From luckydogxf at gmail.com Thu Jun 18 01:32:32 2020
Content-Type: multipart/mixed; boundary="===============8774100807775439522=="
MIME-Version: 1.0
From: luckydog xf <luckydogxf at gmail.com>
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: pki-tomcat fails to start after I update CA for
 dirsrv and httpd.
Date: Thu, 18 Jun 2020 09:31:55 +0800
Message-ID: <CAAoCYOx3JeLtw-DFQA8UHgodKwWXn+fhEq4gnDOVg7otg0GDEg@mail.gmail.com>
In-Reply-To: 59061a2f-69c0-de16-749e-026c390d277b@redhat.com

--===============8774100807775439522==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

The sad thing is that CA is expired on May 30, 2020. My IPA cannot login
in.

So I used certutil to remove old CAs. Here are steps I used. Unfortunately,
I didn't try the step you mentioned.

1. certutil -d /etc/http/alias -D -n Server-Cert
    certutil -d /etc/http/alias -D -n  < Other CAs of Comodo>

2. Do the same thing against /etc/dirsrv/slapd-xxx

3. Add new certs and CAs by:

cat server.key server.crt > server.all

openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out
Server-Cert.p12 -name "Server-Cert"

pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert

4. iptacl restart -f -d shows pki-tomcatd cannot start.
---------
Internal Database Error encountered:* Could not connect to LDAP server host
wocfreeipa.sap.wingon.hk <http://wocfreeipa.sap.wingon.hk> port 636 *Error
netscape.ldap.LDAPException: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-8172) *Peer's
certificate issuer has been marked as not trusted by the user.* (-1)

So what's wrong ?


-------------



On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:

> On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
> > Hi, As state in
> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-=
CA-Root-Expiring-May-30-2020
> >
> > I cannot login in FreeIPA web page.
> >
> > So I update CA by :
> >
> > # delete everything except IPA CA  of httpd and dirsrv
> >
> > certutil -d /etc/http/alias -D -n 'xxx'
> >
> > # ca-bundle.crt is 3 files named USERTrust, .etc.
> >
> > # server.all is an combination of my certificate signed by Sectigo(
> fomerly named Comodo).
> >
> > openssl pkcs12 -export -chain -CAfile ca-bundle.crt  -in server.all
> -out Server-Cert.p12 -name "Server-Cert"
> >
> > # add to httpd and dirsrv.
> >
> >   pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
> >
> > I restart all services by ipactl restart. But it seems pki-tomcat fails
> to startup.
> >
> > #### log of ipactcl start ####
> >
> > Starting pki-tomcatd Service
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=3D/bin/systemctl start pki-tomcatd.target
> > ipa: DEBUG: Process finished, return code=3D0
> > ipa: DEBUG: request POST
> http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
> > ipa: DEBUG: request body ''
> > ipa: DEBUG: response status 500
> > ipa: DEBUG: response headers Server: Apache-Coyote/1.1
> > Content-Type: text/html;charset=3Dutf-8
> > Content-Language: en
> > Content-Length: 2208
> > Date: Wed, 17 Jun 2020 09:13:19 GMT
> > Connection: close
> >
> > ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 -
> Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s
> > ......
> >
> > ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with
> status 500
> > ipa: DEBUG: Waiting until the CA is running
> >
> > #### END of log #####
> >
> >
> > Here is log of pki-tomcat
> >
> > ###
> > Internal Database Error encountered: Could not connect to LDAP server
> host wocfreeipa.sap.wingon.hk port 636 Error netscape.ldap.LDAPException:
> Unable to create socket: org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172)
> Peer's certificate issuer has been marked as not trusted by the user. (-1)
> >
> > ###
> >
> > The point is ' Peer's certificate issuer has been marked as not trusted
> by the user.'   As far as I know pki-tomcat needs a certificate to bind to
> 389 DS and store information.
> >
> > But I didn't touch CA named 'IPA CA',  so basically pki-tomcatd could
> use its own certificate named 'substemCert cert-pki-ca' to bind to 389 DS.
> >
> > Please help.
> Hi,
>
> the new CA certs from Sectigo need to be installed with
> ipa-cacert-manage install (the command uploads the certs in the LDAP
> database). For more information, please refer to "Installing a CA
> Certificate Manually" [1].
> As the chain contains multiple certs, you need to start from the root
> cert then go down the chain. When all the certs have been added, don't
> forget to run ipa-certupdate on all the IPA hosts (the command downloads
> the certs from LDAP and puts them in all the NSSDBs that need them).
>
> HTH,
> flo
>
> [1]
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/=
html/linux_domain_identity_authentication_and_policy_guide/manual-cert-inst=
all
>
> >
> > Thanks a lot.
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedora=
hosted.org
> >
>
>

--===============8774100807775439522==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGRpdiBkaXI9Imx0ciI+VGhlIHNhZCB0aGluZyBpcyB0aGF0IENBIGlzIGV4cGlyZWQgb24gTWF5
IDMwLCAyMDIwLiBNeSBJUEEgY2Fubm90IGxvZ2luIGluLsKgPGRpdj48YnI+PGRpdj5TbyBJIHVz
ZWQgY2VydHV0aWwgdG8gcmVtb3ZlIG9sZCBDQXMuIEhlcmUgYXJlIHN0ZXBzIEkgdXNlZC4gVW5m
b3J0dW5hdGVseSwgSSBkaWRuJiMzOTt0IHRyeSB0aGUgc3RlcCB5b3UgbWVudGlvbmVkLjxkaXY+
PGJyPjxkaXY+MS4gY2VydHV0aWwgLWQgL2V0Yy9odHRwL2FsaWFzIC1EIC1uIFNlcnZlci1DZXJ0
wqA8L2Rpdj48L2Rpdj48ZGl2PsKgIMKgIGNlcnR1dGlsIC1kIC9ldGMvaHR0cC9hbGlhcyAtRCAt
bsKgICZsdDsgT3RoZXIgQ0FzIG9mIENvbW9kbyZndDs8L2Rpdj48ZGl2Pjxicj48L2Rpdj48ZGl2
PjIuIERvIHRoZSBzYW1lIHRoaW5nIGFnYWluc3QgL2V0Yy9kaXJzcnYvc2xhcGQteHh4wqA8L2Rp
dj48ZGl2Pjxicj48L2Rpdj48ZGl2PjMuIEFkZCBuZXcgY2VydHMgYW5kIENBcyBieTo8L2Rpdj48
ZGl2Pjxicj48L2Rpdj48ZGl2PjxkaXYgc3R5bGU9IndoaXRlLXNwYWNlOnByZS13cmFwO2xpbmUt
aGVpZ2h0OjEuNzU7Zm9udC1zaXplOjE0cHgiPmNhdCBzZXJ2ZXIua2V5IHNlcnZlci5jcnQgJmd0
OyBzZXJ2ZXIuYWxsPC9kaXY+PGRpdiBzdHlsZT0id2hpdGUtc3BhY2U6cHJlLXdyYXA7bGluZS1o
ZWlnaHQ6MS41Mzg0Njtmb250LXNpemU6MTRweCI+PGJyPjwvZGl2PjxkaXYgc3R5bGU9IndoaXRl
LXNwYWNlOnByZS13cmFwO2xpbmUtaGVpZ2h0OjEuNTM4NDY7Zm9udC1zaXplOjE0cHgiPm9wZW5z
c2wgcGtjczEyIC1leHBvcnQgPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxM3B4O2ZvbnQtZmFtaWx5
OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7O2NvbG9yOnJnYigyMjMsNjQsNDIpO2JhY2tncm91bmQt
Y29sb3I6cmdiKDI0NSwyNDUsMjQ1KSI+LWNoYWluIC1DQWZpbGUgY2EtYnVuZGxlLmNydCA8L3Nw
YW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxM3B4O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIg
TmV3JnF1b3Q7O2NvbG9yOnJnYig1MSw1MSw1MSk7YmFja2dyb3VuZC1jb2xvcjpyZ2IoMjQ1LDI0
NSwyNDUpIj4gPC9zcGFuPi1pbiBzZXJ2ZXIuYWxsICAtb3V0IFNlcnZlci1DZXJ0LnAxMiAtbmFt
ZSAmcXVvdDtTZXJ2ZXItQ2VydCZxdW90OzwvZGl2PjxkaXYgc3R5bGU9IndoaXRlLXNwYWNlOnBy
ZS13cmFwO2xpbmUtaGVpZ2h0OjEuNTM4NDY7Zm9udC1zaXplOjE0cHgiPjxicj48L2Rpdj48ZGl2
IHN0eWxlPSJ3aGl0ZS1zcGFjZTpwcmUtd3JhcDtsaW5lLWhlaWdodDoxLjc1O2ZvbnQtc2l6ZTox
NHB4Ij4gcGsxMnV0aWwgLWkgU2VydmVyLUNlcnQucDEyIC1kIC9ldGMvaHR0cGQvYWxpYXMvIC1u
IDxzcGFuIHN0eWxlPSJjb2xvcjpyZ2IoMjIzLDY0LDQyKSI+U2VydmVyLUNlcnQ8L3NwYW4+PC9k
aXY+PC9kaXY+PGRpdiBzdHlsZT0id2hpdGUtc3BhY2U6cHJlLXdyYXA7bGluZS1oZWlnaHQ6MS43
NTtmb250LXNpemU6MTRweCI+PGJyPjwvZGl2PjxkaXYgc3R5bGU9IndoaXRlLXNwYWNlOnByZS13
cmFwO2xpbmUtaGVpZ2h0OjEuNzU7Zm9udC1zaXplOjE0cHgiPjQuIGlwdGFjbCByZXN0YXJ0IC1m
IC1kICBzaG93cyBwa2ktdG9tY2F0ZCBjYW5ub3Qgc3RhcnQuPC9kaXY+PGRpdiBzdHlsZT0id2hp
dGUtc3BhY2U6cHJlLXdyYXA7bGluZS1oZWlnaHQ6MS43NTtmb250LXNpemU6MTRweCI+LS0tLS0t
LS0tPC9kaXY+PGRpdiBzdHlsZT0id2hpdGUtc3BhY2U6cHJlLXdyYXA7bGluZS1oZWlnaHQ6MS43
NTtmb250LXNpemU6MTRweCI+SW50ZXJuYWwgRGF0YWJhc2UgRXJyb3IgZW5jb3VudGVyZWQ6PHUg
c3R5bGU9ImJhY2tncm91bmQtY29sb3I6cmdiKDAsMjU1LDApIj4gQ291bGQgbm90IGNvbm5lY3Qg
dG8gTERBUCBzZXJ2ZXIgaG9zdCA8YSBocmVmPSJodHRwOi8vd29jZnJlZWlwYS5zYXAud2luZ29u
LmhrIj53b2NmcmVlaXBhLnNhcC53aW5nb24uaGs8L2E+IHBvcnQgNjM2IDwvdT5FcnJvciBuZXRz
Y2FwZS5sZGFwLkxEQVBFeGNlcHRpb246IFVuYWJsZSB0byBjcmVhdGUgc29ja2V0OiBvcmcubW96
aWxsYS5qc3Muc3NsLlNTTFNvY2tldEV4Y2VwdGlvbjogb3JnLm1vemlsbGEuanNzLnNzbC5TU0xT
b2NrZXRFeGNlcHRpb246IFNTTF9Gb3JjZUhhbmRzaGFrZSBmYWlsZWQ6ICgtODE3MikgPGI+PGk+
UGVlciYjMzk7cyBjZXJ0aWZpY2F0ZSBpc3N1ZXIgaGFzIGJlZW4gbWFya2VkIGFzIG5vdCB0cnVz
dGVkIGJ5IHRoZSB1c2VyLjwvaT48L2I+ICgtMSk8YnI+PC9kaXY+PGRpdiBzdHlsZT0id2hpdGUt
c3BhY2U6cHJlLXdyYXA7bGluZS1oZWlnaHQ6MS43NTtmb250LXNpemU6MTRweCI+PGJyPjwvZGl2
PjxkaXYgc3R5bGU9IndoaXRlLXNwYWNlOnByZS13cmFwO2xpbmUtaGVpZ2h0OjEuNzU7Zm9udC1z
aXplOjE0cHgiPlNvIHdoYXQmIzM5O3Mgd3JvbmcgPzwvZGl2PjxkaXYgc3R5bGU9IndoaXRlLXNw
YWNlOnByZS13cmFwO2xpbmUtaGVpZ2h0OjEuNzU7Zm9udC1zaXplOjE0cHgiPjxicj48L2Rpdj48
ZGl2IHN0eWxlPSJ3aGl0ZS1zcGFjZTpwcmUtd3JhcDtsaW5lLWhlaWdodDoxLjc1O2ZvbnQtc2l6
ZToxNHB4Ij48YnI+PC9kaXY+PGRpdiBzdHlsZT0id2hpdGUtc3BhY2U6cHJlLXdyYXA7bGluZS1o
ZWlnaHQ6MS43NTtmb250LXNpemU6MTRweCI+LS0tLS0tLS0tLS0tLTwvZGl2PjxkaXYgc3R5bGU9
IndoaXRlLXNwYWNlOnByZS13cmFwO2xpbmUtaGVpZ2h0OjEuNzU7Zm9udC1zaXplOjE0cHgiPjxi
cj48L2Rpdj48ZGl2IHN0eWxlPSJ3aGl0ZS1zcGFjZTpwcmUtd3JhcDtsaW5lLWhlaWdodDoxLjc1
O2ZvbnQtc2l6ZToxNHB4Ij48YnI+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PGJyPjxkaXYgY2xh
c3M9ImdtYWlsX3F1b3RlIj48ZGl2IGRpcj0ibHRyIiBjbGFzcz0iZ21haWxfYXR0ciI+T24gV2Vk
LCBKdW4gMTcsIDIwMjAgYXQgMTA6MzQgUE0gRmxvcmVuY2UgQmxhbmMtUmVuYXVkICZsdDs8YSBo
cmVmPSJtYWlsdG86ZmxvQHJlZGhhdC5jb20iPmZsb0ByZWRoYXQuY29tPC9hPiZndDsgd3JvdGU6
PGJyPjwvZGl2PjxibG9ja3F1b3RlIGNsYXNzPSJnbWFpbF9xdW90ZSIgc3R5bGU9Im1hcmdpbjow
cHggMHB4IDBweCAwLjhleDtib3JkZXItbGVmdDoxcHggc29saWQgcmdiKDIwNCwyMDQsMjA0KTtw
YWRkaW5nLWxlZnQ6MWV4Ij5PbiA2LzE3LzIwIDExOjMyIEFNLCBsdWNreWRvZyB4ZiB2aWEgRnJl
ZUlQQS11c2VycyB3cm90ZTo8YnI+CiZndDsgSGksIEFzIHN0YXRlIGluIDxhIGhyZWY9Imh0dHBz
Oi8vc3VwcG9ydC5zZWN0aWdvLmNvbS9hcnRpY2xlcy9Lbm93bGVkZ2UvU2VjdGlnby1BZGRUcnVz
dC1FeHRlcm5hbC1DQS1Sb290LUV4cGlyaW5nLU1heS0zMC0yMDIwIiByZWw9Im5vcmVmZXJyZXIi
IHRhcmdldD0iX2JsYW5rIj5odHRwczovL3N1cHBvcnQuc2VjdGlnby5jb20vYXJ0aWNsZXMvS25v
d2xlZGdlL1NlY3RpZ28tQWRkVHJ1c3QtRXh0ZXJuYWwtQ0EtUm9vdC1FeHBpcmluZy1NYXktMzAt
MjAyMDwvYT48YnI+CiZndDsgPGJyPgomZ3Q7IEkgY2Fubm90IGxvZ2luIGluIEZyZWVJUEEgd2Vi
IHBhZ2UuPGJyPgomZ3Q7IDxicj4KJmd0OyBTbyBJIHVwZGF0ZSBDQSBieSA6PGJyPgomZ3Q7IDxi
cj4KJmd0OyAjIGRlbGV0ZSBldmVyeXRoaW5nIGV4Y2VwdCBJUEEgQ0HCoCBvZiBodHRwZCBhbmQg
ZGlyc3J2PGJyPgomZ3Q7IDxicj4KJmd0OyBjZXJ0dXRpbCAtZCAvZXRjL2h0dHAvYWxpYXMgLUQg
LW4gJiMzOTt4eHgmIzM5Ozxicj4KJmd0OyA8YnI+CiZndDsgIyBjYS1idW5kbGUuY3J0IGlzIDMg
ZmlsZXMgbmFtZWQgVVNFUlRydXN0LCAuZXRjLjxicj4KJmd0OyA8YnI+CiZndDsgIyBzZXJ2ZXIu
YWxsIGlzIGFuIGNvbWJpbmF0aW9uIG9mIG15IGNlcnRpZmljYXRlIHNpZ25lZCBieSBTZWN0aWdv
KCBmb21lcmx5IG5hbWVkIENvbW9kbykuPGJyPgomZ3Q7IDxicj4KJmd0OyBvcGVuc3NsIHBrY3Mx
MiAtZXhwb3J0IC1jaGFpbiAtQ0FmaWxlIGNhLWJ1bmRsZS5jcnTCoCAtaW4gc2VydmVyLmFsbMKg
IC1vdXQgU2VydmVyLUNlcnQucDEyIC1uYW1lICZxdW90O1NlcnZlci1DZXJ0JnF1b3Q7PGJyPgom
Z3Q7IDxicj4KJmd0OyAjIGFkZCB0byBodHRwZCBhbmQgZGlyc3J2Ljxicj4KJmd0OyA8YnI+CiZn
dDvCoCDCoHBrMTJ1dGlsIC1pIFNlcnZlci1DZXJ0LnAxMiAtZCAvZXRjL2h0dHBkL2FsaWFzLyAt
biBTZXJ2ZXItQ2VydDxicj4KJmd0OyA8YnI+CiZndDsgSSByZXN0YXJ0IGFsbCBzZXJ2aWNlcyBi
eSBpcGFjdGwgcmVzdGFydC4gQnV0IGl0IHNlZW1zIHBraS10b21jYXQgZmFpbHMgdG8gc3RhcnR1
cC48YnI+CiZndDsgPGJyPgomZ3Q7ICMjIyMgbG9nIG9mIGlwYWN0Y2wgc3RhcnQgIyMjIzxicj4K
Jmd0OyA8YnI+CiZndDsgU3RhcnRpbmcgcGtpLXRvbWNhdGQgU2VydmljZTxicj4KJmd0OyBpcGE6
IERFQlVHOiBTdGFydGluZyBleHRlcm5hbCBwcm9jZXNzPGJyPgomZ3Q7IGlwYTogREVCVUc6IGFy
Z3M9L2Jpbi9zeXN0ZW1jdGwgc3RhcnQgcGtpLXRvbWNhdGQudGFyZ2V0PGJyPgomZ3Q7IGlwYTog
REVCVUc6IFByb2Nlc3MgZmluaXNoZWQsIHJldHVybiBjb2RlPTA8YnI+CiZndDsgaXBhOiBERUJV
RzogcmVxdWVzdCBQT1NUIDxhIGhyZWY9Imh0dHA6Ly93b2NmcmVlaXBhLnNhcC53aW5nb24uaGs6
ODA4MC9jYS9hZG1pbi9jYS9nZXRTdGF0dXMiIHJlbD0ibm9yZWZlcnJlciIgdGFyZ2V0PSJfYmxh
bmsiPmh0dHA6Ly93b2NmcmVlaXBhLnNhcC53aW5nb24uaGs6ODA4MC9jYS9hZG1pbi9jYS9nZXRT
dGF0dXM8L2E+PGJyPgomZ3Q7IGlwYTogREVCVUc6IHJlcXVlc3QgYm9keSAmIzM5OyYjMzk7PGJy
PgomZ3Q7IGlwYTogREVCVUc6IHJlc3BvbnNlIHN0YXR1cyA1MDA8YnI+CiZndDsgaXBhOiBERUJV
RzogcmVzcG9uc2UgaGVhZGVycyBTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xPGJyPgomZ3Q7IENv
bnRlbnQtVHlwZTogdGV4dC9odG1sO2NoYXJzZXQ9dXRmLTg8YnI+CiZndDsgQ29udGVudC1MYW5n
dWFnZTogZW48YnI+CiZndDsgQ29udGVudC1MZW5ndGg6IDIyMDg8YnI+CiZndDsgRGF0ZTogV2Vk
LCAxNyBKdW4gMjAyMCAwOToxMzoxOSBHTVQ8YnI+CiZndDsgQ29ubmVjdGlvbjogY2xvc2U8YnI+
CiZndDsgPGJyPgomZ3Q7IGlwYTogREVCVUc6IHJlc3BvbnNlIGJvZHkgJiMzOTsmbHQ7aHRtbCZn
dDsmbHQ7aGVhZCZndDsmbHQ7dGl0bGUmZ3Q7QXBhY2hlIFRvbWNhdC83LjAuNzYgLSBFcnJvciBy
ZXBvcnQmbHQ7L3RpdGxlJmd0OyZsdDtzdHlsZSZndDsmbHQ7IS0tSDEge2ZvbnQtZmFtaWx5OlRh
aG9tYSxBcmlhbCxzYW5zLXM8YnI+CiZndDsgLi4uLi4uPGJyPgomZ3Q7IDxicj4KJmd0OyBpcGE6
IERFQlVHOiBGYWlsZWQgdG8gY2hlY2sgQ0Egc3RhdHVzOiBSZXRyaWV2aW5nIENBIHN0YXR1cyBm
YWlsZWQgd2l0aCBzdGF0dXMgNTAwPGJyPgomZ3Q7IGlwYTogREVCVUc6IFdhaXRpbmcgdW50aWwg
dGhlIENBIGlzIHJ1bm5pbmc8YnI+CiZndDsgPGJyPgomZ3Q7ICMjIyMgRU5EIG9mIGxvZyAjIyMj
Izxicj4KJmd0OyA8YnI+CiZndDsgPGJyPgomZ3Q7IEhlcmUgaXMgbG9nIG9mIHBraS10b21jYXQ8
YnI+CiZndDsgPGJyPgomZ3Q7ICMjIzxicj4KJmd0OyBJbnRlcm5hbCBEYXRhYmFzZSBFcnJvciBl
bmNvdW50ZXJlZDogQ291bGQgbm90IGNvbm5lY3QgdG8gTERBUCBzZXJ2ZXIgaG9zdCA8YSBocmVm
PSJodHRwOi8vd29jZnJlZWlwYS5zYXAud2luZ29uLmhrIiByZWw9Im5vcmVmZXJyZXIiIHRhcmdl
dD0iX2JsYW5rIj53b2NmcmVlaXBhLnNhcC53aW5nb24uaGs8L2E+IHBvcnQgNjM2IEVycm9yIG5l
dHNjYXBlLmxkYXAuTERBUEV4Y2VwdGlvbjogVW5hYmxlIHRvIGNyZWF0ZSBzb2NrZXQ6IG9yZy5t
b3ppbGxhLmpzcy5zc2wuU1NMU29ja2V0RXhjZXB0aW9uOiBvcmcubW96aWxsYS5qc3Muc3NsLlNT
TFNvY2tldEV4Y2VwdGlvbjogU1NMX0ZvcmNlSGFuZHNoYWtlIGZhaWxlZDogKC04MTcyKSBQZWVy
JiMzOTtzIGNlcnRpZmljYXRlIGlzc3VlciBoYXMgYmVlbiBtYXJrZWQgYXMgbm90IHRydXN0ZWQg
YnkgdGhlIHVzZXIuICgtMSk8YnI+CiZndDsgPGJyPgomZ3Q7ICMjIzxicj4KJmd0OyA8YnI+CiZn
dDsgVGhlIHBvaW50IGlzICYjMzk7IFBlZXImIzM5O3MgY2VydGlmaWNhdGUgaXNzdWVyIGhhcyBi
ZWVuIG1hcmtlZCBhcyBub3QgdHJ1c3RlZCBieSB0aGUgdXNlci4mIzM5O8KgIMKgQXMgZmFyIGFz
IEkga25vdyBwa2ktdG9tY2F0IG5lZWRzIGEgY2VydGlmaWNhdGUgdG8gYmluZCB0byAzODkgRFMg
YW5kIHN0b3JlIGluZm9ybWF0aW9uLjxicj4KJmd0OyA8YnI+CiZndDsgQnV0IEkgZGlkbiYjMzk7
dCB0b3VjaCBDQSBuYW1lZCAmIzM5O0lQQSBDQSYjMzk7LMKgIHNvIGJhc2ljYWxseSBwa2ktdG9t
Y2F0ZCBjb3VsZCB1c2UgaXRzIG93biBjZXJ0aWZpY2F0ZSBuYW1lZCAmIzM5O3N1YnN0ZW1DZXJ0
IGNlcnQtcGtpLWNhJiMzOTsgdG8gYmluZCB0byAzODkgRFMuPGJyPgomZ3Q7IDxicj4KJmd0OyBQ
bGVhc2UgaGVscC48YnI+CkhpLDxicj4KPGJyPgp0aGUgbmV3IENBIGNlcnRzIGZyb20gU2VjdGln
byBuZWVkIHRvIGJlIGluc3RhbGxlZCB3aXRoIDxicj4KaXBhLWNhY2VydC1tYW5hZ2UgaW5zdGFs
bCAodGhlIGNvbW1hbmQgdXBsb2FkcyB0aGUgY2VydHMgaW4gdGhlIExEQVAgPGJyPgpkYXRhYmFz
ZSkuIEZvciBtb3JlIGluZm9ybWF0aW9uLCBwbGVhc2UgcmVmZXIgdG8gJnF1b3Q7SW5zdGFsbGlu
ZyBhIENBIDxicj4KQ2VydGlmaWNhdGUgTWFudWFsbHkmcXVvdDsgWzFdLjxicj4KQXMgdGhlIGNo
YWluIGNvbnRhaW5zIG11bHRpcGxlIGNlcnRzLCB5b3UgbmVlZCB0byBzdGFydCBmcm9tIHRoZSBy
b290IDxicj4KY2VydCB0aGVuIGdvIGRvd24gdGhlIGNoYWluLiBXaGVuIGFsbCB0aGUgY2VydHMg
aGF2ZSBiZWVuIGFkZGVkLCBkb24mIzM5O3QgPGJyPgpmb3JnZXQgdG8gcnVuIGlwYS1jZXJ0dXBk
YXRlIG9uIGFsbCB0aGUgSVBBIGhvc3RzICh0aGUgY29tbWFuZCBkb3dubG9hZHMgPGJyPgp0aGUg
Y2VydHMgZnJvbSBMREFQIGFuZCBwdXRzIHRoZW0gaW4gYWxsIHRoZSBOU1NEQnMgdGhhdCBuZWVk
IHRoZW0pLjxicj4KPGJyPgpIVEgsPGJyPgpmbG88YnI+Cjxicj4KWzFdIDxicj4KPGEgaHJlZj0i
aHR0cHM6Ly9hY2Nlc3MucmVkaGF0LmNvbS9kb2N1bWVudGF0aW9uL2VuLXVzL3JlZF9oYXRfZW50
ZXJwcmlzZV9saW51eC83L2h0bWwvbGludXhfZG9tYWluX2lkZW50aXR5X2F1dGhlbnRpY2F0aW9u
X2FuZF9wb2xpY3lfZ3VpZGUvbWFudWFsLWNlcnQtaW5zdGFsbCIgcmVsPSJub3JlZmVycmVyIiB0
YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly9hY2Nlc3MucmVkaGF0LmNvbS9kb2N1bWVudGF0aW9uL2Vu
LXVzL3JlZF9oYXRfZW50ZXJwcmlzZV9saW51eC83L2h0bWwvbGludXhfZG9tYWluX2lkZW50aXR5
X2F1dGhlbnRpY2F0aW9uX2FuZF9wb2xpY3lfZ3VpZGUvbWFudWFsLWNlcnQtaW5zdGFsbDwvYT48
YnI+Cjxicj4KJmd0OyA8YnI+CiZndDsgVGhhbmtzIGEgbG90Ljxicj4KJmd0OyA8YnI+CiZndDsg
PGJyPgomZ3Q7IF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
PGJyPgomZ3Q7IEZyZWVJUEEtdXNlcnMgbWFpbGluZyBsaXN0IC0tIDxhIGhyZWY9Im1haWx0bzpm
cmVlaXBhLXVzZXJzQGxpc3RzLmZlZG9yYWhvc3RlZC5vcmciIHRhcmdldD0iX2JsYW5rIj5mcmVl
aXBhLXVzZXJzQGxpc3RzLmZlZG9yYWhvc3RlZC5vcmc8L2E+PGJyPgomZ3Q7IFRvIHVuc3Vic2Ny
aWJlIHNlbmQgYW4gZW1haWwgdG8gPGEgaHJlZj0ibWFpbHRvOmZyZWVpcGEtdXNlcnMtbGVhdmVA
bGlzdHMuZmVkb3JhaG9zdGVkLm9yZyIgdGFyZ2V0PSJfYmxhbmsiPmZyZWVpcGEtdXNlcnMtbGVh
dmVAbGlzdHMuZmVkb3JhaG9zdGVkLm9yZzwvYT48YnI+CiZndDsgRmVkb3JhIENvZGUgb2YgQ29u
ZHVjdDogPGEgaHJlZj0iaHR0cHM6Ly9kb2NzLmZlZG9yYXByb2plY3Qub3JnL2VuLVVTL3Byb2pl
Y3QvY29kZS1vZi1jb25kdWN0LyIgcmVsPSJub3JlZmVycmVyIiB0YXJnZXQ9Il9ibGFuayI+aHR0
cHM6Ly9kb2NzLmZlZG9yYXByb2plY3Qub3JnL2VuLVVTL3Byb2plY3QvY29kZS1vZi1jb25kdWN0
LzwvYT48YnI+CiZndDsgTGlzdCBHdWlkZWxpbmVzOiA8YSBocmVmPSJodHRwczovL2ZlZG9yYXBy
b2plY3Qub3JnL3dpa2kvTWFpbGluZ19saXN0X2d1aWRlbGluZXMiIHJlbD0ibm9yZWZlcnJlciIg
dGFyZ2V0PSJfYmxhbmsiPmh0dHBzOi8vZmVkb3JhcHJvamVjdC5vcmcvd2lraS9NYWlsaW5nX2xp
c3RfZ3VpZGVsaW5lczwvYT48YnI+CiZndDsgTGlzdCBBcmNoaXZlczogPGEgaHJlZj0iaHR0cHM6
Ly9saXN0cy5mZWRvcmFob3N0ZWQub3JnL2FyY2hpdmVzL2xpc3QvZnJlZWlwYS11c2Vyc0BsaXN0
cy5mZWRvcmFob3N0ZWQub3JnIiByZWw9Im5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj5odHRw
czovL2xpc3RzLmZlZG9yYWhvc3RlZC5vcmcvYXJjaGl2ZXMvbGlzdC9mcmVlaXBhLXVzZXJzQGxp
c3RzLmZlZG9yYWhvc3RlZC5vcmc8L2E+PGJyPgomZ3Q7IDxicj4KPGJyPgo8L2Jsb2NrcXVvdGU+
PC9kaXY+Cg==

--===============8774100807775439522==--