OpenDKIM
opendkim-genkey: openssl exited with status %d
I get this error:
root@mail:/etc/postfix# sudo opendkim-genkey -b 2048 -d $MY_EMAIL_DOMAIN_NAME -D /etc/opendkim/keys/$MY_EMAIL_DOMAIN_NAME -s default -v
opendkim-genkey: generating private key
opendkim-genkey: openssl exited with status %d
1root@mail:/etc/postfix#
I do have openssl installed at the normal location:
root@mail:/etc/opendkim# dpkg -l | grep openssl
ii libcrypt-openssl-bignum-perl 0.09-1build1 armhf Perl module to access OpenSSL multiprecision integer arithmetic libraries
ii libcrypt-openssl-rsa-perl 0.28-5build2 armhf module for RSA encryption using OpenSSL
ii openssl 1.1.1-1ubuntu2.1~18.04.6 armhf Secure Sockets Layer toolkit - cryptographic utility
ii perl-openssl-defaults:armhf 3build1 armhf version compatibility baseline for Perl OpenSSL packages
ii python3-openssl 17.5.0-1ubuntu1 all Python 3 wrapper around the OpenSSL library
root@mail:/etc/opendkim# which openssl
/usr/bin/openssl
root@mail:/etc/opendkim#
As you can see above, I am running this as root.
Google shows that this is an old error dating back to 2013. These pages recommend checking your "path":
https://helperbyte.com/questions/250376/howtogeneratedkim
https://superuser.com/questions/1470054/opendkim-not-working-opendkim-genkey-openssl-exited-with-status-d
https://ask.puppet.com/question/1596/opendkim-genkey-openssl-exited-with-status-d/
But I don't know what file I'm supposed to look in for this "path" variable. It seems to be a Python array with brackets, not a shell environment PATH.
root@mail:/etc/opendkim# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
root@mail:/etc/opendkim#
This seems like a bug in the package. This is on a clean install of Ubuntu, with everything installed using apt-get, so the openssl path should be well known.
It's not a path issue. I edited /usr/bin/opendkim-genkey directly to troubleshoot this.
I can see that it is running this command:
openssl genrsa -out default.private 2048 > /dev/null 2>&1
The > /dev/null 2>&1 silences all output, which is extremely unhelpful. I'd remove that "feature".
When I change that to print out stuff:
openssl genrsa -out default.private 2048
Then I get the real error:
genrsa: Can't open "default.private" for writing, Is a directory
opendkim-genkey: openssl exited with status %d
So it was just PEBKAC. I was following this excellent tutorial
https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
I accidentally ran
sudo mkdir -p /etc/opendkim/keys/$MY_EMAIL_DOMAIN_NAME/default.private
which is incorrect.
This is now a bugfix request to apply this patch:
--- opendkim-genkey-dist 2018-02-05 23:24:29.000000000 +0000
+++ opendkim-genkey 2020-08-19 18:01:06.110425566 +0000
@@ -138,7 +138,7 @@
print STDERR "$progname: WARNING: RFC6376 advises minimum 1024-bit keys\n";
}
-$status = system("openssl genrsa -out " . $selector . ".private " . $bits . " > /dev/null 2>&1");
+$status = system("openssl genrsa -out " . $selector . ".private " . $bits);
if ($status != 0)
{
if ($? & 127
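Review bot: The `+` line still builds a shell command string by concatenating `$selector` and `$bits`, so a selector containing spaces or shell metacharacters is interpreted by the shell. With the redirection removed, the shell is no longer needed, and the list form `system("openssl", "genrsa", "-out", $selector . ".private", $bits)` would pass both values as plain arguments. Dropping `> /dev/null 2>&1` also lets openssl's routine key-generation output through on every successful run, so consider showing it only on failure or in verbose mode.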
That way people can see the error that openssl is reporting to them.
I think the best thing to do with this issue is submit a PR against the "develop" branch. We'll test it and merge it into the "next" branch for release with the beta.
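The failure diagnosed in this thread (the key path being a directory while openssl's message was discarded) can be caught before openssl runs. The wrapper below is an added example, not code from this thread or from OpenDKIM; `check_key_target` and `gen_dkim_key` are hypothetical names, and it assumes the `<selector>.private` file name seen in the patch.

```bash
#!/usr/bin/env bash
# Added example: hypothetical wrapper, not part of opendkim-genkey.

# Preflight for the key file that would be written: <dir>/<selector>.private
# Returns 0 if usable, 2 if the key directory is missing or unwritable,
# 3 if the target path is itself a directory (the mistake in this thread).
check_key_target() {
    local dir="$1" selector="$2"
    local target="$dir/$selector.private"
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "key directory missing or not writable: $dir" >&2
        return 2
    fi
    if [ -d "$target" ]; then
        echo "$target is a directory, expected a file path" >&2
        return 3
    fi
    return 0
}

# Generate the key, keeping openssl's stderr and its numeric exit status
# instead of discarding them.
gen_dkim_key() {
    local dir="$1" selector="$2" bits="${3:-2048}" errlog rc
    check_key_target "$dir" "$selector" || return $?
    errlog=$(mktemp) || return 1
    # umask 077 in a subshell so the key file is never group/world readable.
    ( umask 077; openssl genrsa -out "$dir/$selector.private" "$bits" ) 2>"$errlog"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "openssl exited with status $rc:" >&2
        cat "$errlog" >&2
    fi
    rm -f "$errlog"
    return "$rc"
}

# Constructed reproduction of the thread's mistake, in a throwaway directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/default.private"
gen_dkim_key "$demo_dir" default 2048 || echo "refused with code $?"
rm -rf "$demo_dir"
```
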