Ticket metadata
The Basics
Id: 502
Status: resolved
Priority: 0/
Queue: OpenSSL-Bugs

Custom Fields
Milestone: 0.9.7e
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Nobody in particular
Requestors: Maciej Bobrowski
Cc:
AdminCc:

Dates
Created: Fri Feb 14 09:17:53 2003
Starts: Not set
Started: Mon Jun 30 05:17:46 2014
Last Contact: Not set
Due: Fri Feb 14 09:17:53 2003
Closed: Mon Jun 30 05:17:46 2014
Updated: Mon Jun 30 05:17:46 2014 by Rich Salz



Date: Fri, 14 Feb 2003 08:26:54 +0100 (MET)
From: Maciej Bobrowski <mate@julia.univ.gda.pl>
To: rt@openssl.org
Subject: TXT_DB error number 2

Hi,

I am a newbie to SSL. I need to use the MySQL server together with SSL. In
the documentation of MySQL v. 4.0.10 there is a procedure for building MySQL
with OpenSSL support and also for setting up SSL certificates for MySQL:

DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

touch $DIR/index.txt
echo "01" > $DIR/serial

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
-config $DIR/openssl.cnf

openssl req -new -keyout $DIR/server-key.pem -out \
$DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

openssl ca -policy policy_anything -out $DIR/server-cert.pem \
-config $DIR/openssl.cnf -infiles $DIR/server-req.pem

openssl req -new -keyout $DIR/client-key.pem -out \
$DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

openssl ca -policy policy_anything -out $DIR/client-cert.pem \
-config $DIR/openssl.cnf -infiles $DIR/client-req.pem


and after the last command I obtain (actually it was the last command to
do):

....
Certificate is to be certified until Feb 14 06:46:00 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

Can you help me with the problem? How can I deal with it?

Best regards,

Maciej Bobrowski
[mate@julia.univ.gda.pl - Fri Feb 14 09:17:53 2003]:


> and after the last command I obtain (actually it was the last command to
> do):
>
> ....
> Certificate is to be certified until Feb 14 06:46:00 2004 GMT (365 days)
> Sign the certificate? [y/n]:y
> failed to update database
> TXT_DB error number 2

TXT_DB error number 2 is a DB_ERROR_INDEX_CLASH.
This occurs if the same serial number is to be used twice.

Did you solve your problem in the meantime?

Best regards,
Lutz


I ran into the same problem. I got it to occur, though, by setting the
-subj argument on req. If I leave that off, the key goes fine. But if I
try to use ca to sign a req that I make using -subj, it bombs with this
error message.
Same MySQL script, same reason. To solve the problem I ran the last
line through an older version of OpenSSL I had (0.9.6b), which worked
fine.
Same problem, but I am not using -subj.

I make and sign two certs successfully, and die on the third:

% openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout
privkey.pem -outform PEM -out newreq.pem
Generating a 1024 bit RSA private key
...........................++++++
..++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RGnet, LLC
Organizational Unit Name (eg, section) []:PSGnet
Common Name (eg, YOUR name) []:Randy Bush
Email Address []:randy@psg.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <hidden>
An optional company name []:

% CA.pl -sign
Using configuration from /usr/home/randy/.openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Jun 22 13:35:33 2003 GMT
Not After : Jun 21 13:35:33 2004 GMT
Subject:
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
organizationName = RGnet, LLC
organizationalUnitName = PSGnet
commonName = Randy Bush
emailAddress = randy@psg.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C0:52:5B:EA:3B:DB:29:DD:F9:E8:C4:2B:59:04:34:5C:90:CC:85:EF
X509v3 Authority Key Identifier:

keyid:54:9A:46:AD:16:8E:E8:01:49:79:48:9A:94:09:F0:02:D0:BA:64:80
DirName:/C=US/ST=Washingron/L=Bainbridge
Island/O=RGnet/PSGnet/OU=Engineering/CN=RGnet Root
CA/emailAddress=randy@psg.com
serial:00

Certificate is to be certified until Jun 21 13:35:33 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Signed certificate is in newcert.pem

% cat serial
03

% ls -l newcerts/
total 8
-rw------- 1 randy staff 3737 Jun 22 06:03 01.pem
-rw------- 1 randy staff 3715 Jun 22 06:12 02.pem

randy <randy@psg.com>
Subject: TXT_DB error number 2 - WORKAROUND
If I use a different commonName for each cert, then the bug is NOT revealed.

Randy Bush <randy@psg.com>
This thing happens when certificates share common data. You cannot have two
certificates that look otherwise the same. Either remove them by hand from the
database, or properly revoke them using 'openssl ca -revoke xyz.crt'

Why it fails with MySQL example, though, escapes me.

Cheers, Kuba
By any chance -- you didn't repeat this procedure? If you generated the
certificate at least once, you need to revoke it before generating the same
certificate again.

Cheers, Kuba


[jaenicke - Thu Mar 27 23:28:28 2003]:

> TXT_DB error number 2 is a DB_ERROR_INDEX_CLASH.
> This occurs, if the same serial number shall be used twice.

Or the same subject (there's a change in 0.9.8-dev where you can make
'openssl ca' accept multiple certificates with the same subject)...

Is this still an issue, or should we resolve this ticket?

--
Richard Levitte
levitte@openssl.org

there is a file 'index.txt.attr' that contains this:

"unique_subject = yes"

I changed it to:

"unique_subject = no"

and it worked fine later... but I'm a newbie... there was another kind
of message, but they seemed to be warnings, like this:

"unable to rename ./demoCA/serial to ./demoCA/serial.old"
"reason: File exists"

By the way, I'm on Win/XP (sorry for this...)

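
The clash rule the replies above describe (Lutz: a serial number used twice;
Levitte and the last poster: the same subject, unless unique_subject is set to
no; Kuba: revoke the earlier certificate first) can be made concrete by
modelling how `openssl ca` loads index.txt and checks a new row against it.
The following is an added example written for this page, not OpenSSL's own
code; the two index rows, the subject names, the serials and the index.txt.attr
contents are all constructed for the demonstration.

```python
# Added example (not OpenSSL code): a small model of the index.txt database
# that `openssl ca` keeps and of the check that fails with
# "TXT_DB error number 2" (DB_ERROR_INDEX_CLASH). All rows are constructed.

# Error codes as numbered in OpenSSL's txt_db.h; the number printed after
# "TXT_DB error number" is one of these.
DB_ERROR_OK = 0
DB_ERROR_INDEX_CLASH = 2

# Column positions of one tab-separated index.txt row:
# status (V/R/E), expiry, revocation date, serial (hex), file name, subject DN.
DB_type, DB_exp_date, DB_rev_date, DB_serial, DB_file, DB_name = range(6)


def parse_index(text):
    """Split index.txt into rows; blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt row: %r" % line)
        rows.append(fields)
    return rows


def parse_attr(text):
    """Read index.txt.attr; unique_subject defaults to yes when absent."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "unique_subject":
            return value.strip().lower() in ("yes", "y", "true")
    return True


class IndexDb:
    """Rows plus the two hash indexes `openssl ca` builds when loading the file."""

    def __init__(self, rows, unique_subject=True):
        self.rows = []
        self.unique_subject = unique_subject
        self.by_serial = {}  # every row, no qualifier: a serial may appear once
        self.by_name = {}    # only rows with status V, only if unique_subject
        for row in rows:
            if self.insert(row) != DB_ERROR_OK:
                raise ValueError("existing index.txt already clashes: %r" % row)

    def _name_qualifies(self, row):
        # Same qualifier as the name index in ca.c: only valid certificates.
        return self.unique_subject and row[DB_type] == "V"

    def insert(self, row):
        """Mirror TXT_DB_insert: refuse the row if any index already has its key."""
        if row[DB_serial] in self.by_serial:
            return DB_ERROR_INDEX_CLASH
        if self._name_qualifies(row) and row[DB_name] in self.by_name:
            return DB_ERROR_INDEX_CLASH
        row = list(row)
        self.rows.append(row)
        self.by_serial[row[DB_serial]] = row
        if self._name_qualifies(row):
            self.by_name[row[DB_name]] = row
        return DB_ERROR_OK

    def revoke(self, serial, when="030627120000Z"):
        """Effect of `openssl ca -revoke` on a row: status R, revocation date set.
        A revoked row no longer qualifies for the subject index."""
        row = self.by_serial[serial]
        row[DB_type] = "R"
        row[DB_rev_date] = when
        self.by_name.pop(row[DB_name], None)


# Constructed database: a server and a client certificate already issued
# (serials 01 and 02), as after two successful `openssl ca` runs.
SERVER_DN = "/C=PL/O=Example Corp/CN=mysql-server.example"
CLIENT_DN = "/C=PL/O=Example Corp/CN=mysql-client"
INDEX_TXT = (
    "V\t040214064600Z\t\t01\tunknown\t" + SERVER_DN + "\n"
    "V\t040214064600Z\t\t02\tunknown\t" + CLIENT_DN + "\n"
)


def demo():
    """Try to sign a third request whose subject repeats serial 02's, four ways."""
    third = ["V", "040214064700Z", "", "03", "unknown", CLIENT_DN]
    results = {}
    # 1. Default unique_subject = yes: same subject as valid row 02 -> error 2.
    db = IndexDb(parse_index(INDEX_TXT), unique_subject=True)
    results["same_subject"] = db.insert(third)
    # 2. index.txt.attr says unique_subject = no: the name index is not built.
    db = IndexDb(parse_index(INDEX_TXT), unique_subject=parse_attr("unique_subject = no\n"))
    results["unique_subject_no"] = db.insert(third)
    # 3. Revoke the earlier certificate first; row 02 leaves the name index.
    db = IndexDb(parse_index(INDEX_TXT), unique_subject=True)
    db.revoke("02")
    results["after_revoke"] = db.insert(third)
    # 4. A serial already in the file clashes whatever the subject is.
    db = IndexDb(parse_index(INDEX_TXT), unique_subject=False)
    reused = ["V", "040214064700Z", "", "02", "unknown", "/C=PL/O=Example Corp/CN=other"]
    results["reused_serial"] = db.insert(reused)
    return results


if __name__ == "__main__":
    for case, code in demo().items():
        print("%-18s TXT_DB error number %d" % (case, code))
```

Cases 1 and 3 are the situation in this ticket: the serial file had already
moved on to 03, so it was the subject index, not the serial index, that
clashed, and revoking the earlier certificate or writing `unique_subject = no`
to index.txt.attr both make the next signing succeed. Case 4 is the clash
Lutz names, which no setting turns off, since the serial index has no
qualifier.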
In 2003: "Is this still an issue, or should we resolve this ticket?"

After thinking long and hard for ten long years:  resolve it.