Failed to update database txt db error number 2 openvpn

thece

OpenVpn Newbie
Posts: 4
Joined: Thu Jan 26, 2017 10:37 pm

[Solved] easy-rsa/build-key = TXT_DB error number 2

Hi all,

I’m trying to install OpenVPN server (2.4.0) on Windows Server 2008 R2.
Every time I submit the command «build-key» to make the client certificate I get the error «TXT_DB error number 2».
Can somebody help me?

This is what I did

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all
        1 file(s) copied.
        1 file(s) copied.

C:\Program Files\OpenVPN\easy-rsa>build-ca
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.............................................+++
...........................................+++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

C:\Program Files\OpenVPN\easy-rsa>build-key-server server
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.........................................+++
........................................................+++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'changeme'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jan 24 22:30:06 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>build-key client
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
....................................................+++
.........................................................................................................................+++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'changeme'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jan 24 22:30:25 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old

C:\Program Files\OpenVPN\easy-rsa>

Thanks


thece

OpenVpn Newbie
Posts: 4
Joined: Thu Jan 26, 2017 10:37 pm

Re: [build-key] TXT_DB error number 2

by thece » Fri Jan 27, 2017 10:20 am

Other details:

— all commands above are submitted by Administrator

— the only alteration in var.bat file, respect to the sample provided, is:


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: [build-key] TXT_DB error number 2

by TinCanTech » Fri Jan 27, 2017 12:48 pm

Common Name must be unique:

thece wrote:
C:\Program Files\OpenVPN\easy-rsa>build-key client
WARNING: can’t open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
…………………………………………….+++
………………………………………………………………………………………………………….+++
writing new private key to ‘keys\client.key’
——
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
——
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server’s hostname) [changeme]: Unique Common Name


thece

OpenVpn Newbie
Posts: 4
Joined: Thu Jan 26, 2017 10:37 pm

Re: [build-key] TXT_DB error number 2

by thece » Fri Jan 27, 2017 1:40 pm

Yes, I feel so stupid :-( … solved!

Many thanks @TinCanTech


Let’s take a look at how our Support Team recently helped out a customer with OpenVPN Failed To Update Database txt_db Error Number 2.

All About OpenVPN Failed To Update Database txt_db Error Number 2

OpenVPN is a stable interface for VPN applications. Moreover, it works flawlessly and enhances the user’s experience as well. However, it still throws up an error every now and then. The following error is one such error:

“OpenVPN failed to update database txt_db error number 2”

This error causes OpenVPN to stop working by crashing the application. According to our Support Engineers, this error is due to a bug in OpenVPN. It prevents access to resource files which are crucial to the smooth functioning of OpenVPN.

How to resolve OpenVPN Failed To Update Database Error

Our Support Engineers offer three different options to resolve this specific error:

  • Restarting the application
  • Checking files
  • Reinstalling OpenVPN

Restarting the application is done by accessing the task manager and terminating the application normally. In some cases, we may have to force close it. Once this is done, we can start the application again. Interestingly, this approach frees up resources, allowing OpenVPN to work seamlessly in certain scenarios.

The next option is to make sure that all of the files we need for OpenVPN to function normally have not been deleted or damaged. Deleting or damaging any of the files will result in the error, preventing OpenVPN from updating the database.

If the above two options did not help resolve the error, the last option is to reinstall the application. Our Support Techs would like to point out that we need to ensure we remove the registry files as well. Reinstalling OpenVPN will replace all files, thereby helping us overcome the error.

Conclusion

At the end of the day, our skilled Support Engineers at Bobcares demonstrated how to deal with OpenVPN Failed To Update Database errors.

openvpn failed to update database txt_db error number 2

OpenVPN is one of the most stable interfaces out there for VPN applications and it works flawlessly. You will not have to face any major errors while using OpenVPN, which makes for a better experience. However, once in a blue moon an error is inevitable, as with all technical products, so you need to be prepared to deal with such issues when they occur. “OpenVPN failed to update database txt_db error number 2” is one such error; it is confusing and it will stop your OpenVPN application from working. Here is all you need to know about it.

What Does It Mean?

The error will occur out of nowhere if you are already using OpenVPN; not only will the application crash, but it will also be unable to start again. The error is caused by a bug in which the OpenVPN application is unable to access some resource files that are crucial to the functioning of OpenVPN. So, you need to work on it and find the right fix for the problem.

1. Restart the Application

Restarting the application is the first thing you need to try, but closing OpenVPN completely is not straightforward. You need to close the application from the interface, from the taskbar where it is minimized, and from the task manager to be certain. So, access the task manager and terminate the application normally, or force close it if you have to. Whatever it takes, close the application completely and then start it again. This will access the file again and you will be able to make it work without getting the error message again.

If that doesn’t work for you, you can take a step further and try restarting the PC as well. Restarting the PC will clear out all the possible bugs and errors that might be causing you to have the problem. Once you restart the PC, you will be able to open the software again.

2. Be mindful about the files

You will find lots of files in the drive and folder where you have installed OpenVPN, and that is where all the important files are. These files are important for OpenVPN to work, and if any of them are deleted or damaged, you can get this error message on your screen. Make sure not to delete or damage any such files, and it will work flawlessly for you.

3. Reinstall the application

You will need to reinstall the application if nothing so far has worked for you because the file might be damaged beyond repair or it might have been deleted. Uninstall the application, make sure to delete all the registry files as well, and then restart your device once. After that, install the application again and it will fix it for you.

unixforum.org

Forum for users of UNIX-like systems

Solved: OpenVPN 2.2.0 (failed to update database TXT_DB error number 2)

Moderator: SLEDopit

Solved: OpenVPN 2.2.0

Post by leksstav » 13.06.2011 18:37

When trying to bring up OpenVPN, the following error appears at the last step, creating the client certificate:

failed to update database
TXT_DB error number 2

Here is the whole process of creating the server.

The adm.crt file was created, but it is empty.

Re: Solved: OpenVPN 2.2.0

Post by leksstav » 13.06.2011 19:22

As always, the answer turned out to be simple.

Just do what is written here:

Allowing non-unique subjects

By default the openssl database configuration disallows duplicate subject entries. This is to ensure that no certificates are issued more than once with the same Subject as this could lead to confusion if the wrong certificate is used. Unfortunately this also prevents the issuing of a new certificate before the existing certificate has expired which is often required so that a seam-less transition can be effected between one certificate and the other.

When an attempt is made to certify a CSR which would result in a duplicate entry being written to the database the following error will be displayed.

failed to update database

TXT_DB error number 2

If you wish to be able to insert duplicate subject keys into the database then the change shown below will allow this.
/etc/certauth/hacking/database/index.txt.attr

unique_subject = yes
unique_subject = no

In the index.txt.attr file,

change the line
unique_subject = yes
to unique_subject = no

OpenVPN Support Forum

Community Support Forum

[SOLVED] «TXT_DB error number 2» on build-key.bat

Post by wyoelect » Fri Jan 21, 2011 2:55 pm

Everything builds fine until we hit the client cert. build. Signatures match, and I’ve tried adding/removing/changing various values with no luck. The client name is a solid alpha string (no dashes, spaces or underscores).
Has anyone seen this pesky critter? Running 2.1.3 on Server 2000.

Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’US’
stateOrProvinceName :PRINTABLE:’**’
localityName :PRINTABLE:’**’
organizationName :PRINTABLE:’**’
commonName :PRINTABLE:’**’
emailAddress :IA5STRING:’**’
Certificate is to be certified until Jan 18 14:37:53 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old

** = commented out local values

Re: «TXT_DB error number 2» on build-key.bat client cert

Post by gladiatr72 » Fri Jan 21, 2011 3:18 pm

The TXT_DB error indicates some kind of duplication in index.txt. If this is your first certificate, index.txt should be empty (I’m assuming this to be so because of the warning indicating index.txt.old doesn’t exist).

Re: «TXT_DB error number 2» on build-key.bat client cert

Post by wyoelect » Fri Jan 21, 2011 3:26 pm

OpenVPN Support Forum

Community Support Forum

TXT_DB error number 2

Post by adis763 » Fri Apr 22, 2011 7:56 am

I have this error when I try to make a new client key.
After confirmation of questions.
Sign the certificate?

I get this error
failed to update database
TXT_DB error number 2
Could not find C:\Program Files\OpenVPN\easy-rsa\keys\*old

Could someone help me with that?

Re: TXT_DB error number 2

Post by janjust » Fri Apr 22, 2011 6:05 pm

Re: TXT_DB error number 2

Post by adis763 » Mon Apr 25, 2011 12:45 pm

Re: TXT_DB error number 2

Post by janjust » Tue Apr 26, 2011 9:17 am

Re: TXT_DB error number 2

Post by alkmie » Fri Feb 22, 2013 8:20 pm

I’m having the same problem but when I try and build the server.crt. I get this error and my server.crt is blank when I open it

here is my index.txt

V 230220200746Z 01 unknown /C=US/ST=OK/L=OklahomaCity/O=OpenVPN/OU=changeme/CN=Mike/name=changeme/emailAddress=#####@yahoo.com

I hashed out my email

Ok, this appears to happen after I build the next crt. As I tried building the server.crt first and it worked, but then I was unable to create the client.crt

if I save my keys can I mix and match crt or are they unique to each build as I copied my keys folder before clean-all. I wouldn’t think so but I thought I might ask as I’m not sure

Re: TXT_DB error number 2

Post by alkmie » Fri Feb 22, 2013 8:57 pm

I made a backup of my crt and server.crt, then ran clean-all. Then copied the ca.crt, server.crt, everything but the index.txt, and was able to make them this way

however when I try to connect with my android

Tips & tricks

TXT_DB error number 2 failed to update database

As I'm completely unaware of how openssl is used, I only write here some observations I made:

If, after the command:
you got the following error message:
this is probably because you have generated your own signing certificate with the same Common Name (CN) as the CA certificate that you generated before.

Simply inputting a different Common Name each time you are asked should do the trick.

ERROR Messages
===================
failed to update database TXT_DB error number 2
Solution 1:
Here’s the line I added to the openssl.conf file:
[ CA_default ]
unique_subject = no
This may or may not work

Solution 2 :
Change the attribute to /etc/ssl/index.txt.attr «unique_subject = no»
Refer: http://rt.openssl.org/Ticket/Display.html?id=502&user=guest&pass=guest

Solution 3: Remove entry from etc/ssl/index.txt and etc/ssl/serial
Very less likely you need to do that.

Solution 4: Always create certs with a new subject, COMMON NAME.

I don’t want to create a new common name because I’m just «renewing» (creating a new one) for an expired certificate.

What is the correct procedure in this case?

Can’t generate client-side certificate after becoming my own Certificate Authority

I created a root pair, created an intermediate pair, and signed a server certificate, which I installed on squid like this:

in squid3.conf

Squid starts up just fine with this. Still not sure if it’s actually working or not.

When I try to generate a client-side certificate to install in a browser that will be accessing the internet through the proxy I end up with an error:

It states that if I’m going to create a client certificate for authentication, I’ll need to use the ‘usr_crt’ extension and so I run:

I don’t understand why I am getting the TXT_DB error number 2 message when I am running the command as root (on another machine of course).

According to the tutorial, I should be able to change the Common Name during this process.

2 Answers

TXT_DB error number 2 means DB_ERROR_INDEX_CLASH.

You’ve tried to submit a certificate into the OpenSSL CA database with the same index twice.

The cause of this is usually submitting a certificate to the database that contains the same Serial Number or same Common Name. For the latter, check for the unique_subject option in the intermediate/openssl.conf file, which you can read about in man ca .

The Common Name for a client certificate can be anything — your name, for example.

The Common Name will be specified in the intermediate/openssl.conf file. It can be configured to either prompt for values or read values from the config file. This is controlled by the prompt option, which you can read about in man req .

According to the tutorial, I should be able to change the Common Name during this process

That tutorial tells you to generate a new key with openssl genrsa AND new CSR with openssl req -new AND create the cert from the CSR with openssl ca . (Although like too many people it wrongly says a cert is created by ‘sign[ing] the CSR’. The CA does not sign the CSR. The CA signs the cert, which it creates partly based on the CSR, but is different from the CSR. /rant)

When you generate a new CSR you specify the subject name, including but not limited to the Common Name, which as it says must differ from the CA certs above it, and should differ from other EE certs to avoid confusion.

openssl ca can actually override the subject name for an issued cert (the whole name, not Common Name individually), but this will lead to certs with different names for the same key which is at best unnecessarily confusing and typically less secure (although you don’t care about that part, others do, so it isn’t made easy).

Error Loading extension in section usr-crt
. no value . name=email_in_dn
Could this be coming from an upstream defaults file .

Not directly. openssl ca -config xxx uses xxx, and only xxx, as its config file. If your file is derived from upstream, the section name you want is usr_cert as you have apparently discovered, but you don’t need to specify usr_cert because it’s the default. The error message about email_in_dn is just leftover in the error stack and the only real error was usr-crt ; once you fix that -noemailDN isn’t needed although you may want it anyway.

Does this have something to do with subjectNameAlt?

Assuming you mean unique_subject , no. subjectAltName (not subjectNameAlt ) aka SAN is a common extension which specifies alternate names for the subject, but unique_subject relates only to the basic Subject field, not any SAN.

client-side certificate to install in a browser that will be accessing the internet through the proxy

To be clear, a client cert like this is only useful in authenticating yourself to the proxy. You cannot use a cert in the client/browser to authenticate to something on the Internet through ANY HTTPS MitM, and you cannot use a client cert you issue yourself to authenticate to anybody else’s system(s) on the Internet.

Solved: OpenVPN 2.2.0 (failed to update database TXT_DB error number 2)

Moderator: SLEDopit

leksstav

Posts: 329

Solved: OpenVPN 2.2.0

When trying to bring up OpenVPN, the following error appears at the last step, creating the client certificate:

failed to update database
TXT_DB error number 2

Here is the whole process of creating the server.

suseguru:/etc/openvpn/easy-rsa/1.0 # source ./vars
suseguru:/etc/openvpn/easy-rsa/1.0 # ./clean-all
suseguru:/etc/openvpn/easy-rsa/1.0 # ./build-ca
Generating a 1024 bit RSA private key
.........++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Stavropol]:
Organization Name (eg, company) [trust]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:suseguru
Email Address [root@localhost]:
suseguru:/etc/openvpn/easy-rsa/1.0 # ./build-key-server trust
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'trust.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Stavropol]:
Organization Name (eg, company) [trust]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:suseguru
Email Address [root@localhost]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'RU'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'Stavropol'
organizationName      :PRINTABLE:'trust'
commonName            :PRINTABLE:'suseguru'
emailAddress          :IA5STRING:'root@localhost'
Certificate is to be certified until Jun 10 14:29:13 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
suseguru:/etc/openvpn/easy-rsa/1.0 # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................................................................
.......+.........+..................................................+...........
.
............................................+...................................
.
......+.........................................................................
.
............+..............+.....................................+..............
.
..+..............................+..........+............++*++*++*
suseguru:/etc/openvpn/easy-rsa/1.0 # ./build-key adm
Generating a 1024 bit RSA private key
.....................++++++
..............................++++++
writing new private key to 'adm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Stavropol]:
Organization Name (eg, company) [trust]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:suseguru
Email Address [root@localhost]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'RU'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'Stavropol'
organizationName      :PRINTABLE:'trust'
commonName            :PRINTABLE:'suseguru'
emailAddress          :IA5STRING:'root@localhost'
Certificate is to be certified until Jun 10 14:30:24 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

The adm.crt file was created, but it is empty.

leksstav

Posts: 329

Re: Solved: OpenVPN 2.2.0

leksstav » 13.06.2011 19:22

As always, the answer turned out to be simple.

Go here:
http://www.mad-hacking.net/documentation/l…signing-csr.xml

And do what is written there:

Allowing non-unique subjects

By default the openssl database configuration disallows duplicate subject entries. This is to ensure that no certificates are issued more than once with the same Subject as this could lead to confusion if the wrong certificate is used. Unfortunately this also prevents the issuing of a new certificate before the existing certificate has expired which is often required so that a seam-less transition can be effected between one certificate and the other.

When an attempt is made to certify a CSR which would result in a duplicate entry being written to the database the following error will be displayed.

failed to update database

TXT_DB error number 2

If you wish to be able to insert duplicate subject keys into the database then the change shown below will allow this.
/etc/certauth/hacking/database/index.txt.attr

unique_subject = yes
unique_subject = no

In the index.txt.attr file,

change the line
unique_subject = yes
to unique_subject = no

Revoke Easy-RSA certificate without .crt file

When trying to issue a certificate, the script prints the following:

Certificate is to be certified until Jul 13 11:57:53 2016 GMT (365 days)

failed to update database

TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

The error is caused by an existing certificate with the same CommonName; a certificate with that name cannot be created until the old one is revoked. There are two options: use a different name, or revoke the old certificate. Policy from above forbids changing the key (user) name, so the certificate has to be revoked.
Usually revoking is not a problem; it is done with the command ./easyrsa revoke UserName, but when it runs, the certificate file itself is not found or is corrupted:

./easyrsa revoke UserName

Note: using Easy-RSA configuration from: ./vars

Easy-RSA error:

Unable to revoke as the input file is not a valid certificate. Unexpected

input in file: /home/ca/easy-rsa-master/easyrsa3/pki/issued/UserName.crt

In my case, for some reason the certificate file did not exist. The certificate cannot be revoked using easyrsa itself.

There are two ways out:
1. Only as a temporary measure: allow certificates with identical CommonName values to be created. To do this, edit the index.txt.attr file, changing the name-uniqueness value from yes to no:

mcedit /home/ca/easy-rsa-master/easyrsa3/pki/index.txt.attr

unique_subject = no

The solution works, but using it permanently is not safe. Besides, it is easy to get confused about the issued certificates if there are many of them.

2. A preferable solution is to edit the certificate database file index.txt, which looks like this:

V       141203091049Z                   03      unknown /CN=UserName

R       150301095139Z   141202085814Z   04      unknown /CN=UserName2

Here the first column indicates the certificate's validity (V = valid, R = revoked), the second its expiry date, the third the revocation date (if it was revoked), and the fourth the certificate's serial number. 150301095139Z reads as 15 = year, 03 = month, 01 = day, 09 = hour, 51 = minute, 39 = second, Z = who knows what it means, but it is present in every date value.

To revoke, edit the line for the user in question. You can see that the validity status has changed and a revocation date has been added:

R       141203091049Z   150714010101Z   03      unknown /CN=UserName

Just in case, update the key database:

Now certificates can be created for the user UserName.
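
The index clash named in the Q&A answer earlier on this page (DB_ERROR_INDEX_CLASH) and the manual index.txt edit walked through in this article, as one added example; it is not code from Easy-RSA, OpenSSL or the article's author. All function names and SAMPLE_INDEX are constructed for illustration, and the clash rule in find_clashes is a simplified model of the CA database, stated as an assumption in the code.

```python
"""Pre-flight check and manual revocation for an OpenSSL/Easy-RSA index.txt."""
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample: the two rows shown in the article, written with the
# real tab separators (an empty third field means "not revoked").
SAMPLE_INDEX = (
    "V\t141203091049Z\t\t03\tunknown\t/CN=UserName\n"
    "R\t150301095139Z\t141202085814Z\t04\tunknown\t/CN=UserName2\n"
)


class Entry(NamedTuple):
    status: str    # V = valid, R = revoked, E = expired
    expires: str   # YYMMDDHHMMSSZ; the trailing Z marks UTC
    revoked: str   # empty unless status is R
    serial: str    # hexadecimal
    filename: str  # normally the literal "unknown"
    subject: str   # e.g. /C=US/O=OpenVPN/CN=client1


def parse_index(text):
    """Split index.txt into Entry rows; reject rows that are not 6 fields."""
    entries = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {number}: expected 6 tab-separated fields")
        entries.append(Entry(*fields))
    return entries


def parse_time(stamp):
    """Accept YYMMDDHHMMSSZ and the 4-digit-year form used from 2050 on."""
    if len(stamp) == 13:
        yy = int(stamp[:2])
        stamp = f"{2000 + yy if yy < 50 else 1900 + yy}{stamp[2:]}"
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_clashes(entries, subject, serial, unique_subject=True):
    """List the rows a new certificate would collide with.

    Model (assumption of this example): a serial may appear only once, and
    with unique_subject = yes a subject may appear only once among rows
    marked V. That matches the fixes on this page: a new name, a revoked
    old row, or unique_subject = no each let the signing go through.
    """
    clashes = []
    for e in entries:
        if int(e.serial, 16) == int(serial, 16):
            clashes.append(f"serial {e.serial} is already used by {e.subject}")
        if unique_subject and e.status == "V" and e.subject == subject:
            clashes.append(f"subject {subject} is still valid as serial {e.serial}")
    return clashes


def stale_valid(entries, now):
    """Rows past their expiry date but still marked V; under the model
    above they keep holding their subject until the status changes."""
    return [e for e in entries if e.status == "V" and parse_time(e.expires) < now]


def revoke(entries, subject, when):
    """Return new rows with the single valid row for `subject` marked R,
    which is the hand edit the article performs on index.txt."""
    hits = [i for i, e in enumerate(entries)
            if e.status == "V" and e.subject == subject]
    if len(hits) != 1:
        raise LookupError(f"expected one valid row for {subject}, found {len(hits)}")
    out = list(entries)
    stamp = when.strftime("%y%m%d%H%M%SZ")
    out[hits[0]] = out[hits[0]]._replace(status="R", revoked=stamp)
    return out


def dump_index(entries):
    """Serialize rows back to the tab-separated index.txt layout."""
    return "".join("\t".join(e) + "\n" for e in entries)


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print(find_clashes(db, "/CN=UserName", "05"))   # blocked by serial 03
    when = datetime(2015, 7, 14, 1, 1, 1, tzinfo=timezone.utc)
    db = revoke(db, "/CN=UserName", when)
    print(dump_index(db), end="")
    print(find_clashes(db, "/CN=UserName", "05"))   # name is free again
```

Editing index.txt changes only the CA's own records: relying parties honour the revocation only after a CRL has been regenerated from the database and deployed. Keep a backup of index.txt before any manual edit.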

https://github.com/midnight47/
