Hello,
I use OLS, and I use cPGuard for the security of the VPS
Since October 1st, 2021, (date of the Let's Encrypt root certificate change), the WAF module doesn't work anymore and the VPS can't connect to their server to get the ModSecurity rules.
I updated the root certificate following the link https://forum.directadmin.com/threads/windows-7-chrome-let’s-encrypt-problems.64652/post-336442 and also the second variant of this link (https://forum.directadmin.com/threads/windows-7-chrome-let’s-encrypt-problems.64652/post-336508) but unfortunately, this did not solve the problem
I opened a ticket with CPGuard and after investigation, here is their answer
Seems like the OLS package is not detecting the latest updated CA bundle yet...they may be hiding something or have some internal reference for trusted CA. Please check this with the OLS support/forum because this is not something that we can fix or we do not know what is the issue with OLS. But the error really states that the SSL in rules server is not trusted which is not true and happening only because of outdated CA bundle reference.
Error dispalyed:
021-10-03 05:17:51.718165 [ERROR] [126589] [Module:mod_security]setSecRule(type 2) /usr/local/lsws/conf/httpd-modsecurity.conf failed, ret -1, reason: 'Rules error. File: https://rules.malware.expert/download.php?rules=generic&extra=cpgrbl,cpgrecaptcha,webshell,scanner. Line: 1. Column: 0.
SecRule FILES_TMPNAMES "@inspectFile /etc/cpguard/scripts/cpgModsecScan.php" "phase:2,t:none,block,msg:'cPGuard Upload Scanner bad uploaded file',id:'5583453'"
Include /etc/cpguard/cpguard_modsec101.conf
- Failed to download: SSL peer certificate or SSH remote key was not OK'.
For information, I also have another VPS that has the same configuration except for the webserver (Apache+Nginx), and I don't encounter any problem (WAF module functional)
Any help is welcome.
I use OLS, and I use cPGuard for the security of the VPS
Since October 1st, 2021, (date of the Let's Encrypt root certificate change), the WAF module doesn't work anymore and the VPS can't connect to their server to get the ModSecurity rules.
I updated the root certificate following the link https://forum.directadmin.com/threads/windows-7-chrome-let’s-encrypt-problems.64652/post-336442 and also the second variant of this link (https://forum.directadmin.com/threads/windows-7-chrome-let’s-encrypt-problems.64652/post-336508) but unfortunately, this did not solve the problem
I opened a ticket with CPGuard and after investigation, here is their answer
Seems like the OLS package is not detecting the latest updated CA bundle yet...they may be hiding something or have some internal reference for trusted CA. Please check this with the OLS support/forum because this is not something that we can fix or we do not know what is the issue with OLS. But the error really states that the SSL in rules server is not trusted which is not true and happening only because of outdated CA bundle reference.
Error dispalyed:
021-10-03 05:17:51.718165 [ERROR] [126589] [Module:mod_security]setSecRule(type 2) /usr/local/lsws/conf/httpd-modsecurity.conf failed, ret -1, reason: 'Rules error. File: https://rules.malware.expert/download.php?rules=generic&extra=cpgrbl,cpgrecaptcha,webshell,scanner. Line: 1. Column: 0.
SecRule FILES_TMPNAMES "@inspectFile /etc/cpguard/scripts/cpgModsecScan.php" "phase:2,t:none,block,msg:'cPGuard Upload Scanner bad uploaded file',id:'5583453'"
Include /etc/cpguard/cpguard_modsec101.conf
- Failed to download: SSL peer certificate or SSH remote key was not OK'.
For information, I also have another VPS that has the same configuration except for the webserver (Apache+Nginx), and I don't encounter any problem (WAF module functional)
Any help is welcome.