Froxlor Forum



Posts posted by llucps

  1. I also encountered this problem a couple of weeks ago: suddenly acme.sh was trying to renew one of my domains using ZeroSSL, when in all my settings I explicitly had Let's Encrypt as CA.

    I managed to fix the problem by registering an account with ZeroSSL; it's just a command which registers an account by using an email, as explained here https://stackoverflow.com/questions/68538044/why-cant-write-certificate-crt-with-acme

    acme.sh --register-account -m yyyy@yahoo.com

    Once I did that I was able to create a new certificate with ZeroSSL; then, because I didn't want to change from Let's Encrypt, I forced a new certificate renewal by specifying

    /root/.acme.sh/acme.sh --home "/root/.acme.sh" --renew-all --debug 2 --log --server letsencrypt --force

    I still have no idea why acme.sh was trying to use ZeroSSL to issue new certificates, but it's been working fine since then.
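An added check that is not part of the post above and not acme.sh or Froxlor code: acme.sh records the CA directory URL a certificate was issued from as Le_API in each domain's conf file, and a pinned default CA as DEFAULT_ACME_SERVER in account.conf. The script below reads those two keys and flags every domain whose next renewal would go to a CA other than the one you expect, which is the situation described in the post. The file layout (~/.acme.sh/<domain>/<domain>.conf, ~/.acme.sh/account.conf), the key names and the conf contents used as input are assumptions and constructed sample data; on a real host read the files from disk instead.

```python
"""Report which ACME CA each acme.sh domain is configured to renew against.

Added example, not acme.sh or Froxlor code. Assumes acme.sh's conf layout and
the Le_API / DEFAULT_ACME_SERVER keys; the conf texts at the bottom are
constructed sample data.
"""
from __future__ import annotations

import shlex
from urllib.parse import urlparse

# Directory-endpoint hosts of the two CAs discussed in the post.
CA_BY_HOST = {
    "acme-v02.api.letsencrypt.org": "letsencrypt",
    "acme-staging-v02.api.letsencrypt.org": "letsencrypt-staging",
    "acme.zerossl.com": "zerossl",
}


def parse_conf(text: str) -> dict[str, str]:
    """Parse acme.sh's KEY='value' lines (shell-style quoting) into a dict."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)
        conf[key.strip()] = parts[0] if parts else ""
    return conf


def ca_for(url: str) -> str:
    """Map a directory URL to a CA name; unknown hosts are reported, not guessed."""
    host = urlparse(url).hostname or ""
    return CA_BY_HOST.get(host, f"unknown:{host or url}")


def audit(domain_confs: dict[str, str], account_conf: str,
          expected: str = "letsencrypt") -> dict[str, dict]:
    """Per domain: which CA the next renewal hits, where that came from, and if it matches.

    Le_API in the domain conf wins; otherwise DEFAULT_ACME_SERVER from
    account.conf; if neither is set, acme.sh's built-in default applies and we
    report 'builtin-default' as not ok, because that default is outside our control.
    """
    default_api = parse_conf(account_conf).get("DEFAULT_ACME_SERVER", "")
    report: dict[str, dict] = {}
    for domain, text in domain_confs.items():
        api = parse_conf(text).get("Le_API", "")
        if api:
            ca, source = ca_for(api), "Le_API"
        elif default_api:
            ca, source = ca_for(default_api), "DEFAULT_ACME_SERVER"
        else:
            ca, source = "builtin-default", "none"
        report[domain] = {"ca": ca, "source": source, "ok": ca == expected}
    return report


def misconfigured(report: dict[str, dict]) -> list[str]:
    """Domains that would not renew against the expected CA, sorted for stable output."""
    return sorted(d for d, r in report.items() if not r["ok"])


# --- constructed sample data (not real conf files) ---------------------------
DOMAIN_CONFS = {
    "www.example.com": "Le_Domain='www.example.com'\n"
                       "Le_API='https://acme-v02.api.letsencrypt.org/directory'\n",
    "mail.example.com": "Le_Domain='mail.example.com'\n"
                        "Le_API='https://acme.zerossl.com/v2/DV90'\n",
    "new.example.com": "Le_Domain='new.example.com'\n",   # no Le_API recorded yet
}
ACCOUNT_CONF = "# constructed account.conf without a DEFAULT_ACME_SERVER line\n"

if __name__ == "__main__":
    result = audit(DOMAIN_CONFS, ACCOUNT_CONF)
    for domain, info in result.items():
        flag = "ok " if info["ok"] else "FIX"
        print(f"{flag} {domain:20} {info['ca']:18} (from {info['source']})")
    print("needs attention:", misconfigured(result))
```

For a flagged domain the fix is the one the post used, `acme.sh --renew -d <domain> --server letsencrypt --force`, and `acme.sh --set-default-ca --server letsencrypt` pins the default so new domains stop falling into the 'builtin-default' bucket; acme.sh 3.0 changed its built-in default CA to ZeroSSL, which is the usual reason renewals switch without any setting having been touched.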

  2. Hi,

    Since yesterday, I've been suddenly receiving these messages from cron

    /usr/sbin/apticron; then /usr/sbin/apticron --cron;
    E: The repository 'http://debian.froxlor.org bullseye Release' no longer has a Release file.

    and with apt-get update it complains about not finding the Release file:

    Err:10 https://deb.froxlor.org/debian bullseye Release
      404  Not Found [IP: 443]
    Reading package lists... Done
    E: The repository 'http://debian.froxlor.org bullseye Release' no longer has a Release file.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

    I see the Release file for Bullseye on http://debian.froxlor.log..

    Is anyone else having this problem? Or is it just me?




  3. This also happened to me. What I did was first create the domain without SSL, and once done, this adds an A record for the new domain to the DNS; then I was able to create the SSL certificate with Let's Encrypt.

    So basically I have to do it in two steps. I think this behavior is different from when Froxlor was using certbot; I remember creating my previous domains and SSL certificates in one step. It's not a big deal, but I just thought it was worth mentioning.

    Is it also your case @d00p?



  4. Hi @d00p,

    I just updated my server to Bullseye and although I had to reinstall mariadb, and also froxlor and some php7.4 packages, it seems all is ok except for one thing: bind9.

    After the upgrade, /etc/init.d/bind9 was missing. The bind9 service is running fine, because I can use service bind9 status and I see it running.

    The problem is the DNS server reload command setting in Froxlor: I had /etc/init.d/bind9 reload and, obviously, since it's not there, it fails to reload the service.

    What I did was change the command to service bind9 reload and it seems to be working fine.

    My question is whether there should really be a bind9 in /etc/init.d

    When I installed bind9 again I get this message:

    Setting up bind9 (1:9.16.15-1) ...
    named-resolvconf.service is a disabled or a static unit not running, not starting it.
    Processing triggers for man-db (2.9.4-2) ...

    /etc/init.d/resolvconf status is working fine

    ● resolvconf.service - Nameserver information manager
         Loaded: loaded (/lib/systemd/system/resolvconf.service; enabled; vendor preset: enabled)
         Active: active (exited) since Sun 2021-08-22 08:03:27 CEST; 27min ago
           Docs: man:resolvconf(8)
       Main PID: 1774 (code=exited, status=0/SUCCESS)
          Tasks: 0 (limit: 4559)
         Memory: 0B
            CPU: 0
         CGroup: /system.slice/resolvconf.service


    Do you have any idea whether there should be a bind9 in /etc/init.d/? Or is just using service bind9 reload/restart/start fine?



  5. 1 minute ago, d00p said:

    Seems to be necessary for dkim-milter which, to be frank, no one I know uses anymore... you might want to consider switching to something like rspamd or amavisd. As almost no one runs their own nameserver, this is sadly something not much work is put into - sorry. If this works for you for now, patching the filename could be a solution.

    What I could do to satisfy both needs is make adding the extension a setting so you can choose

    I understand. I would change to OpenDKIM, but since it's not supported I'm a bit afraid to make the change in case I screw up my email setup.

    I'll leave the change I did to remove .priv from lib/Froxlor/Cron/Dns/DnsBase.php for the moment.

    I would really appreciate it if you can add the option to choose between both options in the DKIM Froxlor settings, so I can continue to use it with dkim-keys for the moment. Eventually I'll have to make the change, I know.

    Thanks @d00p

  6. 4 minutes ago, d00p said:

    I think the problem is "Selector will be derived from the key's filename." ... so the key name is dkim1 and not dkim1.priv

    Umm, sorry, I'm not sure I quite follow you. Do you mean that commit should be reverted, and leave the key name as it was:

    $privkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id']);


  7. 7 minutes ago, d00p said:

    Shouldnt the public key be in that reference file?

    Both .priv and .public files are inside the /etc/postfix/dkim directory, but I don't recall at all that the public keys were referenced in the dkim-config.keys file; I'm pretty sure only the private keys are referenced.


    I just removed the .priv extension that was added in the commit https://github.com/Froxlor/Froxlor/commit/15a13a7783d85f77efe1619ed85bd46e9ad3935b

    so the dkim-config.keys looks for:


    and it WORKS

    Authentication-Results: mx.google.com;
           dkim=pass header.i=@xxxxxxxxx.com header.s=dkim1 header.b=MAWt7cPM;

    I don't know what to do now... :(

  8. Yes, I posted the dkim-keys.conf in my previous post; every line is for each domain I have on my system


    What I could try is to undo the .priv change from the commit you did in October, revert it to how it was, and see if it's working.

  9. Since according to the DomainKeys settings in Froxlor only dkim-filter is supported, I'm using dkim-filter with the following config:

    # Log to syslog
    Syslog                  yes
    # Required to use local socket with MTAs that access the socket as a non-
    # privileged user (e.g. Postfix)
    UMask                   002
    # Sign for example.com with key in /etc/mail/dkim.key using
    # selector '2007' (e.g. 2007._domainkey.example.com)
    Domain                  /etc/postfix/dkim/domains
    #KeyFile                /etc/mail/dkim.key
    #Selector               2007
    # Common settings. See dkim-filter.conf(5) for more information.
    #AutoRestart            no
    #Background             yes
    #Canonicalization       simple
    #DNSTimeout             5
    #Mode                   sv
    #SignatureAlgorithm     rsa-sha256
    #SubDomains             no
    #ADSPDiscard            no
    #Version                rfc4871
    #X-Header               no
    # Other (less-standard) configuration options #
    # If enabled, log verification stats here
    #Statistics             /var/run/dkim-filter/dkim-stats
    # KeyList is a file containing tuples of key information. Requires
    # KeyFile to be unset. Each line of the file should be of the format:
    #    sender glob:signing domain:signing key file
    # Blank lines and lines beginning with # are ignored. Selector will be
    # derived from the key's filename.
    KeyList         /etc/postfix/dkim/dkim-keys.conf
    # If enabled, will generate verification failure reports for any messages
    # that fail signature verification. These will be sent to the r= address
    # in the policy record, if any.
    #SendReports            yes
    # If enabled, will issue a Sendmail QUARANTINE for any messages that fail
    # signature verification, allowing them to be inspected later.
    #Quarantine             yes
    # If enabled, will check for required headers when processing messages.
    # At a minimum, that means From: and Date: will be required. Messages not
    # containing the required headers will not be signed or verified, but will
    # be passed through
    #RequiredHeaders        yes
    Socket          inet:8891@localhost
    On-Default accept
    On-BadSignature accept
    On-DNSError accept
    On-InternalError accept
    On-NoSignature accept
    On-Security accept

    and Froxlor settings:


  10. Hi,

    I just found out that starting on the 8th of November, which I believe is when I updated to the latest Froxlor 0.10.22, DKIM fails to send the public key. Looking at the email message source:

     dkim=temperror (no key for signature) header.i=@xxxxxxxxx.com header.s=dkim1.priv header.b=kWkNNAzJ;

    I just checked the Froxlor database and the public and private keys are there. I also checked /etc/postfix/dkim/ and all the keys are also there, including dkim-keys.conf, which lists all domains and their keys

    In fact I haven't changed or modified anything related to this, not that I'm aware of anyway.

    I found this post

    But I don't know if it's related to my problem,

    I also restarted postfix, dkim-filter and dovecot, and I get the same dkim=temperror (no key for signature)

    Are you aware of any change in the latest Froxlor update that could cause this? Or any idea how else to debug this? It's really strange, since nothing seems to have changed on my side.



    P.S. Could it be a permissions problem? I checked the /etc/postfix/dkim/ directory and the owner is root:root. Is this correct? I don't recall changing this either. Just in case it rings a bell.

    OK, could it be this change? I suspect it's coming from this change, maybe?


    More things:

    On my /etc/postfix/dkim/ I have:

    drwxr-xr-x 2 root root 4096 Nov  7 11:32 .
    drwxr-xr-x 7 root root 4096 Aug 20 11:39 ..
    -rw-r----- 1 root root  887 Aug  9 10:58 dkim1
    -rw-r----- 1 root root  887 Nov  7 11:32 dkim1.priv
    -rw-r--r-- 1 root root  272 Aug  9 10:58 dkim1.public
    -rw-r----- 1 root root  887 Aug  9 10:58 dkim2
    -rw-r----- 1 root root  887 Nov  7 11:32 dkim2.priv
    -rw-r--r-- 1 root root  272 Aug  9 10:58 dkim2.public
    -rw-r----- 1 root root  887 Aug  9 10:58 dkim3
    -rw-r----- 1 root root  887 Nov  7 11:32 dkim3.priv
    -rw-r--r-- 1 root root  272 Aug  9 10:58 dkim3.public
    -rw-r----- 1 root root  887 Aug  9 10:58 dkim4
    -rw-r----- 1 root root  887 Nov  7 11:32 dkim4.priv
    -rw-r--r-- 1 root root  272 Aug  9 10:58 dkim4.public
    -rw-r----- 1 root root  887 Aug  9 10:58 dkim6
    -rw-r----- 1 root root  887 Nov  7 11:32 dkim6.priv
    -rw-r--r-- 1 root root  272 Aug  9 10:58 dkim6.public
    -rw-r----- 1 root root  887 Aug  9 10:58 dkim7
    -rw-r----- 1 root root  887 Nov  7 11:32 dkim7.priv
    -rw-r--r-- 1 root root  272 Aug  9 10:58 dkim7.public

    where dkim1, dkim2, etc. are the "old" private key files, and dkim1.priv, dkim2.priv, etc. are the new private key files created with the latest commit I just posted above.

    In the dkim-keys.conf I have:


    Although it looks ok to me... it's pointing to the dkim*.priv files

  11. Hi,

    I've upgraded to 0.10.20 and I noticed the removal of underscore in the DKIM selector.

    I know it's old, but I've been using dkim-filter perfectly for 6 years. I don't know if it's a coincidence, but after the upgrade Google and Outlook give a:

    Authentication-Results: mx.google.com;
        dkim=temperror (no key for signature) header.i=@xxxxxxxx.com header.s=dkim_1 header.b=gJgMgR3B;
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=xxxxxxx.com;
    	s=dkim_1; t=1596958620;

    See that the tag s=dkim_1 still has the underscore in it. I suspect the error comes from this. Could it be that there is a cache on Google and Outlook servers?

    I tested the record with "dig" and it seems to be fine.

    dig dkim1._domainkey.xxxxxxxx.com IN TXT
    ; <<>> DiG 9.10.6 <<>> dkim1._domainkey.xxxxxxxx.com IN TXT
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47910
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ; EDNS: version: 0, flags:; udp: 512
    ;dkim1._domainkey.xxxxxxxxx.com. IN	TXT
    dkim1._domainkey.xxxxxxxxx.com. 41008 IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNM1lxpivQagMjp2KAk0wVUw+OeXFKYyzZ1qbTCUQbvWsFmKPasIOq6dK7F+BMYihelr+T4FP5/GFzwcYEZbA9GxOjpW87iVF7qXgOiYndEpu7ELz9sCrx4AQaXwdGMn/4sAIvTtK6hzqehgulWlTAw59grv4WBOx76ss/m0Ui/wIDAQAB;t=s"

    I also manually deleted the dkim keys from /etc/postfix/dkim and ran /usr/bin/php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --debug to regenerate all the files, which it did.

    And I also sent an email to auth-results@verifier.port25.com and the result is still showing the underscore in the DKIM selector:

    DKIM check details:
    Result:         permerror (syntax error in s= tag: Error in "dkim_1": invalid character U+005F ('_') in domain label)
    ID(s) verified: 
    DNS record(s):
    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions.  If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.

    The TXT record is due to 43200 seconds (7 hours) so maybe I have to wait those hours for all the servers to replicate the dkim selector change?

    Any idea where else I could look?
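An added example, not code from the posts above and not Froxlor or dkim-filter code, covering the two DKIM failures described in this post and in the earlier "no key for signature" post: dkim-filter's KeyList takes the selector from the key file's basename (the comment in the dkim-filter.conf posted above says so), so a key file named dkim1.priv signs with s=dkim1.priv and the verifier looks up dkim1.priv._domainkey.<domain>, which nobody published (temperror), while a selector like dkim_1 is rejected before any lookup because '_' is not allowed in a DNS label (permerror). The script models exactly that lookup step, not the signature check itself. The KeyList text, the DKIM-Signature header and the "published" records are constructed sample data; the p= values are placeholders, not real keys.

```python
"""Derive DKIM selectors from key filenames and check what a verifier would look up.

Added example, not Froxlor or dkim-filter code. Models the KeyList rule
'sender glob:signing domain:signing key file' with the selector taken from the
key file's basename, then the verifier's key lookup. Sample data is constructed.
"""
from __future__ import annotations

import posixpath
import re

# RFC 6376 s= is a dotted list of sub-domain labels (RFC 5321): letters, digits
# and hyphens only, no leading or trailing hyphen. Underscore is not permitted.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def selector_from_keyfile(path: str) -> str:
    """dkim-filter takes the key file's basename, extension included, as the selector."""
    return posixpath.basename(path)


def selector_problems(selector: str) -> list[str]:
    """Reasons a selector cannot appear in a DNS name; an empty list means it is usable."""
    if not selector:
        return ["empty selector"]
    return [f"label {label!r} is not a valid hostname label"
            for label in selector.split(".") if not LABEL_RE.match(label)]


def dkim_record_name(selector: str, domain: str) -> str:
    """Name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(value: str) -> dict[str, str]:
    """Split a DKIM tag list (signature header or TXT record) into tag -> value."""
    tags: dict[str, str] = {}
    for item in value.split(";"):
        if "=" in item:
            name, _, val = item.partition("=")       # first '=' only; b=/p= contain '='
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folded whitespace is not significant
    return tags


def parse_keylist(text: str) -> list[dict]:
    """Parse KeyList lines into dicts carrying the selector dkim-filter will sign with."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            raise ValueError(f"malformed KeyList line: {raw!r}")
        sender_glob, domain, keyfile = fields
        selector = selector_from_keyfile(keyfile)
        entries.append({"sender_glob": sender_glob, "domain": domain, "keyfile": keyfile,
                        "selector": selector, "dns_name": dkim_record_name(selector, domain)})
    return entries


def lookup_outcome(selector: str, domain: str, published: dict[str, str]) -> str:
    """Outcome of the key-lookup step; `published` stands in for DNS TXT answers.

    'key-found' only means a record with a p= tag exists, not that the
    signature verifies; that needs the actual crypto and is out of scope here.
    """
    if selector_problems(selector):
        return "permerror"             # syntax error in s= tag, no lookup attempted
    record = published.get(dkim_record_name(selector, domain))
    if record is None:
        return "temperror"             # no key for signature
    return "key-found" if parse_tags(record).get("p") else "key-revoked"  # empty p= = revoked


def audit(keylist: str, published: dict[str, str]) -> dict[str, str]:
    """Map each KeyList entry's DNS name to the outcome a verifier's lookup would get."""
    return {e["dns_name"]: lookup_outcome(e["selector"], e["domain"], published)
            for e in parse_keylist(keylist)}


# --- constructed sample data -------------------------------------------------
SAMPLE_KEYLIST = """\
# one line per signing domain, the shape dkim-keys.conf is described as having
*@example.com:example.com:/etc/postfix/dkim/dkim1
*@example.net:example.net:/etc/postfix/dkim/dkim2.priv
*@example.org:example.org:/etc/postfix/dkim/dkim_3
"""

# Records "in DNS" for the demo; p= values are placeholders, not real keys.
PUBLISHED = {
    "dkim1._domainkey.example.com": "v=DKIM1;k=rsa;p=PLACEHOLDERKEY;t=s",
    "dkim2._domainkey.example.net": "v=DKIM1;k=rsa;p=PLACEHOLDERKEY;t=s",
}

SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=example.org;\n"
                    "\ts=dkim_3; t=1596958620; bh=PLACEHOLDER=; b=PLACEHOLDER=")

if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_KEYLIST, PUBLISHED).items():
        print(f"{outcome:12} {name}")
    print("selector in header:", parse_tags(SAMPLE_SIGNATURE)["s"])
```

Run against a copy of your own dkim-keys.conf and a dict filled from `dig <name> TXT` answers, each entry tells you before sending a single mail whether the receiver will fail on syntax, fail on a missing record, or at least find a key; in the dkim1.priv case the fix is on the signing side (key filename or the KeyList path), not in DNS.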



  12. Hi,

    I forgot to attach the log from when the cron job failed:

    [Sat 18 Jul 2020 12:04:02 AM CEST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
    [Sat 18 Jul 2020 12:04:02 AM CEST] Can not init api.
    [Sat 18 Jul 2020 12:04:03 AM CEST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
    [Sat 18 Jul 2020 12:04:03 AM CEST] Can not init api.
    [Sat 18 Jul 2020 12:04:03 AM CEST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
    [Sat 18 Jul 2020 12:04:45 AM CEST] Can not get domain new authz.
    [Sat 18 Jul 2020 12:04:45 AM CEST] Please add '--debug' or '--log' to check more details.
    [Sat 18 Jul 2020 12:04:45 AM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    [Sat 18 Jul 2020 12:04:45 AM CEST] Error renew subdomain.maindomain.com.

    According to the documentation error code 6 is "Couldn't resolve host. The given remote host was not resolved.", so it might well be a one-time problem. I have other domains and another server with Froxlor with the latest 0.10.19 and I haven't had any problems, all domains have been renewed eventually with no issues.

    I also saw this other post, I don't know if it could be related.

    Thanks anyway!

  13. Hi,

    Yesterday I got an error when renewing two domains (they are subdomains, the parent domain is not managed or hosted by me)

    [information] apache::createVirtualHosts: creating vhost container for domain 17, customer xxxxx
    [error] Given SSL private key for xxxxx.xxxxx.com does not seem to match the certificate. Cannot create ssl-directives
    [information] apache::createVirtualHosts: creating vhost container for domain 18, customer xxxxx
    [error] Given SSL private key for xxxxx.xxxxx.com does not seem to match the certificate. Cannot create ssl-directives

    It's just worth mentioning that I don't manage those subdomains; the company who has maindomain.com just created those two subdomains and pointed the DNS to my server IP. Then I just created maindomain.com on my Froxlor installation and then the subdomains, which are the ones with an SSL certificate; those certificates were generated by Froxlor without any problem.

    The maindomain.com points to another IP on another server and hosts a different website.

    I tried to force the renewal with:

    /usr/bin/php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --debug

    and I get those errors from above, and the renewal doesn't happen, making the website unavailable; well, it points to my server's domain (the main domain where Froxlor is installed).

    Any idea of what I could do?




    I just manually ran:

    /root/.acme.sh/acme.sh --renew -d subdomain1.maindomain.com
    /root/.acme.sh/acme.sh --renew -d subdomain2.maindomain.com

    and it worked perfectly! It's really strange.

    [Sat 18 Jul 2020 11:21:58 AM CEST] Renew: 'subdomain1.maindomain.com'
    [Sat 18 Jul 2020 11:21:59 AM CEST] Creating domain key
    [Sat 18 Jul 2020 11:21:59 AM CEST] The domain key is here: /root/.acme.sh/subdomain1.maindomain.com/subdomain1.maindomain.com.key
    [Sat 18 Jul 2020 11:21:59 AM CEST] Single domain='subdomain1.maindomain.com'
    [Sat 18 Jul 2020 11:21:59 AM CEST] Getting domain auth token for each domain
    [Sat 18 Jul 2020 11:22:01 AM CEST] Getting webroot for domain='subdomain1.maindomain.com'
    [Sat 18 Jul 2020 11:22:01 AM CEST] Verifying: subdomain1.maindomain.com
    [Sat 18 Jul 2020 11:22:06 AM CEST] Success
    [Sat 18 Jul 2020 11:22:06 AM CEST] Verify finished, start to sign.
    [Sat 18 Jul 2020 11:22:06 AM CEST] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/70093857/4260200176
    [Sat 18 Jul 2020 11:22:07 AM CEST] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/asfh923846frgt1cd480a3aefd0344e8409
    [Sat 18 Jul 2020 11:22:08 AM CEST] Cert success.

    I would like to find out whether it was my fault (although I didn't do anything; it was the cronjob that failed yesterday, I get emails when something goes wrong) or it is a bug.


  14. 44 minutes ago, d00p said:

    That's what I meant, you've clicked on finish the process and not "integrity check" which is on the admins left side menu ;)

    Very weird though, as said the updater should've removed any duplicates prior to setting the unique key. I even added fake duplicates to my database to test that and it went through smoothly. 

    I can't remember off the top of my head the screen immediately after you login to finish the update. :D  I just remember clicking on the green button.

    Anyway, yes, it's weird that the update didn't remove those duplicates. Just worth mentioning that on another server the update went through without any problem.

    Thanks for everything!
