Hi, I just re-tried this again hoping to show you what fails in openssl:
> Hi,
> I am trying to generate some client certificates for openvpn and I found
> openssl breaks with a cryptic message "TXT_DB error number 2" if I enter a
> _comma_ into the Organization Name string.
>
> First of all I do not understand why I get an error from openssl so late
> in the process (while signing a broken request). Why was that broken
> string accepted during client.csr creation? Please compare the two approaches
> below.
> Thanks,
> Martin
>
> BROKEN
>
> easy-rsa # ./build-req client
> Generating a 2048 bit RSA private key
> ....................................................+++
> .........................+++
> writing new private key to 'client.key'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [CZ]:
> State or Province Name (full name) [CZ]:
> Locality Name (eg, city) [Prague]:
> Organization Name (eg, company) [Organization, Some dept]:
> ---------------------------------------------^
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) [client]:
> Name []:
> Email Address [[email protected]]:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> easy-rsa # ./sign-req client
> Using configuration from /etc/openvpn/iresite/easy-rsa/openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'CZ'
> stateOrProvinceName   :PRINTABLE:'CZ'
> localityName          :PRINTABLE:'Prague'
> organizationName      :PRINTABLE:'Organization, Some dept'
> ----------------------------------------------^
> commonName            :PRINTABLE:'client'
> emailAddress          :IA5STRING:'[email protected]'
> Certificate is to be certified until May 14 11:04:09 2020 GMT (3650 days)
> Sign the certificate? [y/n]:y
> failed to update database
> TXT_DB error number 2
> easy-rsa #

If I run strace I see:

[pid 4348] geteuid32() = 0
[pid 4348] getegid32() = 0
[pid 4348] getuid32() = 0
[pid 4348] getgid32() = 0
[pid 4348] access("/usr/bin/openssl", R_OK) = 0
[pid 4348] rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
[pid 4348] clone(Process 4349 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb76c0b88) = 4349
[pid 4349] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 4349] rt_sigaction(SIGTSTP, {SIG_DFL, [], 0}, {SIG_DFL, [], 0}, 8) = 0
[pid 4349] rt_sigaction(SIGTTIN, {SIG_DFL, [], 0}, {SIG_DFL, [], 0}, 8) = 0
[pid 4349] rt_sigaction(SIGTTOU, {SIG_DFL, [], 0}, {SIG_DFL, [], 0}, 8) = 0
[pid 4349] rt_sigaction(SIGINT, {SIG_DFL, [], 0}, {0x8095297, [], 0}, 8) = 0
[pid 4349] rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, {SIG_DFL, [], 0}, 8) = 0
[pid 4349] rt_sigaction(SIGCHLD, {SIG_DFL, [], 0}, {0x8083859, [], 0}, 8) = 0
[pid 4349] execve("/usr/bin/openssl", ["openssl", "ca", "-days", "3650", "-out", "client.crt", "-in", "client.csr", "-md", "sha1", "-config", "/usr/share/openvpn/easy-rsa/open"...], ["GREP=grep", "PKCS11TOOL=pkcs11-tool", "MANPATH=/etc/java-config-2/curre"..., "NCBI=/etc/ncbi", "PYMOL_PATH=//usr/lib/python2.6/s"..., "KEY_EXPIRE=3650", "SHELL=/bin/bash", "TERM=xterm", "LIBRARY_PATH=/opt/intel/Compiler"..., "bash4=4.1.7(2)-release", "RNAVIEW=/usr/share/rnaview", "PKCS11_PIN=dummy", "OLDPWD=/usr/share/openvpn/easy-r"..., "GMXMAN=/usr/share/man", "DISTCC_HOSTS=192.168.251.1,lzo 1"..., "ANT_HOME=/usr/share/ant", "SBCL_HOME=/usr/lib/sbcl", "IA32ROOT=/opt/intel/compiler91", "USER=root", "LS_COLORS=rs=0:di=01;34:ln=01;36"..., "PHRED_PARAMETER_FILE=/usr/share/"..., "INTEL_FLEXLM_LICENSE=/opt/intel/"..., "GUILE_LOAD_PATH=/usr/share/guile"..., "GDK_USE_XFT=1", "PKCS11_MODULE_PATH=dummy", "KEY_CN=client", "PYTHONDOCS=/usr/share/doc/python"..., "[email protected]", "GMXDATA=/usr/share", "PAGER=/usr/bin/less", "VMHANDLE=blackdown-jdk-1.4.2", "PLPLOT_LIB=/usr/share/EMBOSS/", "CONFIG_PROTECT_MASK=/etc/gentoo-"..., "XDG_CONFIG_DIRS=/etc/xdg", "PDB_EXTRACT_ROOT=/usr/", "FLTK_DOCDIR=/usr/share/doc/fltk-"..., "NLSPATH=/opt/intel/Compiler/11.1"..., "SBCL_SOURCE_ROOT=/usr/lib/sbcl/s"..., "PATH=/root/bin:/usr/lib/ccache/b"..., "PYMOL_DATA=/usr/share/pymol/data", "HG=/usr/bin/hg", "DISTCC_LOG=", "PWD=/usr/share/openvpn/easy-rsa/"..., "LIBXCB_ALLOW_SLOPPY_LOCK=1", "JAVA_HOME=/etc/java-config-2/cur"..., "GENERATION=2", "EDITOR=/bin/nano", "JAVAC=/etc/java-config-2/current"..., "CA_EXPIRE=3650", "KEY_OU=", "BLASTDB=/usr/share/ncbi/formatdb", "PYTHONDOCS_3_1=/usr/share/doc/py"..., "DISTCC_VERBOSE=0", "DCCC_PATH=/usr/lib/distcc/bin", "KEY_SIZE=1024", "TEXINPUTS=/usr/lib/hevea:", "EMBOSS_ACDROOT=/usr/share/EMBOSS"..., "KEY_DIR=/usr/share/openvpn/easy-"..., "LESSCHARSET=utf-8", "JDK_HOME=/etc/java-config-2/curr"..., "SHLVL=3", "HOME=/root", "CONSED_HOME=${EPREFIX}/usr", "JAVACC_HOME=/usr/share/javacc/", "KEY_NAME=", "PYMOL_SCRIPTS=/usr/share/pymol/s"..., "R3D_LIB=/usr/share//materials", "QMAIL_CONTROLDIR=/var/qmail/cont"..., "LESS=-R -M --shift 5", "GMXBIN=/usr/bin", "LOGNAME=root", "PYTHONDOCS_2_5=/usr/share/doc/py"..., "PDB_EXTRACT=/usr/lib/rcsb/", "GCC_SPECS=", "CVS_RSH=ssh", "KEY_CITY=Prague", "XDG_DATA_DIRS=/usr/local/share:/"..., "LC_CTYPE=cs_CZ.UTF-8", "GMXLDLIB=/usr/lib", "CLASSPATH=.", "HISTSIZE=40000", "PYTHONDOCS_2_6=/usr/share/doc/py"..., "LESSOPEN=|lesspipe.sh %s", "KEY_PROVINCE=", "R_HOME=/usr/lib/R", "BLASTMAT=/usr/share/ncbi/data", "EASY_RSA=/usr/share/openvpn/easy"..., "INFOPATH=/usr/share/info:/usr/sh"..., "KEY_ORG=Charles University, Facu"..., "KEY_CONFIG=/usr/share/openvpn/ea"..., "OPENSSL=openssl", "DISPLAY=:0.0", "USB_DEVFS_PATH=/dev/bus/usb", "OPENGL_PROFILE=xorg-x11", "LADSPA_PATH=/usr/lib/ladspa", "XSESSION=fvwm2", "SANE_CONFIG_DIR=/etc/sane.d", "KEY_COUNTRY=CZ", "CONFIG_PROTECT=/var/bind /usr/sh"..., "XAUTHORITY=/root/.xauthcMjrN9", "_=/usr/bin/openssl"]) = 0
[pid 4349] brk(0) = 0x80b3000
[pid 4349] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78a1000
[pid 4349] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/tls/i686/sse2/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/tls/i686/sse2", 0xbff9121c) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/tls/i686/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/tls/i686", 0xbff9121c) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/tls/sse2/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/tls/sse2", 0xbff9121c) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/tls/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/tls", {st_dev=makedev(8, 3), st_ino=14895122, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=4096, st_atime=2009/10/10-00:10:38, st_mtime=2004/11/08-10:42:02, st_ctime=2007/04/30-17:25:06}) = 0
[pid 4349] open("/usr/lib/i686/sse2/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/i686/sse2", 0xbff9121c) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/i686/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/i686", 0xbff9121c) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/sse2/libssl.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] stat64("/usr/lib/sse2", 0xbff9121c) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/libssl.so.0.9.8", O_RDONLY) = 3
[pid 4349] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\336\0\0004\0\0\0"..., 512) = 512
[pid 4349] fstat64(3, {st_dev=makedev(8, 3), st_ino=22659560, st_mode=S_IFREG|0555, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=2672, st_size=1360289, st_atime=2010/05/17-03:29:54, st_mtime=2010/05/17-03:29:54, st_ctime=2010/05/17-03:33:00}) = 0
[pid 4349] mmap2(NULL, 289912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb785a000
[pid 4349] mprotect(0xb789c000, 4096, PROT_NONE) = 0
[pid 4349] mmap2(0xb789d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x42) = 0xb789d000
[pid 4349] close(3) = 0
[pid 4349] open("/usr/lib/tls/libcrypto.so.0.9.8", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4349] open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
--cut--
[pid 4349] time(NULL) = 1276014501
[pid 4349] open("/etc/localtime", O_RDONLY) = 5
[pid 4349] fstat64(5, {st_dev=makedev(8, 3), st_ino=4704161, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2246, st_atime=2010/01/02-22:10:39, st_mtime=2010/05/16-03:11:15, st_ctime=2010/05/16-03:11:15}) = 0
[pid 4349] fstat64(5, {st_dev=makedev(8, 3), st_ino=4704161, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2246, st_atime=2010/01/02-22:10:39, st_mtime=2010/05/16-03:11:15, st_ctime=2010/05/16-03:11:15}) = 0
[pid 4349] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76c7000
[pid 4349] read(5, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2246
[pid 4349] _llseek(5, -28, [2218], SEEK_CUR) = 0
[pid 4349] read(5, "\nCET-1CEST,M3.5.0,M10.5.0/3\n", 4096) = 28
[pid 4349] close(5) = 0
[pid 4349] munmap(0xb76c7000, 4096) = 0
[pid 4349] time(NULL) = 1276014501
[pid 4349] write(2, "Certificate is to be certified u"..., 37Certificate is to be certified until ) = 37
[pid 4349] write(2, "Jun 5 16:28:21 2020 GMT", 24Jun 5 16:28:21 2020 GMT) = 24
[pid 4349] write(2, " (3650 days)", 12 (3650 days)) = 12
[pid 4349] write(2, "\n", 1
) = 1
[pid 4349] write(2, "Sign the certificate? [y/n]:", 28Sign the certificate? [y/n]:) = 28
[pid 4349] fstat64(0, {st_dev=makedev(0, 10), st_ino=3, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=1000, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(136, 0), st_atime=2010/06/08-18:28:20, st_mtime=2010/06/08-18:28:21, st_ctime=2010/06/08-11:49:59}) = 0
[pid 4349] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76c7000
[pid 4349] read(0, y
"y\n", 1024) = 2
[pid 4349] open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5
[pid 4349] fstat64(5, {st_dev=makedev(0, 14), st_ino=689, st_mode=S_IFCHR|0666, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_rdev=makedev(1, 9), st_atime=2010/06/08-13:48:00, st_mtime=2010/06/08-11:48:09, st_ctime=2010/06/08-13:48:00}) = 0
[pid 4349] poll([{fd=5, events=POLLIN}], 1, 10) = 1 ([{fd=5, revents=POLLIN}])
[pid 4349] read(5, ")\1x\254\335\7\356\335b\247w1\342\26`\342!\3731\3163X\30\267\275\253%m\203+\224\270", 32) = 32
[pid 4349] close(5) = 0
[pid 4349] getuid32() = 0
[pid 4349] time(NULL) = 1276014503
[pid 4349] time(NULL) = 1276014503
[pid 4349] write(2, "failed to update database\n", 26failed to update database
) = 26
[pid 4349] write(2, "TXT_DB error number 2\n", 22TXT_DB error number 2
) = 22
[pid 4349] close(4) = 0
[pid 4349] munmap(0xb76c8000, 4096) = 0
[pid 4349] close(3) = 0
[pid 4349] stat64("/root/.rnd", {st_dev=makedev(8, 3), st_ino=14975035, st_mode=S_IFREG|0600, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=1024, st_atime=2009/10/09-23:39:08, st_mtime=2010/06/08-18:28:09, st_ctime=2010/06/08-18:28:09}) = 0
[pid 4349] open("/root/.rnd", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
[pid 4349] chmod("/root/.rnd", 0600) = 0
[pid 4349] fstat64(3, {st_dev=makedev(8, 3), st_ino=14975035, st_mode=S_IFREG|0600, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_size=0, st_atime=2009/10/09-23:39:08, st_mtime=2010/06/08-18:28:23, st_ctime=2010/06/08-18:28:23}) = 0
[pid 4349] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76c8000
[pid 4349] write(3, "\234\21\r\203>\245\26\33t\323N\f\360m\303\26\250#r33\320\337\17\221\220Z\213.\226\273M"..., 1024) = 1024
[pid 4349] close(3) = 0
[pid 4349] munmap(0xb76c8000, 4096) = 0
[pid 4349] exit_group(1) = ?
Process 4348 resumed
Process 4349 detached
--cut--

As you can see, /usr/bin/openssl exits with the message. Is that because of the time(NULL) calls?

Regards,
Martin

> GOOD
>
> easy-rsa #
>
> easy-rsa # ./build-req client
> Generating a 2048 bit RSA private key
> ....+++
> ...............+++
> writing new private key to 'client.key'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [CZ]:
> State or Province Name (full name) [CZ]:
> Locality Name (eg, city) [Prague]:
> Organization Name (eg, company) [Organization, Some dept]:Organization
> ----------------------------------------------------------^^^^^^^^^^^^
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) [client]:
> Name []:
> Email Address [[email protected]]:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> easy-rsa # ./sign-req client
> Using configuration from /etc/openvpn/iresite/easy-rsa/openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'CZ'
> stateOrProvinceName   :PRINTABLE:'CZ'
> localityName          :PRINTABLE:'Prague'
> organizationName      :PRINTABLE:'Organization'
> ----------------------------------^^^^^^^^^^^^
> commonName            :PRINTABLE:'client'
> emailAddress          :IA5STRING:'[email protected]'
> Certificate is to be certified until May 14 11:04:55 2020 GMT (3650 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> easy-rsa #

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
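"TXT_DB error number 2" has a fixed meaning in OpenSSL: it is DB_ERROR_INDEX_CLASH from txt_db.h, returned when the row that openssl ca appends to the CA database (index.txt, kept under $KEY_DIR by easy-rsa) collides with an entry already indexed there, either the same serial or, when unique_subject is in effect, the same subject DN on an entry still marked V. As an added example, not code from this thread, here is a Python pre-flight check that parses index.txt and reports such a clash before openssl ca is run; the index rows, serials and DNs below are constructed, and the function names are my own.

```python
# Pre-flight check for the clash behind "failed to update database /
# TXT_DB error number 2". Error 2 is DB_ERROR_INDEX_CLASH: the row openssl ca
# appends to index.txt collides with an index entry. openssl ca indexes the
# serial column (all rows) and, with unique_subject, the subject column (status V rows).
from dataclasses import dataclass

@dataclass
class IndexEntry:
    status: str    # V valid, R revoked, E expired
    expiry: str    # YYMMDDHHMMSSZ
    revoked: str   # revocation time, empty unless status == "R"
    serial: str    # hex, as written by openssl ca
    filename: str  # normally "unknown"
    subject: str   # X509_NAME_oneline form: /C=../O=../CN=..

def parse_index(text):
    """Parse index.txt: six tab-separated columns per row."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries

def _norm_serial(s):
    return s.upper().lstrip("0") or "0"  # OpenSSL's serial index ignores leading zeros

def find_clash(entries, serial, subject, unique_subject=True):
    """Return why (serial, subject) would be rejected, or None if it inserts cleanly."""
    for e in entries:
        if _norm_serial(e.serial) == _norm_serial(serial):
            return f"serial {serial} already in index.txt (status {e.status}); check the serial file"
        if unique_subject and e.status == "V" and e.subject == subject:
            return f"valid certificate for {subject} already issued as serial {e.serial}"
    return None

# Constructed sample index.txt: serial 01 (still valid) already went to the thread's
# comma DN; serial 02 went to another DN and was later revoked.
SAMPLE_INDEX = (
    "V\t200514110409Z\t\t01\tunknown\t/C=CZ/ST=CZ/L=Prague/O=Organization, Some dept/CN=client\n"
    "R\t200514110500Z\t100608120000Z\t02\tunknown\t/C=CZ/ST=CZ/L=Prague/O=Old Org/CN=client\n"
)
ENTRIES = parse_index(SAMPLE_INDEX)

def check_thread_cases():
    # the BROKEN and GOOD subjects from the thread, next serial 03
    broken = "/C=CZ/ST=CZ/L=Prague/O=Organization, Some dept/CN=client"
    good = "/C=CZ/ST=CZ/L=Prague/O=Organization/CN=client"
    return find_clash(ENTRIES, "03", broken), find_clash(ENTRIES, "03", good)
```

Against this sample index the comma DN is rejected only because a valid certificate with that exact subject already exists, while the DN without the comma is a new subject and inserts cleanly; the comma itself plays no part in the comparison.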
