TXT_DB error number 2 when generating openvpn client certificates
You may have followed the openvpn quick start instructions either from the online tutorial or using the README file in easy-rsa where it asks you to go through these steps:
[edit vars with your site-specific info]and then you get
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server myserver
./pkitool client1
failed to update database TXT_DB error number 2
at the last step. I did and a web search mostly turned up suggestions to run ./clean-all again. But this article was the key. It's about openssl, but openvpn's easy-rsa is just a front-end to openssl. The important observation is that every certificate must have a unique CN in the database. In the file vars, this is controlled by KEY_CN. You left the settings read in from vars unchanged between generating the server cert and the client cert. You could edit vars before generating the client certificate and re-source vars, or you could do this before generating each client key.
I'm a bit surprised that the documentation for openvpn hasn't been updated to make this clear.
NB: It is also affected by the setting unique_subject = yes in the file keys/index.txt.attr, but I prefer not to go against the default setting.
KEY_CN=someuniqueclientcn ./pkitool client1and you will stop getting that TXT_DB error.
I'm a bit surprised that the documentation for openvpn hasn't been updated to make this clear.
NB: It is also affected by the setting unique_subject = yes in the file keys/index.txt.attr, but I prefer not to go against the default setting.
http://blog.kenyap.com.au/2012/07/txtdb-error-number-2-when-generating.html
![[FSF Associate Member]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vEXV8bTL0_Uv9PkKHqkb7B6O8uBS520lrMkm3Gg1xeZ4w_R-gmEdY_5WkH3kGS-G73kLB1ICXL6VrmpeQOlE0EifK_bOCW4W-iFzc1MXnJ3jtJit-6YQ=s0-d)
Posts
0 comments:
Post a Comment