Baffling things that can happen

If openssl ca tells you this:

failed to update database
TXT_DB error number 2

it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in openssl.conf:

unique_subject = no

If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in index.attr and possibly index.attr.old.