Thursday 12 July 2012

TXT_DB error number 2 when generating openvpn client certificates

You may have followed the openvpn quick start instructions either from the online tutorial or using the README file in easy-rsa where it asks you to go through these steps:

[edit vars with your site-specific info]
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server myserver
./pkitool client1
 and then you get
failed to update database TXT_DB error number 2
at the last step. I did and a web search mostly turned up suggestions to run ./clean-all again. But this article was the key. It's about openssl, but openvpn's easy-rsa is just a front-end to openssl. The important observation is that every certificate must have a unique CN in the database. In the file vars, this is controlled by KEY_CN. You left the settings read in from vars unchanged between generating the server cert and the client cert. You could edit vars before generating the client certificate and re-source vars, or you could do this before generating each client key.
KEY_CN=someuniqueclientcn ./pkitool client1
and you will stop getting that TXT_DB error.


I'm a bit surprised that the documentation for openvpn hasn't been updated to make this clear.


NB: It is also affected by the setting unique_subject = yes in the file keys/index.txt.attr, but I prefer not to go against the default setting.


At 10 comments:
Labels: , , ,

Thursday 5 July 2012

How to get a list of installed software on RPM based systems

You might want to do this to know what packages to restore, or to discover the difference between two installations.


In this article, the suggested command is rpm -qa. That is correct, but it has a problem. It will list the package names without the architecture. If you are on an x86_64 system, there may be both x86_64 and i386 packages. If you use the generated list to (re-)install the software you may end up getting both architectures. You would get extra packages or worse, there may be a conflict due to common pathnames in the two architectures.


Therefore we need to also output the architecture with the package name. For this we use the --queryformat option of rpm, or the shorter form --qf.


rpm -qa --qf '%{NAME}.%{ARCH}\n' > listofpackages
At No comments:
Labels: , , ,
Subscribe to: Posts (Atom)