Start Free
Latest | Server installation and setup | Installing the server | Troubleshooting

Troubleshooting the installation

On this page

Failed to connect to the marketplace via proxy Exception java.lang.RuntimeException: cannot run elasticsearch as root SonarQube DNS cache Self Signed Certificates of DevOps platforms Database-related issues

Failed to connect to the marketplace via proxy

Double-check that settings for proxy are correctly set in <sonarqubeHome>/conf/sonar.properties. Note that if your proxy username contains a backslash, then it should be escaped; a username domain\user in the file should look like this example:

http.proxyUser=domain\\user

For some proxies, the exception java.net.ProtocolException: Server redirected too many times might mean an incorrect username or password has been configured.

Exception java.lang.RuntimeException: cannot run elasticsearch as root

SonarQube starts an Elasticsearch process, and the same account that is running SonarQube itself will be used for the Elasticsearch process. Since Elasticsearch cannot be run as root, that means SonarQube can't be either. You must choose some other, non-root account with which to run SonarQube, preferably an account dedicated to the purpose.

SonarQube DNS cache

When reporting Quality Gate status to DevOps platforms, SonarQube uses a DNS cache time to live policy of 30 seconds. If necessary, you can change this setting in your JVM:

echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"

Please be aware that low values increase the risk of DNS spoofing attacks.

Self Signed Certificates of DevOps platforms

When running in an environment where the DevOps platform or other related tooling is secured by self-signed certificates, the CA needs to be added to the java truststore of SonarQube.

In a zip installation, the systems truststore can be found in $JAVA_HOME/lib/security/cacerts. In order to add a new certificate to the truststore you can use the following command as an example:

keytool -importcert -file $PATH_TO_CERTIFICATE -alias $CERTIFICATE_NAME -keystore /$JAVA_HOME/lib/security/cacerts -storepass changeit -trustcacerts -noprompt

In our official Docker images, you can find the systems truststore in <JAVA_HOME>/lib/security/cacerts. In order to add new certificates here as well you can:

  • Bind mount an existing truststore containing your certificates to <JAVA_HOME>/lib/security/cacerts.
Example
docker run -d --name sonarqube -v /path/to/your/cacerts.truststore:/opt/java/openjdk/lib/security/cacerts:ro -p 9000:9000 sonarqube
  • Import your CA certificate the same way as in the zip installation but inside the container.

If you deploy SonarQube on Kubernetes using the official Helm Chart, you can create a new secret containing your required certificates and reference this via:

caCerts:
  enabled: true
  image: adoptopenjdk/openjdk17:alpine
  secret: your-secret

Database-related issues

For more information on self-signed certificates, see Managing the TLS certificates on the client side.

Oracle JDBC driver blocked

See If using an Oracle database in Pre-installation steps on Linux.

Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License