Can't generate dkim private key in domain creation page

Discussion in 'Installation/Configuration' started by fazelukario, Jan 9, 2023.

  1. fazelukario

    fazelukario New Member

    System: Ubuntu 22.04 (LTS)
    ISPConfig version: 3.2.9
    PHP CLI version: 8.1.14
    Using postfix and dovecot.

    When I try to generate dkim key in domain creation page I get blank output:

    upload_2023-1-9_14-13-9.png

    In the network tab of my browser's developer tools, I found that when I click a button, ispconfig makes a request to:
    Code:
    https://mydomain.tld:8080/mail/ajax_get_json.php?1673266479269&domain_id=mydomain.tld&dkim_public=ul&dkim_selector=dkim&type=create_dkim
    And receives in response:
    Code:
    {"dkim_private":"","dkim_public":"ul","dkim_selector":"dkim","dns_record":"","domain":"mydomain.tld"}
    How can I create mail domain with dkim?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check your php.ini, might be that you disabled php exec functions there, which prevents ISPConfig from running OpenSSL commands to create the dkim key.
     
  3. fazelukario

    fazelukario New Member

    I'm using a clean install of ispconfig installed a few hours ago with the help of the installer, but still here is my php.ini (/etc/php/8.1/fpm):
     

    Attached Files:

  4. fazelukario

    fazelukario New Member

    Also another php.ini (/etc/php/8.1/cli):
     

    Attached Files:

  5. fazelukario

    fazelukario New Member

    @till Any ideas about what's wrong?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the global web server error log to see if you get an error logged there when clicking on the generate key button.
     
  7. fazelukario

    fazelukario New Member

    @till Nope, no errors related to this (error log attached)
     

    Attached Files:

  8. fazelukario

    fazelukario New Member

    @till Any ideas how to fix?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Not really, Dkim generation works fine on Ubuntu systems installed by the auto installer, just verified on a freshly installed system. So its not a bug but something related to your specific system only. And as there are no errors, it's not easy to find out what's wrong with your server. Most likely, probably the best way would be trying to debug the commands that generate the dkim key in ajax_get_json.php file.
     
  10. fazelukario

    fazelukario New Member

    @till How can I do this?
     
  11. pyte

    pyte Well-Known Member HowtoForge Supporter

    The file is localted in /usr/local/ispconfig/interface/web/mail/ajax_get_json.php. The commands till mentioned are the openssl commands that generate the keys:

    Code:
    ...
        $app->system->exec_safe('openssl rand -out ../../temp/random-data.bin '.$rnd_val.' 2> /dev/null');
        $app->system->exec_safe('openssl genrsa -rand ../../temp/random-data.bin '.$dkim_strength.' 2> /dev/null');
        $app->system->exec_safe('echo ?|openssl rsa -pubout -outform PEM 2> /dev/null', $dkim_private);
        $app->system->exec_safe('echo ?|openssl rsa -pubout -outform PEM 2> /dev/null', $dkim_private);
    ...
    So for example, try to run "openssl rand -out ../../temp/random-data.bin RANDOMDATA" and see if it works properly.
    There might be more commands within that file that get executed, so make sure to check that all commands work, and there is not something missing or returning a error.
     
  12. Nicolas Attingo

    Nicolas Attingo New Member

    I've exactly the same problem. "generate DKIM" button fails. Fresh Ubuntu Server 22.04 installation.

    Used:
    wget -O - XXXXXX://get.ispconfig.org | sh -s -- --use-ftp-ports=40110-40210 --ssh-harden --ssh-port=222 --monit --monit-alert-email=xxxxxxxx --use-php=7.4,8.1 --lang=de

    Tried several times from blank Ubuntu 22.04 Server installation, also with ispconfig nightly.
    Thank you, Nicolas
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Pyte explained what you can do to check this, the issue is not reproducible on a clean Ubuntu 22.04 install here. You must take into account that there have been thousands of successful installs between the first report and your report now, so the likeliness that someone who is not using your exact system experiences this is very very low. The issue means that the system you use prevents openssl commands from being executed via exec or similar PHP commands.

    it's not uncommon that people think they start from a clean system but in fact, they use a system image from an ISP or a virtual machine from a vendor that did not mention to him that the 'clean' system is in fact not a standard install but modified by the vendor in certain ways that prevents applications to work properly. or they use a virtualisation system which prevents certail applications from running properly.
     
    pyte likes this.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    I did a fresh install and I can generate Dkim keys there. But I found the issue you have, there is no problem with the installation, you just have to save the email domain first before creating a dkim key. I'll add a issue report to further investigate why you have to save the email domain first.
     
    pyte likes this.
  15. Nicolas Attingo

    Nicolas Attingo New Member

    Hey Till, thank you for your quick reply and debugging.
    I found out now exactly the same. I did some debugging last hours, yes, that is exactly the problem. If I save the Mail Domain and redo "generate dkim" -> working.
    If I do it directly with the new domain, openssl is called with $rnd_val = 0, and this fails because at
    $rec = $app->db->queryOneRecord("SELECT server_id, domain FROM mail_domain WHERE domain = ?", $domain);
    the domain does not exists yet.
    Thank you!
     
  16. muhamad

    muhamad New Member

    I got the same problem. ISPConfig failed to create DKIM private-key.
    My sistem: Debian 12, latest ISPConfig, setup Perfect Server for Bookworm, but replace Apache with Nginx.
    Solution: create Email Domain using ISPConfig without clicking DKIM. Save. And then edit the email domain, click DKIM. DKIM private-key is created.
     
    CSupi74 likes this.
  17. Yasin Karabulak

    Yasin Karabulak New Member

    2nd.
    After it stuck again and couldn't generate dkim keys until site creation. It might not be the ram issue...
    1. DNS record create
    2. Site create (with ssl)
    3. Mailbox Domain create
    This way it can generate dkim.
    ---
    1st. Same problem solved, funny but main cause is "Low RAM" increase the ram or add swap area to the server.

    fallocate -l 4G /swapfile
    dd if=/dev/zero of=/swapfile bs=1M count=4096 status=progress
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
    swapon --show

    --- optional---
    echo "vm.swappiness = 10" >> /etc/sysctl.conf
    sysctl -p
     
    Last edited: Oct 12, 2023
  18. ggallo

    ggallo New Member

    I'm sorry for resurrecting such an old topic, but we're recently run into this same problem.

    We upgraded out ISPconfig multi-server system a few weeks ago, and I think this not happened before the upgrade (we can add a new e-mail domain with a new DKIM key in one step).

    The original systems were: Debian 10 (default PHP 7.3, MariaDB 10.3), ISPconfig 3.2.11p1
    After the upgrade (in 2 steps of course): Debian 12 (default PHP 8.2, MariaDB 10.11), ISPconfig 3.2.11p2
    The upgrade done with the upgrade howtos here on HowToForge (ISPconfig upgrade Debian 10->11 and 11->12).

    Everything works perfectly, except this 2-step DKIM creation. Of course, it's not a big deal doing 2-step, I'm only interested in why it works differently now.
     

Share This Page