SonarQube Community Build | Analyzing source code | Scanners | Scanner environment | TLS certificates on client side

Managing the TLS certificates on the client side

Managing the self-signed server certificate

Introduction to server authentication

During the TLS authentication of the server, the client requests the server certificate from the server and verifies that this certificate is signed by a CA it trusts by checking its truststore. In case a self-signed server certificate is used, it must be added to the truststore of the client. The figure below shows the certificates involved in the authentication of SonarQube Community Build by the SonarScanner.

Adding the self-signed server certificate to the trusted CA certificates

Proceed as follows:

Provide a PKCS #12 keystore containing the server or CA certificates to trust (a.k.a. the truststore): see instructions below.
If you use one of the following CI tools, an additional step is necessary (see the corresponding step below):
- GitHub Action
- Azure Pipelines
Otherwise, if you use one of the following scanners, an additional step is necessary (see the corresponding step below):
- SonarScanner for .NET
- SonarScanner for Maven, SonarScanner for Gradle, SonarScanner for CLI with version < 6.0 , or SonarScanner for NPM with version < 4.0

Providing a PKCS#12 keystore

Consider the following when generating the PKCS#12 keystore:

The default location for the truststore is $SONAR_USER_HOME/ssl/truststore.p12 (default value for SONAR_USER_HOME is ~/.sonar). This location can be overridden using the scanner property sonar.scanner.truststorePath.
The default password for the truststore is sonar. This password can be overridden using the property sonar.scanner.truststorePassword.

Generating the PKCS#12 keystore

If you have a PEM or DER certificate, you can use OpenSSL or Keytool to generate the PKCS #12 keystore:

With OpenSSL:

openssl pkcs12 -export -caname sonar -out "truststore.p12" -in "server.pem" -passout pass:"<truststorePassword>" -nokeys

With Keytool

keytool -import -storetype PKCS12 -alias sonar -keystore truststore.p12 -file server.pem -storepass "<truststorePassword>"

Keytool will not accept such a short password as the default sonar password. You will have to use a longer password.

If running the scanner in Docker: use a mounted volume

The preferred way is to mount a folder containing the PKCS #12 file under /opt/sonar-scanner/.sonar/ssl.

docker pull sonarsource/sonar-scanner-cli

docker run \

    --rm \

    -v ${DIR_WITH_TRUSTSTORE_DOT_P12}:/opt/sonar-scanner/.sonar/ssl \

    -v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \

    -v ${YOUR_REPO}:/usr/src \

    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \

    sonarsource/sonar-scanner-cli \

    -Dsonar.scanner.truststorePassword=<truststorePassword> // Not needed if the default password is used

If using GitHub Action

If you use the sonarqube-scan-action for your GitHub Action and your SonarQube Community Build instance has certificates that need to be recognized by the GitHub runner, you'll need to set the SONAR_ROOT_CERT environment variable in GitHub.

To do this, go to your GitHub repository > Settings > Secrets and Variables and add the SONAR_ROOT_CERT environment variable in PEM format. You can also add it at the level of your GitHub organization (recommended).

Due to a known GitHub issue, if your GitHub Action v4 and above

uses SONAR_ROOT_CERT
and is executed in a containerized environment, for example when the job running the action declares container: <docker-image-name>

you need to explicitly set the SONAR_USER_HOME environment variable to be the "$HOME/.sonar".

You can do that by adding the following step before executing the action:

# Workaround for https://github.com/actions/runner/issues/863

- name: Workaround for containerized environments

  run: echo "SONAR_USER_HOME=$HOME/.sonar" >> $GITHUB_ENV

- name: Run sonar analysis

  uses: SonarSource/sonarqube-scan-action@<action version>

  ...

If using Azure Pipelines

If you want to add the SonarQube analysis to your Azure build pipeline and your SonarQube Community Build instance uses a self-signed certificate, you must provide the server certificate so that the AzureDevOps Extension for SonarQube can connect to SonarQube during the Prepare Analyze Configuration and Run Code Analysis tasks.

Proceed as follows:

Define the following environment variable (this setup is required for the Prepare Analyze Configuration task):
- Key: NODE_EXTRA_CA_CERTS
- Value: path to the certificate
An additional step is necessary (for the Run Code Analysis task) if you use:
- SonarScanner for .Net: see If using SonarScanner for .NET below.
- SonarScanner for Maven, Gradle, or CLI with version < 6.0: see If using SonarScanner for Maven, Gradle, CLI < 6.0 , or NPM < 4.0 below.

If using SonarScanner for .NET

Add the self-signed server certificate to the operating system truststore:

On Linux and MacOS:
1. Copy the self-signed server certificate to /usr/local/share/ca-certificates
2. Run sudo update-ca-certificates
On Windows: use certutil.
Example:

certutil -addstore -f "ROOT" <path/to/certificate>

In addition, since SonarScanner for .NET invokes SonarScanner CLI, you must add the self-signed certificate to the Java truststore as explained above.

If using SonarScanner for Maven, Gradle, CLI < 6.0 , or NPM < 4.0

These scanners are still relying on the Java VM for the SSL configuration.

You can either:

Insert your certificate in the default JVM truststore (something like \jre\lib\security\cacerts). To add the self-signed server certificate to the default truststore, use the JVM tool keytool. The instructions depend on your operating system and you will find many resources online, such as this one for Linux.
See also Self Signed certificate of DevOps platforms.
Provide a custom Java truststore by using the following properties:
- javax.net.ssl.trustStore: path to the truststore file (pkcs12 format is recommended)
- javax.net.ssl.trustStorePassword: password of the truststore.

These javax.net properties are JVM properties, not scanner properties. They should be passed using the SONAR_SCANNER_OPTS environment variable.

For example: SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=C:/ssl/truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit"

On Windows, use forward slashes as path separators.

Managing the client certificates

Introduction to client authentication

If mutual TLS is used then both the client and the server authenticate the other party. During the TLS authentication of the client, the client must provide its certificate with the corresponding CA certificate chain (intermediate and root CA certificates) to the server. The client manages its certificates in its own keystore. The figure below shows the certificates involved in SonarQube Community Build's TLS authentication of the SonarScanner.

Defining the access to the client certificates

For SonarScanner for Maven, Gradle, CLI, or NPM

Store the client certificate and CA certificate chain in a keystore file and define the access to this file through the following properties:

javax.net.ssl.keyStore or (for SonarScanner CLI from version 6.0 and SonarScanner for NPM from version 4.0) sonar.scanner.keystorePath: path to the keystore file.
javax.net.ssl.keyStorePassword or (for SonarScanner CLI from version 6.0 and SonarScanner for NPM from version 4.0) sonar.scanner.keystorePassword: password of the keystore file.

For SonarScanner for .NET

Store the client certificate and CA certificate chain in a keystore file and define the access to this file through the following properties:
- sonar.clientcert.path : path to the keystore file, must be set in the begin step.
- sonar.clientcert.password: password of the keystore file, must be set in both the begin and end steps.
In addition, set the following options before the end step (for the SonarScanner CLI invocation):
- javax.net.ssl.keyStore: same value as sonar.clientcert.path
- javax.net.ssl.keyStorePassword: same value as sonar.clientcert.password

Was this page helpful?