• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Issue installing modsecurity

Winnstorm

Winnstorm

Basic Pleskian
Hello,
I'm facing an issue with modsecurity, actually one website is facing a false-positive for comodo waf rules:
[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"]
[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/15_Outgoing_FilterASP.conf"] [line "14"] [id "214450"]

I've switched off, disabled, almost anything related to WAF domain configuration and nothing happened. So I tried to swap the WAF from Comodo default to Atomic free, and then the same issue is happening on the log (after the change) but now the rules are not working and also I cannot revert back to comodo since when I change from the WAF config I receive the following error:

Failed to install the ModSecurity rule set: modsecurity_ctl failed: ERROR:root:Error Traceback (most recent call last): File "/usr/lib64/plesk-9.0/modsecurity_get_vendor_ruleset/modsecurity_get_vendor_ruleset.py", line 53, in main File "/usr/lib64/plesk-9.0/modsecurity_get_vendor_ruleset/modsecurity_get_vendor_ruleset.py", line 35, in get_vendor_ruleset File "/usr/lib64/plesk-9.0/modsecurity_get_vendor_ruleset/plesk_atomic.py", line 105, in download with closing(urllib2.urlopen(url, timeout=15)) as fin: File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/usr/lib64/python2.7/urllib2.py", line 431, in open response = self._open(req, data) File "/usr/lib64/python2.7/urllib2.py", line 449, in _open '_open', req) File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open context=self._context, check_hostname=self._check_hostname) File "/usr/lib64/python2.7/urllib2.py", line 1214, in do_open raise URLError(err) URLErrorWrapper: Error interacting with https://waf.comodo.com/doc/meta_comodo_apache.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)> Unable to download comodo_free rule set

Any help will be appreciated :)

Thanks
best regards
 
Try to fix it with following steps:
  1. Back up the /usr/lib/ssl/certs directory:
    # mv /usr/lib/ssl/certs{,.backup}
  2. Create a symlink in /usr/lib/ssl/certs pointing to /etc/ssl/certs/ directory:
    # ln -s /etc/ssl/certs /usr/lib/ssl/certs
 
IgorG said:
Try to fix it with following steps:
  1. Back up the /usr/lib/ssl/certs directory:
    # mv /usr/lib/ssl/certs{,.backup}
  2. Create a symlink in /usr/lib/ssl/certs pointing to /etc/ssl/certs/ directory:
    # ln -s /etc/ssl/certs /usr/lib/ssl/certs
Click to expand...

thanks for your answer!!

I tried the commands but it seems that the folder is non existant on my current centos installation:

mv: cannot stat ‘/usr/lib/ssl/certs’: No such file or directory

EDIT: Created the dir on usr but after creating the simlink the issue still persist, same error on plesk panel after changing for comodo waf.
 
Last edited:
Another question is, related to atomic basic set (the free option):

On security tags there is blank (no object) to activate or deactivate. Is this correct??? Why I can only see these objects on comodo??
1591109596792.png
 
IgorG said:
Try to fix it with following steps:
  1. Back up the /usr/lib/ssl/certs directory:
    # mv /usr/lib/ssl/certs{,.backup}
  2. Create a symlink in /usr/lib/ssl/certs pointing to /etc/ssl/certs/ directory:
    # ln -s /etc/ssl/certs /usr/lib/ssl/certs
Click to expand...

This is an issue with the ROOT certificate of waf.comodo.com.

Common name: USERTrust RSA Certification Authority
Organization: The USERTRUST Network
Location: Jersey City, New Jersey, US
Valid from May 30, 2000 to May 30, 2020 !!!
Serial Number: 13ea28705bf4eced0c36630980614336
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root
 
expired Sectigo Root Cerificate may need to be removed manually, instructions are os specific, i managed to resolve the issue on centos 7 with following instructions Sectigo Root and Intermediate Certificate Expiry - May 2020 - Red Hat Customer Portal



  • Figure out the expired CA certificate with:

# trust list

  • Create a blacklist file: (filter part need to be copied from above result from the AddTrust External Root part)

# trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit

  • Update the system trust store:

# update-ca-trust

  • Make sure that the CA is not listed anymore as trusted with:

# trust list
 
You must log in or register to reply here.

Similar threads

R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
464
Linulex
Linulex
F
Issue Issue with modsecurity
Replies
3
Views
5K
payday
P
B
Issue Web Application Firewall - Can't change to "Comodo (free)" [modsecurity_ctl: failed]?
Replies
3
Views
1K
IgorG
IgorG
G
Issue WAF ModSecurity Comodo (Free) Error
Replies
5
Views
5K
ahoi
A
U
Issue Error message ID 19494#0, 5467#0 and ModSecurity
Replies
3
Views
2K
Peter Debik
P
Back
Top