Error "Check for updates call failed"

[nagender singh]

Hi

I am trying below command:

sudo docker run --net zaptestnet  --rm -v {workspace}:/zap/wrk/:rw -t owasp/zap2docker-live bash -c 'zap.sh -cmd -addonupdate; zap.sh -cmd -addoninstall jython; zap.sh -cmd -addonlist; zap.sh -cmd -autorun /zap/wrk/fullscan.yaml'

But getting this error:

INFO: Created user preferences directory. 

Check for updates call failed

.

.

Job script Script Engine: jython not found Unexpected error accessing file /zap/wrk/fullscan.yaml : No such engine: jython - see log for details null

To fetch the logs, I followed instructions from https://www.zaproxy.org/docs/docker/diagnosing-problems/#automation-framework

- Copied the 'LogMessages.js' in my workspace and added the job in yaml but log file is not getting generated

Note: I am in a corporate network, same command is working on my personal machine. It would be great help if anyone can point me in the right direction.

Thanks!

[Simon Bennetts]

If the Check for updates call fails then ZAP will not be able to install any new add-ons.

Try configuring ZAP to proxy through your corporate proxy.

The Automation Framework does not directly support an outgoing proxy, but you will be able to configure it using the "-config" options.

See https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Cheers,

Simon

[nagender singh]

Thanks Simon.

I will try that and revert.

Meanwhile, on my local machine(where the command is running fine), I can see that it is downloading the add-on from https://github.com/zaproxy/zap-extensions/releases/download/jython-v12/jython-beta-12.zap. This URL is accessible from my corporate server's ZAP container as well, proving that container is able to reach to the internet. Do I still need to configure the proxy?

Thanks!

[nagender singh]

Hi Simon

Thanks to your input of passing the config argument, I am finally able to generate logs.

I can see below error in the logs:

2023-01-05 12:32:23,028 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:36712
2023-01-05 12:32:23,035 [main ] INFO  ExtensionNetwork - Creating new root CA certificate.
2023-01-05 12:32:24,507 [main ] INFO  ExtensionNetwork - New root CA certificate created.
2023-01-05 12:32:24,975 [ZAP-cfu] WARN  ExtensionCallHome - Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?
2023-01-05 12:32:25,539 [main ] ERROR CommandLine - Check for updates call failed
2023-01-05 12:32:25,912 [ZAP-telemetry-start] ERROR ExtensionCallHome - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[?:?]

Thanks!

BR
Nagender 

[Simon Bennetts]

Hi Nagender,

Did you look at the error log?

"Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?" looks fairly explicit to me.

Try adding your corporate CA cert to the java truststore :)

Cheers,

Simon

[nagender singh]

Hi Simon

Thanks you!

Yes, the error is pretty explicit. :)

I am planning to take below approach:

1)  Run the zap on working server with option -certfulldump

2) Take the CA file and private key from step1, and add it in jvm trust store on my enterprise server

3) Run the zap on enterprise server with option  -certload passing the cert I just added in the trust store.

Is this approach fine? I am all ears for better suggestions. :)

Thanks!

BR
Nagender 

[nagender singh]

Hi Simon

So I have tried below:

1) Import the cert using option -certfulldump, in file certfile.cer. The file contains CA cert and private key in below format:

-----BEGIN CERTIFICATE-----

...

...

-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----

...

...

-----END PRIVATE KEY-----

2) Now, on the enterprise server, add this to java key store using below command:

keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -file $WORKSPACE/certfile.cer -alias owasp_zap_root_ca -storepass changeit -noprompt

3) Use the certfile.cer in zap container:

docker run --user=0 --net zaptestnet --rm -v $WORKSPACE:/zap/wrk/:rw -t owasp/zap2docker-live bash -c "zap.sh -cmd -certload /zap/wrk/certfile.cer -addonupdate

The command outputs below:

Found Java version 11.0.16
Available memory: 13869 MB
Using JVM args: -Xmx3467m

Jan 05, 2023 2:54:48 PM java.util.prefs.FileSystemPreferences$1 run

INFO: Created user preferences directory.

Check for updates call failed   --> Update call is failing again
Root CA certificate loaded from /zap/wrk/certfile.cer  --> root CA is loaded using the file that we passed but after trying the update with new cert

Zap logs show the same thing:

2023-01-05 14:45:22,971 [main ] INFO  DbMigrate - Successfully applied 1 migration to schema "PUBLIC", now at version v1 (execution time 00:00.022s)
2023-01-05 14:45:22,977 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:37449
2023-01-05 14:45:22,979 [main ] INFO  ExtensionNetwork - Creating new root CA certificate.   --> We are passing the cert, but zap is still creating a new cert
2023-01-05 14:45:24,079 [main ] INFO  ExtensionNetwork - New root CA certificate created.  
2023-01-05 14:45:25,196 [ZAP-cfu] WARN  ExtensionCallHome - Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?
2023-01-05 14:45:26,115 [main ] ERROR CommandLine - Check for updates call failed
2023-01-05 14:45:26,223 [main ] INFO  CommandLine - Root CA certificate loaded from /zap/wrk/certfile.cer   --> It loads the cert after doing all the work. :(

What could be the issue here?

Thanks!

[kingthorin+owaspzap]

> Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?" looks fairly explicit to me.

> Try adding your corporate CA cert to the java truststore :)

Nobody said anything about ZAPs cert.

[nagender singh]

Hi

My understanding was that adding ZAP's cert in the Java truststore of corporate server should resolve the CA certificate trust issue.

Have I misinterpreted the error here?

Thanks!

[Simon Bennetts]

Yes, you have misinterpreted the error :)

The problem is not ZAPs CA cert.

ZAP is trying to contact the ZAP Check For Update (CFU) service: https://www.zaproxy.org/faq/what-calls-home-does-zap-make/#check-for-updates

The HTTPS connection is failing because there is an untrusted cert used to establish the connection - your corporate one.

ZAP will not use the CFU service if an untrusted service is used - it could be an indication that your connection has been compromised. The CFU service downloads code that ZAP will run - you do not want to do that on a compromised connection.

So the solution is to add your corporate CA cert to the java truststore on the machine where ZAP is running.

If you do this correctly then the CA will be trusted and ZAP will then use the CFU service.

Cheers,

Simon

[nagender singh]

Thanks a lot Simon, now I understand the problem. :)

I will talk to my enterprise network/security team.

Needed your opinion for the worst case scenario.

If the enterprise team doesn't permit this, as a workaround, I was thinking of running the ZAP on a separate machine and trigger the scan from enterprise server using API or over SSH session(for example using SSH plugin in Jenkins). Does that sound okay to you?

Thanks again! :)