Error "Check for updates call failed"


nagender singh
Jan 5, 2023, 6:12:04 AM
to OWASP ZAP User Group
Hi

I am trying the command below:
sudo docker run --net zaptestnet  --rm -v {workspace}:/zap/wrk/:rw -t owasp/zap2docker-live bash -c 'zap.sh -cmd -addonupdate; zap.sh -cmd -addoninstall jython; zap.sh -cmd -addonlist; zap.sh -cmd -autorun /zap/wrk/fullscan.yaml'

But I am getting this error:
INFO: Created user preferences directory. 
Check for updates call failed
.
.
Job script Script Engine: jython not found Unexpected error accessing file /zap/wrk/fullscan.yaml : No such engine: jython - see log for details null

- I copied 'LogMessages.js' into my workspace and added the job to the YAML, but the log file is not being generated.

Note: I am on a corporate network; the same command works on my personal machine. It would be a great help if anyone could point me in the right direction.

Thanks!

Simon Bennetts
Jan 5, 2023, 6:15:05 AM
to OWASP ZAP User Group
If the Check for updates call fails then ZAP will not be able to install any new add-ons.
Try configuring ZAP to proxy through your corporate proxy.
The Automation Framework does not directly support an outgoing proxy, but you will be able to configure it using the "-config" options.

Cheers,

Simon
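
The "-config" route Simon describes, as an added example that is not code from the thread, from ZAP or from the zap2docker image: a small shell script that writes the outgoing-proxy settings of the network add-on and passes them to every zap.sh call of the chained command. The key names network.connection.httpProxy.*, the proxy address proxy.corp.example:3128 and the file name proxy.properties are assumptions; confirm the keys against the config.xml of the ZAP version inside your image before relying on them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, ZAP or the zap2docker image): route ZAP's
# outgoing connections, including the Check for Updates call, through a
# corporate proxy using ZAP's -config / -configfile command-line options.
set -eu

# Option keys of the network add-on's outgoing HTTP proxy. These names are an
# assumption taken from the add-on's options; confirm them in the config.xml
# of the ZAP version inside your image.
PROXY_KEY=network.connection.httpProxy

# -config form: one key=value per flag, appended to a zap.sh command line.
# Credentials given this way are visible in the container's process list and
# in the Jenkins console; prefer the file form below for those.
zap_proxy_args() {
  local host=$1 port=$2 user=${3:-} pass=${4:-}
  printf '%s' "-config $PROXY_KEY.enabled=true -config $PROXY_KEY.host=$host -config $PROXY_KEY.port=$port"
  if [ -n "$user" ]; then
    printf '%s' " -config $PROXY_KEY.authEnabled=true -config $PROXY_KEY.userName=$user -config $PROXY_KEY.password=$pass"
  fi
}

# -configfile form: the same keys as key=value lines in a file that reaches
# the container through the mounted workspace.
write_proxy_configfile() {
  local out=$1 host=$2 port=$3 user=${4:-} pass=${5:-}
  {
    printf '%s.enabled=true\n%s.host=%s\n%s.port=%s\n' \
      "$PROXY_KEY" "$PROXY_KEY" "$host" "$PROXY_KEY" "$port"
    if [ -n "$user" ]; then
      printf '%s.authEnabled=true\n%s.userName=%s\n%s.password=%s\n' \
        "$PROXY_KEY" "$PROXY_KEY" "$user" "$PROXY_KEY" "$pass"
    fi
  } > "$out"
  chmod 600 "$out"
}

# The thread's chained invocation with -configfile on every zap.sh call:
# each call is a separate ZAP process, so each one needs the settings.
zap_docker_cmd() {
  local workspace=$1 cfg=/zap/wrk/proxy.properties
  printf "docker run --net zaptestnet --rm -v %s:/zap/wrk/:rw -t owasp/zap2docker-live bash -c '" "$workspace"
  printf 'zap.sh -cmd -configfile %s -addonupdate; ' "$cfg"
  printf 'zap.sh -cmd -configfile %s -addoninstall jython; ' "$cfg"
  printf 'zap.sh -cmd -configfile %s -autorun /zap/wrk/fullscan.yaml' "$cfg"
  printf "'\n"
}

# Demo against an assumed proxy (proxy.corp.example:3128) in a temporary workspace.
workspace=$(mktemp -d)
write_proxy_configfile "$workspace/proxy.properties" proxy.corp.example 3128
echo "Command-line form: $(zap_proxy_args proxy.corp.example 3128)"
echo "Config file ($workspace/proxy.properties):"
cat "$workspace/proxy.properties"
echo "Container invocation:"
zap_docker_cmd "$workspace"
```

Run it, copy the printed invocation, and point the -v mount at the real workspace that holds fullscan.yaml and proxy.properties. The file form exists only to keep proxy credentials out of `ps` output and build logs; for an unauthenticated proxy the -config flags from zap_proxy_args on each zap.sh call do the same job.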

nagender singh
Jan 5, 2023, 7:11:04 AM
to OWASP ZAP User Group
Thanks Simon.
I will try that and revert.

Meanwhile, on my local machine (where the command runs fine), I can see that it is downloading the add-on from https://github.com/zaproxy/zap-extensions/releases/download/jython-v12/jython-beta-12.zap. This URL is accessible from my corporate server's ZAP container as well, proving that the container is able to reach the internet. Do I still need to configure the proxy?

Thanks!

nagender singh
Jan 5, 2023, 7:37:22 AM
to OWASP ZAP User Group
Hi Simon

Thanks to your input on passing the config argument, I am finally able to generate logs.

I can see the error below in the logs:

2023-01-05 12:32:23,028 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:36712
2023-01-05 12:32:23,035 [main ] INFO  ExtensionNetwork - Creating new root CA certificate.
2023-01-05 12:32:24,507 [main ] INFO  ExtensionNetwork - New root CA certificate created.
2023-01-05 12:32:24,975 [ZAP-cfu] WARN  ExtensionCallHome - Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?
2023-01-05 12:32:25,539 [main ] ERROR CommandLine - Check for updates call failed
2023-01-05 12:32:25,912 [ZAP-telemetry-start] ERROR ExtensionCallHome - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[?:?]


Thanks!

BR
Nagender 

Simon Bennetts
Jan 5, 2023, 8:28:38 AM
to OWASP ZAP User Group
Hi Nagender,

Did you look at the error log?
"Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?" looks fairly explicit to me.
Try adding your corporate CA cert to the java truststore :)

Cheers,

Simon

nagender singh
Jan 5, 2023, 9:02:57 AM
to OWASP ZAP User Group
Hi Simon

Thank you!
Yes, the error is pretty explicit. :)

I am planning to take the approach below:
1) Run ZAP on the working server with the option -certfulldump
2) Take the CA file and private key from step 1, and add them to the JVM truststore on my enterprise server
3) Run ZAP on the enterprise server with the option -certload, passing the cert I just added to the truststore.

Is this approach fine? I am all ears for better suggestions. :)

Thanks!

BR
Nagender 

nagender singh
Jan 5, 2023, 10:12:07 AM
to OWASP ZAP User Group
Hi Simon

So I have tried the following:
1) Import the cert using the option -certfulldump, into the file certfile.cer. The file contains the CA cert and private key in the format below:

-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
...
-----END PRIVATE KEY-----

2) Now, on the enterprise server, add this to the Java keystore using the command below:
keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -file $WORKSPACE/certfile.cer -alias owasp_zap_root_ca -storepass changeit -noprompt

3) Use the certfile.cer in zap container:

docker run --user=0 --net zaptestnet --rm -v $WORKSPACE:/zap/wrk/:rw -t owasp/zap2docker-live bash -c "zap.sh -cmd -certload /zap/wrk/certfile.cer -addonupdate"

The command outputs the following:
Found Java version 11.0.16
Available memory: 13869 MB
Using JVM args: -Xmx3467m

Jan 05, 2023 2:54:48 PM java.util.prefs.FileSystemPreferences$1 run

INFO: Created user preferences directory.

Check for updates call failed   --> The update call is failing again
Root CA certificate loaded from /zap/wrk/certfile.cer  --> The root CA is loaded from the file we passed, but only after the update has been tried with the new cert

Zap logs show the same thing:

2023-01-05 14:45:22,971 [main ] INFO  DbMigrate - Successfully applied 1 migration to schema "PUBLIC", now at version v1 (execution time 00:00.022s)
2023-01-05 14:45:22,977 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:37449
2023-01-05 14:45:22,979 [main ] INFO  ExtensionNetwork - Creating new root CA certificate.   --> We are passing the cert, but ZAP is still creating a new cert
2023-01-05 14:45:24,079 [main ] INFO  ExtensionNetwork - New root CA certificate created.  
2023-01-05 14:45:25,196 [ZAP-cfu] WARN  ExtensionCallHome - Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?
2023-01-05 14:45:26,115 [main ] ERROR CommandLine - Check for updates call failed
2023-01-05 14:45:26,223 [main ] INFO  CommandLine - Root CA certificate loaded from /zap/wrk/certfile.cer   --> It loads the cert after doing all the work. :(

What could be the issue here?

Thanks!

kingthorin+owaspzap
Jan 5, 2023, 11:37:14 AM
to OWASP ZAP User Group
> Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?" looks fairly explicit to me.
> Try adding your corporate CA cert to the java truststore :)

Nobody said anything about ZAP's cert.

nagender singh
Jan 5, 2023, 10:52:23 PM
to OWASP ZAP User Group
Hi

My understanding was that adding ZAP's cert to the Java truststore of the corporate server should resolve the CA certificate trust issue.

Have I misinterpreted the error here?

Thanks!

Simon Bennetts
Jan 6, 2023, 4:19:04 AM
to OWASP ZAP User Group
Yes, you have misinterpreted the error :)

The problem is not ZAP's CA cert.
ZAP is trying to contact the ZAP Check For Update (CFU) service: https://www.zaproxy.org/faq/what-calls-home-does-zap-make/#check-for-updates
The HTTPS connection is failing because there is an untrusted cert used to establish the connection - your corporate one.
ZAP will not use the CFU service if an untrusted service is used - it could be an indication that your connection has been compromised. The CFU service downloads code that ZAP will run - you do not want to do that on a compromised connection.
So the solution is to add your corporate CA cert to the java truststore on the machine where ZAP is running.
If you do this correctly then the CA will be trusted and ZAP will then use the CFU service.

Cheers,

Simon
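
Simon's fix, as an added example that is not code from the thread, from ZAP or from the zap2docker image. ZAP here runs inside a container, so the Java truststore that has to trust the corporate CA is the cacerts file of the JVM inside the image, not the one on the Jenkins host; the script copies that file out of the image, imports the CA with keytool, and mounts the patched copy back over the original for the update run. The chain-splitting part runs offline on a constructed sample; the sample certificate bodies, the alias corporate-proxy-ca, the JVM layout used to locate cacerts and the argument convention "apply <workspace>" are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, ZAP or the zap2docker image): make the
# JVM inside the ZAP container trust the corporate proxy's CA so the Check for
# Updates HTTPS call passes PKIX validation.
set -eu

IMAGE=owasp/zap2docker-live    # image used in the thread
NETWORK=zaptestnet             # docker network used in the thread
CA_ALIAS=corporate-proxy-ca    # assumed alias; any name not already in cacerts

# Constructed sample of the chain a TLS-inspecting proxy presents, as printed
# by `openssl s_client -showcerts`: forged leaf first, proxy CA last. The
# bodies are placeholders, not real certificates.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
LEAF-FORGED-BY-PROXY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CORP-ROOT-CA
-----END CERTIFICATE-----'

# Number of certificates in the PEM bundle read from stdin.
pem_count() {
  grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Only the N-th (1-based) certificate of the PEM bundle read from stdin.
pem_nth() {
  awk -v want="$1" '
    /^-----BEGIN CERTIFICATE-----$/ { n++ }
    n == want { print }
    /^-----END CERTIFICATE-----$/ && n == want { exit }
  '
}

# Where the image's JVM keeps cacerts, derived from its java binary (assumed
# layout: <jvm>/bin/java and <jvm>/lib/security/cacerts).
image_cacerts_path() {
  docker run --rm "$IMAGE" sh -c \
    'j=$(readlink -f "$(command -v java)"); echo "$(dirname "$(dirname "$j")")/lib/security/cacerts"'
}

# Import a PEM CA into a truststore copy and confirm it is listed afterwards.
# Needs keytool on the host; "changeit" is the stock cacerts password.
import_ca() {
  local truststore=$1 pem=$2
  keytool -importcert -noprompt -trustcacerts -keystore "$truststore" \
    -storepass changeit -alias "$CA_ALIAS" -file "$pem"
  keytool -list -keystore "$truststore" -storepass changeit -alias "$CA_ALIAS" >/dev/null
}

# The docker invocation with the patched truststore mounted read-only over
# the image's cacerts, running the add-on update the thread was attempting.
zap_update_cmd() {
  local truststore=$1 image_cacerts=$2 workspace=$3
  printf 'docker run --rm --net %s -v %s:/zap/wrk/:rw -v %s:%s:ro -t %s zap.sh -cmd -addonupdate' \
    "$NETWORK" "$workspace" "$truststore" "$image_cacerts" "$IMAGE"
}

# Offline part: take the last certificate of the chain as the CA candidate.
# Replace SAMPLE_CHAIN with the real s_client output, or use the root CA
# file your network team provides.
workdir=$(mktemp -d)
n=$(printf '%s\n' "$SAMPLE_CHAIN" | pem_count)
printf '%s\n' "$SAMPLE_CHAIN" | pem_nth "$n" > "$workdir/corporate-ca.pem"
echo "chain has $n certificate(s); candidate CA written to $workdir/corporate-ca.pem"

# Live part, only when run as: ./trust-proxy-ca.sh apply /path/to/workspace
if [ "${1:-}" = apply ]; then
  cacerts=$(image_cacerts_path)
  docker run --rm "$IMAGE" cat "$cacerts" > "$workdir/cacerts"
  import_ca "$workdir/cacerts" "$workdir/corporate-ca.pem"
  eval "$(zap_update_cmd "$workdir/cacerts" "$cacerts" "${2:?workspace path}")"
fi
```

Running `openssl s_client -showcerts -connect www.zaproxy.org:443` from inside the corporate network shows what the proxy presents: a forged leaf for www.zaproxy.org followed by the proxy's CA. Taking the last certificate covers the case where the proxy sends its root; if it only sends an intermediate, get the root from the network team rather than trusting the intermediate. Once the patched cacerts is mounted, the "Certificate chain may be invalid" warning disappears from zap.log and the add-on update proceeds. -certload is unrelated to this: it loads ZAP's own root CA, the one ZAP uses to intercept the target's traffic, and does not change which CAs the JVM trusts.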

nagender singh
Jan 6, 2023, 5:05:15 AM
to OWASP ZAP User Group
Thanks a lot Simon, now I understand the problem. :)
I will talk to my enterprise network/security team.

Needed your opinion for the worst case scenario.
If the enterprise team doesn't permit this, as a workaround I was thinking of running ZAP on a separate machine and triggering the scan from the enterprise server using the API or over an SSH session (for example, using the SSH plugin in Jenkins). Does that sound okay to you?

Thanks again! :)
