We build for example dotnet framework apps on windows build servers using azure devops. Sonarsource provides some build tasks for azure devops to help with executing a sonarqube scan in a build pipeline. These tasks require Java and nodejs to be present on the build server because they use them in some aspect in the sonarqube scan process. Both Java and Nodejs use their own certificate trust store and not the windows certificate store, thus your domain trusted private CA will not by default be trusted by the Java and Nodejs processes used in the sonarqube scan.
See also this topic:
I am simply pointing out that the causes you listed are not exhaustive, and that managing sonarqube with a private CA signed certificate was, for my organisation, too much of a hassle which is why we now use public certificates on all sonarqubes.