ON-PREM : Helm : Override the dslCompiler image used via values.yaml

Due to running our own Certificate Authority, I need to address the following error.  But, I can tell that the image being brought down by the automation worker is the default one, and not my specified one.


DSL processing started
Using Automation DSL runtime version 1.1.1596
Cleaned up the output folder: /tmp/8326280698569383276
Exception in thread "main" runtime.net.XHRException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at runtime.net.KtorHttpKt.ktorClientRequest(KtorHttp.kt:146)


Automation worker log - showing wrong image being used
20:03:57.885 INFO  [WORKER_LOG_LINE@default] INFO  c.p.c.r.SingleProcessComposeRunner - 1 container(s) started: public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_9159041816704179305
20:04:00.089 INFO  [WORKER_LOG_LINE@default] INFO  c.p.c.r.SingleProcessComposeRunner - Service public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_9159041816704179305 execution finished with exit code 1


Evidence in which images docker has loaded
webtask@trainintspcwrk001:~$ docker image ls
REPOSITORY                                                                        TAG                  IMAGE ID       CREATED       SIZE
nexus.webadmin.rainhail.com/rainhail/space-automation-worker-2022.1.0-beta.1596   1.0.0                eb5449fa01ad   3 days ago    563MB
public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile   2022.1.0-BETA.1596   20d30bc83d3f   2 weeks ago   565MB


1. I am running an automation worker via Docker
2. I am running space via K8S

relevant values.yaml

        registry: "nexus.webadmin.rainhail.com/rainhail"
        repository: "space-automation-dsl-compile-2022.1.0-beta.1596"
        tag: "1.0.0"


In looking at the docker compose file that is being created, it is using the default image, not the one supplied in the values.yaml:

version: "2.4"
    image: "public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596"
    container_name: "public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_6478632853887834916"


While waiting for feedback, I am using this work-around.  I am tagging my image with the name of the default image being used by the automation worker.

sudo docker tag nexus.webadmin.rainhail.com/rainhail/space-automation-dsl-compile-2022.1.0-beta.1596:1.0.0 public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596


Hi Brooke Hedrick, could you please share the space-conf ConfigMap details with us for further investigation? Just in case, below is the command needed:

kubectl -n $namespace get cm $configmap_name -o yaml

Please submit a support request if there's any sensitive info there. Thanks!


kubectl -n space-ns get cm jb-space-space-conf -o yaml

apiVersion: v1
  app.conf: "\nktor {\n    deployment {\n        environment = production\n        port
    = 8084\n        internalPort = 9084\n        autoreload = false\n        callGroupSize
    = 8\n    }\n\n    application {\n        modules = [circlet.server.ServerKt.main]\n
    \   }\n}\n\ncirclet {\n    stackName = \"Space On-Premises\"\n\n    server {\n
    \       features = [apiRules, onPremise]\n        enabledFeatureFlags = [FULL_TEXT_SEARCH_FOR_CODE_SNIPPETS_IN_CHAT_MESSAGES,
    FTS_GOTO_AGGREGATOR_FLOW]\n        enableSqlTracing = false\n        enableExternalApiTracing
    = false\n        enableAutomationInternalsConfiguration = true\n        enableActiveAppTracker
    = true\n        dumpStacksOnExit = false\n        httpApiTimeout = 60000\n        dontFailOnLargeBatches
    = true\n        rpcTimeout = 60000\n        permissionCacheCalculationInterval
    = 2000\n        dbCacheCalculationTimeoutMs = 60000\n        pidFileName = \".main_app.pid\"\n
    \       orgInitTimeout = 180000\n    }\n\n    onprem {\n        jetSalesURL =
    \"https://account.jetbrains.com\"\n    }\n\n    push {\n        proxy {\n            url
    = \"https://on-premises.service.jetbrains.space\"\n        }\n    }\n\n    preload
    {\n        defaultProviders = [PreloadSpaceFeedAdvertiser, PreloadDefaultNotificationSettings,
    PreloadGeneralChannel]\n        builtinAuthModule {\n            enabled = true\n
    \       }\n        admin {\n            firstName   = ${SPACE_LOCAL_ADMIN_FIRSTNAME}\n
    \           lastName    = ${SPACE_LOCAL_ADMIN_LASTNAME}\n            username
    \   = ${SPACE_LOCAL_ADMIN_USERNAME}\n            email       = ${SPACE_LOCAL_ADMIN_EMAIL}\n
    \           password    = ${SPACE_LOCAL_ADMIN_PASSWORD}\n        }\n    }\n\n
    \   masterSecret = ${SPACE_MASTER_SECRET}\n\n    db {\n        type         =
    \"postgresql\"\n        schemaPrefix = \"crclt_\"\n        host         = ${DB_HOSTNAME}\n
    \       username     = ${DB_USERNAME}\n        password     = ${DB_PASSWORD}\n\n
    \       postgresql {\n            driver  = \"org.postgresql.Driver\"\n            url
    \    = ${DB_URL}\n        }\n\n        pool {\n            vendor = \"hikari\"\n\n
    \           maxActive = 96\n            minIdle   = ${DB_IDLE_POOL_SIZE}\n        }\n\n
    \       debug {\n            similar_queries_count_threshold = 10\n            all_queries_count_threshold
    \    = 100\n        }\n    }\n\n    organization {\n        // TODO: remove it
    when the new build is here: CRL-T-14412\n        name   = ${SPACE_ORGANIZATION_NAME}\n
    \       slogan = ${SPACE_ORGANIZATION_SLOGAN}\n        domain = \"space\"\n        schema
    = \"spacedb\"\n    }\n\n    bus {\n        engine = \"redis\"\n        host =
    ${REDIS_URL}\n        type = ${REDIS_ARCHITECTURE}\n        username = ${?REDIS_USERNAME}\n
    \       password = ${?REDIS_PASSWORD}\n    }\n\n    storage {\n        aws {\n
    \           region        = ${SPACE_STORAGE_REGION}\n            bucket        =
    ${SPACE_STORAGE_BUCKET_NAME}\n            bucketCreated = ${?SPACE_STORAGE_BUCKET_CREATED}\n
    \           endpoint      = ${SPACE_STORAGE_URL}\n            accessKey     =
    ${SPACE_STORAGE_ACCESS_KEY}\n            secretKey     = ${SPACE_STORAGE_SECRET_KEY}\n
    \           cacheMaxAge   = 86400\n        }\n        elastic {\n            host
    \           prefix  = ${?SPACE_STORAGE_ELASTIC_PREFIX}\n            auth {\n                token
    \               username = ${?SPACE_STORAGE_ELASTIC_AUTH_USERNAME}\n                password
    = ${?SPACE_STORAGE_ELASTIC_AUTH_PASSWORD}\n            }\n        }\n        reIndex
    = true\n    }\n\n    audit {\n        elastic {\n            host    = ${SPACE_STORAGE_ELASTIC_AUDIT_HOSTNAME}\n
    \           port    = ${SPACE_STORAGE_ELASTIC_AUDIT_PORT}\n            auth {\n
    \               token = ${?SPACE_STORAGE_ELASTIC_AUDIT_AUTH_TOKEN}\n                apiKey
    \               password = ${?SPACE_STORAGE_ELASTIC_AUDIT_AUTH_PASSWORD}\n            }\n
    \       }\n    }\n\n    perf {\n        client {\n            enabled = false\n
    \       }\n        elastic {\n            enabled = false\n        }\n\n        riemann
    {\n            enabled = false\n        }\n\n        prometheus {\n            enabled
    = false\n            jmx = false\n        }\n    }\n\n    metrics {\n        elastic
    {\n            host    = ${SPACE_STORAGE_ELASTIC_METRICS_HOSTNAME}\n            port
    \   = ${SPACE_STORAGE_ELASTIC_METRICS_PORT}\n            auth {\n                token
    \               username = ${?SPACE_STORAGE_ELASTIC_METRICS_AUTH_USERNAME}\n                password
    = ${?SPACE_STORAGE_ELASTIC_METRICS_AUTH_PASSWORD}\n            }\n        }\n
    \   }\n\n    auth {\n        bruteForceGuard {\n            failedLoginCountThreshold
    = 3\n            failedLoginCountOrganizationThreshold = 1000\n            throttlingDuration
    = \"1day\"\n            recaptcha {\n                siteKey     = ${?SPACE_AUTH_RECAPTCHAV2_SITEKEY}\n
    \               secretKey   = ${?SPACE_AUTH_RECAPTCHAV2_SECRETKEY}\n            }\n
    \       }\n    }\n\n    // Circlet as OAuth 2.0 authentication server\n    oauth
    {\n        rememberMe {\n            // Remember me cookie TTL in seconds\n            ttl
    {\n                // If user checked remember me\n                userLong =
    2592000 // 30 * 24 * 60 * 60\n                // If admin checked remember me\n
    \               adminLong = 604800 // 7 * 24 * 60 * 60\n                // If
    user or admin unchecked remember me\n                short = 3600 // 60 * 60\n
    \           }\n\n            // Authentication session cache\n            cache
    {\n                protectedQueueSize = 100\n                probationalQueueSize
    = 100\n            }\n        }\n\n        accessToken {\n            // Access
    token TTL in seconds\n            ttl = 600 // do not use anything longer in production,
    potential security issue\n            // List of client IDs with custom TTL for
    access_token\n            ttlCustom {\n                \"circlet-ios-app\" = 25h\n
    \               \"circlet-android-app\" = 25h\n            }\n\n            //
    RSA512 key pair to sign JWT\n            rsa {\n                // X.509 encoded
    public key\n                public = ${SPACE_OAUTH_ACCESSTOKEN_RSA_PUBLIC}\n\n
    \               // PKCS#8 encoded private key\n                private = ${SPACE_OAUTH_ACCESSTOKEN_RSA_PRIVATE}\n
    \           }\n        }\n\n        message {\n            encoding {\n                //
    an example of 128 bit key for AES.\n                // openssl rand 16 | base64\n
    \               key = ${SPACE_OAUTH_MESSAGE_ENCODING_KEY}\n            }\n        }\n\n
    \       twoFactor {\n            // an example of 128 bit key for AES.\n            //
    openssl rand 16 | base64\n            encryptionKey = ${SPACE_OAUTH_2FA_ENCODING_KEY}\n
    \       }\n\n        // 128 bit key for AES.\n        encryptionKey = ${SPACE_OAUTH_ENCODING_KEY}\n\n
    \       // 2048-bit public/private key pair for signing/verifying outgoing messages
    to applications\n        messageSigning {\n            rsa {\n                //
    X.509 encoded public key\n                public = ${SPACE_OAUTH_MESSAGE_SIGNING_RSA_PUBLIC}\n\n
    \               // PKCS#8 encoded private key\n                private = ${SPACE_OAUTH_MESSAGE_SIGNING_RSA_PRIVATE}\n
    \           }\n        }\n    }\n\n    supervisor {\n        orgDatabases {\n
    \           default {\n                host = ${circlet.db.host}\n                type
    = ${circlet.db.type}\n            }\n        }\n    }\n\n    limits {\n        perOrg
    = {\n            \"totalMembers\" = {\n                softCap = 9000000\n                hardCap
    = 10000000\n            }\n        }\n        request {\n            sessionTTL
    = 5000\n            limits = [\n                {\n                    type =
    \"bandwidth\"\n                    capacity = 1000\n                    refill
    {\n                        tokens = 400\n                        duration = \"1
    second\"\n                    }\n                },\n                {\n                    type
    = \"bandwidth\"\n                    capacity = 10000\n                    refill
    {\n                        tokens = 10000\n                        duration =
    \"1 minute\"\n                    }\n                }\n            ]\n        }\n
    \   }\n    \n    \n    vcs {\n        url     = ${SPACE_VCS_URL}\n        secret
    \ = ${SPACE_VCS_TOKEN}\n    }\n\n    mail {\n        outgoing {\n            enabled
    \             = true\n            fromAddress          = ${?SPACE_MAIL_SERVER_FROM_ADDRESS}\n
    \           host                 = ${?SPACE_MAIL_SERVER_HOSTNAME}\n            port
    \                = ${?SPACE_MAIL_SERVER_PORT}\n            protocol             =
    \"SMTP\"\n            login                = ${?SPACE_MAIL_SERVER_USERNAME}\n
    \           password             = ${?SPACE_MAIL_SERVER_PASSWORD}\n            messageQueuePrefix
    \  = ${?SPACE_MAIL_SERVER_MESSAGE_QUEUE_PREFIX}\n            aggregationDelaySecs
    = ${?SPACE_MAIL_SERVER_AGGREGATION_DELAY_SECS}\n            rateLimitPerSecond
    \  = ${?SPACE_MAIL_SERVER_RATE_LIMIT_PER_SECOND}\n        }\n    }\n\n    endUserAgreement
    {\n        jetBrains {\n            enabled = false\n        }\n    }\n\n    frontend
    {\n        url         = ${SPACE_EXTERNAL_URL}\n        internalUrl = ${SPACE_INTERNAL_URL}\n
    \       internalALB {\n            enabled = false\n        }\n        altUrls
    = [${?SPACE_ALT_URLS}]\n\n        enableWebdriverTestIds = false\n    }\n\n    healthcheck
    {\n        username = \"healthcheck\"\n        password = \"healthcheck\"\n    }\n\n
    \   webhooks {\n        key = ${SPACE_WEBHOOK_KEY}\n        client = \"Apache\"\n
    \   }\n\n    unfurl {\n        client = \"Apache\"\n    }\n\n    // external language
    server. This implementation implies syntax highlight only\n    // `client` should
    be one of `net` or `local`\n    language-server {\n        client  = net\n        engine
    \ = Apache\n        host    = ${SPACE_LANGSERVICE_HOSTNAME}\n        port    =
    ${SPACE_LANGSERVICE_PORT}\n    }\n\n    pipelines {\n        dsl {\n            compilation
    {\n                uploadCompiledDslAsZip = true\n                image = \"public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596\"\n
    \               storage {\n                    aws {\n                        region
    \       = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_REGION}\n                        bucket
    \       = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_BUCKET_NAME}\n                        bucketCreated
    = ${?SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_BUCKET_CREATED}\n                        endpoint
    \     = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_URL}\n                        accessKey
    \    = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_ACCESS_KEY}\n                        secretKey
    \    = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_SECRET_KEY}\n                        cacheMaxAge
    \  = 86400\n                    }\n                    reIndex = true\n                }\n
    \           }\n            runtime {\n                mavenRepo {\n                    url
    = \"https://maven.pkg.jetbrains.space/public/p/space/maven\"\n                }\n
    \           }\n        }\n\n        execution {\n            type = \"docker\"\n
    \           backends = [\"worker\"]\n\n            // TODO: Remove this block
    as soon as Automation supports it.\n            bootstrap {\n                image
    = \"671090787922.dkr.ecr.eu-west-1.amazonaws.com/automation/alpine/git:v2.30.2-jb\"\n
    \          }\n\n            compose {\n                wrapperImage = \"public.registry.jetbrains.space/p/space/containers/space-automation-compose-host:2022.1.0-BETA.1596\"\n
    \           }\n\n            worker {\n                image = \"public.registry.jetbrains.space/p/space/containers/space-automation-worker:2022.1.0-BETA.1596\"\n
    \               initialVersion = \"default\"\n                dockerBuilderImage
    = \"public.registry.jetbrains.space/p/space/containers/space-automation-docker-builder:2022.1.0-BETA.1596\"\n
    \               dslCompileImage = \"public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596\"\n
    \           }\n\n            fileshare {\n                 storage {\n                    aws
    {\n                        region        = ${SPACE_STORAGE_AUTOMATION_WORKER_REGION}\n
    \                       bucket        = ${SPACE_STORAGE_AUTOMATION_WORKER_BUCKET_NAME}\n
    \                       bucketCreated = ${?SPACE_STORAGE_AUTOMATION_WORKER_BUCKET_CREATED}\n
    \                       endpoint      = ${SPACE_STORAGE_AUTOMATION_WORKER_URL}\n
    \                       accessKey     = ${SPACE_STORAGE_AUTOMATION_WORKER_ACCESS_KEY}\n
    \                       secretKey     = ${SPACE_STORAGE_AUTOMATION_WORKER_SECRET_KEY}\n
    \                       cacheMaxAge   = 86400\n                    }\n                    reIndex
    = true\n                }\n            }\n        }\n\n        serviceMessages
    {\n                 storage {\n                    aws {\n                        region
    \       = ${SPACE_STORAGE_AUTOMATION_LOGS_REGION}\n                        bucket
    \       = ${SPACE_STORAGE_AUTOMATION_LOGS_BUCKET_NAME}\n                        bucketCreated
    = ${?SPACE_STORAGE_AUTOMATION_LOGS_BUCKET_CREATED}\n                        endpoint
    \     = ${SPACE_STORAGE_AUTOMATION_LOGS_URL}\n                        accessKey
    \    = ${SPACE_STORAGE_AUTOMATION_LOGS_ACCESS_KEY}\n                        secretKey
    \    = ${SPACE_STORAGE_AUTOMATION_LOGS_SECRET_KEY}\n                        cacheMaxAge
    \  = 86400\n                    }\n                    reIndex = true\n                }\n
    \       }\n\n        blockstorage {\n            engine = \"local-docker\"\n        }\n
    \   }\n\n    packages {\n        notifications {\n            enabled = true\n
    \       }\n        oauth {\n            clientId     = ${SPACE_PACKAGES_CLIENT_ID}\n
    \           clientSecret = ${SPACE_PACKAGES_CLIENT_SECRET}\n        }\n\n        types
    {\n            maven {\n                url = ${SPACE_PACKAGES_EXTERNAL_URL}\n
    \               internalUrl = ${SPACE_PACKAGES_INTERNAL_URL}\n            }\n\n
    \           nuget {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           npm {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           container {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           pypi {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           composer {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           files {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n
    \       }\n    }\n\n    attachments {\n        useCdn = false\n    }\n}\n"
kind: ConfigMap
    meta.helm.sh/release-name: jb-space
    meta.helm.sh/release-namespace: space-ns
  creationTimestamp: "2022-08-08T19:47:06Z"
    app.kubernetes.io/component: space
    app.kubernetes.io/instance: jb-space
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: space
    helm.sh/chart: space-2022.1.0
  name: jb-space-space-conf
  namespace: space-ns
  resourceVersion: "41651300"
  uid: e7e1ec29-f3f0-455b-8b34-9f782be718a9

Hi Brooke Hedrick, I just experimented with my local cluster configuration using exactly the same values you shared initially, and the changes have been successfully propagated to the app.conf file. Could you please double-check that all indentation and contexts are defined correctly, as it really seems that Space uses the fallback image values specified in the default values.yaml file?


Pavel Boger,

Where can I find the app.conf file?

Did you notice that the configmap for my space-conf was not updated to the values from my values.yaml?

I have been doing 

helm uninstall ..
helm install ...

Each time I make changes to the values.yaml - if that matters.


Brooke Hedrick, that's correct, I referred to the CM configuration you shared previously when talking about app.conf file, and yes, we can see that changes haven't been propagated. Therefore, I asked to double-check that formatting for the automation block is correct.

Instead of reinstalling Space from scratch, let's try to apply the value changes to the already existing installation. Please create a custom values.yaml file with the custom image parameters beforehand. The commands should look like this:

 helm template jb-space jetbrains-space-onpremises/space --namespace space-ns -f custom_values.yaml | kubectl apply -f-



Hi. We are facing the same (or a similar) problem but on a Docker on-premises installation.

We use a self-signed certificate on Space, and when the container `space-automation-dsl-compile` tries to connect to Space it gets the following error:

DSL processing started
Using Automation DSL runtime version 1.2.2496
Downloading DSL script content from https://space.example.com/vcs/file/project-name-3c1e35e6/5105ddd6f690e38e33d898e2ff3efb0f80c4b4f2//.space.kts
Cleaned up the output folder: /tmp/12105410624355369358

Exception in thread "main" runtime.net.XHRException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at runtime.net.KtorHttpKt.ktorClientRequest(KtorHttp.kt:146)
    at runtime.net.KtorHttpKt.access$ktorClientRequest(KtorHttp.kt:1)
    at runtime.net.KtorHttpKt$ktorClientRequest$1.invokeSuspend(KtorHttp.kt)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:285)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:345)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
    ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 24 more


Here is our `.space.kts`

job("Example shell script") {
    host(displayName = "Say Hello") {
        shellScript {
            content = """
                echo Hello
                echo World!
            """
        }
    }
}


Any tips on how to handle this?



Modestino, could you please refer to the following comment?


The fact is that Space Automation uses multiple container images when the job is initiated; therefore, it's necessary to include custom cacerts in each of these images.
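A check for the situation discussed in this thread, added here as an example (it is not part of any post above and is not JetBrains tooling): it reads an unescaped `app.conf` and reports every image key whose value does not start with the expected registry prefix. The function names, the status labels and the reconstructed layout of the sample are assumptions; the image references are the ones in the ConfigMap posted above.

```shell
#!/bin/sh
# Added example. Sample input: the image settings from the ConfigMap posted
# above, abridged, with whitespace reconstructed (constructed layout).
sample_app_conf() {
cat <<'EOF'
pipelines {
    dsl {
        compilation {
            image = "public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596"
        }
    }
    execution {
        bootstrap {
            image = "671090787922.dkr.ecr.eu-west-1.amazonaws.com/automation/alpine/git:v2.30.2-jb"
        }
        compose {
            wrapperImage = "public.registry.jetbrains.space/p/space/containers/space-automation-compose-host:2022.1.0-BETA.1596"
        }
        worker {
            image = "public.registry.jetbrains.space/p/space/containers/space-automation-worker:2022.1.0-BETA.1596"
            dockerBuilderImage = "public.registry.jetbrains.space/p/space/containers/space-automation-docker-builder:2022.1.0-BETA.1596"
            dslCompileImage = "public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596"
        }
    }
}
EOF
}

# audit_images PREFIX  (hypothetical helper)
# Reads app.conf text on stdin and prints one line per image setting:
#   STATUS <tab> config.path.key <tab> image reference
# STATUS is OK when the reference starts with PREFIX, MISMATCH otherwise.
# Returns 1 if any image is a MISMATCH, 0 if all are OK.
audit_images() {
    awk -v want="$1" '
        # "name {" opens a block: push the name onto the path stack
        /^[ \t]*[A-Za-z_-]+[ \t]*[{][ \t]*$/ {
            name = $0; gsub(/[ \t{]/, "", name); stack[++depth] = name; next
        }
        # "}" closes the innermost block
        /^[ \t]*[}][ \t]*$/ { if (depth > 0) depth--; next }
        # keys ending in "image": image, wrapperImage, dslCompileImage, ...
        /^[ \t]*[A-Za-z]*[Ii]mage[ \t]*=[ \t]*"/ {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            ref = $0; sub(/^[^"]*"/, "", ref); sub(/".*/, "", ref)
            path = ""
            for (i = 1; i <= depth; i++) path = path stack[i] "."
            status = (index(ref, want) == 1) ? "OK" : "MISMATCH"
            if (status != "OK") bad++
            printf "%s\t%s%s\t%s\n", status, path, key, ref
        }
        END { exit (bad > 0) }
    '
}

# Against a live cluster the same function can read the ConfigMap directly:
#   kubectl -n space-ns get cm jb-space-space-conf \
#       -o jsonpath='{.data.app\.conf}' | audit_images "<your registry>/"

# Audit the sample against the registry from the values.yaml on this page.
sample_app_conf | audit_images "nexus.webadmin.rainhail.com/rainhail/" \
    || echo "some images do not come from the expected registry" >&2
```

Because the workaround earlier in the thread retags a local image under the public name, the name in `app.conf` alone does not show which image a worker actually runs; compare the IMAGE ID from `docker image ls` as well.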



