Document debugging an issue with generating fedora-messaging certificates

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

fedora_messaging_certificates.md

@@ -44,3 +44,47 @@ git push
 
 
 Source: https://pagure.io/fedora-infrastructure/issue/8638
+
+
+## Debugging
+
+If when generating the certificates, you run into the following error:
+```
+failed to update database
+TXT_DB error number 2
+```
+
+The full output looking something like
+```
+
+Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
+Generating a 2048 bit RSA private key
+.+++
+.....+++
+writing new private key to '/..../files/rabbitmq/staging/pki/private/monitor-gating.stg.key.PhSK949Ny8'
+-----
+Using configuration from /..../files/rabbitmq/staging/pki/safessl-easyrsa.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+commonName            :ASN.1 12:'monitor-gating.stg'
+Certificate is to be certified until Feb  9 14:52:07 2023 GMT (1080 days)
+failed to update database
+TXT_DB error number 2
+
+Easy-RSA error:
+
+signing failed (openssl output above may have more detail)
+```
+
+This is because you're trying to generate a certificate for a name that already
+exists in the database (as explained in:
+https://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/)
+
+The easiest way around this is to simply to a ``git grep <name of your cert>``.
+It should tell you that the name can be found in ``index.txt`` (and potentially
+``index.txt.old`` if another certificate was generated since the first attempt
+and yours).
+
+Edit this/these file(s) and remove the line concerning your certificate, then
+re-run the `easyrsa` command as above.