Opened 7 years ago

Closed 5 years ago

#229 closed Bug / Defect (wontfix)

easy-rsa: failed to update database > TXT_DB error number 2

Reported by: SiB
Owned by: Eric Crist
Priority: major
Milestone:
Component: easy-rsa
Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Hello,
OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Windows XP 32bit, Windows 7 32bit, Windows 7 64bit

I am trying to create certs using the included "easy-rsa"; I do everything correctly according to README.txt and the OpenVPN.org HOWTO.

Three bat scripts create something in index.txt that generates errors.
I attach one process that shows the problem as well as I can.

When I follow the official HOWTO, I receive this error:
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out c:\PROGRA~2\OpenVPN\easy-rsa\keys\client1.crt -in c:\PROGRA~2\OpenVPN\easy-rsa\key \client1.csr -config openssl-1.0.0.cnf
...
Certificate is to be certified until Oct 5 21:19:18 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

To solve this I must run "echo. 2>keys\index.txt" to empty the file every time I use one of these: build-key.bat, build-key-server.bat, revoke-full.bat. I understand it's not a good method - I cannot tell what problems I cause by this, so I am writing this case.

Please correct these easy-rsa scripts.
Best Regards
Marcin Przysowa

Attachments (1)

bug_gen_cert.txt (4.8 KB) - added by SiB 7 years ago.
my todo to show the error.


Change History (7)

Changed 7 years ago by SiB

Attachment: bug_gen_cert.txt added

my todo to show the error.

comment:1 Changed 7 years ago by SiB

I still think that README.txt has an error. README.txt doesn't have any WARNING that easy-rsa works well ONLY when you input (for ALL CLIENT certificates (build-key.bat)) a DIFFERENT Common Name value for each client cert you build.

I found not a solution but a workaround for this situation by adding this:
echo unique_subject = no >%d%\index.txt.attr
at the end of 'clean-all.bat'.
Now clean-all.bat creates a file index.txt.attr with the information that the Common Name can be repeated (not unique), and now I can work with this easy-rsa addon.

Please add some information/warning to the README.txt file for new people who will try to generate certs from this README.txt file and will use the same CN and other entries.

Best Regards
Marcin Przysowa
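
As an added example (not part of the ticket or of easy-rsa), a small Python check for the duplicate-subject condition described in comment:1. It assumes the usual six tab-separated columns of an OpenSSL CA index.txt, that only rows with status V count towards the clash, and that unique_subject defaults to yes when index.txt.attr is absent; the sample rows and function names are constructed for illustration.

```python
# Added illustration; the sample rows are constructed, not taken from the ticket.
# Assumed row layout: status, expiry, revocation, serial, filename, subject (tab-separated).
SAMPLE_INDEX = (
    "V\t221005211918Z\t\t01\tunknown\t/C=US/ST=CA/O=Example/CN=server\n"
    "V\t221005212001Z\t\t02\tunknown\t/C=US/ST=CA/O=Example/CN=changeme\n"
    "R\t221005212130Z\t121008101500Z\t03\tunknown\t/C=US/ST=CA/O=Example/CN=client1\n"
)


def unique_subject(attr_text):
    """Read unique_subject from index.txt.attr content; assumed default is yes."""
    for line in attr_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "unique_subject":
            # Tolerates the trailing space and CRLF that a batch 'echo' writes.
            return value.strip()[:1].lower() not in ("n", "f", "0")
    return True


def parse_index(index_text):
    """Yield (status, serial, subject) for each well-formed row."""
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6:
            yield fields[0], fields[3], fields[5]


def valid_serials_for(index_text, subject):
    """Serials of still-valid (status V) entries that carry exactly this subject."""
    return [serial for status, serial, subj in parse_index(index_text)
            if status == "V" and subj == subject]


def would_clash(index_text, attr_text, new_subject):
    """True when signing new_subject would duplicate a valid entry's subject."""
    return unique_subject(attr_text) and bool(valid_serials_for(index_text, new_subject))


if __name__ == "__main__":
    subject = "/C=US/ST=CA/O=Example/CN=changeme"
    print("default attr :", would_clash(SAMPLE_INDEX, "", subject))
    print("unique=no    :", would_clash(SAMPLE_INDEX, "unique_subject = no \r\n", subject))
```

With unique_subject = no the CA will issue several valid certificates with the same subject, so later revocation and auditing have to go by serial number rather than by CN.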

comment:2 Changed 7 years ago by clint

I've had this error with recent versions of easy-rsa (2.2.0 works). These differ from older versions in that the following lines are included in easy-rsa/2.0/vars:

export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Commenting these lines out leads to the old behavior, which allows you to create keys correctly with a unique CN.

comment:3 Changed 7 years ago by David Sommerseth

Owner: set to Eric Crist
Status: new → assigned

comment:4 Changed 7 years ago by David Sommerseth

Component: Generic / unclassified → easy-rsa

comment:5 Changed 6 years ago by Samuli Seppänen

Milestone: release 2.2.2

There is now a new version of easy-rsa out, which AFAIK is a complete rewrite. Still, it might make sense to fix this in the easy-rsa 2.2 branch. Pekster or ecrist can have a look...

comment:6 Changed 5 years ago by Samuli Seppänen

Resolution: wontfix
Status: assigned → closed

easy-rsa 2.x is effectively unmaintained -> closing as "wontfix". Please use easy-rsa 3.x instead:

If you absolutely want this bug fixed, please send a patch to the easy-rsa developers.