Thursday 12 July 2012

TXT_DB error number 2 when generating openvpn client certificates

You may have followed the openvpn quick start instructions either from the online tutorial or using the README file in easy-rsa where it asks you to go through these steps:

[edit vars with your site-specific info]
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server myserver
./pkitool client1
and then you get
failed to update database TXT_DB error number 2
at the last step. I did, and a web search mostly turned up suggestions to run ./clean-all again. But this article was the key. It's about openssl, but openvpn's easy-rsa is just a front-end to openssl. The important observation is that every certificate must have a unique CN in the CA's database. In the file vars this is controlled by KEY_CN. If you leave the settings read in from vars unchanged between generating the server cert and the client cert, both certificates are requested with the same CN and openssl refuses to record the second one. You could edit vars before generating the client certificate and re-source vars, or you could do this before generating each client key:
KEY_CN=someuniqueclientcn ./pkitool client1
and you will stop getting that TXT_DB error.


I'm a bit surprised that the documentation for openvpn hasn't been updated to make this clear.


NB: This behaviour is also controlled by the setting unique_subject = yes in the file keys/index.txt.attr, but I prefer not to go against the default setting.
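To make the uniqueness rule above (and the unique_subject setting in the NB) concrete, here is an added pre-check that reads the CA database easy-rsa keeps in keys/index.txt and reports whether a certificate for a given KEY_CN would collide before you run pkitool. This is example code written for this page, not part of easy-rsa or OpenVPN. It assumes the easy-rsa 2.x layout described in the post (vars fields KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL plus KEY_CN composing the subject DN in that order), and the SAMPLE_INDEX and VARS values are constructed for the demonstration. It goes slightly beyond the post in one respect: OpenSSL only indexes entries whose status is V for the uniqueness check, so a CN belonging to a revoked or expired certificate can be reused, and the check reflects that.

```python
"""Pre-check for easy-rsa / OpenSSL `ca` index.txt subject clashes.

Added example; not from the blog post or from the easy-rsa/OpenVPN projects.
Assumes the easy-rsa 2.x layout: keys/index.txt is the OpenSSL CA database,
keys/index.txt.attr holds `unique_subject = yes`, and the subject DN is
composed from the vars fields with the CN taken from KEY_CN.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of keys/index.txt: one server cert, one client cert and one
# revoked client. Columns (tab separated): status, expiry, revocation date
# (empty unless revoked), serial, certificate filename, subject DN.
SAMPLE_INDEX = (
    "V\t220709120000Z\t\t01\tunknown\t"
    "/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=myserver/emailAddress=me@myhost.mydomain\n"
    "V\t220709120100Z\t\t02\tunknown\t"
    "/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=client1/emailAddress=me@myhost.mydomain\n"
    "R\t220709120200Z\t120711093000Z\t03\tunknown\t"
    "/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=oldclient/emailAddress=me@myhost.mydomain\n"
)

# Constructed stand-in for the values exported by `source ./vars`.
VARS = {
    "KEY_COUNTRY": "US",
    "KEY_PROVINCE": "CA",
    "KEY_CITY": "SanFrancisco",
    "KEY_ORG": "Fort-Funston",
    "KEY_EMAIL": "me@myhost.mydomain",
}


@dataclass
class IndexEntry:
    status: str    # V = valid, R = revoked, E = expired
    expires: str
    revoked: str   # empty unless status is R
    serial: str
    filename: str
    subject: str


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the tab-separated OpenSSL CA database into entries."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries


def build_subject(vars_env: Dict[str, str], key_cn: str) -> str:
    """Compose the DN the way the assumed easy-rsa openssl.cnf does from vars + KEY_CN."""
    return ("/C={KEY_COUNTRY}/ST={KEY_PROVINCE}/L={KEY_CITY}/O={KEY_ORG}"
            "/CN={cn}/emailAddress={KEY_EMAIL}").format(cn=key_cn, **vars_env)


def find_subject_clash(entries: List[IndexEntry], subject: str,
                       unique_subject: bool = True) -> Optional[IndexEntry]:
    """Return the *valid* entry already carrying `subject`, or None.

    Mirrors unique_subject = yes: OpenSSL indexes only rows with status V,
    so revoked (R) or expired (E) certificates do not block reuse of a CN.
    """
    if not unique_subject:
        return None
    for entry in entries:
        if entry.status == "V" and entry.subject == subject:
            return entry
    return None


def check_issue(index_text: str, vars_env: Dict[str, str], key_cn: str,
                unique_subject: bool = True) -> Tuple[bool, str]:
    """Predict whether `KEY_CN=<key_cn> ./pkitool <name>` would be accepted."""
    entries = parse_index(index_text)
    subject = build_subject(vars_env, key_cn)
    clash = find_subject_clash(entries, subject, unique_subject)
    if clash is not None:
        return False, (f"{subject} is already valid as serial {clash.serial}; "
                       "expect 'failed to update database TXT_DB error number 2'")
    return True, f"{subject} is free"


if __name__ == "__main__":
    # Same CN as the server (what an unchanged vars gives you), a fresh CN,
    # and the CN of a revoked certificate.
    for cn in ("myserver", "someuniqueclientcn", "oldclient"):
        ok, message = check_issue(SAMPLE_INDEX, VARS, cn)
        print("OK  " if ok else "FAIL", message)
```

Run it against your own keys/index.txt by reading the file into check_issue in place of SAMPLE_INDEX; a FAIL line tells you which serial already owns the subject, which is the entry you would otherwise have to revoke, or avoid by choosing another KEY_CN.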


10 comments:

  1. I find that I can use ./pkitool --interact to choose a different name while generating the certificate.
  2. Thank you for the useful tip!
  3. Hello, I want to ask you a question.

    When I generate "./pkitool client", the client is successfully created. Then I generate "./pkitool --pkcs12 client", and it produces the error "failed to update database TXT_DB error number 2".

    Do pkcs12 and client have to have different Common Names?

    Thanks Before
    Replies
    1. The KEY_CN has to be unique so if you just want two different formats for the same certificate, then generate one format and convert to the other format.
  4. Wow. Great tip.
    KEY_CN=someuniqueclientcn did the trick.
  5. Thanks! This solved my problem too.
  6. This was most helpful!! You stated the problem clearly and you provided the solution just as clearly.
  7. Hi,

    I have the same problem, but I don't understand it. What files do I have to modify? I am new to Linux.

    Please, could somebody tell me?

    Thanks a lot.
    Replies
    1. You don't have to modify anything. Just prepend KEY_CN=someuniquestring in front of the command ./pkitool client1.

      Naturally substitute meaningful names for someuniquestring and client1.