We use Maven to perform Sonarqube scanning on our project:
$ mvn sonar:sonar \
-Dsonar.host.url=https://sonarqube.example.com \
-Dsonar.login=71b7130c8 \
-Dsonar.projectKey=FOO_bar \
-Dsonar.branch.name=release/6.0
However, for projects using an old JDK 1.8.0_60, this failed with:
[ERROR] SonarQube server [https://sonarqube.example.com] can not be reached
[ERROR] Failed to execute goal
org.sonarsource.scanner.maven:sonar-maven-plugin:3.8.0.2131:sonar
(default-cli) on project core: Unable to execute SonarScanner
analysis: Fail to get bootstrap index from server:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target -> [Help 1]
Adding this parameter was helpful in seeing what was going inside the JDK:
-Djavax.net.debug="ssl,handshake"
The reason was that the cacerts SSL/TLS certificate store in the JDK
was out of date. It didn't have the certificates needed to establish
the chain of trust used when generating the TLS certificate on
sonarqube.example.com.
To remedy this, I used the cacerts provided with apt-get installed
openjdk-11-jdk-headless package:
# cd /usr/lib/jvm/java-1.8.0_60-oracle/jre/lib/security
# mv cacerts cacerts.orig
# ln -s /etc/ssl/certs/java/cacerts
That's it. Java, and by that, the Maven and the Sonarqube scanner, can
now connect to websites served over https.
