TLS cert with SonarScanner CLI Docker 11

Hello,
We have a SonarQube server exposed over HTTPS, so we have to configure the TLS certificate.
Until SonarScanner CLI 10 the JRE had keytool; since SonarScanner CLI 11 the JRE keytool has disappeared. How can I configure TLS?
The documentation on SonarScanner CLI (sonarsource.com) doesn’t clarify the point.

Thanks

Hi Paolo,

With the recent scanner CLI versions, we are trying to decouple from Java. The new supported way to configure extra server certificates is to put the server certificate in a separate pkcs12 keystore (not the JRE cacerts).
The default location is ~/.sonar/ssl/truststore.p12 (password sonar) but you can also use the scanner properties sonar.scanner.truststorePath and sonar.scanner.truststorePassword to pass custom values.

Our idea was that users would prepare the p12 keystore outside the scanner docker image, and copy it to the image, or mount a volume. Another option will be to use openssl inside the scanner docker image to convert from PEM to p12, but this will only work after the next release of the Scanner CLI Docker, because of this issue.
We are happy to hear some feedback about that new approach.

Thanks Julien for the answer. In the previous version (<11) I used the keytool of the SonarScanner image, so now I have to prepare the truststore in a different stage of the same Dockerfile. I’ll post the solution when I have one :smiley:.

2 Likes

Hi @Paolo_Balzarotti

We are struggling to find a nice migration path for users of our Docker image having custom SSL configuration (like you). We are likely going to add back a JDK and keytool in the scanner image.
I just wanted to inform you so that you don’t spend too much time on it. We are going to deploy a new Docker image soon and work on improving the documentation.

Thanks for the feedback, it was helpful.

3 Likes

In the latest version of the Scanner CLI Docker image, the keytool utility is back, as well as the old way to configure SSL by mounting a certificates folder to /tmp/cacerts.
This is no longer the recommended way. We have updated the documentation accordingly.

1 Like
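
The separate PKCS12 truststore described in the first reply, sketched as an added example (not code from the thread or from SonarSource): the truststore is built outside the scanner image, then mounted read-only and referenced through the two scanner properties named above. Assumptions: keytool is available on the build host, and the alias sonarqube-server, the container path /tmp/truststore.p12 and the image name sonarsource/sonar-scanner-cli are illustrative choices.

```shell
#!/bin/sh
# Added example: prepare the scanner truststore outside the Docker image.
# Alias, container path and image name are assumptions, not from the thread.

# Accept only a readable PEM certificate; reject private keys and other
# files (for example a saved error page) before anything is trusted.
is_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# build_truststore <server-cert.pem> <out.p12> [password]
# Default password "sonar" matches the default the reply mentions.
build_truststore() {
    cert=$1 out=$2 pass=${3:-sonar}
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 2; }
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 3; }
    mkdir -p "$(dirname "$out")"
    rm -f "$out"   # rebuild from scratch so stale trust anchors never linger
    keytool -importcert -noprompt -storetype PKCS12 \
        -alias sonarqube-server -file "$cert" \
        -keystore "$out" -storepass "$pass" >/dev/null
}

# scanner_args <path-inside-container> [password]
# Emits the two scanner properties named in the reply.
scanner_args() {
    printf '%s %s\n' "-Dsonar.scanner.truststorePath=$1" \
        "-Dsonar.scanner.truststorePassword=${2:-sonar}"
}

# docker_command <absolute-host-path.p12> [path-inside-container]
# Prints (does not run) a docker invocation with a read-only bind mount.
docker_command() {
    inside=${2:-/tmp/truststore.p12}
    printf 'docker run --rm -v %s:%s:ro sonarsource/sonar-scanner-cli %s\n' \
        "$1" "$inside" "$(scanner_args "$inside")"
}

# Usage: sh truststore.sh server.pem /abs/path/truststore.p12
if [ "$#" -ge 2 ]; then
    build_truststore "$1" "$2" && docker_command "$2"
fi
```

The truststore holds only public certificates, so its password is not a secret; what matters is that the file is mounted read-only and contains just the certificates you intend the scanner to trust.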