# Troubleshooting

## Failed to connect to the marketplace via proxy <a href="#marketplace" id="marketplace"></a>

Double-check that settings for proxy are correctly set in `<sonarqubeHome>/conf/sonar.properties`. Note that if your proxy username contains a backslash, then it should be escaped; a username `domain\user` in the file should look like this example:

```css-79elbk
http.proxyUser=domain\\user
```

For some proxies, the exception `java.net.ProtocolException: Server redirected too many times` might mean an incorrect username or password has been configured.

## Exception java.lang.RuntimeException: cannot run elasticsearch as root <a href="#elasticsearch" id="elasticsearch"></a>

SonarQube starts an Elasticsearch process, and the same account that is running SonarQube itself will be used for the Elasticsearch process. Since Elasticsearch cannot be run as root, that means SonarQube can’t be either. You must choose some other, non-root account with which to run SonarQube, preferably an account dedicated to the purpose.

## SonarQube DNS cache <a href="#dns-cache" id="dns-cache"></a>

When reporting Quality Gate status to DevOps platforms, SonarQube uses a DNS cache time to live policy of 30 seconds. If necessary, you can change this setting in your JVM:

```css-79elbk
echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security" 
```

Please be aware that low values increase the risk of DNS spoofing attacks.

## Self Signed Certificates of DevOps platforms <a href="#selfsigned-certificates" id="selfsigned-certificates"></a>

When running in an environment where the DevOps platform or other related tooling is secured by self-signed certificates, the CA needs to be added to the java truststore of SonarQube.

In a zip installation, the systems truststore can be found in `$JAVA_HOME/lib/security/cacerts`. In order to add a new certificate to the truststore you can use the following command as an example:

```css-79elbk
keytool -importcert -file $PATH_TO_CERTIFICATE -alias $CERTIFICATE_NAME -keystore /$JAVA_HOME/lib/security/cacerts -storepass changeit -trustcacerts -noprompt
```

In our official Docker images, you can find the systems truststore in `<JAVA_HOME>/lib/security/cacerts`. In order to add new certificates here as well you can:

* Bind mount an existing truststore containing your certificates to `<JAVA_HOME>/lib/security/cacerts`.

<details>

<summary>Example</summary>

```css-79elbk
docker run -d --name sonarqube -v /path/to/your/cacerts.truststore:/opt/java/openjdk/lib/security/cacerts:ro -p 9000:9000 sonarqube 
```

</details>

* Import your CA certificate the same way as in the zip installation but inside the container.

If you deploy SonarQube on Kubernetes using the official Helm Chart, you can create a new secret containing your required certificates and reference this via:

```css-79elbk
caCerts:
  enabled: true
  image: adoptopenjdk/openjdk17:alpine
  secret: your-secret
```

## Issues with IIS and SAML integration <a href="#iis-through-saml" id="iis-through-saml"></a>

If you are using an IIS reverse proxy with SAML authentication, you may encounter one of the following issues:

* The URL redirection to the SAML Identity Provider (sonar.auth.saml.loginUrl) is not managed correctly.
* "You are not authorized to access this page" error is raised when logging in.

In that case, make sure that, at the IIS server level, you have performed all the configuration steps described in the section **Securing the server behind a proxy>Using IIS on Windows** in [operating-the-server](https://docs.sonarsource.com/sonarqube-server/10.3/setup-and-upgrade/configure-and-operate-a-server/operating-the-server "mention").


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-server/10.3/setup-and-upgrade/install-the-server/troubleshooting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.