...unable to find valid certification path to requested target

  • Operating system: Windows 10 Enterprise
  • SonarLint plugin version: 3.7.0
  • Is connected mode used:
    • Connected to SonarQube: Version 9.5 (build 56709)

Since Version 3.6.0 i am getting the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I also did the SSLPoke check which worked out well.
I think the error is connected to the newly introduced “Connected mode”.
When switching back to v3.5.4, everything works fine…

Thank you for your efforts and the awesome product.

Kind regards

Hello, welcome to the community! And thanks for your feedback.

Connected mode is not really a new feature :wink: however what is new in 3.7 is that we now embed our own JRE (on Windows, Linux and macOS).

My hypothesis is that you ran the SSLPoke test with the “public” JRE that is installed on your machine and that probably has some internal root certificate (or a different set of enabled crypto algorithms).

For investigation purposes, would it be possible for you to run the SSLPoke test with the extension’s JRE instead? On Windows, it should be located somewhere like %USERPROFILE%\.vscode\extensions\sonarsource.sonarlint-vscode-3.7.0-win32-x64\jre\17.0.3-win32-x86_64.tar\bin\java.exe.

One possible workaround would be to download the “Universal” VSIX from the extension page and use your machine’s public JRE instead of the one embedded in the Windows-specific VSIX.

Screenshot from 2022-07-27 13-12-54

had the same problem, I didn’t notice that it now comes with it’s own jre (I had the setting active that points to my “normal” JRE/JDK installation but it does not seem to affect this problem).

What I did to fix it was grab the cacerts of my normal installation and overwrite the one that the packaged version comes with. Seems to to the trick and now the connected mode is working again :slight_smile:


Hi Sebastian,
how did you overwite cacerts ?

I had the same issue.
So I replaced the cacerts in the version 3.8 JRE, but now the extension is upgraded to 3.9 and I’m back with:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is there a nice ((to be?) documented?) way to fix this?


You can check out another community post on the same topic. We have a ticket in our backlog to make sure that SonarLint honors the sonarlint.ls.javaHome, even when the JRE is embedded. The ticket has a high priority and should be fixed soon, but meanwhile, as a workaround, you can follow the instructions specified here. I hope this helps :slight_smile:

Thanks a lot for your feedback,

Hello all! :wave:

I’m happy to let you know that SonarLint for VSCode v3.11 is released and starting from this version, the sonarlint.ls.javaHome setting will be respected on all platforms, meaning that you can specify your own Java Runtime and not use the one embedded by the extension.

Thanks all for your feedback :slight_smile:

1 Like