want to make the change myself. I found that inside the image, sonar-scanner (/opt/sonar-scanner) ships with a JRE (/opt/sonar-scanner/jre). But inside the JRE there’s no keytool, which imports the certificate into the Java trust store.

Here’s what I found on the internet (just for reference).

keytool -import -alias your-alias -keystore cacerts -file certificate.der

So the question is how to add the certificate if keytool cannot be found in the JRE shipped with the sonar-scanner-cli-docker image.

I’m very new to Java. Thanks for any advice.


Welcome to the community! One solution could be to extend the docker image to build your own, with keytool installed and your keystore customized. Another option could be to build your own keystore outside the docker image, and bind it in the jre folder.


Thanks for the reply!

I finally got it done by building my own keystore outside the image and binding it.

I’m NOT quite sure, but during the process I tried different keytools from different JRE versions and different platforms (Mac, Linux), and it seems the cacerts (keystore) files created don’t all work.

E.g. I used the keytool on my Mac to create the cacerts, but it didn’t work. Then I switched to Linux and used the keytool there, and the cacerts it created works.

Just FYI, in case anyone else meets the same issue.

Great, thanks for sharing the solution! Indeed, it makes sense to use the same keystore as the target. The SonarQube base image is openjdk:slim, which is Debian-based.

Hi, I am facing the same issue. How did you fix it? I am trying to run the sonarscanner in a CI job pipeline and am getting this error. How do I import my local server cert into the sonarscanner-cli docker image?

Hi, I am using the latest sonar-qube-cli docker and ran into the same problem. It seems that the image has changed since this topic was written. The keytool is now available in the image.
I tried to add the needed certs by using

keytool -import -alias myCert -file myCert.cer -cacerts

I get asked for a password I do not know. I am pretty new to Java, Docker and certs handling.
My questions now:
Am I on the right path to add my certificates?

Any help is highly appreciated.

INFO: Scanner configuration file: /opt/sonar-scanner/conf/
INFO: Project root configuration file: /usr/src/
INFO: SonarScanner
INFO: Java 11.0.15 Alpine (64-bit)
INFO: Linux 5.10.124-linuxkit amd64
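
The approach that worked earlier in this thread (build the keystore outside the image and bind it into the JRE folder), written out as an added example; it is not code from any poster or from SonarSource. It assumes the trust store sits at lib/security/cacerts under the /opt/sonar-scanner/jre path quoted above, that the store still carries the stock JRE cacerts password `changeit`, a hypothetical alias `internal-ca`, and that docker and keytool are available on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the cacerts path (JRE 11 layout
# under /opt/sonar-scanner/jre), the alias, and the stock password "changeit".
IMAGE=sonarsource/sonar-scanner-cli
JRE_CACERTS=/opt/sonar-scanner/jre/lib/security/cacerts
STOREPASS=changeit

# Copy the image's own trust store to the host, so the file we edit already
# has the format that the scanner's JRE reads.
extract_cacerts() {  # extract_cacerts OUT_FILE
  docker run --rm --entrypoint cat "$IMAGE" "$JRE_CACERTS" > "$1" || return 1
  [ -s "$1" ] || { echo "empty trust store extracted from $IMAGE" >&2; return 1; }
}

# Add one CA certificate (PEM or DER) to the copy, then confirm it is listed.
# -noprompt plus -storepass avoids the interactive password/trust questions.
import_ca() {  # import_ca KEYSTORE CERT_FILE ALIAS
  [ -s "$2" ] || { echo "certificate file $2 missing or empty" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$2" \
    -keystore "$1" -storepass "$STOREPASS" || return 1
  keytool -list -alias "$3" -keystore "$1" -storepass "$STOREPASS" >/dev/null
}

# Run the scanner with the customized store bind-mounted read-only over the
# default one; the image itself stays unmodified and TLS checks stay enabled.
run_scanner() {  # run_scanner HOST_URL KEYSTORE SRC_DIR
  docker run --rm -e SONAR_HOST_URL="$1" \
    -v "$3:/usr/src" -v "$2:$JRE_CACERTS:ro" "$IMAGE"
}

# Usage: sh add-ca.sh scan https://an.internal.server internal-ca.cer
if [ "${1:-}" = scan ]; then
  store="$(pwd)/cacerts"
  extract_cacerts "$store" && import_ca "$store" "$3" internal-ca &&
    run_scanner "$2" "$store" "$(pwd)"
fi
```

Import only the CA (or server) certificate your internal SonarQube host actually chains to, and keep the mounted store out of the scanned source tree if it should not end up in the analysis.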