Unable to fetch API V2 /analysis/version: Error: unable to verify the first certificate

We are trying to use the SonarScanner CLI to run locally against fetched repos but are getting the following error:

Unable to fetch API V2 /analysis/version: Error: unable to verify the first certificate. Falling back on /api/server/version

We have imported our certificate into the cacerts store within the \sonar-scanner-7.2.0.5079-windows-x64\jre\lib\security path and validated it is in the cacerts store.

When executing a command to analyze we receive the following:

[INFO] Bootstrapper: Platform: win32 x64
[DEBUG] Bootstrapper: Detecting proxy: No proxy detected
[INFO] Bootstrapper: Server URL: https://oursonar
[INFO] Bootstrapper: Version: 4.3.0
[DEBUG] Bootstrapper: Check if Server supports JRE provisioning
[DEBUG] Bootstrapper: Detecting SonarQube server version
[DEBUG] Bootstrapper: Fetching API V2 /analysis/version
[DEBUG] Bootstrapper: Unable to fetch API V2 /analysis/version: Error: unable to verify the first certificate. Falling back on /api/server/version
[DEBUG] Bootstrapper: Not using axios instance for https://oursonar/api/server/version
[ERROR] Bootstrapper: Failed to fetch server version: Error: unable to verify the first certificate
[ERROR] Bootstrapper: Verify that https://oursonar is a valid SonarQube server
[ERROR] Bootstrapper: An error occurred: Error: unable to verify the first certificate

Any ideas on next steps? Do we need an environmental variable as well since the repos we are analyzing are cloned from Azure DevOps?

Hey there.

Have you read the docs on managing the client TLS certificates for the SonarScanner for NPM?

Since you're using SonarScanner for NPM 4.3, you'll want to specifically read the docs on SonarScanner for NPM >= 4.0 and SonarScanner CLI >= 6.0.

Yes, multiple times and use the commands SonarQube gives me to call for the repo. I have updated the properties file and tried environmental variables. Still fails. I even tried a full call with a path to my keystore. Example:

sonar-scanner -Dsonar.host.url=https://mysonar.local -Dsonar.token=mytoken -Dsonar.sonar.scanner.truststorePath="C:\mypath\sonar-scanner-cli-7.2.0.5079-windows-x64\sonar-scanner-7.2.0.5079-windows-x64\jre\bin\mystore.jks" -Dsonar.sonar.scanner.truststorePassword="storepass" -Dsonar.verbose=true

The truststore must be in .p12 (PKCS#12) format, not .jks. Also, the correct property to override the truststore path is sonar.scanner.truststorePath, not sonar.sonar.scanner.truststorePath.

Thank you Colin, we had also tried the .p12 and had the same error. I have the path as Dsonar.sonar.scanner to match -Dsonar.host, etc. I will remove the Dsonar and test.

Same error running this from a command line:

sonar-scanner -Dsonar.host.url=https://mysonar.local -Dsonar.token=mytoken sonar.scanner.truststorePath="C:\MyPath\sonar-scanner-cli-7.2.0.5079-windows-x64\sonar-scanner-7.2.0.5079-windows-x64\jre\bin\mysonar.p12" sonar.scanner.truststorePassword="storepass" -Dsonar.verbose=true

We also tried setting the truststorepath and password in the sonar-scanner.properties file. Same result.

You still need -D before sonar.scanner.truststorePath and sonar.scanner.truststorePassword to indicate you’re passing an analysis parameter.
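The three command lines posted in this thread each fail for a different reason the scanner cannot report well (a `sonar.sonar.` property name, a `.jks` file where PKCS#12 is expected, a parameter passed without `-D`, and typographic quotes pasted from a document). The following is an added checker, not SonarSource code, that lints a `sonar-scanner` command line for exactly those mistakes before it is run. It assumes the property names `sonar.scanner.truststorePath` and `sonar.scanner.truststorePassword` and the `-Dkey=value` convention described above; the sample command lines are reconstructed from the posts in this thread with placeholder paths and a placeholder token.

```python
"""Lint a sonar-scanner command line for the truststore mistakes seen in this thread.

Added example, not SonarSource code. Assumes the documented property names
sonar.scanner.truststorePath / sonar.scanner.truststorePassword and that
analysis parameters are passed as -Dkey=value.
"""

TRUSTSTORE_PROPS = {"sonar.scanner.truststorePath", "sonar.scanner.truststorePassword"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes pasted from rich text
QUOTE_CHARS = "\"'" + CURLY_QUOTES

# Constructed samples (placeholder paths and token), one per mistake in the thread.
BAD_PROPERTY_AND_JKS_CMD = (
    r"sonar-scanner -Dsonar.host.url=https://mysonar.local -Dsonar.token=mytoken "
    r"-Dsonar.sonar.scanner.truststorePath=“C:\mypath\jre\bin\mystore.jks” "
    r"-Dsonar.sonar.scanner.truststorePassword=“storepass” -Dsonar.verbose=true"
)
MISSING_D_CMD = (
    r"sonar-scanner -Dsonar.host.url=https://mysonar.local -Dsonar.token=mytoken "
    r'sonar.scanner.truststorePath="C:\MyPath\jre\bin\mysonar.p12" '
    r'sonar.scanner.truststorePassword="storepass" -Dsonar.verbose=true'
)
GOOD_CMD = (
    r"sonar-scanner -Dsonar.host.url=https://mysonar.local -Dsonar.token=mytoken "
    r'-Dsonar.scanner.truststorePath="C:\mypath\jre\bin\mysonar.p12" '
    r'-Dsonar.scanner.truststorePassword="storepass" -Dsonar.verbose=true'
)


def lint_scanner_args(cmdline: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing was caught.

    Splits on whitespace, which is enough for the command lines in this thread
    (none of the argument values contain spaces).
    """
    findings: list[str] = []
    for arg in cmdline.split()[1:]:  # skip the executable itself
        if any(q in arg for q in CURLY_QUOTES):
            findings.append(f"typographic quotes in {arg!r}; use plain \" or no quotes")
        key, sep, value = arg.partition("=")
        if not sep:
            continue  # not a key=value argument
        has_d = key.startswith("-D")
        name = key[2:] if has_d else key
        canonical = name
        if name.startswith("sonar.sonar."):
            canonical = name[len("sonar."):]
            findings.append(
                f"property {name} is misspelled: -D is the flag, the key is {canonical}"
            )
        if canonical in TRUSTSTORE_PROPS and not has_d:
            findings.append(
                f"{name} is passed without -D, so the scanner will not read it as an analysis parameter"
            )
        if canonical == "sonar.scanner.truststorePath":
            path = value.strip(QUOTE_CHARS)
            if path.lower().endswith(".jks"):
                findings.append(f"truststore {path} is a JKS keystore; the scanner expects PKCS#12 (.p12)")
    return findings


if __name__ == "__main__":
    for label, cmd in [("bad property/JKS", BAD_PROPERTY_AND_JKS_CMD),
                       ("missing -D", MISSING_D_CMD), ("corrected", GOOD_CMD)]:
        print(f"== {label}")
        for finding in lint_scanner_args(cmd) or ["no findings"]:
            print("  -", finding)
```

Running it prints the findings for the two broken forms and nothing for the corrected one; the checker deliberately stops at syntax and says nothing about whether the truststore's contents are right, which is a separate question.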

Thank you Colin. I will give this a go. Any ideas why setting the truststorepath and password in the sonar-scanner.properties file doesn’t work… or does that need to go into a project specific properties file?

Alright, I made this call:

sonar-scanner -Dsonar.host.url=https://mysonar.local -Dsonar.token=mytoken -Dsonar.scanner.truststorePath="C:\mypath\sonar-scanner-cli-7.2.0.5079-windows-x64\sonar-scanner-7.2.0.5079-windows-x64\jre\bin\mysonar.p12" -Dsonar.scanner.truststorePassword="storepass" -Dsonar.verbose=true

This indicates it is using the storepath but still fails:

[INFO] Bootstrapper: Platform: win32 x64
[DEBUG] Bootstrapper: Detecting proxy: No proxy detected
[DEBUG] Bootstrapper: Using truststore at C:\mypath\sonar-scanner-cli-7.2.0.5079-windows-x64\sonar-scanner-7.2.0.5079-windows-x64\jre\bin\mysonar.p12
[DEBUG] Bootstrapper: 1 CA certificates found in truststore
[INFO] Bootstrapper: Server URL: https://mysonar.local
[INFO] Bootstrapper: Version: 4.3.0
[DEBUG] Bootstrapper: Check if Server supports JRE provisioning
[DEBUG] Bootstrapper: Detecting SonarQube server version
[DEBUG] Bootstrapper: Fetching API V2 /analysis/version
[DEBUG] Bootstrapper: Unable to fetch API V2 /analysis/version: Error: unable to verify the first certificate. Falling back on /api/server/version
[DEBUG] Bootstrapper: Not using axios instance for https://mysonar.local/api/server/version
[ERROR] Bootstrapper: Failed to fetch server version: Error: unable to verify the first certificate
[ERROR] Bootstrapper: Verify that https://mysonar.local is a valid SonarQube server
[ERROR] Bootstrapper: An error occurred: Error: unable to verify the first certificate

Any other ideas @Colin? Of note, I don’t see a “default location for the TrustStore is $SONAR_USER_HOME/ssl/truststore.p12 (default value for SONAR_USER_HOME is ~/.sonar)” in the SonarScanner I downloaded from the SonarQube site. Where is the /ssl/truststore?

That’s the default location where the scanner will go look for a truststore. Nothing is there unless you put it there.

At least now we can be certain a certificate is being found.

What I would guess is that it’s the wrong certificate, or not the full chain.

What command are you using to get the cert? Give this one a try.

openssl s_client -connect mysonar.local:443 -showcerts < /dev/null | keytool -importcert -storetype PKCS12 -alias sonar -keystore truststore.p12 -storepass "changeit" -noprompt

I am having a heck of a time reproducing this myself, and I do wonder if it’s the result of something “in the middle” (ZScaler is a common culprit). I’ll come back to this tomorrow on my own network and see if that changes anything.

Thank you Colin, for all the help on this one. We will test and post the updates. We were wondering the same thing per our VPN as our SonarQube is internally facing.

No such luck. We are using a Self-Signed Cert so maybe that is the issue? Our cert is generated from an internal CA:

Connecting to 7.7.777.77
depth=0 C=US, ST=AA, L=ABC, O=MyOU, OU=IT, CN=mysonar.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=AA, L=ABC, O=MyOU, OU=IT, CN=mysonar.local
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=AA, L=ABC, O=MyOU, OU=IT, CN=mysonar.local
verify return:1

Hm. Can you try one more command?

echo | openssl s_client -connect mysonar.local:443 -showcerts 2>/dev/null | sed -n '/BEGIN/,/END/p' | openssl pkcs12 -export -nokeys -out truststore.p12 -passout pass:changeit

By the way, I saw this morning we have a bug where the SonarScanner for NPM isn't picking up the default truststore location. So keep on specifying -Dsonar.scanner.truststorePath. :smiley:


Thanks Colin. It failed with the same error on that generated truststore. Would having a public CA cert be better?

Update, I am running SonarScanner from a jump box (no VPN as my local machine is behind a VPN) and getting much further. Will report back if I can get it to run completely.