Good day ,
We are currently testing the new upgrade of SonarQube in a dev environment.
Upgrading SonarQube v9.x to v2025.1 LTA.
We are having issue’s with PKI certs, we have executed keytool commands to imort to the jdk used by sonar in our bamboo agents.
We have issue with all our pipeline’s failing with :
Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
build 08-Sep-2025 11:22:32 at nl.altindag.ssl.trustmanager.CombinableX509TrustManager.checkTrusted(CombinableX509TrustManager.java:61)
build 08-Sep-2025 11:22:32 at nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager.checkServerTrusted(CompositeX509ExtendedTrustManager.java:86)
build 08-Sep-2025 11:22:32 … 121 common frames omitted
keytools :
root@sbg-java-Agent7-sdc-New:/opt/jdk-17.0.4.1/lib/security# keytool -import -trustcacerts -alias sb-root -file /opt/aws-tools.standardbank.co.za/StandardBankROOTCA.crt -keystore /opt/jdk-17.0.4.1/lib/security/cacerts -storepass changeit
Certificate already exists in keystore under alias
Do you still want to add it? [no]: Certificate was not added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore /opt/jdk-17.0.4.1/lib/security/cacerts -destkeystore /opt/jdk-17.0.4.1/lib/security/cacerts -deststoretype pkcs12”.
root@sbg-java-Agent7-sdc-New:/opt/jdk-17.0.4.1/lib/security#
root@sbg-java-Agent7-sdc-New:/opt/jdk-17.0.4.1/lib/security# /opt/jdk-17.0.4.1/bin/keytool -import -trustcacerts -alias sb-root -file /opt/aws-tools.standardbank.co.za/StandardBankROOTCA.crt -keystore /opt/jdk-17.0.4.1/lib/security/cacerts -storepass changeit
Warning: use -cacerts option to access cacerts keystore
Certificate already exists in keystore under alias
Do you still want to add it? [no]: yes
Certificate was added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore /opt/jdk-17.0.4.1/lib/security/cacerts -destkeystore /opt/jdk-17.0.4.1/lib/security/cacerts -deststoretype pkcs12”.
root@sbg-java-Agent7-sdc-New:/opt/jdk-17.0.4.1/lib/security# /opt/jdk-17.0.4.1/bin/keytool -import -trustcacerts -alias sb-ca113 -file /opt/aws-tools.standardbank.co.za/StandardBankCA113.crt -keystore /opt/jdk-17.0.4.1/lib/security/cacerts -storepass changeit
Warning: use -cacerts option to access cacerts keystore
Certificate already exists in keystore under alias
Do you still want to add it? [no]: yes
Certificate was added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore /opt/jdk-17.0.4.1/lib/security/cacerts -destkeystore /opt/jdk-17.0.4.1/lib/security/cacerts -deststoretype pkcs12”.
root@sbg-java-Agent7-sdc-New:/opt/jdk-17.0.4.1/lib/security# /opt/jdk-17.0.4.1/bin/keytool -import -trustcacerts -alias sb-policyca11 -file /opt/aws-tools.standardbank.co.za/StandardBankPolicyCA11.crt -keystore /opt/jdk-17.0.4.1/lib/security/cacerts -storepass changeit
Warning: use -cacerts option to access cacerts keystore
Certificate already exists in keystore under alias
Do you still want to add it? [no]: yes
Certificate was added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore /opt/jdk-17.0.4.1/lib/security/cacerts -destkeystore /opt/jdk-17.0.4.1/lib/security/cacerts -deststoretype pkcs12”.
kindly please advise.
Regards,
Bongani