Windows Self-Hosted Worker PKIX path building failed
I am trying to install a Self-Hosted Worker on a Windows Server 2022 machine, but I keep getting the error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (Coroutine boundary)
I just can't find a solution, as I don't use a self-signed certificate. I tried it with the Docker version as well as the binary version. I also already tried adding the certificate I use in my Space instance to the Java cacerts, but that didn't work either. Is there a solution or a workaround?
Felix Zieten, could you please be more specific about the exact moment this error appears? Getting the entire logs would be great. Have you tried running workers from a separate machine (like a personal laptop, etc.)?
I have tried installing the worker on 2 different Windows Server machines and on a Windows 10 desktop, but the error is the same. It seems like the error appears after starting the Updater, since this is what PowerShell gives me:
12:43:28.644 INFO Updater config is created
Updater is started with following parameters:
serverUrl = https://space.trackystats.net
rootPath = C:\jetbrains\space\automation\worker
12:43:28.666 INFO Directories are created.
12:43:28.672 INFO Directories are cleaned.
12:43:29.279 ERROR
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(Coroutine boundary)
at io.ktor.client.engine.apache.ApacheHttpRequestKt.sendRequest(ApacheHttpRequest.kt:35)
at io.ktor.client.engine.apache.ApacheEngine.execute(ApacheEngine.kt:39)
at io.ktor.client.engine.HttpClientEngine$executeWithinCallContext$2.invokeSuspend(HttpClientEngine.kt:99)
at io.ktor.client.engine.HttpClientEngine$DefaultImpls.executeWithinCallContext(HttpClientEngine.kt:100)
at io.ktor.client.engine.HttpClientEngine$install$1.invokeSuspend(HttpClientEngine.kt:70)
at io.ktor.client.plugins.HttpSend$DefaultSender.execute(HttpSend.kt:138)
at io.ktor.client.plugins.HttpTimeout$Plugin$install$1.invokeSuspend(HttpTimeout.kt:170)
at io.ktor.client.plugins.HttpRedirect$Plugin$install$1.invokeSuspend(HttpRedirect.kt:61)
at io.ktor.client.plugins.HttpCallValidator$Companion$install$3.invokeSuspend(HttpCallValidator.kt:147)
at io.ktor.client.plugins.HttpSend$Plugin$install$1.invokeSuspend(HttpSend.kt:104)
at runtime.net.features.TracingPropagationFeature$Feature$install$1$1.invokeSuspend(TracingPropagationFeature.kt:33)
at circlet.platform.tracing.TraceExecutionKt.traceExecutionNested(TraceExecution.kt:39)
at runtime.net.features.TracingPropagationFeature$Feature$install$1.invokeSuspend(TracingPropagationFeature.kt:22)
at io.ktor.client.plugins.HttpCallValidator$Companion$install$1.invokeSuspend(HttpCallValidator.kt:126)
at io.ktor.client.plugins.HttpRequestLifecycle$Plugin$install$1.invokeSuspend(HttpRequestLifecycle.kt:35)
at io.ktor.client.HttpClient.execute$ktor_client_core(HttpClient.kt:191)
at io.ktor.client.statement.HttpStatement.executeUnsafe(HttpStatement.kt:108)
at io.ktor.client.statement.HttpStatement.execute(HttpStatement.kt:47)
at circlet.pipelines.worker.client.WorkerHttpClient.getActiveVersion(WorkerHttpClient.kt:166)
at circlet.pipelines.updater.UpdaterMainKt$runUpdater$1$5$1.invokeSuspend(UpdaterMain.kt:122)
Is there any extended log that I missed?
Felix Zieten, thanks for the details provided. It seems that the certificate used for space.trackystats.net is not passing a chain validity test (do you have your own trusted CA?), and it should be treated as a self-signed one. May I ask how exactly you inserted cacerts? Note that the worker has its own JRE and the certificate should be placed here: `<workerDir>\java\lib\security`.
OK, I found a solution. I tried to use an intermediate certificate. After I added it to the Java keystore, there was no issue occurring anymore! Not sure if I should have known that, since I haven't been working with SSL certificates for too long, but thank you for your help :)
OK, the interesting thing is, I got the runner to work, but when I try to run jobs on it, I get a similar error in the job logs. The job is just running a simple Hello World shell script. I'm a little confused now, since I added the certificate to every keystore I have :D
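The fix reported above (importing the intermediate certificate into the keystore of the JRE bundled with the worker, under `<workerDir>\java\lib\security`), as an added PowerShell example that is not part of the original posts or of JetBrains' documentation. The host name, `$WorkerDir`, `$CaFile` and the alias are placeholders; it assumes the bundled JRE ships `bin\keytool.exe` and that its `cacerts` still uses the JDK default password `changeit`.

```powershell
# Added example, not from the thread. Placeholders: host, $WorkerDir, $CaFile, alias.
# Assumptions: keytool.exe exists under <workerDir>\java\bin; store password is 'changeit'.
param(
    [string]$ServerHost = 'space.example.com',
    [string]$WorkerDir  = 'C:\path\to\worker',
    [string]$CaFile     = 'C:\certs\intermediate.cer',   # PEM or DER, single certificate
    [string]$Alias      = 'space-intermediate-ca',
    [string]$StorePass  = 'changeit'
)
$ErrorActionPreference = 'Stop'
$x509Type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$keytool  = Join-Path $WorkerDir 'java\bin\keytool.exe'
$cacerts  = Join-Path $WorkerDir 'java\lib\security\cacerts'

# 1. Read the leaf certificate the server presents. The callback accepts any
#    certificate because this connection is used only to inspect it.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerHost, 443)
try {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($ServerHost)
    $leaf = New-Object $x509Type -ArgumentList $ssl.RemoteCertificate
} finally {
    $tcp.Close()
}

# 2. Confirm the file really is the CA that issued the leaf, comparing the
#    encoded distinguished names byte for byte rather than as display strings.
$ca = New-Object $x509Type -ArgumentList $CaFile
$leafIssuer = [Convert]::ToBase64String($leaf.IssuerName.RawData)
$caSubject  = [Convert]::ToBase64String($ca.SubjectName.RawData)
if ($leafIssuer -ne $caSubject) {
    throw "CA file subject '$($ca.Subject)' is not the leaf's issuer '$($leaf.Issuer)'"
}

# 3. Back up the worker JRE trust store, import the CA certificate, then
#    verify that the alias is present.
$backup = "$cacerts.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item $cacerts $backup
& $keytool -importcert -trustcacerts -noprompt -alias $Alias -file $CaFile `
    -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "alias '$Alias' not found after import" }
```

Restart the worker afterwards, since the JVM reads its trust store at startup. Java does not fetch missing intermediates on its own by default, so a chain that validates in a browser on the same machine can still fail in the worker.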
Here is the Error in the Job Log:
Felix Zieten, my current assumption is that the certificate is not included in all of the images used by the automation service. As per the following instruction, there should be a `space.on-premises.conf` file generated, and it contains references to all of these images:
https://www.jetbrains.com/help/space/docker-compose-installation.html#enable-customization-of-your-space-on-premises-instance
Here are the images I'm referring to:
Could you please double-check this and let me know about the results?
I checked the space.on-premise.conf and found the image entries that you referred to. Do I have to add the certificate as trusted to the images somewhere? :o
Felix Zieten, yes, it's necessary to build custom images based on the default ones and include certificates there. Then, modify the configuration files, so they refer to the new images.
Hi Pavel,
I have the same problems.
We have an on-premise Docker installation with nginx.
Everything works fine.
We use an internal CA, so I understood that I have to create an image and insert our CA into it.
How do I build a custom image?
Best regards,
Markus