
Opendkim wrong values generated

Discussion in 'Bug Reports' started by pamamolf, Dec 17, 2024.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    11:56 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    Hello,

    Using Rocky Linux and latest Centminmod beta just installed I tried to generate opendkim keys as always and I got it as two parts split by "

    /usr/local/src/centminmod/addons/opendkim.sh
    or
    /usr/local/src/centminmod/addons/opendkim.sh domain.com


    Code:
    v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAux3TkFWCF9IhTmC3LiEkTUKGwOki3Yrt7bLjS88NMdZwRpDco/NW06Na+7v18Xd5t83KN8Fpsfsw22E47kUTGUYc/h9q+DxwwQwZginI7KmG3s/PtvJVlLhAnpzAsRn7cYChin2AQ8Q5Ycldpde2N89DO58ujaQ//7efCparubcBB1fEuwFyiyH0X32HyL+a3udS0VcxZvbmRL"    "7a3vWBtvQ6eLZLnRwB9kQtrDw4mZ0HVe3h8QwNrYQ4rmLexarEmY0n53+rPfsGHY5+j1wDjnwhgiY7wl03GY1eCSLat7IJDzCN9Y1/q1VqjKaonzMl7f6gDXVc84wh2o8t/dvXrQIDAQAB"
    and is not accepted as invalid...

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,573
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    7:56 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    what's output for debug run

    Code (Text):
    bash -x /usr/local/src/centminmod/addons/opendkim.sh
    
     
  3. eva2000

    eva2000 Administrator Staff Member

    Try this patch and see if it works

    Code (Text):
    cmupdate
    cmdir
    wget -O /usr/local/src/centminmod/opendkim.patch https://gist.github.com/centminmod/39d6d0cb48bf13629810fbaa4c5d5dfa/raw/opendkim.patch
    patch -p1 < opendkim.patch
    

    then run clean commands for mainhostname and your domain name to wipe the bad entries from previous runs
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh clean
    /usr/local/src/centminmod/addons/opendkim.sh clean domain.com
    

    then complete rest of the guide at https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/ and test if DKIM works via mail-tester.com i.e. https://community.centminmod.com/th...oesnt-end-up-in-spam-inboxes.6999/#post-46858
     
  4. pamamolf

    pamamolf Premium Member Premium Member

    I updated to latest Centminmod and i used:

    Code:
    /usr/local/src/centminmod/addons/opendkim.sh clean
    /usr/local/src/centminmod/addons/opendkim.sh clean domain.com
    Then i run:

    Code:
    /usr/local/src/centminmod/addons/opendkim.sh
    /usr/local/src/centminmod/addons/opendkim.sh domain.com
    i didn't get any output at the screen as i did in the first time so checked at /root/centminlogs/ and i found the latest entries...

    Then i use as selector in the TXT record:

    Code:
    default2024._domainkey.domain.com
    and the key v=DKIM1; k=rsa; p=MIIBIjA.....

    Cloudflare automatically removes the domain from the selector and sets it as:

    Code:
    default2024._domainkey
    Then i checked on various online checkers using the domain name and both selectors and in both cases i got not found.

    It was always easy to get that in the past. Not sure what i did :)
     
  5. eva2000

    eva2000 Administrator Staff Member

    If you ran clean command beforehand, it repopulates the entries so you do not need to re-run it without clean command. IIRC, the non-clean command won't output anything if entries already exist - and they would exist as clean command repopulates the entries.

    what does SSH command line dig check give i.e.

    Code (Text):
    dig +short TXT default2024._domainkey.domain.com
     
  6. pamamolf

    pamamolf Premium Member Premium Member

    On a brand new latest beta 140 setup i got again a dkim key as:

    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy5j3CRprtfOZYlh2AJs3VNFD3CijwEw9AR55ksGaHph6Qjaw+cMGjTTlJS7MLyyl4JvjiXI+/IKWtglae5+Vc6DTiYnHgGnQVx/y+PoaN+O3Luv9LsDm5tQQIsMOelgvbK8PI7c9oaqIij77vXGI67SfI9EMqtDVK3Lr5lpi3R6E40X+j5RfL/DHcfKMViOi2EuSU3o/biPKR3"    "kMDRWrHy4EVZSEYhORjKMHNADMEIjXNZuqHpjA8Q/r4euyUuuNeNSfxawIFiP+MI37JqLSBuqjfDTSQKqgogBBE8/lI/C3TLkpnGCyfHCFvnayGUBxaAkomN7BH3HGU5YMXBfN7QIDAQAB"
    on my previous generated keys i didn't have in the middle of the key the " and the space:

    Code:
    3"    "k
    it was like this:

    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy5j3CRprtfOZYlh2AJs3VNFD3CijwEw9AR55ksGaHph6Qjaw+cMGjTTlJS7MLyyl4JvjiXI+/IKWtglae5+Vc6DTiYnHgGnQVx/y+PoaN+O3Luv9LsDm5tQQIsMOelgvbK8PI7c9oaqIij77vXGI67SfI9EMqtDVK3Lr5lpi3R6E40X+j5RfL/DHcfKMViOi2EuSU3o/biPKR3kMDRWrHy4EVZSEYhORjKMHNADMEIjXNZuqHpjA8Q/r4euyUuuNeNSfxawIFiP+MI37JqLSBuqjfDTSQKqgogBBE8/lI/C3TLkpnGCyfHCFvnayGUBxaAkomN7BH3HGU5YMXBfN7QIDAQAB"
    Any ideas?

    Thanks
     
  7. eva2000

    eva2000 Administrator Staff Member

    strange that should have been previously fixed

    are you running
    Code (Text):
    addons/opendkim.sh

    or
    Code (Text):
    addons/opendkim.sh domain.com


    can you private message me the opendkim log from addons/opendkim.sh run should be the entry listed saved in /root/centminlogs from
    Code (Text):
    ls -Alhrt /root/centminlogs | grep 'opendkim_'
    
     
  8. pamamolf

    pamamolf Premium Member Premium Member

    The issue is the same for:

    Code:
    addons/opendkim.sh
    and
    Code:
    addons/opendkim.sh domain.com
    Check your DM.

    Thanks !!!
     
  9. eva2000

    eva2000 Administrator Staff Member

    just updated 140.00beta01 with fix so run cmupdate and then
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh clean
    
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    i run the:

    Code:
    /usr/local/src/centminmod/addons/opendkim.sh clean
    and then:

    Code:
    addons/opendkim.sh
    and
    Code:
    addons/opendkim.sh domain.com
    I notice that there was no output on terminal for both that was helpful to just copy the info.

    Then i checked on the logs and i found the new generated entry for the hostname like server.domain.com and the format was fine now but there was no entry for the specific domain.

    so it will be great to have the output on terminal to be easier to copy the values than checking the logs and to get a fix for the command:

    Code:
    addons/opendkim.sh domain.com
    that after the clean command does not generate the log file....


    also it seems that is not getting validated using online services...

    It works when i use the dig +short TXT command...

    Maybe is related to Cloudflare needed quotation marks or something?


    Thanks !!!!
     
    Last edited: Jan 25, 2025
  11. eva2000

    eva2000 Administrator Staff Member

    clean option cleans old entries + re does new entries so if you ran without clean it will skip the process as clean already re-did the process, so you can take clean option output as the new spf/dkim entries
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh clean
    /usr/local/src/centminmod/addons/opendkim.sh clean domain.com
    

    make sure that TXT DNS records on Cloudflare DO NOT enable orange cloud proxy.

    Best way to verify DKIM is correct is through testing instructions outlined in posts for thread at https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/

    FYI, on online DKIM testing sites like DKIM Inspector - dmarcian be sure to enter DKIM selector and domain properly so for an apex domain i.e. @domain.com

    default2025.domain_key.domain.com where default2025 is DKIM selector and domain = domain.com

    but for server hostname i.e. host1.domain.com DKIM with default2025.domain_key.host1.domain.com, the default2025 is DKIM selector but domain to test = host1.domain.com. If you incorrectly test this against domain.com instead of host1.domain.com, the online tool will not be able to verify your DKIM DNS entry.

    More info on DKIM Selectors at DKIM Selectors - dmarcian
     
  12. eva2000

    eva2000 Administrator Staff Member

    FYI, Centmin Mod addons/opendkim.sh changed from default 1024bit to 2048bit DKIM keys, so they are longer, I noticed while I entered one long DKIM key into Cloudflare DNS, on editing TXT record, it's split by double quotes, as Cloudflare auto does that https://help.mailgun.com/hc/en-us/articles/15585722150299-Cloudflare-DNS-Setup-Guide
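
The double-quote split discussed in this thread, as an added example that is not part of any post or of Centmin Mod's code: a DNS TXT record is stored as one or more character-strings of at most 255 bytes each, and DKIM verifiers concatenate those strings with nothing in between before reading the tags. The function names are illustrative and the sample key is constructed filler with the structure and length of a 2048-bit RSA public key.

```python
import base64
import re

def join_txt(presentation: str) -> str:
    """Concatenate a TXT record's quoted character-strings with nothing in between."""
    chunks = re.findall(r'"([^"]*)"', presentation)
    return "".join(chunks) if chunks else presentation.strip()

def split_txt(value: str, limit: int = 255) -> str:
    """Render value as quoted character-strings of at most `limit` bytes each."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def _tlv(der: bytes, pos: int):
    """Read one DER element header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_value: str) -> int:
    """Modulus size in bits of the SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_value, validate=True)  # raises on stray quotes/spaces
    _, spki, _ = _tlv(der, 0)           # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)     # AlgorithmIdentifier
    _, bits, _ = _tlv(der, alg_end)     # BIT STRING
    _, rsa, _ = _tlv(der, bits + 1)     # RSAPublicKey, after the unused-bits byte
    _, n_start, n_end = _tlv(der, rsa)  # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_dkim(presentation: str) -> dict:
    """Join the strings, parse the tag list and report what a verifier would use."""
    record = join_txt(presentation)
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop whitespace in values
    return {"v": tags.get("v"), "k": tags.get("k"), "bits": rsa_bits(tags["p"]),
            "strings": presentation.count('"') // 2 or 1}

# Constructed sample: 2048-bit RSA key structure with a filler modulus (not a usable key).
_HEADER = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
SAMPLE_DER = _HEADER + b"\xc3" * 256 + bytes.fromhex("0203010001")
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()
SAMPLE_SPLIT = split_txt(SAMPLE_VALUE)  # two strings, as dig shows a 2048-bit key

if __name__ == "__main__":
    print(check_dkim(SAMPLE_SPLIT))
```

The split and unsplit forms give the same result here; a p= value that still contains literal quote characters, as happens when the two-part output is pasted into a single-string field, fails the base64 check in `rsa_bits`.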

     
  13. eva2000

    eva2000 Administrator Staff Member

    you can also use --force flag

    the added --force option to the addons/opendkim.sh script, enabling forced regeneration of DKIM keys and backing up existing keys and configurations to /etc/centminmod/dkim_backups.

    To force the regeneration of DKIM keys for the main hostname and backup existing keys:

    Code (Text):
    ./opendkim.sh --force


    To force update DKIM keys for a specific domain (e.g., example.com) and backup existing keys:

    Code (Text):
    ./opendkim.sh --force example.com


    By using the --force option, the script will:

    1. Regenerate DKIM keys even if they already exist.
    2. Backup existing DKIM keys and configurations before making changes.
    3. Store backups in a timestamped directory under /etc/centminmod/dkim_backups.
    4. Note: Remember to update your DNS records with the new DKIM public keys after running the script with --force.
     
  14. pamamolf

    pamamolf Premium Member Premium Member

    TXT records don't have the cloud orange option...

    I think that it may help to use the A record for server.domain.com without the orange cloud option...
     
  15. eva2000

    eva2000 Administrator Staff Member

    For this updated https://community.centminmod.com/th...oesnt-end-up-in-spam-inboxes.6999/#post-29848 mention for DKIM too for 2048bit DKIM keys and formatting.
     
  16. pamamolf

    pamamolf Premium Member Premium Member

    When tested using mail-tester I can’t get open dkim as valid and it seems that having the same dns records I have issues with emails that I didn’t have before.

    can you please add an option to use the old format using 1024 key ?

    Thank you !
     
  17. eva2000

    eva2000 Administrator Staff Member

    Did you make sure to follow official Centmin Mod getting started guide step 1 to have proper fully resolvable server main hostname setup first Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS, AlmaLinux, Rocky Linux ?

    Some of the bigger mail providers are now rejecting DKIM 1024bit keys, and only accepting 2048bit keys, hence why I switched to 2048bit keys which worked for me.

    But you can edit addons/opendkim.sh there's a variable you can edit before running it. I haven't added support for persistent config file /etc/centminmod/custom_config.ini method override yet
    Code (Text):
    # DKIM key length of 1024bit, 2048bit, or 4096bit
    DKIM_LENGTH='2048'
    
     
  18. eva2000

    eva2000 Administrator Staff Member

    Ok found the root issues/bugs in addons/opendkim.sh so updated both Centmin Mod 131.00stable and 140.00beta01.

    Existing users who have issues with DKIM failing mail-tester.com as per https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/, can run cmupdate and then re-run clean argument to regenerate server hostname's DKIM keys i.e.
    Code (Text):
    addons/opendkim.sh clean

    after running addons/opendkim.sh clean, the newly regenerated DKIM TXT DNS record needs to be updated with your domain's DNS provider. Then re-test with mail-tester.com