Sadiq
(Mohammad sadiq)
July 10, 2025, 10:02am
1
which versions are you using (SonarQube Server - 10.6)
We are using Azure MDP agents (dynamically created servers for builds). We can't log in to those servers, so we imported the certificate into the Windows certificate store using the script below:
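```powershell
# Path of the secure file downloaded earlier in the pipeline (macro expanded by Azure DevOps)
$certPath = '$(DownloadSecureFile.secureFilePath)'
# Machine-wide Trusted Root Certification Authorities store
$certStoreLocation = 'Cert:\LocalMachine\Root'
Write-Host "Importing certificate $certPath to $certStoreLocation..."
$params = @{
    FilePath          = $certPath
    CertStoreLocation = $certStoreLocation
}
Import-Certificate @params
```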
Also, we configured the environment variable below, and the Azure DevOps task for SonarQube is still not trusting the certificate.
Key: NODE_EXTRA_CA_CERTS
Value: Path to the certificate
Is there anything else that should be configured apart from this for dotnet scans?
Colin
(Colin)
July 11, 2025, 7:52am
2
Hey there.
What’s the exact error you’re getting?
Sadiq
(Mohammad sadiq)
July 14, 2025, 3:30am
3
Here is the error we are getting:
========================== Starting Command Output ===========================
#-----------logs from certificate adding task---------------
"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "D:\a\_work\_temp\84d149d5-0988-4522-bf0e-eb90143a4f3d.cmd""
Adding certificate to Trusted Root Certification Authorities...
CA "Intermediate Certification Authorities"
Certificate "sonarqube-ent.internal.xyz.com.au" added to store.
CertUtil: -addstore command completed successfully.
Finishing: Add Certificate to Trusted Root Store
#---------------------------------------------------------------------------------
Import CA certificate to LocalMachine root store
Starting: Import CA certificate to LocalMachine root store
Task : PowerShell
Description : Run a PowerShell script on Linux, macOS, or Windows
Version : 2.247.1
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
Generating script.
========================== Starting Command Output ===========================
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_work\_temp\fdedae1e-aceb-4480-a850-2184b7ac4c5b.ps1'"
Importing certificate D:\a\_work\_temp\sonarqube-ent.cer to Cert:\LocalMachine\Root...
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
XXXXXXXXXXXXXXXXXX CN=sonarqube-ent.internal.xyz.com.au
#----------------Sonarqube error logs ------------------------#
Task : Prepare Analysis Configuration
Description : Prepare SonarQube Server analysis configuration
Version : 7.3.0
Author : sonarsource
Help : [More Information](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops/)
##[error][ERROR] SonarQube Server: Error while executing task Prepare: API GET '/api/server/version' failed. Error message: unable to verify the first certificate.
##[error]API GET '/api/server/version' failed. Error message: unable to verify the first certificate
Colin
(Colin)
July 16, 2025, 7:37am
4
Thanks!
I think we should continue to focus on configuring this trust via `NODE_EXTRA_CA_CERTS`, rather than importing it into the root truststore. To be honest, I’m not sure if that will help/hurt.
Having the correct file referenced by `NODE_EXTRA_CA_CERTS` should solve things.
This means:
- The file referenced by `NODE_EXTRA_CA_CERTS` is in PEM format (`.pem`)
- The PEM file includes the complete certificate chain (root, intermediate, and leaf certificates if necessary).
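
One way to check both conditions listed above on the Windows agent before the Prepare task runs, as an added example that is not part of the thread or of SonarSource's tooling. The function name `Test-NodeExtraCaBundle` is hypothetical, and the chain check compares issuer and subject names only, without verifying signatures.

```powershell
# Added example (not from the thread). Test-NodeExtraCaBundle is a hypothetical name.
function Test-NodeExtraCaBundle {
    param([string]$Path = $env:NODE_EXTRA_CA_CERTS)

    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "NODE_EXTRA_CA_CERTS is unset or does not point to a file: '$Path'"
    }

    # A DER-encoded .cer is binary and carries no BEGIN/END markers,
    # so it yields zero matches here.
    $text    = [System.IO.File]::ReadAllText($Path)
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    $blocks  = [regex]::Matches($text, $pattern)
    if ($blocks.Count -eq 0) {
        throw "No PEM CERTIFICATE blocks found in '$Path'; convert the file to PEM."
    }

    # Decode every block so a leaf-only file is distinguishable from a full chain.
    $certs = @(foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    })
    $subjects = @($certs | ForEach-Object { $_.Subject })

    # Name-level check only: each issuer DN is matched against the subject DNs
    # present in the file; signatures are not verified.
    foreach ($c in $certs) {
        $selfSigned = $c.Subject -eq $c.Issuer
        [pscustomobject]@{
            Subject      = $c.Subject
            Issuer       = $c.Issuer
            NotAfter     = $c.NotAfter
            SelfSigned   = $selfSigned
            IssuerInFile = $selfSigned -or ($subjects -contains $c.Issuer)
        }
    }
}

$report = @(Test-NodeExtraCaBundle)
$report | Format-List
$now = Get-Date
if (@($report | Where-Object { -not $_.IssuerInFile -or $_.NotAfter -lt $now }).Count -gt 0) {
    # Azure DevOps logging command: surfaces the finding in the pipeline summary.
    Write-Host '##vso[task.logissue type=warning]NODE_EXTRA_CA_CERTS bundle has a missing issuer or an expired certificate.'
}
```

A file that contains only the server's own certificate shows up as a single entry with `IssuerInFile = False`.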