zap-api-scan in Docker can not find certificate p12


Yahor Chyzheuski

Jun 2, 2022, 6:14:49 AM6/2/22
to OWASP ZAP User Group
Hi folks,

I need help with an issue that I faced while configuring ZAProxy to scan an API.

I ran this command from a remote server with Docker installed to scan the API endpoint of my application.

`docker run -t owasp/zap2docker-stable zap-api-scan.py -z "-silent -config certificate.use=true certificate.pkcs12.path=/tmp/certificate.p12 certificate.pkcs12.password=passwd certificate.pkcs12.index=1 certificate.persist=true" -t https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi`

Finally, during the process it failed because of the following issue:

```
6646 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap - File not found 'certificate.pkcs12.path=/tmp/certificate.p12'
java.lang.Exception: File not found 'certificate.pkcs12.path=/tmp/certificate.p12'
    at org.parosproxy.paros.CommandLine.parse(CommandLine.java:305) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1058) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:85) [zap-2.11.1.jar:2.11.1]
    at java.lang.Thread.run(Thread.java:829) [?:?]
```

The p12 file exists on the remote server. I have tried moving this certificate from one directory to another and got the same issue each time.
I would appreciate any help. Thanks.

Best regards,
Yahor


thc...@gmail.com

Jun 2, 2022, 1:54:57 PM6/2/22
to zaprox...@googlegroups.com
Hi.

You need to specify -config for each of the configuration properties.

Best regards.

kingthorin+owaspzap

Jun 2, 2022, 4:22:53 PM6/2/22
to OWASP ZAP User Group
> The p12 file is exist on the remote server.

But it doesn't exist within the Docker image where you're trying to use it.

Yahor Chyzheuski

Jun 3, 2022, 4:18:33 AM6/3/22
to OWASP ZAP User Group
Hi,

I have updated the command and mounted a directory from the remote server into the Docker container, but I am still getting the same issue. My new command is:

`docker run --rm -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable zap-api-scan.py -z "-silent -config certificate.use=true certificate.pkcs12.path=/zap/wrk/certificate.p12 certificate.pkcs12.password="passwd" certificate.pkcs12.index=1 certificate.persist=true" -t https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi`

Any ideas how to proceed?

thc...@gmail.com

Jun 3, 2022, 4:23:00 AM6/3/22
to zaprox...@googlegroups.com
As mentioned in a previous reply you need to specify -config for each
configuration, i.e.:

-config certificate.use=true -config
certificate.pkcs12.path=/zap/wrk/certificate.p12

https://www.zaproxy.org/docs/desktop/cmdline/#options

Best regards.
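A small helper, added here as an example and not code from the ZAP project or from anyone in this thread, that builds the `-z` string with one `-config` per property as described above, and checks that the p12 actually sits inside the host directory mounted at `/zap/wrk` (the only place the container can see it). The host directory, target URL and password variable are placeholders; the command is printed, not executed.

```shell
#!/bin/sh
# Added example (not ZAP project code). Builds the ZAP "-z" option with one
# -config per property and verifies the p12 is reachable through the mount.

# Emit "-config key=value" for every key=value argument, space-separated.
zap_config_args() {
  out=""
  for kv in "$@"; do
    case "$kv" in
      *=*) out="${out:+$out }-config $kv" ;;
      *) echo "zap_config_args: '$kv' is not key=value" >&2; return 1 ;;
    esac
  done
  printf '%s' "$out"
}

# ZAP resolves certificate.pkcs12.path inside the container, so map the
# container path under /zap/wrk back to the host file and check it is readable.
# A file that exists on the host but outside the mount is "File not found".
check_p12_mounted() {
  host_dir=$1; container_path=$2
  case "$container_path" in
    /zap/wrk/*) ;;
    *) echo "'$container_path' is not under /zap/wrk" >&2; return 1 ;;
  esac
  host_file="$host_dir/${container_path#/zap/wrk/}"
  [ -r "$host_file" ] || { echo "missing/unreadable: $host_file" >&2; return 1; }
}

# Assemble the full docker command line; printed, not executed.
# Usage: zap_api_scan_cmd HOST_DIR TARGET_URL /zap/wrk/cert.p12 "$P12_PASS"
zap_api_scan_cmd() {
  host_dir=$1; target=$2; p12=$3; pass=$4
  check_p12_mounted "$host_dir" "$p12" || return 1
  cfg=$(zap_config_args certificate.use=true "certificate.pkcs12.path=$p12" \
        "certificate.pkcs12.password=$pass" certificate.pkcs12.index=1 \
        certificate.persist=true) || return 1
  printf 'docker run --rm -v "%s:/zap/wrk/:rw" -t owasp/zap2docker-stable zap-api-scan.py -z "-silent %s" -t %s -f openapi\n' \
    "$host_dir" "$cfg" "$target"
}
```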

Yahor Chyzheuski

Jun 3, 2022, 4:45:40 AM6/3/22
to OWASP ZAP User Group
Hi,

I have already tried that @thc202, but still have the same issue.

I also did the following steps:

1. I created a container via the command `docker run --rm -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable`.
2. Then I went inside the container and proceeded to the /zap/wrk directory. The file certificate.p12 is there.
3. The next step was to run the Python script inside the container: `zap-api-scan.py -z "-silent -config certificate.use=true certificate.pkcs12.path=/zap/wrk/certificate.p12 certificate.pkcs12.password="passwd" certificate.pkcs12.index=1 certificate.persist=true" -t https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi` But it still shows me that certificate.p12 is not found.
4. Then I tried to move the certificate file next to the zap-api-scan.py script (in the same directory) and ran the script again with the path changed (in the first attempt the whole path to the certificate was configured, in the second just the file name, not the whole path):
  • `zap-api-scan.py -z "-silent -config certificate.use=true certificate.pkcs12.path="/zap/certificate.p12" certificate.pkcs12.password="passwd" certificate.pkcs12.index=1 certificate.persist=true" -t https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi`
  • `zap-api-scan.py -z "-silent -config certificate.use=true certificate.pkcs12.path=certificate.p12 certificate.pkcs12.password="passwd" certificate.pkcs12.index=1 certificate.persist=true" -t https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi`
5. Also, I changed the permissions of the certificate for the 'zap' user, and that did not help either.

Unfortunately, after all these attempts I'm getting the same issue, that the certificate file is not found. Could someone please suggest how to proceed?

thc...@gmail.com

Jun 3, 2022, 4:52:25 AM6/3/22
to zaprox...@googlegroups.com
Your commands show that you are still using just one -config.

Best regards.

On 03/06/2022 09:45, Yahor Chyzheuski wrote:
> Hi,
>
> I have already tried that @thc202, but still have the same issue.
>
> What steps I did also:
>
> 1. I created a container via command `docker run --rm -v
> "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable`.
> 2. Then I went inside the container and proceeded to /zap/wrk directory.
> File certificate.p12 is there.
> 3. The next step was I have tried to run the python script inside the
> container: `zap-api-scan.py -z "-silent -config certificate.use=true
> certificate.pkcs12.path=/zap/wrk/certificate.p12
> certificate.pkcs12.password="passwd" certificate.pkcs12.index=1
> certificate.persist=true" -t
> https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi` But still it
> shows me that certificate.p12 is not found.
> 4. Then I have tried to move the certificate file and placed it behind
> zap-api-scan.py script (at the same directory) and then run script again
> with the changes in the path (at first attempt were configured the whole
> path to the certificate, at the second, just file, not the whole path):
>
> - `zap-api-scan.py -z "-silent -config certificate.use=true
> certificate.pkcs12.path="/zap/certificate.p12"
> certificate.pkcs12.password="passwd" certificate.pkcs12.index=1
> certificate.persist=true" -t
> https://10.175.14.247:16351/emaas/emc/v1/customers -f openapi`
> - zap-api-scan.py -z "-silent -config certificate.use=true

Yahor Chyzheuski

Jun 3, 2022, 5:41:05 AM6/3/22
to OWASP ZAP User Group
Hi @thc202,

Now the issue is gone. Thank you, but I'm getting another issue about the updates. I have already set the option -z '-silent', but it is still checking for updates:

```
46333 [ZAP-cfu] WARN  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Failed to check for updates using: https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.11.xml
java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412) ~[?:?]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:255) ~[?:?]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:237) ~[?:?]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:?]
    at java.net.Socket.connect(Socket.java:609) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:305) ~[?:?]
    at org.parosproxy.paros.network.SSLConnector.createSocket(SSLConnector.java:460) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:457) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:430) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:672) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:627) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:602) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:490) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.getRemoteConfigurationUrl(ExtensionAutoUpdate.java:1037) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.access$900(ExtensionAutoUpdate.java:93) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate$8.run(ExtensionAutoUpdate.java:1206) [zap-2.11.1.jar:2.11.1]
47224 [ZAP-daemon] ERROR org.parosproxy.paros.CommandLine - Check for updates call failed
87282 [ZAP-cfu] WARN  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Failed to check for updates using: https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.11.xml
java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412) ~[?:?]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:255) ~[?:?]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:237) ~[?:?]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:?]
    at java.net.Socket.connect(Socket.java:609) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:305) ~[?:?]
    at org.parosproxy.paros.network.SSLConnector.createSocket(SSLConnector.java:460) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:457) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:430) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:672) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:627) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:602) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:490) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.getRemoteConfigurationUrl(ExtensionAutoUpdate.java:1037) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.access$900(ExtensionAutoUpdate.java:93) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate$8.run(ExtensionAutoUpdate.java:1206) [zap-2.11.1.jar:2.11.1]
88233 [ZAP-daemon] ERROR org.parosproxy.paros.CommandLine - Check for updates call failed
88233 [ZAP-daemon] INFO  org.zaproxy.addon.callhome.ExtensionCallHome - Shh! Silent mode or telemetry turned off
88235 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:37684
88235 [ZAP-daemon] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
89330 [ZAP-ProxyThread-8] WARN  org.zaproxy.zap.extension.openapi.ExtensionOpenApi - Broken pipe (Write failed)
java.net.SocketException: Broken pipe (Write failed)
    at java.net.SocketOutputStream.socketWrite0(Native Method) ~[?:?]
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110) ~[?:?]
    at java.net.SocketOutputStream.write(SocketOutputStream.java:150) ~[?:?]
    at sun.security.ssl.SSLSocketOutputRecord.encodeChangeCipherSpec(SSLSocketOutputRecord.java:231) ~[?:?]
    at sun.security.ssl.OutputRecord.changeWriteCiphers(OutputRecord.java:187) ~[?:?]
    at sun.security.ssl.ChangeCipherSpec$T10ChangeCipherSpecProducer.produce(ChangeCipherSpec.java:118) ~[?:?]
    at sun.security.ssl.Finished$T12FinishedProducer.onProduceFinished(Finished.java:395) ~[?:?]
    at sun.security.ssl.Finished$T12FinishedProducer.produce(Finished.java:379) ~[?:?]
    at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) ~[?:?]
    at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1416) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:921) ~[?:?]
    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1291) ~[?:?]
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81) ~[?:?]
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142) ~[?:?]
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:860) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2278) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1160) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:470) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207) ~[zap-2.11.1.jar:2.11.1]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:430) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:672) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:627) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:602) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585) ~[zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:490) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.openapi.network.Requestor.getResponseBody(Requestor.java:93) ~[openapi-beta-27.zap:?]
    at org.zaproxy.zap.extension.openapi.ExtensionOpenApi.importOpenApiDefinitionV2(ExtensionOpenApi.java:254) [openapi-beta-27.zap:?]
    at org.zaproxy.zap.extension.openapi.ExtensionOpenApi.importOpenApiDefinition(ExtensionOpenApi.java:239) [openapi-beta-27.zap:?]
    at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:113) [openapi-beta-27.zap:?]
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
    at java.lang.Thread.run(Thread.java:829) [?:?]
89332 [ZAP-ProxyThread-8] ERROR org.zaproxy.zap.extension.api.API - Exception while handling API request:
java.lang.NullPointerException: null
    at org.zaproxy.zap.extension.openapi.ExtensionOpenApi.importOpenApiDefinition(ExtensionOpenApi.java:239) ~[?:?]
    at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:113) ~[?:?]
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
    at java.lang.Thread.run(Thread.java:829) [?:?]
```

Simon Bennetts

Jun 7, 2022, 4:43:14 AM6/7/22
to OWASP ZAP User Group
You can ignore the ExtensionAutoUpdate error - that's not relevant here.
The problem is the "ExtensionOpenApi - Broken pipe (Write failed)" - it's failing while requesting your OpenAPI definition, during the SSL handshake :/

Cheers,

Simon

Simon Bennetts

Jun 7, 2022, 8:36:02 AM6/7/22
to OWASP ZAP User Group
The "-Djavax.net.debug=all" option should help.

Cheers,

Simon