SonarScanner CLI Self Signed Cert failure

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • how is SonarQube deployed: Helm (AKS)
  • what are you trying to achieve: Update our Scanner CLI image that is used in our Gitlab build pipelines to a newer image which requires adding a non-standard cert (not an actual self-signed cert but is deployed into an air-gapped environment that lacks the ability to reach out to verify the CA so it is viewed as a self-signed cert)
  • what have you tried so far to achieve this
    followed the instructions posted by sonarqube here:
    https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanner-environment/install-self-signed-certificate/
    Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!
    This is the output from the Gitlab Pipeline showing the errors received trying to use the image. The Docker build command successfully runs and doesn’t show any indication of failures:
```
$ sonar-scanner -Dsonar.projectKey=$SonarQubeProject \ # collapsed multi-line command
17:23:00.933 INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
17:23:00.943 INFO: Project root configuration file: /builds/ai2c/pmx/griffin-ai/sonar-project.properties
17:23:00.962 INFO: SonarScanner 5.0.1.3006
17:23:00.962 INFO: Java 17.0.8 Alpine (64-bit)
17:23:00.962 INFO: Linux 5.15.0-1052-azure amd64
17:23:01.068 DEBUG: keyStore is : 
17:23:01.069 DEBUG: keyStore type is : pkcs12
17:23:01.069 DEBUG: keyStore provider is : 
17:23:01.069 DEBUG: init keystore
17:23:01.069 DEBUG: init keymanager of type SunX509
17:23:01.142 DEBUG: Create: /opt/sonar-scanner/.sonar/cache
17:23:01.143 INFO: User cache: /opt/sonar-scanner/.sonar/cache
17:23:01.143 DEBUG: Create: /opt/sonar-scanner/.sonar/cache/_tmp
17:23:01.145 DEBUG: Extract sonar-scanner-api-batch in temp...
17:23:01.147 DEBUG: Get bootstrap index...
17:23:01.147 DEBUG: Download: https://sonarqube.REDACTED/batch/index
17:23:01.256 ERROR: SonarQube server [https://sonarqube.REDACTED] can not be reached
17:23:01.257 INFO: ------------------------------------------------------------------------
17:23:01.257 INFO: EXECUTION FAILURE
17:23:01.257 INFO: ------------------------------------------------------------------------
17:23:01.257 INFO: Total time: 0.330s
17:23:01.277 INFO: Final Memory: 19M/224M
17:23:01.277 INFO: ------------------------------------------------------------------------
17:23:01.277 ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:85)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:74)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLauncher(IsolatedLauncherFactory.java:70)
	at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:185)
	at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:123)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:74)
	at org.sonarsource.scanner.cli.Main.main(Main.java:62)
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
	at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:42)
	at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles(JarDownloader.java:58)
	at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloader.java:53)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$createLauncher$0(IsolatedLauncherFactory.java:76)
	... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connectTls(RealConnection.java:336)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.RealConnection.connect(RealConnection.java:185)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.Transmitter.newExchange(Transmitter.java:169)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
	at org.sonarsource.scanner.api.internal.shaded.okhttp.RealCall.execute(RealCall.java:81)
	at org.sonarsource.scanner.api.internal.ServerConnection.callUrl(ServerConnection.java:115)
	at org.sonarsource.scanner.api.internal.ServerConnection.downloadString(ServerConnection.java:99)
	at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(BootstrapIndexDownloader.java:39)
	... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 44 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 49 more
Cleaning up project directory and file based variables
ERROR: Job failed: command terminated with exit code
```

Hi,

Welcome to the community!

The docs should help.

 
Ann

These are the instructions from Sonarqube that we used and they don’t work.

The certs are encrypted so you can’t just add them in in plain text or they won’t be accepted. We have tried following the external instructions for adding them via keytool commands and the commands run but the certs don’t seem to show up.


Hi,

Sorry, you did link to those same docs in your initial post.

Unfortunately, this encrypted cert issue is a bit out of scope for us.

 
Ann

Our team figured it out by looking at the layers of the image and realizing the SonarQube instructions do not match the layers in the image.

Here is the solution:

  1. Put your custom cert into a .crt file
  2. Build the image with a Dockerfile with these instructions:

```dockerfile
# Base scanner image as posted (the official image is published as sonarsource/sonar-scanner-cli)
FROM sonar-scanner-cli:5
# The base image's working directory is /usr/src, so the cert lands at /usr/src/sonarqube.crt
COPY ./sonarqube.crt ./
# Import into the trust store of the JVM actually present in the image layers
# (not the path given in the SonarQube docs); "changeit" is the JDK default store password
WORKDIR /usr/lib/jvm/java-17-openjdk/lib/security
RUN keytool -import -trustcacerts -noprompt -alias sonarqube -file /usr/src/sonarqube.crt -keystore cacerts -storepass changeit
# Restore the working directory the scanner expects
WORKDIR /usr/src
```

1 Like
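The root cause above was that the trust store path in the docs did not match the JVM actually shipped in the image, so the `keytool -import` ran against a file the scanner never reads. The script below is an added example (not from the thread, not SonarSource's code) for verifying the built image before it goes into a pipeline: it asks the JVM on PATH for its `java.home` instead of guessing the path, confirms the alias exists in that JVM's `cacerts`, compares the stored entry's SHA-256 fingerprint with the `.crt`, and does an `openssl s_client` handshake trusting only that file. It assumes `keytool` and `openssl` are available in the image for the live checks; the hostname, script name and the `SAMPLE_SETTINGS` text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from SonarSource. Verifies that a custom CA
# really landed in the trust store of the JVM sonar-scanner runs with.
# Assumes keytool and openssl are on PATH for the live checks; the parsing helpers
# (java_home_from_settings, cacerts_path_for) run without them.

# Constructed sample of `java -XshowSettings:properties -version` output so the
# parser can be exercised offline. Real output lists many more properties.
SAMPLE_SETTINGS='Property settings:
    java.class.path =
    java.home = /usr/lib/jvm/java-17-openjdk
    java.version = 17.0.8'

# Extract java.home from settings output supplied on stdin; prints the path (or nothing).
java_home_from_settings() {
    sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Trust store path for a given java.home: JDK 9+ keeps it at lib/security/cacerts,
# older bundled JREs used jre/lib/security/cacerts.
cacerts_path_for() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        printf '%s\n' "$1/lib/security/cacerts"
    fi
}

# Ask the JVM on PATH (the one sonar-scanner will use) where its trust store is.
find_jvm_cacerts() {
    home=$(java -XshowSettings:properties -version 2>&1 | java_home_from_settings)
    [ -n "$home" ] || return 1
    cacerts_path_for "$home"
}

# Returns 0 if ALIAS exists in STORE. "changeit" is the JDK default store password.
alias_in_truststore() {
    keytool -list -keystore "$1" -storepass "${3:-changeit}" -alias "$2" >/dev/null 2>&1
}

# Compare the SHA-256 fingerprint of the .crt with the entry stored under ALIAS,
# so a stale or wrong file is caught, not only a missing alias.
fingerprint_matches() {
    store="$1"; alias="$2"; crt="$3"; pass="${4:-changeit}"
    want=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F')
    have=$(keytool -list -v -keystore "$store" -storepass "$pass" -alias "$alias" 2>/dev/null \
           | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1 | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# TLS handshake against HOST trusting only the .crt. -partial_chain mirrors Java,
# which accepts a non-root CA in cacerts as a trust anchor. If this passes but the
# keytool checks fail, the problem is the JVM store (the PKIX error), not the cert.
tls_handshake_ok() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" -partial_chain 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Run every check in order and stop at the first failure with a message that says
# which layer is wrong. Usage inside the built image (hypothetical hostname):
#   sh check-truststore.sh sonarqube.example.internal /usr/src/sonarqube.crt sonarqube
check_truststore() {
    host="$1"; crt="$2"; alias="${3:-sonarqube}"
    store=$(find_jvm_cacerts) || { echo "could not locate the JVM cacerts via java.home"; return 1; }
    echo "JVM trust store: $store"
    alias_in_truststore "$store" "$alias" || { echo "alias '$alias' missing from $store"; return 1; }
    fingerprint_matches "$store" "$alias" "$crt" || { echo "stored '$alias' does not match $crt"; return 1; }
    tls_handshake_ok "$host" "$crt" || { echo "handshake with $host failed using $crt as anchor"; return 1; }
    echo "OK: $host chains to $crt and the scanner JVM trusts it"
}

if [ "$#" -ge 2 ]; then check_truststore "$@"; fi
```

Running this as a build step (`RUN sh check-truststore.sh ...`) after the `keytool -import` line turns a silent no-op import into a failed image build, which is where you want to find out, rather than in the first pipeline run.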

Thanks for the solution, @WilliamMedanoGutshal.

I’ve created a documentation ticket to look at making an improvement regarding image layers and your experiences with encrypted certificates.