DKIM Signature Inactive after updating Easy Apache 4 components

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
Everytime my Easy Apache 4 updates (manually or automatically), the DKIM signature goes inactive until I go into the default user cPanel and click on Email Deliverability. The link loads and I get a dialog box stating the DKIM signature was inactive and the system has reactivated it. Wasn't a big deal when I was manually updating EA4 but I've got it set to do point upgrades to php, WHM and cPanel so there no tickle to check the to see if the DKIM signature is active. Would be nice if there was a command line that hits the same script that runs the Email Deliverability link in cPanel so it could be configured automatically.

Set up:
Centos 7.7 WHM/cPanel 86.0.18 DNS server is at Cloudflare. Domain registrar is register.com. Host is inmotionhosting.com (vps).
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
That's not normal behavior, in fact that's not something I've heard of before. Is anything noted in the cPanel error logs when this happens? You can find them at /usr/local/cpanel/logs/error_log
 

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
Hi! Looking through the logs, when my php version upgraded from 7.4.2 to 7.4.5 last night, there was a timeout doing the DNS query for the DKIM entry at Cloudflare. the warning was [refresh-dkim-validity-cache] running /usr/local/cpanel/Cpanel/DNS.Unbound.pm line 442. Looks like that was where the DKIM signature went invalid. This past morning when I went into cPanel and hit Email Deliverability, there was a log entry "Unable to read /etc/exim.conf.localopts". The page loaded normally and when I clicked "manage" all entries were properly configured.

About half the time I go into Email Deliverability, the PTR query times out. I'm not sure how quick the script times out but it happens quite a bit.

I'm not a pro at reading these logs but the timestamps do correspond to the individual events pretty well. If I had to guess, when your DNS zone isn't hosted locally, queries fired in the upgrade process may timeout.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
That still really shouldn't be the case as far as I know. I believe this warrants some further/more in-depth investigation.

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Generally speaking the recommended action if you purchased your license through a reseller is to go through your hosting provider first. Because I don't have a way to know this and as such can tell you only to open a support ticket. But yes you should go through them first.
 

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
OK. Thanks. I did look through the cPanel error logs and what looked the the error thrown during my point upgrade from 7.4.2 to 7.4.5 as follows:

[2020-04-23 22:06:09 -0400] warn [refresh-dkim-validity-cache] DNS query failure (default._domainkey.MYDOMAIN.com/TXT): Timeout! at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 442.
Cpanel::DNS::Unbound::_warn_query_failure(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 841
Cpanel::DNS::Unbound::_recursive_queries_with_warn(Cpanel::DNS::Unbound=HASH(0x23bd9f8), ARRAY(0x28f4350)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 332
Cpanel::DNS::Unbound::get_records_by_domains(Cpanel::DNS::Unbound=HASH(0x23bd9f8), "TXT", "default._domainkey.MYDOMAIN.com") called at /usr/local/cpanel/Cpanel/DnsUtils/MailRecords.pm line 445
Cpanel::DnsUtils::MailRecords::_get_txt_records_by_domains("default._domainkey.MYDOMAIN.com") called at /usr/local/cpanel/Cpanel/DnsUtils/MailRecords.pm line 175
Cpanel::DnsUtils::MailRecords::validate_dkim_records_for_domains(ARRAY(0x22f9a98)) called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 220
scripts::refresh_dkim_validity_cache::_domain_has_valid_dkim("MYDOMAIN.com") called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 150
scripts::refresh_dkim_validity_cache::__ANON__() called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x21dc0d8), Try::Tiny::Catch=REF(0x20bad90)) called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 172
scripts::refresh_dkim_validity_cache::run(scripts::refresh_dkim_validity_cache=HASH(0x208bee8)) called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 70
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
This indicates that there was an issue with the DNS lookup performed for the DKIM but not necessarily why. I would still advise opening a ticket with your hosting provider and if they're unable to provide assistance one with us.
 

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
Hi! Looking through the logs, when my php version upgraded from 7.4.2 to 7.4.5 last night, there was a timeout doing the DNS query for the DKIM entry at Cloudflare. the warning was [refresh-dkim-validity-cache] running /usr/local/cpanel/Cpanel/DNS.Unbound.pm line 442. Looks like that was where the DKIM signature went invalid. This past morning when I went into cPanel and hit Email Deliverability, there was a log entry "Unable to read /etc/exim.conf.localopts". The page loaded normally and when I clicked "manage" all entries were properly configured.

About half the time I go into Email Deliverability, the PTR query times out. I'm not sure how quick the script times out but it happens quite a bit.

I'm not a pro at reading these logs but the timestamps do correspond to the individual events pretty well. If I had to guess, when your DNS zone isn't hosted locally, queries fired in the upgrade process may timeout.
As an interim step and without hosting support, I decided to check on the permissions of /etc/exim.conf.localopts. For whatever reason, the permissions were 0600 so there was no way apache could read the file so I changed the permissions to 0644. Server isn't throwing that warning every night anymore so fingers crossed that will solve the DKIM signature going inactive after updates.
 

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
The technical support and customer service experience at cPanel was exceptional. I've enjoyed pretty solid support at my host (inmotionhosting) but it seems like they were a bit out of their depth on this issue. The problem was one of the more difficult to trace because it truly was transient in nature. Instead of the "well....everything seems to be working just fine" response I was getting from the provider, the cPanel crew dove in and isolated the issue to IPv6 networking issues on the DNS lookup.
 
  • Like
Reactions: cPanelLauren

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
I've disabled IPv6 on the server. The host apparently blocks port 53 which may have contributed to the problem but wasn't the most likely root of the problem. A future patch from cPanel will likely better address DNS lookups when IPv6 networking issues are present. Case CPANEL-30878. Link above.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Awesome! I just checked in on this as well and see what was done. Thanks for following up here and linking the support article! I'm really glad our analysts were able to help you.
 

jdpuglisi

Active Member
Apr 24, 2020
29
5
3
NYC USA
cPanel Access Level
Root Administrator
I've disabled IPv6 on the server. The host apparently blocks port 53 which may have contributed to the problem but wasn't the most likely root of the problem. A future patch from cPanel will likely better address DNS lookups when IPv6 networking issues are present. Case CPANEL-30878. Link above.
Actually port 53 isn't blocked. The cPanel email deliverability page is much more responsive with IPv6 disabled.
 
  • Like
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Actually port 53 isn't blocked. The cPanel email deliverability page is much more responsive with IPv6 disabled.
Yea based on your response they thought it might have contributed but the end result of opening the case was due to the way the DNS lookup was occurring over IPv6