10.5 | Analyzing source code | Scanner environment | Managing TLS certificates on client side

Managing the TLS certificates on the client side

If your SonarQube server is configured with HTTPS and uses a self-signed certificate (or a certificate issued by a private CA that the scanner's JVM does not already trust), then you must add that certificate to the trusted CA certificates (the truststore) of the SonarScanner. Otherwise the TLS handshake fails before any analysis is uploaded, typically with a Java "PKIX path building failed" error.

In addition, if mutual TLS is used then you must define the access to the client certificate at the SonarScanner level.

Managing the self-signed server certificate

Introduction to server authentication

During the TLS handshake the server presents its certificate (and, normally, the intermediate certificates that chain to a CA). The client verifies that the chain ends at a CA it trusts by checking its truststore, and that the certificate's name matches the host it connected to. A self-signed server certificate chains to nothing but itself, so it must be added to the client's truststore explicitly. The figure below shows the certificates involved in the authentication of the SonarQube server by the SonarScanner.

Adding the self-signed server certificate to the trusted CA certificates 

For SonarScanner for Maven, Gradle, or CLI

You can either use:

  • The default JVM truststore ($JAVA_HOME/lib/security/cacerts on JDK 9 and later, $JAVA_HOME/jre/lib/security/cacerts on JDK 8).
    To add the self-signed server certificate to the default truststore, use the JVM tool keytool. The instructions depend on your operating system and you will find many resources online, such as this one for Linux. Note that the default truststore is shared by every Java program run with that JVM and is replaced when the JDK is upgraded, so the certificate has to be re-imported after each upgrade; a dedicated truststore (next option) avoids both issues.

    See also: Self Signed certificates of DevOps platforms.
  • A custom Java truststore by using the following properties:
    • javax.net.ssl.trustStore: path to the truststore file
    • javax.net.ssl.trustStorePassword: password to the truststore
    • javax.net.ssl.trustStoreType (optional, if the truststore file type is not JKS or PKCS12)

Define the properties by using the SONAR_SCANNER_OPTS environment variable (on Windows, use forward slashes as path separators). Example:
SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=/repositories/tls-mutual-nginx/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
The truststore password protects only the integrity of the truststore file, not any secret, but the variable is still visible to anything that can read the process environment or the CI log.
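The procedure above as a shell script. This is an added example, not part of the SonarQube documentation or of the scanner: it fetches the certificate the server presents with openssl, refuses to trust it unless its SHA-256 fingerprint matches a value obtained out of band (so the import is not trust-on-first-use), imports it into a dedicated PKCS12 truststore with keytool, and prints the SONAR_SCANNER_OPTS value. The host name sonarqube.example.internal, the SONARQUBE_CERT_SHA256 and STORE_PASS environment variables and the file names are placeholders.

```shell
#!/bin/sh
# Added example: build a dedicated SonarScanner truststore for a self-signed
# SonarQube server certificate. Requires openssl and keytool (JDK) on PATH.
# Host, fingerprint, password and paths are placeholders, not real values.
set -eu

# Fetch the leaf certificate the server presents during the TLS handshake.
# -servername sends SNI so a virtual-host setup returns the right certificate.
fetch_server_cert() {            # fetch_server_cert HOST PORT OUT_PEM
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Normalise a fingerprint for comparison: drop colons, upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# A certificate fetched over the network is only as trustworthy as the path it
# came over: compare its fingerprint with one the server admin gave you out of
# band. Without this check an attacker positioned between the scanner host and
# the server at import time would be trusted permanently.
verify_fingerprint() {           # verify_fingerprint CERT_PEM EXPECTED_SHA256
    actual=$(openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2)
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# Import into a dedicated PKCS12 truststore (created if missing) rather than the
# JVM's default cacerts, then list the entry to confirm the import succeeded.
import_into_truststore() {       # import_into_truststore CERT_PEM STORE PASSWORD
    keytool -importcert -noprompt -trustcacerts -alias sonarqube-server \
        -file "$1" -keystore "$2" -storetype PKCS12 -storepass "$3"
    keytool -list -keystore "$2" -storetype PKCS12 -storepass "$3" \
        -alias sonarqube-server
}

# The JVM accepts forward slashes on every platform, Windows included.
to_java_path() {
    printf '%s' "$1" | tr '\\' '/'
}

# Compose the SONAR_SCANNER_OPTS value described on the page.
scanner_opts() {                 # scanner_opts STORE PASSWORD
    printf '%s %s' "-Djavax.net.ssl.trustStore=$(to_java_path "$1")" \
                   "-Djavax.net.ssl.trustStorePassword=$2"
}

main() {
    host=sonarqube.example.internal          # placeholder
    store=./sonar-truststore.p12             # placeholder
    fetch_server_cert "$host" 443 ./server.pem
    if ! verify_fingerprint ./server.pem "$SONARQUBE_CERT_SHA256"; then
        echo "fingerprint mismatch: not trusting $host" >&2
        exit 1
    fi
    import_into_truststore ./server.pem "$store" "$STORE_PASS"
    printf 'export SONAR_SCANNER_OPTS="%s"\n' "$(scanner_opts "$store" "$STORE_PASS")"
}

# Run the procedure only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `SONARQUBE_CERT_SHA256=<fingerprint from the server admin> STORE_PASS=changeit sh build-truststore.sh --run` and export the printed line in the job that runs the scanner. Because the store holds only the one server certificate, the scanner trusts nothing else through it, which is the point of keeping it separate from the default cacerts.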

For SonarScanner for .NET

Add the self-signed server certificate to the operating system truststore, which is what the .NET runtime consults:

  • On Debian- and Ubuntu-based Linux: 
    1. Copy the self-signed server certificate (PEM format) to /usr/local/share/ca-certificates with a .crt file extension; files with other extensions are ignored.
    2. Run sudo update-ca-certificates
    Other distributions use different tooling (for example update-ca-trust on RHEL-based systems), and macOS has no update-ca-certificates: there the certificate is added to the System keychain with the security tool.
  • On Windows: use certutil from an elevated prompt.
    Example: certutil -addstore -f "ROOT" <path/to/certificate>
    This makes the certificate a trusted root for every application on the machine, not only the scanner, so only do it for a certificate whose fingerprint you have verified out of band.

In addition, since SonarScanner for .NET invokes SonarScanner CLI, you must add the self-signed certificate to the Java truststore as explained above.
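The OS truststore step for the Linux and macOS cases, as an added example that is not part of the SonarQube documentation: it dispatches on the platform, gives the copy the .crt name that update-ca-certificates requires, runs the platform's CA tool, and on Linux verifies the result by validating the certificate against the regenerated system bundle. The directories and bundle paths are the platforms' own defaults; the certificate file name is a placeholder. It must run as root on Linux and with sudo on macOS.

```shell
#!/bin/sh
# Added example: install a self-signed SonarQube server certificate into the
# operating-system trust store that SonarScanner for .NET relies on.
# Run as root (Linux) or via sudo (macOS). The certificate path is a placeholder.
set -eu

# Directory each platform's CA tooling scans for locally added certificates.
ca_target_dir() {                # ca_target_dir debian|rhel
    case "$1" in
        debian) printf '%s' /usr/local/share/ca-certificates ;;
        rhel)   printf '%s' /etc/pki/ca-trust/source/anchors ;;
        *)      return 1 ;;
    esac
}

# update-ca-certificates only picks up files ending in .crt (PEM content),
# so the installed copy gets a .crt name whatever the source was called.
crt_name() {                     # crt_name /path/to/server.pem -> server.crt
    base=$(basename "$1")
    printf '%s.crt' "${base%.*}"
}

detect_os() {
    if [ "$(uname -s)" = Darwin ]; then printf macos
    elif [ -f /etc/debian_version ]; then printf debian
    elif [ -f /etc/redhat-release ] || [ -f /etc/fedora-release ]; then printf rhel
    else return 1
    fi
}

install_os_ca() {                # install_os_ca CERT_PEM
    case "$(detect_os)" in
        debian)
            cp "$1" "$(ca_target_dir debian)/$(crt_name "$1")"
            update-ca-certificates
            # The self-signed certificate must now validate against the bundle.
            openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$1" ;;
        rhel)
            cp "$1" "$(ca_target_dir rhel)/$(crt_name "$1")"
            update-ca-trust
            openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt "$1" ;;
        macos)
            # Trust it as a root in the System keychain (machine-wide, needs sudo).
            security add-trusted-cert -d -r trustRoot \
                -k /Library/Keychains/System.keychain "$1" ;;
        *)
            echo "unsupported platform" >&2
            return 1 ;;
    esac
}

# Run only when invoked with --run and a certificate path; otherwise just define.
if [ "${1:-}" = "--run" ]; then install_os_ca "${2:?certificate file required}"; fi
```

Usage: `sudo sh install-os-ca.sh --run /path/to/sonarqube.pem`. The openssl verify step is the check worth keeping: if it prints anything other than `OK`, the .NET scanner will still fail its TLS handshake even though the file was copied, most often because the file was not PEM or did not get the .crt extension.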

If running the scanner with Docker

If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, mount a cacerts truststore file into which the certificate has already been imported (as described above; not the bare certificate) at /tmp/cacerts. The image copies it into the container's Java truststore at start-up:

docker pull sonarsource/sonar-scanner-cli
docker run \
    --rm \
    -v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
    -v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
    -v ${YOUR_REPO}:/usr/src \
    -e SONAR_HOST_URL="https://${SONARQUBE_URL}" \
    sonarsource/sonar-scanner-cli

Alternatively, you can create your own container that includes the modified cacerts file. Create a Dockerfile with the following contents:

FROM sonarsource/sonar-scanner-cli
COPY cacerts /usr/lib/jvm/default-jvm/jre/lib/security/cacerts

Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:

docker build --tag our-custom/sonar-scanner-cli .

Managing the client certificates

Introduction to client authentication

If mutual TLS is used then both the client and the server authenticate the other party. During the TLS authentication of the client, the server requests a certificate and the client must present its certificate together with the CA certificate chain (intermediate and root CA certificates) that lets the server validate it; the client also proves possession of the matching private key, so the key must be in the same keystore as the certificate. The client manages its certificate, private key and chain in its own keystore, which is separate from the truststore discussed above. The figure below shows the certificates involved in the TLS authentication of the SonarScanner by the SonarQube Server.

Defining the access to the client certificates

For SonarScanner for Maven, Gradle, or CLI

Store the client certificate, its private key and the CA certificate chain in a keystore file and define the access to this file through the following properties (for example via SONAR_SCANNER_OPTS, as for the truststore):

  • javax.net.ssl.keyStore: path to the keystore file
  • javax.net.ssl.keyStorePassword: password of the keystore file
  • javax.net.ssl.keyStoreType (optional, if the keystore file type is not JKS or PKCS12)

Unlike the truststore password, the keystore password protects a private key; treat it as a secret and mask it in CI logs.

For SonarScanner for .NET

  1. Store the client certificate, its private key and the CA certificate chain in a keystore file and define the access to this file through the following properties:
    • sonar.clientcert.path: path to the keystore file, must be set in the begin step.
    • sonar.clientcert.password: password of the keystore file, must be set in both the begin and end steps.
  2. In addition, set the following options before the end step (for the SonarScanner CLI invocation):
    • javax.net.ssl.keyStore: same value as sonar.clientcert.path
    • javax.net.ssl.keyStorePassword: same value as sonar.clientcert.password
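Both client-certificate procedures as a shell script, added here as an example that is not part of the SonarQube documentation or of either scanner: it packages the client certificate, its private key and the CA chain into a PKCS12 keystore with openssl, checks that the store really contains a private-key entry (a common mistake is to import only the certificate), and then shows the Maven/Gradle/CLI properties and the .NET begin/build/end sequence with the properties placed in the steps the page requires. The file names, the project key my-project and the KEYSTORE_PASS environment variable are placeholders.

```shell
#!/bin/sh
# Added example: build a PKCS12 keystore for SonarScanner mutual TLS and wire it
# into the Java scanners and SonarScanner for .NET. Requires openssl, keytool,
# and for the .NET path the dotnet-sonarscanner tool. Names are placeholders.
set -eu

# Bundle certificate + private key + chain. -certfile adds the intermediate and
# root CA certificates so the scanner can send the chain the server validates.
build_client_keystore() {        # build_client_keystore CERT KEY CHAIN OUT_P12 PASSWORD
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name sonar-client -out "$4" -passout "pass:$5"
    # Sanity check: a keystore holding only a trustedCertEntry cannot
    # authenticate; the scanner needs a PrivateKeyEntry.
    keytool -list -keystore "$4" -storetype PKCS12 -storepass "$5" \
        | grep -q PrivateKeyEntry
}

to_java_path() { printf '%s' "$1" | tr '\\' '/'; }

# JVM properties for SonarScanner for Maven, Gradle or CLI (via SONAR_SCANNER_OPTS).
keystore_opts() {                # keystore_opts STORE PASSWORD
    printf '%s %s' "-Djavax.net.ssl.keyStore=$(to_java_path "$1")" \
                   "-Djavax.net.ssl.keyStorePassword=$2"
}

# SonarScanner CLI run with the client keystore.
cli_scan() {                     # cli_scan STORE PASSWORD
    SONAR_SCANNER_OPTS="$(keystore_opts "$1" "$2")" sonar-scanner
}

# SonarScanner for .NET: sonar.clientcert.path in begin only, sonar.clientcert.password
# in begin and end, and the javax.net.ssl.* properties for the CLI the end step invokes.
dotnet_scan() {                  # dotnet_scan PROJECT_KEY STORE PASSWORD
    dotnet sonarscanner begin /k:"$1" \
        /d:sonar.clientcert.path="$2" \
        /d:sonar.clientcert.password="$3"
    dotnet build
    SONAR_SCANNER_OPTS="$(keystore_opts "$2" "$3")" \
        dotnet sonarscanner end /d:sonar.clientcert.password="$3"
}

main() {
    store=./sonar-client.p12                 # placeholder
    build_client_keystore ./client.crt ./client.key ./ca-chain.pem "$store" "$KEYSTORE_PASS"
    case "${2:-cli}" in
        dotnet) dotnet_scan my-project "$store" "$KEYSTORE_PASS" ;;
        *)      cli_scan "$store" "$KEYSTORE_PASS" ;;
    esac
}

# Run only when invoked with --run [cli|dotnet]; otherwise just define the functions.
if [ "${1:-}" = "--run" ]; then main "$@"; fi
```

Usage: `KEYSTORE_PASS=... sh mtls-scan.sh --run dotnet` from the solution directory. The password is passed on the command line in the .NET steps because that is where the scanner reads it from, so it will appear in process listings on the build agent; supply it from the CI secret store and make sure the job masks it in logs.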

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License