trusteddomainproject / OpenDKIM

opendkim-genkey: openssl exited with status %d #94

Open dereks opened 4 years ago

dereks commented 4 years ago

I get this error:

root@mail:/etc/postfix# sudo opendkim-genkey -b 2048 -d $MY_EMAIL_DOMAIN_NAME -D /etc/opendkim/keys/$MY_EMAIL_DOMAIN_NAME -s default -v
opendkim-genkey: generating private key
opendkim-genkey: openssl exited with status %d
1root@mail:/etc/postfix#

I do have openssl installed at the normal location:

root@mail:/etc/opendkim# dpkg -l | grep openssl
ii  libcrypt-openssl-bignum-perl 0.09-1build1                        armhf        Perl module to access OpenSSL multiprecision integer arithmetic libraries
ii  libcrypt-openssl-rsa-perl    0.28-5build2                        armhf        module for RSA encryption using OpenSSL
ii  openssl                      1.1.1-1ubuntu2.1~18.04.6            armhf        Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:armhf  3build1                             armhf        version compatibility baseline for Perl OpenSSL packages
ii  python3-openssl              17.5.0-1ubuntu1                     all          Python 3 wrapper around the OpenSSL library
root@mail:/etc/opendkim# which openssl
/usr/bin/openssl
root@mail:/etc/opendkim# 

As you see above I am running this as root.

Google shows that this is an old error dating back to 2013. These pages recommend checking your "path":

https://helperbyte.com/questions/250376/howtogeneratedkim
https://superuser.com/questions/1470054/opendkim-not-working-opendkim-genkey-openssl-exited-with-status-d
https://ask.puppet.com/question/1596/opendkim-genkey-openssl-exited-with-status-d/

But I don't know what file I'm supposed to look in for this "path" variable. It seems to be a Python array with brackets, not a shell environment PATH.

root@mail:/etc/opendkim# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
root@mail:/etc/opendkim# 

This seems like a bug in the package. This is on a clean install of Ubuntu, with everything installed using apt-get, so the openssl path should be well known.

dereks commented 4 years ago

It's not a path issue. I edited /usr/bin/opendkim-genkey directly to troubleshoot this.

I can see that it is running this command:

openssl genrsa -out default.private 2048 > /dev/null 2>&1

The > /dev/null 2>&1 silences all output, which is extremely unhelpful. I'd remove that "feature".

When I change that to print out stuff:

openssl genrsa -out default.private 2048

Then I get the real error:

genrsa: Can't open "default.private" for writing, Is a directory
opendkim-genkey: openssl exited with status %d

So it was just PEBKAC. I was following this excellent tutorial

https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

I accidentally ran

sudo mkdir -p /etc/opendkim/keys/$MY_EMAIL_DOMAIN_NAME/default.private

which is incorrect.

This is now a bugfix request to apply this patch:

--- opendkim-genkey-dist    2018-02-05 23:24:29.000000000 +0000
+++ opendkim-genkey 2020-08-19 18:01:06.110425566 +0000
@@ -138,7 +138,7 @@
    print STDERR "$progname: WARNING: RFC6376 advises minimum 1024-bit keys\n";
 }

-$status = system("openssl genrsa -out " . $selector . ".private " . $bits . " > /dev/null 2>&1");
+$status = system("openssl genrsa -out " . $selector . ".private " . $bits);
 if ($status != 0)
 {
    if ($? & 127

That way people can see the error that openssl is reporting to them.

martinbogo commented 4 years ago

I think the best thing to do with this issue is submit a PR against the "develop" branch. We'll test it and merge it into the "next" branch for release with the beta.