Facebook
TwitterUsername:
TITLE
Apache2 ModSec Error - Apache2 fails to start and AH00111 error
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Product version: Plesk Obsidian 18.0.56.4
OS version: Ubuntu 18.04 x86_64
Build date: 2023/11/06 22:00
Revision: 7f3265358b91416f035eddb5dfe564171fd100a4
PROBLEM DESCRIPTION
BUG
Bug caused by a wrong entry in
/etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf
on line 35, with this line being
SecAuditLog logs/audit_log
ERROR
The entry on line 35 refers to a non-existing directory, being the "logs" directory.
First, see symptoms below.
Afterwards, see workarounds below.
SYMPTOM 1
Apache fails to
- start
- restart (gracefully)
- run a stop/start sequence
as a result of a ModSec related conflict, when having Tortix (Atomicorp) ruleset installed.
SYMPTOM 2
The WAF is not configured to use the Tortix (Atomicorp) ruleset!!!!!!!
It is kind of problematic that a ruleset that is not used by the WAF can cause havoc in Apache!!!
WORKAROUND 1
Change line 35 of
/etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf
to
SecAuditLog audit_log
This is a TEMPORARY fix!
WORKAROUND 2
Run the command : mkdir /etc/apache2/logs && touch /etc/apache2/logs/audit_log
SOLUTION
The bug should be resolved by editing the tortix_waf.conf in a persistent way.
However, it does not explain why Apache is being bothered by a config file that should not have been loaded.
It is apparent that the Apache config should also be improved!!
STEPS TO REPRODUCE
NOTE
It might not even be possible to reproduce, since the situation occurs on ModSec installations that
- previously used Atomicorp (advanced) rulesets
- then were forced to use Comodo or OWASP rulesets (since Atomicorp rulesets were not supported anymore)
- finally received support for Ubuntu 18.04 LTS
and so on.
STR
Install ModSec and Atomicorp ruleset.
Just select OWASP or Comodo in the Plesk Panel.
Then update to the latest version of Plesk for Ubuntu 18.04 LTS.
Then start to experiment with starting/stopping/restarting Apache and/or using apachectl command.
ACTUAL RESULT
APACHE START - Output
Nov 26 07:07:59 [server] apachectl[15470]: [Sun Nov 26 07:07:59.040422 2023] [core:warn] [pid 15481] AH00111: Config variable ${} is not defined
Nov 26 07:07:59 [server] apachectl[15470]: [Sun Nov 26 07:07:59.040423 2023] [core:warn] [pid 15481] AH00111: Config variable ${} is not defined
Nov 26 07:07:59 [server] apachectl[15470]: [Sun Nov 26 07:07:59.040424 2023] [core:warn] [pid 15481] AH00111: Config variable ${} is not defined
Nov 26 07:07:59 [server] apachectl[15470]: AH00526: Syntax error on line 35 of /etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf:
Nov 26 07:07:59 [server] apachectl[15470]: ModSecurity: Failed to open the audit log file: /etc/apache2/logs/audit_log
Nov 26 07:07:59 [server] apachectl[15470]: Action 'start' failed.
Nov 26 07:07:59 [server] apachectl[15470]: The Apache error log may have more information.
Nov 26 07:07:59 [server] systemd[1]: apache2.service: Control process exited, code=exited status=1
Nov 26 07:07:59 [server] systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 26 07:07:59 [server] systemd[1]: Failed to start The Apache HTTP Server.
APACHE CONFIGTEST - Output
[Sun Nov 26 08:12:45.422323 2023] [so:warn] [pid 19503] AH01574: module security2_module is already loaded, skipping
[Sun Nov 26 08:12:45.422350 2023] [so:warn] [pid 19503] AH01574: module unique_id_module is already loaded, skipping
[Sun Nov 26 08:12:45.468125 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468133 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468134 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468135 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468136 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
EXPECTED RESULT
NO referral to the
/etc/apache2/logs/audit_log
file that does NOT exist, since the logs directory does not exist.
CAUSE
Line 35 in /etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf that contains
SecAuditLog logs/audit_log
and that SHOULD be
SecAuditLog audit_log
ANY ADDITIONAL INFORMATION
See Above.
Solution is provided.
This is a severe bug causing Apache to stop, each time the tortix_waf.conf file gets updated/regenerated : that is each and every day / morning!
NOTE
The AH00111 error is inherent to Apache and can safely be ignored, even though additional research is recommended!
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
TITLE
Apache2 ModSec Error - Apache2 fails to start and AH00111 error
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Product version: Plesk Obsidian 18.0.56.4
OS version: Ubuntu 18.04 x86_64
Build date: 2023/11/06 22:00
Revision: 7f3265358b91416f035eddb5dfe564171fd100a4
PROBLEM DESCRIPTION
BUG
Bug caused by a wrong entry in
/etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf
on line 35, with this line being
SecAuditLog logs/audit_log
ERROR
The entry on line 35 refers to a non-existing directory, being the "logs" directory.
First, see symptoms below.
Afterwards, see workarounds below.
SYMPTOM 1
Apache fails to
- start
- restart (gracefully)
- run a stop/start sequence
as a result of a ModSec related conflict, when having Tortix (Atomicorp) ruleset installed.
SYMPTOM 2
The WAF is not configured to use the Tortix (Atomicorp) ruleset!!!!!!!
It is kind of problematic that a ruleset that is not used by the WAF can cause havoc in Apache!!!
WORKAROUND 1
Change line 35 of
/etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf
to
SecAuditLog audit_log
This is a TEMPORARY fix!
WORKAROUND 2
Run the command : mkdir /etc/apache2/logs && touch /etc/apache2/logs/audit_log
SOLUTION
The bug should be resolved by editing the tortix_waf.conf in a persistent way.
However, it does not explain why Apache is being bothered by a config file that should not have been loaded.
It is apparent that the Apache config should also be improved!!
STEPS TO REPRODUCE
NOTE
It might not even be possible to reproduce, since the situation occurs on ModSec installations that
- previously used Atomicorp (advanced) rulesets
- then were forced to use Comodo or OWASP rulesets (since Atomicorp rulesets were not supported anymore)
- finally received support for Ubuntu 18.04 LTS
and so on.
STR
Install ModSec and Atomicorp ruleset.
Just select OWASP or Comodo in the Plesk Panel.
Then update to the latest version of Plesk for Ubuntu 18.04 LTS.
Then start to experiment with starting/stopping/restarting Apache and/or using apachectl command.
ACTUAL RESULT
APACHE START - Output
Nov 26 07:07:59 [server] apachectl[15470]: [Sun Nov 26 07:07:59.040422 2023] [core:warn] [pid 15481] AH00111: Config variable ${} is not defined
Nov 26 07:07:59 [server] apachectl[15470]: [Sun Nov 26 07:07:59.040423 2023] [core:warn] [pid 15481] AH00111: Config variable ${} is not defined
Nov 26 07:07:59 [server] apachectl[15470]: [Sun Nov 26 07:07:59.040424 2023] [core:warn] [pid 15481] AH00111: Config variable ${} is not defined
Nov 26 07:07:59 [server] apachectl[15470]: AH00526: Syntax error on line 35 of /etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf:
Nov 26 07:07:59 [server] apachectl[15470]: ModSecurity: Failed to open the audit log file: /etc/apache2/logs/audit_log
Nov 26 07:07:59 [server] apachectl[15470]: Action 'start' failed.
Nov 26 07:07:59 [server] apachectl[15470]: The Apache error log may have more information.
Nov 26 07:07:59 [server] systemd[1]: apache2.service: Control process exited, code=exited status=1
Nov 26 07:07:59 [server] systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 26 07:07:59 [server] systemd[1]: Failed to start The Apache HTTP Server.
APACHE CONFIGTEST - Output
[Sun Nov 26 08:12:45.422323 2023] [so:warn] [pid 19503] AH01574: module security2_module is already loaded, skipping
[Sun Nov 26 08:12:45.422350 2023] [so:warn] [pid 19503] AH01574: module unique_id_module is already loaded, skipping
[Sun Nov 26 08:12:45.468125 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468133 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468134 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468135 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
[Sun Nov 26 08:12:45.468136 2023] [core:warn] [pid 19503] AH00111: Config variable ${} is not defined
EXPECTED RESULT
NO referral to the
/etc/apache2/logs/audit_log
file that does NOT exist, since the logs directory does not exist.
CAUSE
Line 35 in /etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf that contains
SecAuditLog logs/audit_log
and that SHOULD be
SecAuditLog audit_log
ANY ADDITIONAL INFORMATION
See Above.
Solution is provided.
This is a severe bug causing Apache to stop, each time the tortix_waf.conf file gets updated/regenerated : that is each and every day / morning!
NOTE
The AH00111 error is inherent to Apache and can safely be ignored, even though additional research is recommended!
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
