Fixing Java PKIX path building failed errors

We use Maven to perform SonarQube scanning on our project:

$ mvn sonar:sonar \
  -Dsonar.host.url=https://sonarqube.example.com \
  -Dsonar.login=71b7130c8 \
  -Dsonar.projectKey=FOO_bar \
  -Dsonar.branch.name=release/6.0

However, for projects using an old JDK 1.8.0_60, this failed with:

[ERROR] SonarQube server [https://sonarqube.example.com] can not be reached
[ERROR] Failed to execute goal
org.sonarsource.scanner.maven:sonar-maven-plugin:3.8.0.2131:sonar
(default-cli) on project core: Unable to execute SonarScanner
analysis: Fail to get bootstrap index from server:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target -> [Help 1]

Adding this parameter was helpful in seeing what was going on inside the JDK:

-Djavax.net.debug="ssl,handshake"

The reason was that the cacerts SSL/TLS certificate store in the JDK was out of date. It didn't have the certificates needed to establish the chain of trust used when generating the TLS certificate on sonarqube.example.com.

To remedy this, I used the cacerts provided with the openjdk-11-jdk-headless package, installed with apt-get:

# cd /usr/lib/jvm/java-1.8.0_60-oracle/jre/lib/security
# mv cacerts cacerts.orig
# ln -s /etc/ssl/certs/java/cacerts 

That's it. Java, and with it Maven and the SonarQube scanner, can now connect to websites served over HTTPS.
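
A guarded version of the three commands above, as an added example that is not part of the original post: before linking, it checks that the replacement trust store is a non-empty JKS file (Java 8's default keystore type, recognisable by its FEEDFEED magic bytes) and refuses to overwrite an earlier backup. The function names swap_cacerts and file_magic are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# swap_cacerts SECURITY_DIR SYSTEM_CACERTS
#   SECURITY_DIR   - the JDK's jre/lib/security directory
#   SYSTEM_CACERTS - trust store to link to
# Usage (as root, paths taken from the post):
#   swap_cacerts /usr/lib/jvm/java-1.8.0_60-oracle/jre/lib/security \
#                /etc/ssl/certs/java/cacerts

# Print the first four bytes of a file as lowercase hex.
file_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

swap_cacerts() {
    dir=$1
    src=$2

    # The replacement must exist and be non-empty.
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }

    # Java 8 defaults to keystore.type=jks; a JKS file starts with FEEDFEED.
    if [ "$(file_magic "$src")" != "feedfeed" ]; then
        echo "not a JKS keystore: $src" >&2
        return 2
    fi

    # Already linked to the wanted store: nothing to do.
    if [ -L "$dir/cacerts" ] && [ "$(readlink "$dir/cacerts")" = "$src" ]; then
        return 0
    fi

    # Never clobber an earlier backup of the vendor trust store.
    if [ -e "$dir/cacerts.orig" ]; then
        echo "backup already exists: $dir/cacerts.orig" >&2
        return 3
    fi

    [ -f "$dir/cacerts" ] || { echo "no cacerts in $dir" >&2; return 4; }
    mv "$dir/cacerts" "$dir/cacerts.orig" &&
        ln -s "$src" "$dir/cacerts"
}
```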


Licensed under CC BY Creative Commons License ~ 📡 RSS feed ~ ✉ torstein.k.johansen @ gmail ~ 🐘 @skybert@hachyderm.io ~ 🎥 youtube.com/@skybert