Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

removeDomain doesn't remove entry from index.txt resulting in "TXT_DB error number 2" when trying to generate certificates for same host in the future #18

Open
wessberg opened this issue May 5, 2018 · 4 comments

Comments

@wessberg
Copy link

wessberg commented May 5, 2018

Hello there. First, this is a super awesome project!

I'm on mac OS High Sierra.

I've found that when removeDomain is called, only the certificates will be removed. However, since the domain name isn't removed from the index.txt file inside ~/Library/Application Support/devcert/certificate-authority, OpenSSL gives the following error when certificateFor is invoked again in the future with the same hostname:

failed to update database
TXT_DB error number 2

Removing the entry from the index.txt file resolves the issue

@davewasmer
Copy link
Owner

Good catch! I'm thinking the proper way to do this is probably to actually revoke the cert, which is not what we do now.

@shivekkhurana
Copy link

@davewasmer What is the correct way to do it ?

I'm building a ui around this module and want to fix this issue. Ideally I want to do three things to happen automatically :

  • Fix index.txt (easy)
  • Revoke the cert (don't know how to do this)
  • Remove the entry from /etc/host file (easy)

@daniel-crouch
Copy link

Is there a fix for this pending at all?

@llwt
Copy link

llwt commented Feb 9, 2022

I know this is an old issue, but is there any reason not to setup the ca with unique_subject = no instead of yes to avoid this issue?

If the value yes is given, the valid certificate entries in the database must have unique subjects. if the value no is given, several valid certificate entries may have the exact same subject. The default value is yes, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value no, especially if combined with the -selfsign command line option.

This would allow issuing multiple certs for the same domain and be a bit simpler then adding revocation in.

As a, hopefully temporary, fix in our project we modify the generated ~/Application Support/devcert/certificate-authority/index.txt.attr to change the value from no to yes and our tooling begins to work as expected.

alias-mac pushed a commit to alias-mac/devcert that referenced this issue Feb 8, 2024
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mike North <michael.l.north@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants