SonarQube Certificate Error: “UNABLE_TO_GET_ISSUER_CERT_LOCALLY”

Running SonarQube analysis can sometimes throw a curveball like the dreaded “UNABLE_TO_GET_ISSUER_CERT_LOCALLY” error. This guide dissects the culprit – an untrusted server certificate – and equips you with two battle-tested solutions to conquer this error, whether you’re wielding Azure DevOps or GitHub extensions.

This error usually arises when the Java version used for analysis doesn’t trust the certificate of the SonarQube server. This can happen in corporate environments or behind proxies where certificates might not be universally recognized.

Solution #1: Embracing Node’s Flexibility (for Azure DevOps/GitHub)

  • Summon the “NODE_TLS_REJECT_UNAUTHORIZED” Option: Set this variable to “0” to instruct Node.js to accept even untrusted certificates. This is a quick fix, but it turns off certificate verification for every TLS connection the Node.js process makes, not only the one to the SonarQube server, so exercise caution in production environments.

Solution #2: Wielding Trusted Certificates

  • Forge a Pipeline Variable: In your Azure DevOps/GitHub pipeline, create a variable named “NODE_EXTRA_CA_CERTS” pointing to the location of the SonarQube server’s PEM certificate file.
  • Unleash the “SONAR_SCANNER_OPTS” Power: Append this variable to the “SONAR_SCANNER_OPTS” variable alongside the path to your JDK’s cacerts file (remember to remove spaces!). Here’s the magic formula:
-Djavax.net.ssl.trustStore="E:\Java\jdkversion\lib\security\cacerts"
-Djavax.net.ssl.keyStore="E:\Java\jdkversion\lib\security\cacerts"

Once you have added this, the SonarQube task will work without any issues.
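
A pre-flight check for the variables used in both solutions, as an added example that is not from the original post or from SonarQube. The function `checkScannerTlsEnv`, its finding names and the sample file are hypothetical; it checks PEM framing only and does not validate the certificate chain.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper (not a SonarQube or Node.js API): returns findings for
// the TLS-related variables a scanner step would be started with.
function checkScannerTlsEnv(env) {
  const findings = [];
  // "0" disables certificate verification for every TLS connection the
  // Node.js process makes, not only the one to the SonarQube server.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') findings.push('verification-disabled');

  const caPath = env.NODE_EXTRA_CA_CERTS;
  if (!caPath) {
    findings.push('extra-ca-unset');
  } else if (!fs.existsSync(caPath)) {
    // Node.js only emits a warning and carries on when the file cannot be loaded.
    findings.push('extra-ca-missing');
  } else {
    const text = fs.readFileSync(caPath, 'latin1');
    const blocks = text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
    // Framing check only: each block must base64-decode to a DER SEQUENCE (0x30).
    const looksPem = blocks.length > 0 && blocks.every((b) => {
      const b64 = b.replace(/-----[A-Z ]+-----/g, '').replace(/\s+/g, '');
      return Buffer.from(b64, 'base64')[0] === 0x30;
    });
    if (!looksPem) findings.push('extra-ca-not-pem'); // e.g. a binary DER .cer export
  }
  // The page sets the Java trust store through SONAR_SCANNER_OPTS.
  if (!/-Djavax\.net\.ssl\.trustStore=/.test(env.SONAR_SCANNER_OPTS || '')) {
    findings.push('truststore-unset');
  }
  return findings;
}

// Constructed sample: a placeholder PEM (5 DER bytes, not a real certificate).
function sampleRun() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sonar-ca-'));
  const pem = path.join(dir, 'sonarqube-ca.pem');
  const body = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x00]).toString('base64');
  fs.writeFileSync(pem, `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`);
  return checkScannerTlsEnv({
    NODE_TLS_REJECT_UNAUTHORIZED: '0', // left over from Solution #1
    NODE_EXTRA_CA_CERTS: pem,
    SONAR_SCANNER_OPTS: '-Djavax.net.ssl.trustStore="E:\\Java\\jdkversion\\lib\\security\\cacerts"',
  });
}
console.log(sampleRun());
```

Run it at the start of the pipeline job and fail the step on any finding; Node.js reads NODE_EXTRA_CA_CERTS only when the process starts, so the variable has to be set before the scanner task launches.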
