Received Email Notification That Update Did Not Finish Due To Error
Hi,
I am running
I received this email from my server...
The cPanel & WHM update process failed for the following reason:
[2025-05-14 22:59:20 +0000] E [/usr/local/cpanel/scripts/modsec_vendor] The “/usr/local/cpanel/scripts/modsec_vendor update --auto” command (process 691891) reported error number 1 when it ended.
I logged into WHM and restarted the server, then I ran system update and update server software; they both finished successfully with limited to no changes, and nothing was said of modsec_vendor.
I checked here and could not find a recent post. Then I asked Google AI and it said the following. Should I follow this AI suggestion?
AI Overview
The message "Maintenance ended; however, it did not exit cleanly (256)" in cPanel/WHM indicates a failed update process, specifically related to the modsec_vendor script. This likely means the modsec_vendor update process encountered an error, causing the overall maintenance process to terminate prematurely.
Here's what you can do:
1. Check the update logs: Review the cPanel/WHM update logs to determine the specific error that caused the modsec_vendor update to fail. This will help you identify the root cause.
2. Run needs-restarting: Access the server's command line as the root user and run /usr/bin/needs-restarting -s. This will identify any services that need to be restarted.
3. Run upcp: If the needs-restarting script shows no issues, run the upcp script (/usr/local/cpanel/scripts/upcp) to trigger the update process again.
4. Review error messages: If the update still fails, examine the error messages in the log files for clues about the problem. Common issues include disk space problems, conflicts with other updates, or errors in the modsec_vendor installation.
5. Consider cPanel support: If you're unable to resolve the issue on your own, contact cPanel support. They can provide guidance and assistance.
The error code 256 suggests that the modsec_vendor update script itself might have encountered an error, rather than a more general system issue. By carefully reviewing the logs and following the steps above, you should be able to pinpoint the problem and fix it.
In the log there are some connection errors for modsec with some domains such as these for example:
[2025-05-14 22:58:57 +0000] [/usr/local/cpanel/scripts/update-packages] [Wed May 14 22:53:52.671346 2025] [security2:error] [pid 680963:tid 680963] [client 80.82.77.202:60000] [client 80.82.77.202] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "303"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "servername.example.com"] [uri "/"] [unique_id "REMOVED"]
[2025-05-14 22:58:57 +0000] [/usr/local/cpanel/scripts/update-packages] [Wed May 14 22:47:53.142733 2025] [security2:error] [pid 680118:tid 680118] [client 43.166.1.243:42320] [client 43.166.1.243] ModSecurity: Warning. Pattern match "\\\\b(keep-alive|close),\\\\s?(keep-alive|close)\\\\b" at REQUEST_HEADERS:Connection. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RE
[2025-05-14 22:58:57 +0000] [/usr/local/cpanel/scripts/update-packages] QUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "198"] [id "920210"] [rev "2"] [msg "Multiple/Conflicting Connection Header Data Found."] [data "keep-alive, close"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "6"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "example.com"] [uri "/search.php"] [unique_id "REMOVED"]
But at the end of the log there is this; I think this would be the main issue.
2025-05-14 22:59:18 +0000] - Processing command `/usr/local/cpanel/scripts/modsec_vendor update --auto`
[2025-05-14 22:59:20 +0000] [/usr/local/cpanel/scripts/modsec_vendor] The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.8”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
[2025-05-14 22:59:20 +0000] E [/usr/local/cpanel/scripts/modsec_vendor] The “/usr/local/cpanel/scripts/modsec_vendor update --auto” command (process 691891) reported error number 1 when it ended.
[2025-05-14 22:59:20 +0000] The Administrator will be notified to review this output when this script completes
[2025-05-14 22:59:20 +0000] - Finished command `/usr/local/cpanel/scripts/modsec_vendor update --auto` in 1.431 seconds
Thanks :)
-
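One way to triage an update log like the one quoted in the post above, added here as an example (not part of the original thread and not cPanel's code): it separates ModSecurity rule hits on live traffic, which show up under the update-packages prefix, from the modsec_vendor lines that explain the failed update. The function names and the shortened sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, shortened from the log lines quoted in the post.
SAMPLE_LOG = """\
[2025-05-14 22:58:57 +0000] [/usr/local/cpanel/scripts/update-packages] [Wed May 14 22:53:52.671346 2025] [security2:error] [client 80.82.77.202:60000] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "920280"] [msg "Request Missing a Host Header"]
[2025-05-14 22:58:57 +0000] [/usr/local/cpanel/scripts/update-packages] [Wed May 14 22:47:53.142733 2025] [security2:error] [client 43.166.1.243:42320] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Connection. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RE
[2025-05-14 22:58:57 +0000] [/usr/local/cpanel/scripts/update-packages] QUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "198"] [id "920210"] [msg "Multiple/Conflicting Connection Header Data Found."]
[2025-05-14 22:59:18 +0000] - Processing command `/usr/local/cpanel/scripts/modsec_vendor update --auto`
[2025-05-14 22:59:20 +0000] [/usr/local/cpanel/scripts/modsec_vendor] The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.8”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.7”, “3.0.0”, and “3.0.4”.
[2025-05-14 22:59:20 +0000] E [/usr/local/cpanel/scripts/modsec_vendor] The “/usr/local/cpanel/scripts/modsec_vendor update --auto” command (process 691891) reported error number 1 when it ended.
"""

PREFIX = re.compile(r'^\[[^\]]+\] (?:(E) )?\[([^\]]+)\] (.*)$')
APACHE_START = re.compile(r'^\[[A-Z][a-z]{2} [A-Z][a-z]{2} ')   # e.g. "[Wed May 14 ..."
WAF_HIT = re.compile(r'ModSecurity: .*?\[id "(\d+)"\]')
VERSION_GAP = re.compile(r'your version of ModSecurity, “([\d.]+)”.*?supports are (.*)$')

def unwrap(log_text):
    """Return [level, source, message] records, rejoining relayed Apache lines split in two."""
    records = []
    # Lines without a script name (e.g. "- Processing command") do not match PREFIX and are skipped.
    for m in filter(None, map(PREFIX.match, log_text.splitlines())):
        level, source, msg = m.groups()
        prev = records[-1] if records else None
        # Assumption: a same-source line after a ModSecurity record with no Apache timestamp is its wrapped tail.
        if prev and 'ModSecurity:' in prev[2] and prev[1] == source and not APACHE_START.match(msg):
            prev[2] += msg
        else:
            records.append([level, source, msg])
    return records

def triage(log_text):
    """Separate WAF hits on live traffic from the lines that explain the failed update."""
    report = {"waf_hits": Counter(), "failed": [], "installed": None, "supported": []}
    for level, source, msg in unwrap(log_text):
        hit = WAF_HIT.search(msg)
        if hit:
            report["waf_hits"][hit.group(1)] += 1   # rule id -> count; not an update error
        elif level == "E":
            report["failed"].append(source)
        gap = VERSION_GAP.search(msg)
        if gap:
            report["installed"] = gap.group(1)
            report["supported"] = re.findall(r'“([\d.]+)”', gap.group(2))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
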
Hey there! There was an issue overnight that caused a problem with the update - you can find the full details here:
At this time it's been resolved so there's nothing else you need to do on your end.
1 -
Thanks for the link and the solution. I did run the workaround and it completed successfully. :)