Unable to add Secure sonar SSL certificates in MS Build Sonar scanner

I had the same issue as @santosh3702 & @lalitkhatri12:

[Step 4/8] Failed to request and parse 'https://sonar-host/api/server/version': 
[Step 4/8] The underlying connection was closed: Could not establish trust relationship 
[Step 4/8] for the SSL/TLS secure channel.
[Step 4/8] 14:23:52.577  A server certificate could not be validated. Possible cause: you 
[Step 4/8] are using a self-signed SSL certificate but the certificate has not been 
[Step 4/8] installed on the client machine. Please make sure that you can access 
[Step 4/8] https://sonar-host without encountering certificate errors.

This error was solved by adding our sonar server’s root cert (did not need the full cert chain, just the root CA to trust) to the Windows cert store.

This guide explains how to manually add a cert to the Windows cert store: https://support.globalsign.com/ssl/ssl-certificates-installation/import-and-export-certificate-microsoft-windows

However, this is only the first SSL hurdle. Re-running the scanner, we now get:

[Step 7/8] ERROR: SonarQube server [https://sonar-host] can not be reached
[Step 7/8] 15:44:30.222 ERROR: Error during SonarQube Scanner execution
[Step 7/8] org.sonarsource.scanner.api.internal.ScannerException: Unable to execute
[Step 7/8] SonarQube
[Step 7/8]     at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$crea
[Step 7/8] teLauncher$0(IsolatedLauncherFactory.java:85)
[Step 7/8]     at java.security.AccessController.doPrivileged(Native Method)
[Step 7/8]     at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLaunc
[Step 7/8] her(IsolatedLauncherFactory.java:74)
[Step 7/8]     at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLaunc
[Step 7/8] her(IsolatedLauncherFactory.java:70)
[Step 7/8]     at
[Step 7/8] org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:167)
[Step 7/8]     at
[Step 7/8] org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:113)
[Step 7/8]     at org.sonarsource.scanner.cli.Main.execute(Main.java:73)
[Step 7/8]     at org.sonarsource.scanner.cli.Main.main(Main.java:61)
[Step 7/8] Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from
[Step 7/8] server
[Step 7/8]     at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(B
[Step 7/8] ootstrapIndexDownloader.java:42)
[Step 7/8]     at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles
[Step 7/8] (JarDownloader.java:58)
[Step 7/8]     at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloade
[Step 7/8] r.java:53)
[Step 7/8]     at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$crea
[Step 7/8] teLauncher$0(IsolatedLauncherFactory.java:76)
[Step 7/8]     ... 7 more
[Step 7/8] Caused by: javax.net.ssl.SSLHandshakeException:
[Step 7/8] sun.security.validator.ValidatorException: PKIX path building failed:
[Step 7/8] sun.security.provider.certpath.SunCertPathBuilderException: unable to find
[Step 7/8] valid certification path to requested targethBuilderException: unable to find
[15:44:31][Step 7/8] valid certification path to requested target

We attempted to add the root CA (& then full chain) to the cacerts of the JRE on the machine:
keytool -import -file c:\root-ca.crt -keystore "C:\Program Files (x86)\java\jre8\lib\security\cacerts" -alias "root-ca" -storepass changeit

and the cert does appear to be in the cacerts, but we still get the above error.

This leads me to believe that the MSBuild scanner is bundled with its own JRE, but I cannot find information on whether this is the case or not.

Is this the case? If so, where can we find this bundled JRE in the installation?

It still doesn’t work for me (I am using DC edition).
I also uploaded all certs to the Windows cert store (mmc), but no luck.

I suspect it is something related to TLS 1.2 version support.
Can we change something in the Tomcat settings? I understand SonarQube comes with embedded Tomcat; is there any way to change some settings in Tomcat?


Hello @lukebickell and @lalitkhatri12
I don’t have an answer to this; this issue is a Java HTTPS connectivity problem, and not something raised (imhu) by the SonarQube implementation specifically, but I can share a few tips.

  1. Debug logs. The environment variable SONAR_SCANNER_OPTS may be set with -Djavax.net.debug=all. It may help you understand what is happening.
  2. Checking the SSL connectivity for Java, not the scanner. There are several SSLPoke samples around, consisting of a single very simple Java class whose sole purpose is troubleshooting SSL connectivity. Please consider using it to validate and troubleshoot your Windows Java to SonarQube connectivity.
  3. Forcing SSL 1.2. In rare cases, adding -Dhttps.protocols=TLSv1.2 to the scanner parameters has helped.

Let us know.

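An SSLPoke-style check, written here as an added example (not code from the posts above or from SonarSource; the class name TlsPoke is hypothetical). Besides attempting the handshake, it prints which JRE is running and which trust store that JRE consults, so running it with the same java executable the scanner uses shows whether the cacerts file edited with keytool is the one actually in effect.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.File;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example. Usage: java TlsPoke sonar-host 443
public class TlsPoke {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsPoke <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Report the JRE in use and the trust store it will consult.
        // Without -Djavax.net.ssl.trustStore, JSSE uses lib/security/jssecacerts
        // if present, otherwise lib/security/cacerts under java.home.
        String javaHome = System.getProperty("java.home");
        String override = System.getProperty("javax.net.ssl.trustStore");
        String sec = javaHome + File.separator + "lib" + File.separator + "security" + File.separator;
        String store = override != null ? override
                : new File(sec + "jssecacerts").exists() ? sec + "jssecacerts" : sec + "cacerts";
        System.out.println("java.home   : " + javaHome);
        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println("trust store : " + store);

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Verify the host name as an HTTPS client would; a raw SSLSocket skips this.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake(); // throws if the chain or host name does not validate
            System.out.println("handshake OK: " + socket.getSession().getProtocol());
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject: " + x.getSubjectX500Principal());
                    System.out.println("  issuer : " + x.getIssuerX500Principal());
                }
            }
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```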