Unable to add SSL cert with latest image

Hi support,

We have a SonarQube Developer Edition which we self-host via an internal DNS. As such, we use the keytool CLI to add the SSL cert in order for the sonar-scanner-cli stage to work.

We are using GitLab CI and I can confirm this is indeed an issue with the latest sonar-scanner-cli image. I cannot replicate this issue with the image tag 5.0.1.

This is very similar to the issue linked here.

I have replicated this in a forked repo in GitLab CI, which I will paste below:

stages:
  - triggers

sonarqube-check-full:
  before_script:
    - mkdir -p $SONAR_USER_HOME/ssl
    - keytool -noprompt -importcert -storetype PKCS12  -alias sonarqube -keystore $SONAR_USER_HOME/ssl/truststore.p12 -storepass changeit -file /srv/shared/sonarqube-cert.pem
  stage: triggers
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: ['']
  variables:
    SONAR_USER_HOME: '${CI_PROJECT_DIR}/.sonar'
    GIT_DEPTH: '0'
  cache:
    key: '${CI_JOB_NAME}'
    paths:
      - .sonar/cache
  script:
    - sonar-scanner -Dsonar.qualitygate.wait=true
  allow_failure: true

The error I am getting in our GitLab pipeline is this:

$ mkdir -p $SONAR_USER_HOME/ssl
$ keytool -import -noprompt -storetype PKCS12 -alias sonar -keystore truststore.p12 -file /srv/shared/sonarqube-cert.pem -storepass changeit
Certificate was added to keystore
$ sonar-scanner -Dsonar.qualitygate.wait=true -Dsonar.scanner.truststorePassword=changeit
07:34:25.652 INFO  Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
07:34:25.657 INFO  Project root configuration file: /builds/xxxxxxxx/xxxxxxxxx/sonar-project.properties
07:34:25.672 INFO  SonarScanner CLI 7.1.0.4889
07:34:25.674 INFO  Java 17.0.14 Amazon.com Inc. (64-bit)
07:34:25.674 INFO  Linux 5.15.0-1077-aws amd64
07:34:25.709 INFO  User cache: /builds/xxxxxxxx/xxxxxxxxx/.sonar/cache
07:34:29.037 ERROR Failed to query server version: Call to URL [https://sonarqubeSomeDomain.internal/api/v2/analysis/version] failed: None of the TrustManagers trust this certificate chain
07:34:29.037 INFO  EXECUTION FAILURE
07:34:29.039 INFO  Total time: 3.391s

PS: I have masked some bits in the logs for obvious reasons.

It would be great to get some help as we have just renewed our license and cannot proceed.

Thanks

Hi,

Thanks for sharing your pipeline commands & output.

It’s not clear to me from this, however that the pkcs12 truststore is located in

I see you make the $SONAR_USER_HOME/ssl directory, but I don’t see you cd into it before creating the keystore.

Ann


That was it indeed! Sorry I missed that.
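
A preflight check for the mistake identified in this thread, as an added example that is not part of the original posts. It assumes, as the first post's before_script does, that the truststore belongs at $SONAR_USER_HOME/ssl/truststore.p12; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): fail the CI job early when the
# truststore was written to the wrong directory, instead of waiting for
# "None of the TrustManagers trust this certificate chain".
# Assumption: the truststore is expected at $SONAR_USER_HOME/ssl/truststore.p12.

# truststore_preflight (hypothetical helper)
#   returns 0: truststore present at the expected path
#   returns 1: missing there, but a stray truststore.p12 sits in the
#              current directory (keytool was run with a relative path)
#   returns 2: no truststore found in either place
truststore_preflight() {
    home="${SONAR_USER_HOME:?SONAR_USER_HOME must be set}"
    expected="$home/ssl/truststore.p12"
    if [ -s "$expected" ]; then
        echo "OK: truststore found at $expected"
        return 0
    fi
    if [ -s "./truststore.p12" ]; then
        echo "FAIL: truststore.p12 is in $(pwd), expected $expected" >&2
        echo "      pass the full path to keytool -keystore" >&2
        return 1
    fi
    echo "FAIL: no truststore at $expected" >&2
    return 2
}

# truststore_has_alias (hypothetical helper): confirm the certificate was
# actually imported under the given alias. Needs keytool on PATH.
#   $1 = alias (e.g. sonarqube), $2 = store password (e.g. changeit)
truststore_has_alias() {
    keytool -list -storetype PKCS12 \
        -keystore "$SONAR_USER_HOME/ssl/truststore.p12" \
        -storepass "$2" -alias "$1" >/dev/null 2>&1
}

# Usage in a CI script step, before calling sonar-scanner:
#   truststore_preflight && truststore_has_alias sonarqube changeit
```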
