[Step 4/8] Failed to request and parse 'https://sonar-host/api/server/version': [Step 4/8] The underlying connection was closed: Could not establish trust relationship [Step 4/8] for the SSL/TLS secure channel. [Step 4/8] 14:23:52.577 A server certificate could not be validated. Possible cause: you [Step 4/8] are using a self-signed SSL certificate but the certificate has not been [Step 4/8] installed on the client machine. Please make sure that you can access [Step 4/8] https://sonar-host without encountering certificate errors.
This error was solved by adding our sonar server’s root cert (did not need the full cert chain, just the root CA to trust) to the windows cert store.
This guide explains how to manually add a cert to the windows cert store: https://support.globalsign.com/ssl/ssl-certificates-installation/import-and-export-certificate-microsoft-windows
However, this is only the first SSL hurdle. Re-running the scanner, we now get:
[Step 7/8] ERROR: SonarQube server [https://sonar-host] can not be reached [Step 7/8] 15:44:30.222 ERROR: Error during SonarQube Scanner execution [Step 7/8] org.sonarsource.scanner.api.internal.ScannerException: Unable to execute [Step 7/8] SonarQube [Step 7/8] at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$crea [Step 7/8] teLauncher$0(IsolatedLauncherFactory.java:85) [Step 7/8] at java.security.AccessController.doPrivileged(Native Method) [Step 7/8] at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLaunc [Step 7/8] her(IsolatedLauncherFactory.java:74) [Step 7/8] at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.createLaunc [Step 7/8] her(IsolatedLauncherFactory.java:70) [Step 7/8] at [Step 7/8] org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:167) [Step 7/8] at [Step 7/8] org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:113) [Step 7/8] at org.sonarsource.scanner.cli.Main.execute(Main.java:73) [Step 7/8] at org.sonarsource.scanner.cli.Main.main(Main.java:61) [Step 7/8] Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from [Step 7/8] server [Step 7/8] at org.sonarsource.scanner.api.internal.BootstrapIndexDownloader.getIndex(B [Step 7/8] ootstrapIndexDownloader.java:42) [Step 7/8] at org.sonarsource.scanner.api.internal.JarDownloader.getScannerEngineFiles [Step 7/8] (JarDownloader.java:58) [Step 7/8] at org.sonarsource.scanner.api.internal.JarDownloader.download(JarDownloade [Step 7/8] r.java:53) [Step 7/8] at org.sonarsource.scanner.api.internal.IsolatedLauncherFactory.lambda$crea [Step 7/8] teLauncher$0(IsolatedLauncherFactory.java:76) [Step 7/8] ... 7 more [Step 7/8] Caused by: javax.net.ssl.SSLHandshakeException: [Step 7/8] sun.security.validator.ValidatorException: PKIX path building failed: [Step 7/8] sun.security.provider.certpath.SunCertPathBuilderException: unable to find [Step 7/8] valid certification path to requested targethBuilderException: unable to find [15:44:31][Step 7/8] valid certification path to requested target
We attempted to add the root ca (& then full chain) to the cacerts of the JRE on the machine
keytool -import -file c:\root-ca.crt -keystore "C:\Program Files (x86)\java\jre8\lib\security\cacerts" -alias "root-ca" -storepass changeit
and the cert does appear to be in the cacerts, but we still get the above error.
This leads me to believe that the MSBuild scanner is bundled with its own JRE, but I cannot find information on whether this is the case or not.
Is this the case? If so, where can we find this bundled JRE in the installation?