SonarQube scanner fails due to self-signed certificate in certificate chain

Published by Tobias Hofmann on


You are using a self-hosted SonarQube server and want to run the SonarQube scanner to analyze a project. The execution flow of the scanner is to connect to the server, download the needed files, scan the project and upload the results to the server. For this to work, the scanner must be able to communicate with the SonarQube server, so the base configuration consists of a server URL and a project key. Normally this just works, except when your SonarQube server is only reachable over HTTPS and uses a self-signed certificate. The scanner offers no option to disable certificate validation, so the server certificate must be one the scanner trusts.


Turning a self-signed certificate into a valid one is done by trusting it. Trust is established when the involved CAs and the server certificate itself are trusted; from the documentation you can see that it is not enough to trust only the involved CAs.

The solution is to create a trust store that contains these certificates and make the sonar scanner use this store.

Obtain server certificate

The first step is to obtain the server's certificate chain. When opening the certificate of the server in the browser, you can see the certificate details and the CA information.


You can export the certificates from there. Be aware that not all involved CAs may be listed: for instance, when the root CA that issued the intermediate CA is not included, you must download it separately. OpenSSL allows you to download certificates from a server. If you do not have access to OpenSSL but do have Java, keytool is the best alternative.

Keytool

Java ships with keytool, a tool that not only manages certificates but can also download them from a server.

keytool -printcert -rfc -sslserver <server> > certs.pem


In my case, the certificate chain shown by the browser contained 2 certificates:

  • Intermediate CA and
  • server certificate

The keytool downloaded 3 certificates:

  • Root CA
  • Intermediate CA
  • Self-hosted SonarQube server certificate

The above command stores the retrieved certificates, in PEM format, in the file certs.pem.


Add certificate to keystore

You might be tempted to add the whole certificate chain to the keystore as one entry and expect the sonar scanner to connect to your server. For some reason, this does not work. Each certificate must be added individually, so instead of one entry the keystore will contain three certificates.

Extract certificate

Separating the certificates is easily done by copying each certificate into a new file. Everything from the BEGIN CERTIFICATE line to the END CERTIFICATE line, both included, is one certificate.


Import certificate

Using keytool on Windows, add all 3 certificates independently to the keystore. The files tmp1, tmp2 and tmp3 each contain one of the extracted certificates.

Certificate 1:

type tmp1 | keytool -import -alias test1 -keystore test.p12 -storepass test1234 -noprompt

Certificate 2:

type tmp2 | keytool -import -alias test2 -keystore test.p12 -storepass test1234 -noprompt

Certificate 3:

type tmp3 | keytool -import -alias test3 -keystore test.p12 -storepass test1234 -noprompt


Short explanation of the command: type tmp1 prints the content of the file to stdout, keytool reads the certificate from stdin because no -file option is given, and -noprompt ensures that the command runs through without asking the user for confirmation.
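The extract-and-import steps above, automated for a POSIX shell as an added example that is not part of the original post: it splits the certs.pem bundle into one file per certificate (cert-1.pem, cert-2.pem, ... instead of the tmp1..tmp3 files used above, and for any number of certificates, not only three) and imports each file under its own alias. It assumes keytool is on PATH for the import step; the embedded bundle is constructed for the demonstration and its bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Split the PEM bundle written by "keytool -printcert -rfc -sslserver ..."
# into one file per certificate and import each one under its own alias.
set -eu

# split_pem BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... and
# prints how many certificates were found (lines outside BEGIN/END are dropped).
split_pem() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# import_all OUTDIR KEYSTORE PASSWORD: one keytool import per file, each with a
# distinct alias, because importing the whole chain as a single entry does not
# make the scanner trust the server. Finishes by listing the store contents.
import_all() {
    for f in "$1"/cert-*.pem; do
        keytool -importcert -alias "$(basename "$f" .pem)" -file "$f" \
            -keystore "$2" -storepass "$3" -storetype PKCS12 -noprompt
    done
    keytool -list -keystore "$2" -storepass "$3"
}

# write_sample_bundle FILE: a constructed three-certificate bundle (root CA,
# intermediate CA, server). The bodies are placeholders, not real certificates.
write_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'ROOTCAPLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATEPLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SERVERPLACEHOLDER' '-----END CERTIFICATE-----' > "$1"
}

workdir=$(mktemp -d)
write_sample_bundle "$workdir/certs.pem"
count=$(split_pem "$workdir/certs.pem" "$workdir/split")
echo "split into $count certificate files under $workdir/split"
# With the bundle fetched from the real server, follow the split with:
#   import_all "$workdir/split" test.p12 test1234
```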

Validate keystore

To validate that the keystore contains all certificates, list its content with keytool's -list command. The result shows the contained certificates together with their aliases.

keytool -list -keystore test.p12 -storepass test1234


Configure sonar scanner

The created keystore now contains all certificates the sonar scanner needs to pass the server's HTTPS validation, so the self-signed certificate is trusted. To make the scanner use the new keystore, the sonar configuration must be adjusted in the sonar-project.properties file:

  • sonar.scanner.truststorePath=test.p12
  • sonar.scanner.truststorePassword=test1234

Result

Running npx @sonar/scan with the keystore test.p12 configured allows the scanner to communicate with the SonarQube server.


Additional hints

Adding the certificate chain as one entry

Adding the whole chain as one single certificate does not work. If you add the chain file (the one with all 3 certificates in it) to the keystore in one go:

type certs.pem | keytool -import -alias test -keystore test.p12 -storepass test1234 -noprompt

the Sonar Scanner will still fail to connect to the server because of the self-signed certificate, even though the keystore appears to contain an entry.

Validate keystore

keytool -list -keystore test.p12 -storepass test1234
