Error pushing workspace

[prlcutting]

I use Structurizr Lite locally in a Docker container to author my content. I want to use the Structurizr CLI to publish my workspace.dsl file (no custom diagram layout yet) to my Structurizr cloud account. This is currently a free account while we evaluate Structurizr, but the intent is to purchase a cloud account. I've followed the instructions, and think I have everything set up correctly. Here's the PowerShell script I'm running (with the appropriate variables/secrets substituted of course):

# Publish workspace.dsl file to the cloud
docker run -it --rm -v "${PSScriptRoot}:/usr/local/structurizr" structurizr/cli `
push -id $WorkspaceId -key $WorkspaceApiKey -secret $WorkspaceApiSecret -workspace workspace.dsl

However, the push command fails with the following log message:

Pushing workspace 12345 to https://api.structurizr.com
 - creating new workspace
 - parsing model and views from /usr/local/structurizr/workspace.dsl
 - merge layout from remote: true
 - storing previous version of workspace in null
 - pushing workspace
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
May 06, 2022 8:08:50 PM com.structurizr.api.StructurizrClient getWorkspace
INFO: Getting workspace with ID 12345
May 06, 2022 8:08:50 PM com.structurizr.api.StructurizrClient getWorkspace
SEVERE: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
May 06, 2022 8:08:50 PM com.structurizr.api.StructurizrClient putWorkspace
SEVERE: com.structurizr.api.StructurizrClientException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.structurizr.api.StructurizrClientException: com.structurizr.api.StructurizrClientException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.structurizr.api.StructurizrClient.putWorkspace(StructurizrClient.java:420)
        at com.structurizr.cli.PushCommand.run(PushCommand.java:133)
        at com.structurizr.cli.StructurizrCliApplication.run(StructurizrCliApplication.java:28)
        at com.structurizr.cli.StructurizrCliApplication.main(StructurizrCliApplication.java:81)
Caused by: com.structurizr.api.StructurizrClientException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.structurizr.api.StructurizrClient.getWorkspace(StructurizrClient.java:353)
        at com.structurizr.api.StructurizrClient.putWorkspace(StructurizrClient.java:373)
        ... 3 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
        at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:273)
        at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:241)
        at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:148)
        at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:396)
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:158)
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:168)
        at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:136)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57)
        at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:175)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57)
        at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:96)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57)
        at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:133)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57)
        at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:115)
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:170)
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:75)
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:89)
        at com.structurizr.api.StructurizrClient.getWorkspace(StructurizrClient.java:318)
        ... 4 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
        ... 39 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 44 more

Am I doing something wrong, or is this a problem on the backend? Is this something available only with a paid account? I did search the docs to see if there were any hints of this. In the Products comparison table, I did see a note that said "API and storage limitations apply", but I couldn't find a description of what those limitations are, so perhaps that is the problem?

Thanks in advance for any guidance.

[prlcutting]

I activated the 14 day free trial subscription for the cloud service, but the same problem remains.

[simonbrowndotje]

The error message suggests that your computer doesn't trust the structurizr.com SSL certificate, and this is likely caused by something like the following:

• An old OS
• An old Java version
• A custom Java version and/or custom trust store
• A corporate network sniffing/monitoring SSL traffic
• Local network restrictions
• Proxy server(s)
• etc

You'll likely find that it works okay on another computer/network. Searching for javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target might provide some suggestions on how to resolve the problem.

Alternatively, rather than using the CLI, you might try configuring auto-sync in Structurizr Lite instead, as the web API call will be made directly from the Docker container instead of your computer.

[jacobevansgit]

@prlcutting I was able to make it work.

Basically you will need to download your *.cer certificate from your server/website where you are able to authenticate via HTTPS through a webbrowser. You can then import the cert into the structurizer-cli java truststore Then you should be able to push to your URL.

Here is a guide I followed. https://medium.com/expedia-group-tech/how-to-import-public-certificates-into-javas-truststore-from-a-browser-a35e49a806dc

[prlcutting]

Apologies for the delayed response to this. Thank you both for the input, suggestions and reference information. I got pulled onto other assignments recently, but hope to get back to this later this week or next. I might try the auto-sync option as the easiest route to try first, and then pursue the certificate approach. Thanks again.