19

I am trying to integrate SonarQube with TFS 2013 builds. The SonarQube instance is configured to use https. For some reason, TFS throws the below error trying to reach out to SonarQube:

    ERROR: Error during SonarQube Scanner execution
    ERROR: Unable to execute SonarQube
    ERROR: Caused by: Fail to get bootstrap index from server
    ERROR: Caused by: sun.security.validator.ValidatorException: PKIX path building failed:Sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ERROR: Caused by: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ERROR: Caused by: unable to find valid certification path to requested target

I found this SO post: "PKIX path building failed" and "unable to find valid certification path to requested target" and exported the certificate and used keytool to import it into the Java keystore. I am still getting the same error. It seems like SonarQube somehow does not pick up the certificate from the default Java keystore.

I tried running sonar-scanner manually and passing the certificate information in the parameters but still it does not pick up the certificate.

    C:\SonarScanner\sonar-scanner-3.2.0.1227\bin>sonar-scanner.bat -X -Djavax.net.debug="ssl,handshake" -Djavax.net.ssl.trustStore="C:/Program Files/Java/jre1.8.0_121/lib/security/cacerts" -Djavax.net.ssl.keyStore="C:/Program Files/Java/jre1.8.0_121/lib/security/cacerts"

Looking at the debug messages, it hasn't recognized the additional parameters.

Any suggestions?

Cœur
DevOpsy
  • Did you restart the Agents? – Jeroen Heier Oct 26 '18 at 18:04
  • Yes, I did after importing the cert. – DevOpsy Oct 28 '18 at 22:55
  • Do you need -X before each argument? Do you need a space between the -X and the JavaVM arg? (and if you get that far, do you need to also specify keystore/truststore passwords?) Could you just specify the keystore and such as properties in that properties file it's reading anyway, instead? – moilejter Oct 28 '18 at 23:17
  • @moilejter: -X is the switch for getting the debug output. -D is the switch to define properties passed on to the JavaVM. I tried to pass the KeyStorePassword as well but it still doesn't pick up the certificate. – DevOpsy Oct 28 '18 at 23:53

1 Answer

21

Setting the "SONAR_SCANNER_OPTS" environment variable to

    -Djavax.net.ssl.trustStore="C:/Program Files/Java/jre1.8.0_121/lib/security/cacerts" -Djavax.net.ssl.keyStore="C:/Program Files/Java/jre1.8.0_121/lib/security/cacerts"

did the trick for me.

The debug log now shows that it is pointing to the keystore as set in the environment variable. It worked both from command line using Sonar-Scanner.bat and while running as part of the TFS 2013 build.

DevOpsy
  • @guilhermecgs: How are you running the scanner? What is the error that you are getting? Is the debug log showing the keystore location or is it blank? – DevOpsy Sep 18 '19 at 01:37
  • I am running inside a Gradle task on my local machine. And yes, the keystore is NOT blank. See here: https://www.dropbox.com/s/h8vlqko7c0a70tz/Screenshot%20at%20Sep%2018%2010-11-31.png?dl=0 . The command is "./gradlew sonarqube (...) " I already added the certificate using "keytool" -importcert -file (...) " Any clues? – guilhermecgs Sep 18 '19 at 13:17
  • @guilhermecgs: I am not sure. I haven't used Gradle. Maybe ask a separate question and someone should be able to help. – DevOpsy Sep 19 '19 at 00:52
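
A way to check which trust store a JVM actually uses once options such as those in SONAR_SCANNER_OPTS are applied, and whether the exported server certificate is in it. This is an added example, not code from the posts above or from SonarQube. The class name `TrustStoreCheck` and the file name `server.cer` are hypothetical, and the store password is assumed to be the stock `changeit` unless `javax.net.ssl.trustStorePassword` is set.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added diagnostic (hypothetical class name), not SonarQube code.
// Compile with javac, then run with the same JVM and -D options the scanner gets:
//   java %SONAR_SCANNER_OPTS% TrustStoreCheck server.cer
public class TrustStoreCheck {

    // JSSE default lookup order: javax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static File effectiveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null && !configured.isEmpty()) {
            return new File(configured);
        }
        File securityDir = new File(System.getProperty("java.home"), "lib/security");
        File jssecacerts = new File(securityDir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(securityDir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        File storeFile = effectiveTrustStore();
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("trust store : " + storeFile + (storeFile.isFile() ? "" : " (MISSING)"));
        if (!storeFile.isFile()) return;

        // Assumption: stock password "changeit" unless overridden by a system property.
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(storeFile)) {
            store.load(in, password.toCharArray());
        }
        System.out.println("entries     : " + store.size());

        if (args.length == 1) { // optional: the certificate exported from the server (DER or PEM)
            Certificate cert;
            try (InputStream in = new FileInputStream(args[0])) {
                cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            String alias = store.getCertificateAlias(cert);
            System.out.println(alias != null
                    ? "certificate : present under alias '" + alias + "'"
                    : "certificate : NOT in this trust store");
        }
    }
}
```

If `java.home` printed here differs from the JRE whose `cacerts` was passed to keytool, the import went into a store this JVM never reads.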