Thursday, 12 July 2012

TXT_DB error number 2 when generating openvpn client certificates

You may have followed the openvpn quick start instructions either from the online tutorial or using the README file in easy-rsa where it asks you to go through these steps:

[edit vars with your site-specific info]
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server myserver
./pkitool client1
 and then you get
failed to update database TXT_DB error number 2
at the last step. I did and a web search mostly turned up suggestions to run ./clean-all again. But this article was the key. It's about openssl, but openvpn's easy-rsa is just a front-end to openssl. The important observation is that every certificate must have a unique CN in the database. In the file vars, this is controlled by KEY_CN. You left the settings read in from vars unchanged between generating the server cert and the client cert. You could edit vars before generating the client certificate and re-source vars, or you could do this before generating each client key.
KEY_CN=someuniqueclientcn ./pkitool client1
and you will stop getting that TXT_DB error.


I'm a bit surprised that the documentation for openvpn hasn't been updated to make this clear.


NB: It is also affected by the setting unique_subject = yes in the file keys/index.txt.attr, but I prefer not to go against the default setting.


At
Labels: , , ,

10 comments:

  1. Unknown28 January 2013 at 19:07

    I find that I can use ./pkitool --interact to choose the different name during generating the ceritficate.

    ReplyDelete
  2. Unknown26 February 2013 at 04:38

    Thank you for the usefull tip!

    ReplyDelete
  3. Raden Rheza15 March 2013 at 17:13

    hello, i want to ask you a question.

    when i generate "./pkitool client", the client ca successfully created. then i generate "./pkitool --pcks12 client", and it produce error " failed to update database TXT_DB error number 2".

    Does pcks12 and client have to be in different Common Name?

    Thanks Before

    ReplyDelete
    Replies
    1. Retiredfeline28 July 2013 at 18:59

      The KEY_CN has to be unique so if you just want two different formats for the same certificate, then generate one format and convert to the other format.

      Delete
  4. Unknown16 March 2013 at 05:56

    Wow. Great tip.
    KEY_CN=someuniqueclientcn did the trick.

    ReplyDelete
  5. Unknown30 April 2013 at 01:03

    Thanks! This solved my problem too.

    ReplyDelete
  6. Vitor Nunes30 May 2013 at 08:27

    Thanks! That's it

    ReplyDelete
  7. Apuleius Platonicus12 June 2013 at 00:32

    This was most helpful!! You stated the problem clearly and you provided the solution just as clearly.

    ReplyDelete
  8. Unknown17 July 2013 at 22:33

    Hi,

    I have the same problem, but I don't understand it, What files Do I have to modify? I am new in linux..

    Please, could somebody tell me ?

    Thanks a lot.

    ReplyDelete
    Replies
    1. Retiredfeline28 July 2013 at 18:58

      You don't have to modify anything. Just prepend KEY_CN=someuniquestring in front of the command ./pkitool client1.

      Naturally substitute meaningful names for someuniquestring and client1.

      Delete

Subscribe to: Post Comments (Atom)