Ssl error when sending report from scanner to sonarQube local instance

SonarQube Server / Community Build
,
1

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube : From https://mysonarqubeinstance.local/admin/system : 9.1.0.47736
    scanner for .Net :
    dotnet tool list -g
    ID de package Version Commandes

dotnet-sonarscanner 5.5.3 dotnet-sonarscanner

  • what are you trying to achieve
    Sending a first report to the SonarQube instance for the project test
    dotnet sonarscanner begin /k:Test /d:sonar.cs.opencover.reportsPaths=MyProjectTests/coverage.opencover.xml /d:sonar.coverage.exclusions="*Test.cs" /d:sonar.host.url=“https://mysonarqubeinstance.local” /d:sonar.login=“MYTOKEN”
    dotnet build --no-restore
    dotnet test /p:CollectCoverage=true /p:CoverletOutputFormat=opencover --no-restore
    dotnet sonarscanner end /d:sonar.login=“MYTOKEN”

Getting Error :
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I’m trying to make it work from a local windows computer.

For the moment I exported my certificate from the site with the command :

echo -n | openssl s_client -connect mysonarqubeinstance.local:443 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > ./cert.cert

Afterwards, I don’t know how to import it in the local JRE keystore of the dotnet-sonar-scanner or how to use a brand local keystore with the instance to get rid of the error.

Can someone tell me what are the next steps to be able to force the downloaded certificate to be used with the sonarqube scanner ?

Thanks in advance,

Regards,
Franck Leveque

2

Ok,

After spending the last 4 hours to understand what is lacking, I just tried a couple of thing which leads me to a working version.

First is to find what version of JAVA is currently used by the scanner.

This can be achieved by

  • looking at the JAVA_HOME environnement variable
  • There the default store is located in lib/security. It seems the name of the file is different according to the version. cacerts seems to be for older version.

Once you have the path under which the JAVA used is installed you can import the certificate of your site.
Under windows, you can achieved it like this
keytool -import -noprompt -trustcacerts -file ./cert.cert -alias certalias -keystore “%JAVA_HOME%/lib/security/cacerts” -storepass changeit
endlocal

I have encounered two more errors the first one was that the JAVA installed on my computer (openjdk version “1.8.0_322”) was not able to read some files. So I installed the last OpenJDK 18.0.1.1

Next error was “the trustAnchors parameter must be non-empty”
To solve this you need to locate where is the dotnet tool installed, I got the answer from .net core - Where are dotnet tools stored by default? - Stack Overflow

This site also helped me to understand what was the problem : Debugging yet another SSL/TLS error: the trustAnchors parameter must be non-empty | by Gus Calcaterra | Medium

For my case the cause was that the scanner was not able to open cacerts as the password was not known (might also have a problem trying to force TLS 1.3 on a server using TLS 1.2).

To solve those issues Change the batch file of sonar-scanner in dotnet-sonarscanner\5.5.3\dotnet-sonarscanner\5.5.3\tools\net5.0\any\sonar-scanner-4.6.2.2472\bin\sonar-scanner.bat
and add -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.ssl.trustStorePassword=changeit to the options
You should obtain something like :

%JAVA_EXEC% -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.ssl.trustStorePassword=changeit %SONAR_SCANNER_DEBUG_OPTS% %SONAR_SCANNER_OPTS% -cp “%SONAR_SCANNER_HOME%\lib\sonar-scanner-cli-4.6.2.2472.jar” “-Dscanner.home=%SONAR_SCANNER_HOME%” “-Dproject.home=%PROJECT_HOME%” org.sonarsource.scanner.cli.Main %*

I hope this will help other people encountering the issue.

Regards

1 Like