While signing a certificate for a new OpenVPN user, I received the following error message, which stops the whole process (exit code 1):
Certificate is to be certified until Nov 6 08:53:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Problem:
You have generated a certificate with the same CN (Common Name) as a certificate that you already generated with this CA before.
Enter another Common Name.
The simplest way is to revoke the old certificate and then sign the new certificate.
Thanks, changing ‘unique_subject = no’ in index.txt.attr fixed the issue for me.
You can also edit the file “index.txt.attr” and set “unique_subject” to “no”. Then you’d get duplicated CNs in your DB, but it’s useful when you want to renew a certificate =).
Thanks!
The comments help too
Still helping people as of this morning, thanks ;)
thanks mate
Thanks for that follow up Der Osterhase.
Although this is an older article, I came here via Google. The suggestions are more or less incomplete.
In your index.txt every cert you generated is listed. As long as a valid (not expired) cert with the same DN is already available, you cannot create a new one with the same DN. There are multiple solutions:
1) Set unique_subject = no in index.txt.attr so you are allowed to generate as many certs with the same DN as you want. This is a bad solution since the D in DN means “distinguished”. If you generate multiple certs with the same DN, you can no longer easily distinguish them.
2) Delete the entry from the index. OpenSSL no longer knows about the already existing cert and will generate a new one. This is a quick and very dirty solution since the formerly generated cert is still valid and can be used. Same problem as in 1).
3) Revoke the already existing cert: openssl ca -revoke . The index.txt will be changed and the cert is marked as revoked/invalid. Now you can generate a new one with the same DN.
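As an added example (not code from the post or from any commenter), the following POSIX shell script models the check behind both the post's explanation and the three options in the comment above: "openssl ca" keeps a unique index over the subject DN of every status-V row in index.txt, and TXT_DB error number 2 is its index-clash code. The script parses a constructed index.txt, reads unique_subject from a constructed index.txt.attr, and shows why revoking the old cert (option 3) clears the clash while the revoked row stays in the database. The function names, sample DNs, serials and dates are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments.
# Reproduces offline, with awk only, the uniqueness check that "openssl ca"
# applies to its index.txt database, so you can see in advance whether signing
# a given subject would fail with "TXT_DB error number 2" (index clash).
#
# index.txt layout (tab separated, one certificate per line):
#   1 status (V = valid, R = revoked, E = expired)
#   2 expiry date (YYMMDDHHMMSSZ)
#   3 revocation date (empty unless revoked)
#   4 serial number (hex)
#   5 certificate filename ("unknown" by default)
#   6 subject DN
# Only rows with status V take part in the unique-subject index.

# Constructed sample database: the CA cert, a valid user cert and a revoked one.
SAMPLE_INDEX=$(printf 'V\t231106085305Z\t\t01\tunknown\t/C=US/O=Example VPN/CN=Example CA\nV\t231106085305Z\t\t02\tunknown\t/C=US/O=Example VPN/CN=alice\nR\t231106085305Z\t200101000000Z\t03\tunknown\t/C=US/O=Example VPN/CN=bob\n')

# Constructed sample index.txt.attr content (OpenSSL's default is "yes").
SAMPLE_ATTR='unique_subject = yes'

# unique_subject_setting ATTR_CONTENT -> prints the configured value, default yes
unique_subject_setting() {
    v=$(printf '%s\n' "$1" | sed -n 's/^unique_subject[[:space:]]*=[[:space:]]*//p')
    printf '%s\n' "${v:-yes}"
}

# sign_would_clash INDEX_CONTENT SUBJECT_DN UNIQUE_SUBJECT -> prints "clash" or "ok"
sign_would_clash() {
    index=$1; dn=$2; unique=$3
    # Option 1 from the comment: with unique_subject = no there is no index at all.
    if [ "$unique" = "no" ]; then
        printf 'ok\n'; return 0
    fi
    # Only status-V rows are indexed by subject; any exact DN hit is a clash.
    hits=$(printf '%s\n' "$index" | awk -F '\t' -v dn="$dn" \
        '$1 == "V" && $6 == dn { n++ } END { print n + 0 }')
    if [ "$hits" -gt 0 ]; then printf 'clash\n'; else printf 'ok\n'; fi
}

# revoke_entry INDEX_CONTENT SERIAL REVOCATION_DATE -> prints the index with that
# row marked R and its revocation date set, which is what "openssl ca -revoke"
# does to index.txt (option 3 from the comment); the row itself is kept.
revoke_entry() {
    printf '%s\n' "$1" | awk -F '\t' -v OFS='\t' -v serial="$2" -v when="$3" \
        '$4 == serial && $1 == "V" { $1 = "R"; $3 = when } { print }'
}

# Stand-alone demonstration against the constructed database.
unique=$(unique_subject_setting "$SAMPLE_ATTR")
printf 'alice (valid row present): %s\n' \
    "$(sign_would_clash "$SAMPLE_INDEX" '/C=US/O=Example VPN/CN=alice' "$unique")"
printf 'bob (row already revoked): %s\n' \
    "$(sign_would_clash "$SAMPLE_INDEX" '/C=US/O=Example VPN/CN=bob' "$unique")"
AFTER=$(revoke_entry "$SAMPLE_INDEX" 02 231107000000Z)
printf 'alice after revoking serial 02: %s\n' \
    "$(sign_would_clash "$AFTER" '/C=US/O=Example VPN/CN=alice' "$unique")"
```

The check compares the whole subject DN, not just the CN, which is why the comment's point about distinguishability matters: two certs that differ only in the CN are two different subjects, but two certs with an identical DN can only coexist once the index is switched off.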
Nice, Thank you.
THANKS. WORKED. :)
Yup, also worked for me, thanks!
Thanks! Worked
In case you need to sign two certificates with the same CN you can modify your database attr with unique_subject = no
Works for me!!
I just manually deleted the entry from the index.txt file and it worked for me.
Great.
Solved my issue.