CA cert not trusted when connecting to intermediate proxy


Dani Cronce

Oct 18, 2025, 8:12:08 PM
to ZAP User Group
Hi everyone,

As the title says, I'm having issues with ZAP connecting through an intermediate proxy. No, this is not a corporate proxy or Docker. I am running a local mitmproxy instance with a script loaded so that I can inject my custom headers into requests. I've read all of the other forum posts with this problem, and none of them seem to pertain to my situation. I am running NixOS, so the main keystore is in some wonky location and is read-only. I have created my own keystore, added the mitmproxy CA's certificate to it, and then set the JAVAX_NET_SSL_TRUSTSTORE environment variable to point at it. I received the error "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty", but I verified that the mitmproxy CA cert is in there. Assuming that the trust store password was required, I tried passing it in to the ZAP command line as a "-D" parameter, but I received the error "unsupported option."

```
[dani@the-empress:~/Git/acs-tools]$ export JAVAX_NET_SSL_TRUSTSTORE=/home/dani/Git/acs-tools/acs_keystore

[dani@the-empress:~/Git/acs-tools]$ keytool -keystore $JAVAX_NET_SSL_TRUSTSTORE -list
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

mitmca, 19 okt. 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 36:52:09:FA:B4:4C:C9:7D:93:18:79:30:38:BE:B1:4B:39:3A:C1:3C:A5:91:0C:85:BD:D4:F5:9D:5F:02:9D:4A
```

```
57360 [ZAP-cfu] ERROR org.zaproxy.addon.callhome.ExtensionCallHome - Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:132) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1708) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:470) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.executeHandshake(SSLConnectionSocketFactory.java:303) ~[?:?]
        at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275) ~[?:?]
        at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:251) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.SslConnectionSocketFactory.connectSocket(SslConnectionSocketFactory.java:195) ~[?:?]
        at org.apache.hc.client5.http.impl.io.ZapHttpClientConnectionOperator.connect(ZapHttpClientConnectionOperator.java:147) ~[?:?]
        at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:447) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:162) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:172) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:142) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.execute(ZapProtocolExec.java:179) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:173) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:486) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:365) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendRateLimited(BaseHttpSender.java:415) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:383) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:351) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:307) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:278) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:234) ~[?:?]
        at org.parosproxy.paros.network.HttpSender.sendImpl(HttpSender.java:536) ~[zap-2.16.1.jar:2.16.1]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:529) ~[zap-2.16.1.jar:2.16.1]
        at org.zaproxy.addon.callhome.ExtensionCallHome.sendServiceRequest(ExtensionCallHome.java:197) ~[?:?]
        at org.zaproxy.addon.callhome.ExtensionCallHome.getServiceData(ExtensionCallHome.java:216) ~[?:?]
        at org.zaproxy.addon.callhome.ExtensionCallHome.getCheckForUpdatesData(ExtensionCallHome.java:225) ~[?:?]
        at org.zaproxy.addon.callhome.ExtensionCallHome.get(ExtensionCallHome.java:235) ~[?:?]
        at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.getRemoteConfiguration(ExtensionAutoUpdate.java:1011) [zap-2.16.1.jar:2.16.1]
        at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate$4.run(ExtensionAutoUpdate.java:1139) [zap-2.16.1.jar:2.16.1]
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:97) ~[?:?]
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:173) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:308) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:198) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1311) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1147) ~[?:?]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206) ~[?:?]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        ... 35 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:?]
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) ~[?:?]
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) ~[?:?]
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:94) ~[?:?]
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:173) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:308) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:198) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1311) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1147) ~[?:?]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206) ~[?:?]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        ... 35 more
```

```
[dani@the-empress:~/Git/acs-tools]$ zap -Djavax.net.ssl.keyStore=$JAVAX_NET_SSL_TRUSTSTORE
```

```
6007 [ZAP-BootstrapGUI] ERROR org.zaproxy.zap.GuiBootstrap - Unsupported option '-Djavax.net.ssl.keyStore=/home/dani/Git/acs-tools/acs_keystore'.;
java.lang.Exception: Unsupported option '-Djavax.net.ssl.keyStore=/home/dani/Git/acs-tools/acs_keystore'.;
        at org.parosproxy.paros.CommandLine.parse(CommandLine.java:365) ~[zap-2.16.1.jar:2.16.1]
        at org.parosproxy.paros.CommandLine.parse(CommandLine.java:247) ~[zap-2.16.1.jar:2.16.1]
        at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1131) ~[zap-2.16.1.jar:2.16.1]
        at org.zaproxy.zap.GuiBootstrap.initControlAndPostViewInit(GuiBootstrap.java:324) ~[zap-2.16.1.jar:2.16.1]
        at org.zaproxy.zap.GuiBootstrap$2.run(GuiBootstrap.java:174) ~[zap-2.16.1.jar:2.16.1]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
```

```
[dani@the-empress:~/Git/acs-tools]$ zap -Djavax.net.ssl.trustStore=$JAVAX_NET_SSL_TRUSTSTORE
```

```
6237 [ZAP-BootstrapGUI] ERROR org.zaproxy.zap.GuiBootstrap - Unsupported option '-Djavax.net.ssl.trustStore=/home/dani/Git/acs-tools/acs_keystore'.;
java.lang.Exception: Unsupported option '-Djavax.net.ssl.trustStore=/home/dani/Git/acs-tools/acs_keystore'.;
        at org.parosproxy.paros.CommandLine.parse(CommandLine.java:365) ~[zap-2.16.1.jar:2.16.1]
        at org.parosproxy.paros.CommandLine.parse(CommandLine.java:247) ~[zap-2.16.1.jar:2.16.1]
        at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1131) ~[zap-2.16.1.jar:2.16.1]
        at org.zaproxy.zap.GuiBootstrap.initControlAndPostViewInit(GuiBootstrap.java:324) ~[zap-2.16.1.jar:2.16.1]
        at org.zaproxy.zap.GuiBootstrap$2.run(GuiBootstrap.java:174) ~[zap-2.16.1.jar:2.16.1]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
```

Realizing that ZAP itself may be complaining about the options not existing and not Java, I tried to set the JAVA_TOOL_OPTIONS environment variable. But that once again resulted in the "non-empty trust anchors" error.

```
[dani@the-empress:~/Git/acs-tools]$ export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/home/dani/Git/acs-tools/acs_keystore -Djavax.net.ssl.keyStorePassword=XXXXXX"
```
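
Two facts worth keeping in view while reading the transcript above. The JSSE picks up the trust store from the JVM system properties `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` (there is no `JAVAX_NET_SSL_TRUSTSTORE` environment variable; `JAVA_TOOL_OPTIONS` is the environment route to those properties), and "the trustAnchors parameter must be non-empty" means the store the JVM ended up opening contained no trusted certificate entries: a PKCS12 store whose certificate entries are encrypted, which is what keytool produces on recent JDKs, opens as an empty store when no trust store password is supplied. The header-injecting mitmproxy script itself is not on the page, so the following is an added illustration, not the poster's script: a mitmproxy addon that adds headers only for hosts on an allowlist. It relies on the documented addon contract (mitmproxy imports the file, reads the module-level `addons` list and calls `request(flow)` per request); the header names, the target host and the fake flow objects used for the stand-alone run are constructed.

```python
"""mitmproxy addon that injects custom request headers for in-scope hosts.

Added example for this thread, not the poster's script. Run it under
mitmproxy with:  mitmdump -s inject_headers.py
The header values, the allowlisted host and the fake flow used below are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Headers to add. Constructed values; replace with your own.
CUSTOM_HEADERS = {
    "X-Acs-Client": "zap-scan",
    "Authorization": "Bearer REPLACE_ME",
}

# Only touch hosts you are authorised to test; everything else passes untouched,
# so a secret header is never leaked to a third-party origin.
TARGET_HOSTS = {"target.example.com"}


def inject_headers(headers, extra, host, allowed_hosts, overwrite=True):
    """Merge `extra` into `headers` when `host` is in scope.

    Returns the list of header names that were set. `headers` is any mutable
    mapping; mitmproxy's Headers object and a plain dict both work.
    """
    if host not in allowed_hosts:
        return []
    set_names = []
    for name, value in extra.items():
        if not overwrite and name in headers:
            continue
        headers[name] = value
        set_names.append(name)
    return set_names


class HeaderInjector:
    """mitmproxy addon: mitmproxy calls request(flow) for every client request."""

    def __init__(self, extra=CUSTOM_HEADERS, allowed_hosts=TARGET_HOSTS):
        self.extra = extra
        self.allowed_hosts = allowed_hosts

    def request(self, flow):
        # flow.request.headers is a case-insensitive mutable mapping in mitmproxy.
        inject_headers(flow.request.headers, self.extra,
                       flow.request.host, self.allowed_hosts)


# mitmproxy discovers addons through this module-level list.
addons = [HeaderInjector()]


# --- stand-alone smoke run with a constructed stand-in for a mitmproxy flow ---
@dataclass
class _FakeRequest:
    host: str
    headers: dict = field(default_factory=dict)


@dataclass
class _FakeFlow:
    request: _FakeRequest


def demo():
    """Drive the addon with fake flows; returns the headers each ended up with."""
    in_scope = _FakeFlow(_FakeRequest("target.example.com", {"Host": "target.example.com"}))
    out_of_scope = _FakeFlow(_FakeRequest("other.example.net", {"Host": "other.example.net"}))
    addon = HeaderInjector()
    addon.request(in_scope)
    addon.request(out_of_scope)
    return in_scope.request.headers, out_of_scope.request.headers


if __name__ == "__main__":
    for h in demo():
        print(h)
```

The allowlist is the part that matters for a proxy sitting between a scanner and the internet: ZAP's own update check and the scanned target both pass through it, and an unconditional injector would send the test credentials to every origin.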

thc202

Oct 19, 2025, 4:03:30 AM
to zaprox...@googlegroups.com
Hi,

What's `zap`? Is that the zap.sh script?
See: https://www.zaproxy.org/docs/desktop/ui/dialogs/options/jvm/

Best regards.

Dani Cronce

Oct 19, 2025, 8:49:43 AM
to ZAP User Group
Thanks for the reply! Actually, the script in my PATH appears to be even another layer of indirection on my system; it calls zap.sh. The fact that I'm getting different behavior by setting those environment variables implies that they have some effect. I decided to add the "-Djavax.net.ssl.keyStore=/home/dani/acs-tools/acs_keystore -Djavax.net.ssl.keyStorePassword=XXXXXX" parameters inside the JVM parameters section of the GUI, but I still get "Certificate chain may be invalid. Are you using a corporate or intermediate proxy?". Also, when I added those parameters, the web browser function of ZAP stopped working, and it started working again after I removed them. It said something like "no browser implementation found." I've come to the conclusion that most of the error messages I receive are unrelated to whatever the real issue is, so I decided to do the opposite of what they said. Something weird that I noticed was that despite ZAP complaining about the certificate, I would still get the response after the 20 second timeout. mitmproxy has actually been reporting that it has both received the request and passed back the response within tens of milliseconds. So instead of increasing the timeout, I decreased it to 1 second and completely discarded any options for the trust store.

ZAP is now operating 20 times faster, and the message about certificate chains doesn't seem to stop it from connecting. Is there something with the proxy that is preventing ZAP from understanding that it actually does in fact have the response already? Some HTTP header maybe that impacts how the connection itself is being handled?
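
A client that already holds the whole response but keeps reading until its timeout is the classic symptom of a response with no length framing: per RFC 7230 section 3.3.3, when a response carries neither `Transfer-Encoding: chunked` nor a `Content-Length` and the connection is keep-alive, the body ends only when the server closes the connection, so an intermediary that holds the upstream socket open leaves the client waiting. The following is an added check, not code from ZAP or mitmproxy: it parses a raw HTTP/1.1 response and reports which of the RFC's framing rules applies, so the response headers can be inspected for exactly this. The sample responses are constructed.

```python
"""Classify how an HTTP/1.1 response delimits its body (RFC 7230 section 3.3.3).

Added example for this thread, not ZAP's or mitmproxy's code. The sample
responses at the bottom are constructed.
"""
import re

STATUS_RE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})")


def parse_head(raw):
    """Split raw bytes into (version, status, headers, body).

    headers maps lowercase names to a list of values, so repeated headers
    (e.g. two Content-Length lines) stay visible instead of being merged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("bad status line: %r" % lines[0])
    version = (int(m.group(1)), int(m.group(2)))
    status = int(m.group(3))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        name = name.strip().lower().decode("ascii")
        value = value.strip().decode("latin-1")
        headers.setdefault(name, []).append(value)
    return version, status, headers, body


def classify_framing(raw):
    """Return (kind, detail) for the body-length rule that applies.

    kind: 'no-body', 'chunked', 'content-length', 'close-delimited',
    'unframed-keepalive' (the hang case) or 'ambiguous' (conflicting framing).
    Precedence follows RFC 7230 3.3.3: status, then Transfer-Encoding,
    then Content-Length, else read until the connection closes.
    """
    version, status, headers, body = parse_head(raw)
    if 100 <= status < 200 or status in (204, 304):
        return "no-body", "status %d never carries a body" % status
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te:
        if cl:
            # Both present: clients and proxies may disagree; smuggling smell.
            return "ambiguous", "both Transfer-Encoding and Content-Length present"
        codings = [c.strip().lower() for c in ",".join(te).split(",") if c.strip()]
        if codings and codings[-1] == "chunked":
            return "chunked", "body ends at the zero-length chunk"
        return "close-delimited", "Transfer-Encoding without final chunked: read until close"
    if cl:
        values = {v.strip() for v in ",".join(cl).split(",")}
        if len(values) != 1 or not values.pop().isdigit():
            return "ambiguous", "conflicting or non-numeric Content-Length: %r" % cl
        return "content-length", "body is %s bytes" % cl[0].strip()
    conn = [c.strip().lower() for c in ",".join(headers.get("connection", [])).split(",")]
    if "close" in conn or version < (1, 1):
        return "close-delimited", "server will close after the body"
    # No length, no chunking, keep-alive: the client cannot know the body has
    # ended and waits for a close that an intermediary may never send.
    return "unframed-keepalive", "no length framing on a keep-alive connection"


# Constructed sample responses, as an intermediary might hand them to a client.
SAMPLES = {
    "chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "content-length": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nConnection: keep-alive\r\n\r\nhello",
    "hangs": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: keep-alive\r\n\r\n<html></html>",
    "smuggle": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "no-body": b"HTTP/1.1 304 Not Modified\r\nETag: \"x\"\r\n\r\n",
}


def report(samples=SAMPLES):
    """Classify every sample; returns {name: kind}."""
    return {name: classify_framing(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-15s %s: %s" % ((name,) + classify_framing(raw)))
```

Feed it the bytes of one of the slow responses (mitmproxy's flow export, or ZAP's own response view pasted as raw bytes): a result of `unframed-keepalive` means the proxy, not ZAP, is what needs fixing, and `ambiguous` means the two sides may be parsing the same response differently.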

thc202

Oct 21, 2025, 2:02:10 AM
to zaprox...@googlegroups.com
Can you share the response header of one of those messages?

Best regards.