From antoine.gatineau at infra-monkey.com Thu Mar 28 10:39:00 2024
From: Antoine Gatineau
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] ACME certs fail to renew
Date: Thu, 28 Mar 2024 11:38:37 +0100
Message-ID: <3ef3c740-c208-4413-b121-a74205203f7b@infra-monkey.com>
Hello,
I have a strange issue regarding the acme service.
My acme certificates fail to renew. `ipa-acme-manage status` fails with the error:
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.
The certbot client fails with the error "Failed to renew certificate office.empire.lan with error: "
$ ipa cert-show 49
  Issuing CA: ipa
  Certificate: "The certificate content"
  Subject: CN=office.empire.lan
  Subject DNS name: office.empire.lan
  Issuer: CN=Certificate Authority,O=EMPIRE.LAN
  Not Before: Sun Dec 24 14:05:50 2023 UTC
  Not After: Sat Mar 23 14:05:50 2024 UTC
  Serial number: 49
  Serial number (hex): 0x31
  Revoked: False
So the last successful renewal was on Dec 24th. Since then I have not really done anything apart from updating.
I don't see any issue in ipaupgrade.log.
I am running on CentOS Stream 9:
idm-jss.x86_64 5.5.0-1.el9
idm-jss-tomcat.x86_64 5.5.0-1.el9
idm-ldapjdk.noarch 5.5.0-1.el9
idm-pki-acme.noarch 11.5.0-1.el9
idm-pki-base.noarch 11.5.0-1.el9
idm-pki-ca.noarch 11.5.0-1.el9
idm-pki-java.noarch 11.5.0-1.el9
idm-pki-kra.noarch 11.5.0-1.el9
idm-pki-server.noarch 11.5.0-1.el9
idm-pki-tools.x86_64 11.5.0-1.el9
ipa-client.x86_64 4.11.0-9.el9
ipa-client-common.noarch 4.11.0-9.el9
ipa-common.noarch 4.11.0-9.el9
ipa-healthcheck.noarch 0.16-2.el9
ipa-healthcheck-core.noarch 0.16-2.el9
ipa-selinux.noarch 4.11.0-9.el9
ipa-server.x86_64 4.11.0-9.el9
ipa-server-common.noarch 4.11.0-9.el9
ipa-server-dns.noarch 4.11.0-9.el9
I have closely followed the updates on CentOS Stream 9.
Running `ipa-acme-manage status` with the -d switch gives me:
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EMPIRE-LAN.socket conn=
ipaserver.masters: DEBUG: Discovery: available servers for service 'CA' are ipa-server-01.empire.lan, ipa-server-02.empire.lan
ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for 'CA' service
ipapython.dogtag: DEBUG: request POST https://ipa-server-01.empire.lan:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
ipapython.dogtag: DEBUG: response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 765
Date: Thu, 28 Mar 2024 10:00:59 GMT
ipapython.dogtag: DEBUG: response body (decoded): b'HTTP Status 404 \xe2\x80\x93 Not Found
HTTP Status 404 \xe2\x80\x93 Not Found
Type Status Report
Message The requested resource [/acme/login] is not available
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
Apache Tomcat/9.0.62
'
ipapython.admintool: DEBUG:   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py", line 403, in run
    with state as ca_api:
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py", line 103, in __enter__
    raise errors.RemoteRetrieveError(
ipapython.admintool: DEBUG: The ipa-acme-manage command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: The ipa-acme-manage command failed.
So it looks like the acme subsystem is not started. But the logs for the acme subsystem in /var/log/pki/pki-tomcat/acme/debug.2024-03-28.log don't show any issue (see attached log).
How can I go further in troubleshooting/fixing this issue?
Thanks
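The `-d` output above carries the decisive detail: the CA's Tomcat answered `POST /acme/login` with a generic 404 ("requested resource [/acme/login] is not available"), which is Tomcat saying no web application is mounted at /acme, not the CA rejecting credentials. The "Failed to authenticate to CA REST API" message is how ipa-acme-manage reports any non-success from that login call, so it hides that distinction. The following added example (written for this page, not code from the post or from FreeIPA) pairs each logged request with the response status that follows it and separates "nothing is serving /acme" from "ACME is deployed but refused the login". The sample lines are constructed in the shape of the post's output; the classification labels and the `classify`/`extract_exchanges` names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of `ipa-acme-manage status -d` output
# (modelled on the lines quoted in the post, not copied from a live system).
SAMPLE_DEBUG = """\
ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for 'CA' service
ipapython.dogtag: DEBUG: request POST https://ipa-server-01.empire.lan:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
ipapython.dogtag: DEBUG: response headers Content-Type: text/html;charset=utf-8
ipapython.admintool: ERROR: Failed to authenticate to CA REST API
"""

# "request <METHOD> <url>" lines; the uppercase METHOD keeps "request body ''" out.
REQUEST_RE = re.compile(
    r"ipapython\.dogtag: DEBUG: request (?P<method>[A-Z]+) (?P<url>\S+)")
STATUS_RE = re.compile(
    r"ipapython\.dogtag: DEBUG: response status (?P<status>\d{3})")


def extract_exchanges(text):
    """Pair every logged request with the response status that follows it.

    Returns a list of (method, url, status) tuples in log order.
    """
    exchanges = []
    pending = None
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            pending = (m.group("method"), m.group("url"))
            continue
        m = STATUS_RE.search(line)
        if m and pending is not None:
            exchanges.append((pending[0], pending[1], int(m.group("status"))))
            pending = None
    return exchanges


def classify(exchanges):
    """Map the outcome of the first /acme/* call to the layer that failed.

    Returns (label, explanation). Labels are this example's own vocabulary:
      webapp-missing  - Tomcat has no context at /acme (404 before any auth)
      auth            - ACME answered but rejected the credentials (401/403)
      ok              - the login succeeded
      other           - some other HTTP status worth reading in the CA logs
    """
    for method, url, status in exchanges:
        path = urlparse(url).path
        if not path.startswith("/acme/"):
            continue
        if status == 404:
            return ("webapp-missing",
                    f"{method} {path} returned 404: nothing is deployed at /acme on "
                    f"this CA, so credentials were never evaluated")
        if status in (401, 403):
            return ("auth",
                    f"{method} {path} returned {status}: ACME is deployed but the CA "
                    f"rejected the client credentials")
        if 200 <= status < 300:
            return ("ok", f"{method} {path} returned {status}")
        return ("other", f"{method} {path} returned {status}")
    return ("no-acme-request", "no request to /acme/* found in the debug output")


if __name__ == "__main__":
    label, why = classify(extract_exchanges(SAMPLE_DEBUG))
    print(label, "-", why)
```

Run against the real `ipa-acme-manage status -d` output, a `webapp-missing` result points at the ACME deployment on the CA host (whether the ACME application is actually deployed and enabled in pki-tomcat, and whether every CA replica that Discovery may pick has it), whereas an `auth` result points at the RA agent credentials ipa-acme-manage uses.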
From hakofo8273 at azduan.com Thu Mar 28 10:48:09 2024
From: D S
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] One freeipa replica install fails, while other is going through
Date: Thu, 28 Mar 2024 10:47:57 +0000
Message-ID: <20240328104757.1603.48278@mailman01.iad2.fedoraproject.org>
Hello,
I am trying to install 3 replicas against the same master. Two out of 3 installs succeed, while the other one fails with:
On replica:
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check RPC connection to remote master
Execute check on remote master
ERROR: Remote master check failed with following error message(s):
an internal error has occurred
2024-03-28T09:09:28Z DEBUG Starting external process
2024-03-28T09:09:28Z DEBUG args=['/usr/sbin/ipa-client-install', '--unattended', '--uninstall']
2024-03-28T09:09:31Z DEBUG Process finished, return code=0
2024-03-28T09:09:31Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 358, in run
    self.validate()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 368, in validate
    for _nothing in self._validator():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 633, in _configure
    next(validator)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 597, in main
    replica_promote_check(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 423, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1196, in promote_check
    ca_cert_file=cafile)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 129, in replica_conn_check
    "Connection check failed!"
2024-03-28T09:09:31Z DEBUG The ipa-replica-install command failed, exception: ScriptError: Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
2024-03-28T09:09:31Z ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
2024-03-28T09:09:31Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
On master:
[Thu Mar 28 09:09:27.891561 2024] [:error] [pid 22098] ipa: ERROR: non-public: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[Thu Mar 28 09:09:27.891666 2024] [:error] [pid 22098] Traceback (most recent call last):
[Thu Mar 28 09:09:27.891683 2024] [:error] [pid 22098]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Thu Mar 28 09:09:27.891694 2024] [:error] [pid 22098]     result = command(*args, **options)
[Thu Mar 28 09:09:27.891705 2024] [:error] [pid 22098]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Thu Mar 28 09:09:27.891717 2024] [:error] [pid 22098]     return self.__do_call(*args, **options)
[Thu Mar 28 09:09:27.891727 2024] [:error] [pid 22098]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Thu Mar 28 09:09:27.891737 2024] [:error] [pid 22098]     ret = self.run(*args, **options)
[Thu Mar 28 09:09:27.891748 2024] [:error] [pid 22098]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Thu Mar 28 09:09:27.891928 2024] [:error] [pid 22098]     return self.execute(*args, **options)
[Thu Mar 28 09:09:27.891951 2024] [:error] [pid 22098]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 933, in execute
[Thu Mar 28 09:09:27.891962 2024] [:error] [pid 22098]     ret, stdout, _stderr = server.conncheck(keys[-1])
[Thu Mar 28 09:09:27.891973 2024] [:error] [pid 22098]   File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
[Thu Mar 28 09:09:27.891983 2024] [:error] [pid 22098]     return self._proxy_method(*args, **keywords)
[Thu Mar 28 09:09:27.891994 2024] [:error] [pid 22098]   File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
[Thu Mar 28 09:09:27.892005 2024] [:error] [pid 22098]     **keywords)
[Thu Mar 28 09:09:27.892016 2024] [:error] [pid 22098]   File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
[Thu Mar 28 09:09:27.892026 2024] [:error] [pid 22098]     message, timeout)
[Thu Mar 28 09:09:27.892037 2024] [:error] [pid 22098] DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[Thu Mar 28 09:09:27.892955 2024] [:error] [pid 22098] ipa: INFO: [jsonserver_kerb] local_admin@EXAMPLE.COM: server_conncheck(u'ipamaster01.example.com', u'ipa-replica03.example.com', version=u'2.162'): InternalError
[Thu Mar 28 09:09:30.121019 2024] [:error] [pid 20997] ipa: INFO: [jsonserver_kerb] host/ipa-replica03.example.com@EXAMPLE.COM: host_disable(u'ipa-replica03.example.com'): SUCCESS
From riccardospurinisi at halley.it Thu Mar 28 12:25:26 2024
From: Richard Halley
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] problem with configuration replication in ipa server
Date: Thu, 28 Mar 2024 12:25:13 +0000
Message-ID: <20240328122513.14567.62901@mailman01.iad2.fedoraproject.org>
Hi everyone, I'm configuring the freeipa replication as follows:
1) ipa-client-install --domain=pippo.internal --realm=PIPPO.INTERNAL -N
2) I add the client to the ipaserver host group
3) ipa-replica-install -N --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4 --forwarder 1.1.1.1 --setup-ca
After running ipa-replica-install I get the following error:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR A replication agreement for this host already exists. It needs to be removed.
Run this command:
%% ipa-replica-manage del pluto.pippo.internal --force
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I would like to point out that I have attempted the configuration several times without success.
Before proceeding with the uninstall commands of the client and the replica on the replica server, I delete the replica on the server (which fails because it does not find any replica) and then proceed with deleting the client.
In the replication log file I have the following error:
2024-03-28T12:05:10Z DEBUG The ipa-replica-install command failed, exception: ScriptError: A replication agreement for this host already exists. It needs to be removed.
Run this command:
%% ipa-replica-manage del pluto.pippo.internal --force
2024-03-28T12:05:10Z ERROR A replication agreement for this host already exists. It needs to be removed.
Run this command:
%% ipa-replica-manage del pluto.pippo.internal --force
2024-03-28T12:05:10Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I can't understand where the problem is.
Could it be something dirty in LDAP?
Thank you very much
From twest at cherryroad.com Thu Mar 28 15:01:08 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Thu, 28 Mar 2024 15:00:45 +0000
Message-ID: <20240328150045.5965.72904@mailman01.iad2.fedoraproject.org>
In-Reply-To: da9a1790-7d28-5084-1366-4147f58f100d@redhat.com
I've just found an old p12 file from 2019. I was able to extract the key from that and it does match the CA Subsystem cert that expired 8 March that is listed in LDAP.
So if I could somehow generate a new certificate with this and import it into the NSS DB for /etc/pki/pki-tomcat/alias, would that at least get the CA started?
From hakofo8273 at azduan.com Fri Mar 29 08:58:46 2024
From: D S
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: One freeipa replica install fails, while other is going through
Date: Fri, 29 Mar 2024 08:58:35 +0000
Message-ID: <20240329085835.7865.627@mailman01.iad2.fedoraproject.org>
In-Reply-To: 20240328104757.1603.48278@mailman01.iad2.fedoraproject.org
Any ideas on where to look next?
From raubvogel at gmail.com Fri Mar 29 11:46:23 2024
From: Mauricio Tavares
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: One freeipa replica install fails, while other is going through
Date: Fri, 29 Mar 2024 07:45:07 -0400
Message-ID:
In-Reply-To: 20240329085835.7865.627@mailman01.iad2.fedoraproject.org
On Fri, Mar 29, 2024 at 4:58 AM D S via FreeIPA-users wrote:
>
> Any ideas on where to look next?
> --
Replica-to-be log says connection check failed. Master seems to
say its replies are being ignored. Could the replica-to-be's firewall
be blocking things?
From slekkus75 at proton.me Fri Mar 29 12:14:04 2024
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Client install fails with: "Joining realm failed: JSON-RPC call failed: Timeout was reached"
Date: Fri, 29 Mar 2024 12:13:31 +0000
Message-ID: <20240329121331.1761.22415@mailman01.iad2.fedoraproject.org>
Hi, not sure what might be the issue. Clients in the same network join just fine.
The failing client is on another network. The following ports have been allowed: 53, 389, 636, 88, 464
Saw a list somewhere, mentioning 123, 80 and 443. Are these ports necessary for the client/idm communication?
From antoine.gatineau at infra-monkey.com Sun Mar 31 11:15:12 2024
From: Antoine Gatineau
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Client install fails with: "Joining realm failed: JSON-RPC call failed: Timeout was reached"
Date: Sun, 31 Mar 2024 13:14:56 +0200
Message-ID: <0774df2b-9301-4417-8c60-57de97cb4d62@infra-monkey.com>
In-Reply-To: 20240329121331.1761.22415@mailman01.iad2.fedoraproject.org
iirc port 80 and 443 are needed. 123 is for ntp, so if you don't sync time from the ipa servers you would not need that port.
https://access.redhat.com/solutions/357673
On 3/29/24 13:13, slek kus via FreeIPA-users wrote:
> Hi, not sure what might be the issue. Clients in the same network join just fine.
> The failing client is on another network. The following ports have been allowed: 53, 389, 636, 88, 464
> Saw a list somewhere, mentioning 123, 80 and 443. Are these ports necessary for the client/idm communication?
> --
From abokovoy at redhat.com Sun Mar 31 14:45:15 2024
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Client install fails with: "Joining realm failed: JSON-RPC call failed: Timeout was reached"
Date: Sun, 31 Mar 2024 17:48:31 +0300
Message-ID:
In-Reply-To: 0774df2b-9301-4417-8c60-57de97cb4d62@infra-monkey.com
On Sun, 31 Mar 2024, Antoine Gatineau via FreeIPA-users wrote:
>iirc port 80 and 443 are needed. 123 is for ntp, so if you don't sync time from the ipa servers you would not need that port.
>
>https://access.redhat.com/solutions/357673
Everything is covered in the documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/preparing-the-system-for-ipa-client-installation_installing-identity-management#port-requirements-for-ipa-clients_preparing-the-system-for-ipa-client-installation
It is best to follow the documentation -- take
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9
and check the box 'Identity management' on the left side to limit the number of books to the topics relevant to identity management. Unfortunately, this documentation site currently does not allow pre-selecting the topics.
Another place to look is this old draft I never managed to turn into a
blog or documentation article myself:
https://vda.li/drafts/firewall-considerations.txt
It is still valid.
>
>On 3/29/24 13:13, slek kus via FreeIPA-users wrote:
>>Hi, not sure what might be the issue. Clients in the same network join just fine.
>>The failing client is on another network. The following ports have been allowed: 53, 389, 636, 88, 464
>>Saw a list somewhere, mentioning 123, 80 and 443. Are these ports necessary for the client/idm communication?
>>--
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
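Two threads above come down to the same question: is every port the enrolment needs actually reachable from the host being installed? In the replica thread the master's `server_conncheck` call to the replica-to-be times out over D-Bus (the master tries to reach back to the new replica and gets no reply), and in the client thread the JSON-RPC join times out from another network. The following added example (written for this page, not code from the posts, from FreeIPA, or from the Red Hat documentation linked above) probes a list of TCP ports from the client side with a bounded timeout and reports which ones did not answer. The port table is assumed from the numbers mentioned in the thread; the descriptions, the timeout, and the `check_ports`/`blocked_ports`/`self_demo` names are this example's own. It only exercises TCP: 88, 464, 123 and 53 are also used over UDP, which a TCP connect cannot test.

```python
import socket

# TCP ports assumed from the thread above (80/443, 389/636, 88/464, 53, with
# 123 left out because NTP is UDP only). Descriptions are this example's own.
IPA_CLIENT_TCP_PORTS = {
    80: "HTTP (CA certificate retrieval, OCSP/CRL)",
    443: "HTTPS (JSON-RPC enrolment, Web UI)",
    389: "LDAP",
    636: "LDAPS",
    88: "Kerberos KDC (also UDP)",
    464: "Kerberos kpasswd (also UDP)",
    53: "DNS, if the IPA server is the resolver (also UDP)",
}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout seconds.

    A refused connection (RST) and a silent drop (timeout) both return False;
    the timeout is what keeps a firewall that drops packets from hanging us.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=IPA_CLIENT_TCP_PORTS, timeout=3.0):
    """Return {port: reachable?} for every port in the table."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Sorted list of ports that did not answer: the firewall candidates."""
    return sorted(port for port, ok in results.items() if not ok)


def self_demo():
    """Offline demonstration on loopback: one listening port, one closed port.

    Returns {"open": bool, "closed": bool}; a correct run yields True/False.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        # Borrow a second ephemeral port, then release it so nothing listens there.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        results = check_ports(
            "127.0.0.1",
            {open_port: "demo listener", closed_port: "demo closed port"},
            timeout=1.0,
        )
    return {"open": results[open_port], "closed": results[closed_port]}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("loopback self-test:", self_demo())
    else:
        results = check_ports(target)
        for port, ok in sorted(results.items()):
            print(f"{port:>5} {'open' if ok else 'BLOCKED':8} {IPA_CLIENT_TCP_PORTS[port]}")
        print("blocked:", blocked_ports(results) or "none")
```

Run it on the failing client or replica-to-be with the IPA server name as the argument. Ports that show as BLOCKED from one network but open from the network where clients join fine are the ones to take to whoever owns the firewall between them; for the replica case, run it in both directions, since the master's conncheck reaches back to the new replica.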
From manideep.sai at onmobile.com Mon Apr 1 10:27:52 2024
From: Polavarapu Manideep Sai
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] IPA replica installation failed-SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Date: Mon, 01 Apr 2024 10:27:30 +0000
Message-ID:
Hi Team,
Has anyone faced this issue during replica installation?
I have a third-party SSL certificate installed on the master server.
IPA Version:
[root@dir02-mex ~]# ipa --version
VERSION: 4.10.2, API_VERSION: 2.252
Certificate Expiry:
[root@dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | egrep -i 'befor|after'
Not Before: Mon Apr 01 09:41:49 2024
Not After : Sun Mar 22 09:41:49 2026
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: creating certificate server db
[2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12 seconds elapsed
Update succeeded
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
[5/30]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Cat /var/log/ipareplica-install.log:
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET / HTTP/1.1" 302 0
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki HTTP/1.1" 302 None
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki/ HTTP/1.1" 200 3500
INFO: PKI server started
INFO: Waiting for CA subsystem
DEBUG: Starting new HTTPS connection (1): dir02-mexommx.ipa.com:8443
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784
2024-04-01T09:41:34Z CRITICAL Failed to configure CA instance
2024-04-01T09:41:34Z CRITICAL See the installation logs and the following files/directories for more information:
2024-04-01T09:41:34Z CRITICAL /var/log/pki/pki-tomcat
2024-04-01T09:41:34Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(
RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z DEBUG [error] RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-04-01T09:41:34Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 354, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 422, in install_step_0
    ca.configure_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 506, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(
2024-04-01T09:41:34Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z ERROR CA configuration failed.
2024-04-01T09:41:34Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
cat /var/log/pki/pki-tomcat/ca/debug.2024-04-01.log:
2024-04-01 03:41:32 [main] INFO: CMSEngine: Disabling CA subsystem
2024-04-01 03:41:32 [main] SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
    at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1759)
    at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
    at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:844)
    at com.netscape.cmscore.apps.CMSEngine.verifySystemCertByTag(CMSEngine.java:1895)
    at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1823)
    at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:211)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:818)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1722)
    at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
    at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
    at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1223)
    at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:43)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:149)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:139)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:696)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Mon Apr 01 03:41:49 CST 2024
    at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:302)
    at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:494)
    at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:466)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
    ... 54 more
2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: Disabling subsystem due to selftest failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
cat /var/log/pki/pki-tomcat/ca/selftests.log:
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
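Added example, not part of the thread or of the pki/ipa code: a small parser for the selftests.log lines quoted above that measures how far the failing certificate's NotBefore lies ahead of the selftest's own timestamp, so a replica-install failure like this one can be told apart from a genuinely expired certificate. It assumes the zone abbreviation in the NotBefore stamp ("CST") denotes the same offset the log prints in brackets ("GMT-06:00"), which matches the quoted logs (03:41:32 GMT-06:00 equals the 09:41:32Z seen in ipareplica-install.log); the sample lines are constructed from the quoted excerpt.

```python
"""Parse Dogtag selftests.log 'Invalid certificate' lines and report clock skew.

Example code added for illustration; not from the pki or ipa projects.
Assumption: the NotBefore/NotAfter stamp's zone abbreviation denotes the
same UTC offset the log line prints in brackets (e.g. CST == GMT-06:00).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the selftests.log excerpt in the thread.
SAMPLE_LOG = """\
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
"""

# Log timestamp with numeric offset, then the nickname and the violated bound.
FAILURE_RE = re.compile(
    r"^\S+ - \[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) "
    r"GMT(?P<sign>[+-])(?P<oh>\d{2}):(?P<om>\d{2})\] .*?"
    r"Invalid certificate (?P<nick>[^:]+): (?P<bound>NotBefore|NotAfter): "
    r"(?P<cert>[A-Za-z]{3} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<year>\d{4})\s*$"
)


def parse_failures(log_text):
    """Return one record per 'Invalid certificate ... NotBefore/NotAfter' line."""
    records = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
        if m["sign"] == "-":
            offset = -offset
        tz = timezone(offset)
        check_time = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S").replace(tzinfo=tz)
        # The NotBefore stamp has no numeric offset; reuse the log's (see assumption).
        cert_time = datetime.strptime(
            f"{m['cert']} {m['year']}", "%a %b %d %H:%M:%S %Y"
        ).replace(tzinfo=tz)
        records.append({
            "nickname": m["nick"],
            "bound": m["bound"],
            "check_time": check_time,
            "cert_time": cert_time,
            # Positive with NotBefore: the cert was still in the future when checked.
            "skew_seconds": int((cert_time - check_time).total_seconds()),
        })
    return records


def diagnose(record):
    """Plain-language reading of one record for an incident note."""
    nick, bound, skew = record["nickname"], record["bound"], record["skew_seconds"]
    utc = record["check_time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if bound == "NotBefore" and skew > 0:
        return (f"{nick}: not yet valid at {utc}; NotBefore is {skew}s in the future. "
                "Compare the clocks of the issuing CA and this host (chronyc tracking) "
                "before re-running the install.")
    if bound == "NotAfter":
        return f"{nick}: expired {-skew}s before the check at {utc}; renew it."
    return f"{nick}: {bound} check failed with skew {skew}s; inspect manually."


if __name__ == "__main__":
    for rec in parse_failures(SAMPLE_LOG):
        print(diagnose(rec))
```

A few seconds of skew is enough: the selftest applies no tolerance, so a freshly issued Server-Cert checked on a host whose clock trails the CA by 17 s fails exactly as shown above.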
YXJ0X2NyZWF0aW9uPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZu
YnNwOyZuYnNwOyBydW5fc3RlcChmdWxsX21zZywgbWV0aG9kKTxvOnA+PC9vOnA+PC9wPgo8cCBj
bGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsgRmlsZSAmcXVvdDsvdXNyL2xpYi9weXRob24zLjkvc2l0
ZS1wYWNrYWdlcy9pcGFzZXJ2ZXIvaW5zdGFsbC9zZXJ2aWNlLnB5JnF1b3Q7LCBsaW5lIDY3Miwg
aW4gcnVuX3N0ZXA8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5i
c3A7Jm5ic3A7IG1ldGhvZCgpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZu
YnNwOyBGaWxlICZxdW90Oy91c3IvbGliL3B5dGhvbjMuOS9zaXRlLXBhY2thZ2VzL2lwYXNlcnZl
ci9pbnN0YWxsL2NhaW5zdGFuY2UucHkmcXVvdDssIGxpbmUgNjUxLCBpbiBfX3NwYXduX2luc3Rh
bmNlPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNw
OyBEb2d0YWdJbnN0YW5jZS5zcGF3bl9pbnN0YW5jZSg8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9
Ik1zb05vcm1hbCI+Jm5ic3A7IEZpbGUgJnF1b3Q7L3Vzci9saWIvcHl0aG9uMy45L3NpdGUtcGFj
a2FnZXMvaXBhc2VydmVyL2luc3RhbGwvZG9ndGFnaW5zdGFuY2UucHkmcXVvdDssIGxpbmUgMjI3
LCBpbiBzcGF3bl9pbnN0YW5jZTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4m
bmJzcDsmbmJzcDsmbmJzcDsgc2VsZi5oYW5kbGVfc2V0dXBfZXJyb3IoZSk8bzpwPjwvbzpwPjwv
cD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7IEZpbGUgJnF1b3Q7L3Vzci9saWIvcHl0aG9u
My45L3NpdGUtcGFja2FnZXMvaXBhc2VydmVyL2luc3RhbGwvZG9ndGFnaW5zdGFuY2UucHkmcXVv
dDssIGxpbmUgNjA0LCBpbiBoYW5kbGVfc2V0dXBfZXJyb3I8bzpwPjwvbzpwPjwvcD4KPHAgY2xh
c3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7IHJhaXNlIFJ1bnRpbWVFcnJvcig8bzpw
PjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+Cjxw
IGNsYXNzPSJNc29Ob3JtYWwiPjIwMjQtMDQtMDFUMDk6NDE6MzRaIERFQlVHIFRoZSBpcGEtcmVw
bGljYS1pbnN0YWxsIGNvbW1hbmQgZmFpbGVkLCBleGNlcHRpb246IFJ1bnRpbWVFcnJvcjogQ0Eg
Y29uZmlndXJhdGlvbiBmYWlsZWQuPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwi
PjIwMjQtMDQtMDFUMDk6NDE6MzRaIEVSUk9SIENBIGNvbmZpZ3VyYXRpb24gZmFpbGVkLjxvOnA+
PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4yMDI0LTA0LTAxVDA5OjQxOjM0WiBFUlJP
UiBUaGUgaXBhLXJlcGxpY2EtaW5zdGFsbCBjb21tYW5kIGZhaWxlZC4gU2VlIC92YXIvbG9nL2lw
YXJlcGxpY2EtaW5zdGFsbC5sb2cgZm9yIG1vcmUgaW5mb3JtYXRpb248bzpwPjwvbzpwPjwvcD4K
PGRpdiBzdHlsZT0ibXNvLWVsZW1lbnQ6cGFyYS1ib3JkZXItZGl2O2JvcmRlcjpub25lO2JvcmRl
ci1ib3R0b206c29saWQgd2luZG93dGV4dCAxLjBwdDtwYWRkaW5nOjBjbSAwY20gMS4wcHQgMGNt
Ij4KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9ImJvcmRlcjpub25lO3BhZGRpbmc6MGNtIj48
bzpwPiZuYnNwOzwvbzpwPjwvcD4KPC9kaXY+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5i
c3A7PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj5DYXQgL3Zhci9sb2cvcGtpL3Br
aS10b21jYXQvY2EvZGVidWcuMjAyNC0wNC0wMS5sb2c8bzpwPjwvbzpwPjwvYj48L3A+CjxwIGNs
YXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFs
Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8
L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjIwMjQtMDQtMDEgMDM6NDE6MzIgW21haW5d
IElORk86IENNU0VuZ2luZTogRGlzYWJsaW5nIENBIHN1YnN5c3RlbTxvOnA+PC9vOnA+PC9wPgo8
cCBjbGFzcz0iTXNvTm9ybWFsIj4yMDI0LTA0LTAxIDAzOjQxOjMyIFttYWluXSBTRVZFUkU6IFVu
YWJsZSB0byBzdGFydCBDQSBlbmdpbmU6IFNlbGZ0ZXN0IGZhaWxlZDogSW52YWxpZCBjZXJ0aWZp
Y2F0ZSBTZXJ2ZXItQ2VydCBjZXJ0LXBraS1jYTogTm90QmVmb3JlOiBNb24gQXByIDAxIDAzOjQx
OjQ5IENTVCAyMDI0PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPlNlbGZ0ZXN0
IGZhaWxlZDogSW52YWxpZCBjZXJ0aWZpY2F0ZSBTZXJ2ZXItQ2VydCBjZXJ0LXBraS1jYTogTm90
QmVmb3JlOiBNb24gQXByIDAxIDAzOjQxOjQ5IENTVCAyMDI0PG86cD48L286cD48L3A+CjxwIGNs
YXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyBhdCBjb20ubmV0c2NhcGUuY21zY29yZS5zZWxmdGVzdHMuU2VsZlRlc3RTdWJzeXN0ZW0uc3Rh
cnR1cChTZWxmVGVzdFN1YnN5c3RlbS5qYXZhOjE3NTkpPG86cD48L286cD48L3A+CjxwIGNsYXNz
PSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBh
dCBjb20ubmV0c2NhcGUuY21zY29yZS5hcHBzLkNNU0VuZ2luZS5zdGFydHVwU3Vic3lzdGVtcyhD
TVNFbmdpbmUuamF2YToxMTY3KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4m
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmRvZ3RhZ3Br
aS5zZXJ2ZXIuY2EuQ0FFbmdpbmUuc3RhcnR1cFN1YnN5c3RlbXMoQ0FFbmdpbmUuamF2YTo5NzIp
PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w
Pgo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1z
b05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjIwMjQt
MDQtMDEgMDM6NDE6MzIgW21haW5dIFNFVkVSRTogU2VsZlRlc3RTdWJzeXN0ZW06IHNlbGZ0ZXN0
IGZhaWxlZDogSW52YWxpZCBjZXJ0aWZpY2F0ZSBTZXJ2ZXItQ2VydCBjZXJ0LXBraS1jYTogTm90
QmVmb3JlOiBNb24gQXByIDAxIDAzOjQxOjQ5IENTVCAyMDI0PG86cD48L286cD48L3A+CjxwIGNs
YXNzPSJNc29Ob3JtYWwiPmphdmEubGFuZy5FeGNlcHRpb246IEludmFsaWQgY2VydGlmaWNhdGUg
U2VydmVyLUNlcnQgY2VydC1wa2ktY2E6IE5vdEJlZm9yZTogTW9uIEFwciAwMSAwMzo0MTo0OSBD
U1QgMjAyNDxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgY29tLm5ldHNjYXBlLmNtc2NvcmUuY2Vy
dC5DZXJ0VXRpbHMudmVyaWZ5U3lzdGVtQ2VydFZhbGlkaXR5QnlOaWNrbmFtZShDZXJ0VXRpbHMu
amF2YTo4NDQpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBjb20ubmV0c2NhcGUuY21zY29yZS5h
cHBzLkNNU0VuZ2luZS52ZXJpZnlTeXN0ZW1DZXJ0QnlUYWcoQ01TRW5naW5lLmphdmE6MTg5NSk8
bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IGNvbS5uZXRzY2FwZS5jbXNjb3JlLmFwcHMuQ01TRW5n
aW5lLnZlcmlmeVN5c3RlbUNlcnRzKENNU0VuZ2luZS5qYXZhOjE4MjMpPG86cD48L286cD48L3A+
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyBhdCBjb20ubmV0c2NhcGUuY21zLnNlbGZ0ZXN0cy5jb21tb24uU3lzdGVtQ2VydHNW
ZXJpZmljYXRpb24ucnVuU2VsZlRlc3QoU3lzdGVtQ2VydHNWZXJpZmljYXRpb24uamF2YToyMTEp
PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBjb20ubmV0c2NhcGUuY21zY29yZS5zZWxmdGVzdHMu
U2VsZlRlc3RTdWJzeXN0ZW0ucnVuU2VsZlRlc3RzQXRTdGFydHVwKFNlbGZUZXN0U3Vic3lzdGVt
LmphdmE6ODE4KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJz
cDsgJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7YXQgY29tLm5ldHNjYXBlLmNtc2NvcmUu
c2VsZnRlc3RzLlNlbGZUZXN0U3Vic3lzdGVtLnN0YXJ0dXAoU2VsZlRlc3RTdWJzeXN0ZW0uamF2
YToxNzIyKTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgY29tLm5ldHNjYXBlLmNtc2NvcmUuYXBw
cy5DTVNFbmdpbmUuc3RhcnR1cFN1YnN5c3RlbXMoQ01TRW5naW5lLmphdmE6MTE2Nyk8bzpwPjwv
bzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5kb2d0YWdwa2kuc2VydmVyLmNhLkNBRW5naW5lLnN0YXJ0
dXBTdWJzeXN0ZW1zKENBRW5naW5lLmphdmE6OTcyKTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0i
TXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQg
Y29tLm5ldHNjYXBlLmNtc2NvcmUuYXBwcy5DTVNFbmdpbmUuc3RhcnQoQ01TRW5naW5lLmphdmE6
MTIyMyk8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IGNvbS5uZXRzY2FwZS5jbXNjb3JlLmFwcHMu
UEtJV2ViTGlzdGVuZXIuY29udGV4dEluaXRpYWxpemVkKFBLSVdlYkxpc3RlbmVyLmphdmE6NDMp
PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLmNvcmUuU3RhbmRh
cmRDb250ZXh0Lmxpc3RlbmVyU3RhcnQoU3RhbmRhcmRDb250ZXh0LmphdmE6NDc2OCk8bzpwPjwv
bzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5TdGFuZGFyZENvbnRl
eHQuc3RhcnRJbnRlcm5hbChTdGFuZGFyZENvbnRleHQuamF2YTo1MjMwKTxvOnA+PC9vOnA+PC9w
Pgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS51dGlsLkxpZmVjeWNsZUJhc2Uuc3RhcnQo
TGlmZWN5Y2xlQmFzZS5qYXZhOjE4Myk8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1h
bCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFj
aGUuY2F0YWxpbmEuY29yZS5Db250YWluZXJCYXNlLmFkZENoaWxkSW50ZXJuYWwoQ29udGFpbmVy
QmFzZS5qYXZhOjcyNik8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxp
bmEuY29yZS5Db250YWluZXJCYXNlLmFjY2VzcyQwMDAoQ29udGFpbmVyQmFzZS5qYXZhOjEyOSk8
bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5Db250YWlu
ZXJCYXNlJFByaXZpbGVnZWRBZGRDaGlsZC5ydW4oQ29udGFpbmVyQmFzZS5qYXZhOjE0OSk8bzpw
PjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5Db250YWluZXJC
YXNlJFByaXZpbGVnZWRBZGRDaGlsZC5ydW4oQ29udGFpbmVyQmFzZS5qYXZhOjEzOSk8bzpwPjwv
bzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7IGF0IGphdmEuYmFzZS9qYXZhLnNlY3VyaXR5LkFjY2Vzc0NvbnRyb2xs
ZXIuZG9Qcml2aWxlZ2VkKEFjY2Vzc0NvbnRyb2xsZXIuamF2YTozMTgpPG86cD48L286cD48L3A+
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLmNvcmUuQ29udGFpbmVyQmFzZS5hZGRDaGls
ZChDb250YWluZXJCYXNlLmphdmE6Njk2KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9y
bWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFw
YWNoZS5jYXRhbGluYS5jb3JlLlN0YW5kYXJkSG9zdC5hZGRDaGlsZChTdGFuZGFyZEhvc3QuamF2
YTo2OTYpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLnN0YXJ0
dXAuSG9zdENvbmZpZy5kZXBsb3lEZXNjcmlwdG9yKEhvc3RDb25maWcuamF2YTo2OTApPG86cD48
L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLnN0YXJ0dXAuSG9zdENvbmZp
ZyREZXBsb3lEZXNjcmlwdG9yLnJ1bihIb3N0Q29uZmlnLmphdmE6MTg4OSk8bzpwPjwvbzpwPjwv
cD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7IGF0IGphdmEuYmFzZS9qYXZhLnV0aWwuY29uY3VycmVudC5FeGVjdXRvcnMkUnVu
bmFibGVBZGFwdGVyLmNhbGwoRXhlY3V0b3JzLmphdmE6NTM5KTxvOnA+PC9vOnA+PC9wPgo8cCBj
bGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsgYXQgamF2YS5iYXNlL2phdmEudXRpbC5jb25jdXJyZW50LkZ1dHVyZVRhc2sucnVuKEZ1dHVy
ZVRhc2suamF2YToyNjQpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLnRvbWNh
dC51dGlsLnRocmVhZHMuSW5saW5lRXhlY3V0b3JTZXJ2aWNlLmV4ZWN1dGUoSW5saW5lRXhlY3V0
b3JTZXJ2aWNlLmphdmE6NzUpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBqYXZhLmJhc2UvamF2
YS51dGlsLmNvbmN1cnJlbnQuQWJzdHJhY3RFeGVjdXRvclNlcnZpY2Uuc3VibWl0KEFic3RyYWN0
RXhlY3V0b3JTZXJ2aWNlLmphdmE6MTIzKTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9y
bWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFw
YWNoZS5jYXRhbGluYS5zdGFydHVwLkhvc3RDb25maWcuZGVwbG95RGVzY3JpcHRvcnMoSG9zdENv
bmZpZy5qYXZhOjU4Myk8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxp
bmEuc3RhcnR1cC5Ib3N0Q29uZmlnLmRlcGxveUFwcHMoSG9zdENvbmZpZy5qYXZhOjQ3Myk8bzpw
PjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEuc3RhcnR1cC5Ib3N0Q29u
ZmlnLnN0YXJ0KEhvc3RDb25maWcuamF2YToxNjE4KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0i
TXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQg
b3JnLmFwYWNoZS5jYXRhbGluYS5zdGFydHVwLkhvc3RDb25maWcubGlmZWN5Y2xlRXZlbnQoSG9z
dENvbmZpZy5qYXZhOjMxOSk8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0
YWxpbmEudXRpbC5MaWZlY3ljbGVCYXNlLmZpcmVMaWZlY3ljbGVFdmVudChMaWZlY3ljbGVCYXNl
LmphdmE6MTIzKTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS51
dGlsLkxpZmVjeWNsZUJhc2Uuc2V0U3RhdGVJbnRlcm5hbChMaWZlY3ljbGVCYXNlLmphdmE6NDIz
KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS51dGlsLkxpZmVj
eWNsZUJhc2Uuc2V0U3RhdGUoTGlmZWN5Y2xlQmFzZS5qYXZhOjM2Nik8bzpwPjwvbzpwPjwvcD4K
PHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5Db250YWluZXJCYXNlLnN0YXJ0SW50
ZXJuYWwoQ29udGFpbmVyQmFzZS5qYXZhOjk0Nik8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1z
b05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9y
Zy5hcGFjaGUuY2F0YWxpbmEuY29yZS5TdGFuZGFyZEhvc3Quc3RhcnRJbnRlcm5hbChTdGFuZGFy
ZEhvc3QuamF2YTo4MzUpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFs
aW5hLnV0aWwuTGlmZWN5Y2xlQmFzZS5zdGFydChMaWZlY3ljbGVCYXNlLmphdmE6MTgzKTxvOnA+
PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS5jb3JlLkNvbnRhaW5lckJh
c2UkU3RhcnRDaGlsZC5jYWxsKENvbnRhaW5lckJhc2UuamF2YToxMzk2KTxvOnA+PC9vOnA+PC9w
Pgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS5jb3JlLkNvbnRhaW5lckJhc2UkU3RhcnRD
aGlsZC5jYWxsKENvbnRhaW5lckJhc2UuamF2YToxMzg2KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFz
cz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsg
YXQgamF2YS5iYXNlL2phdmEudXRpbC5jb25jdXJyZW50LkZ1dHVyZVRhc2sucnVuKEZ1dHVyZVRh
c2suamF2YToyNjQpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLnRvbWNhdC51
dGlsLnRocmVhZHMuSW5saW5lRXhlY3V0b3JTZXJ2aWNlLmV4ZWN1dGUoSW5saW5lRXhlY3V0b3JT
ZXJ2aWNlLmphdmE6NzUpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBqYXZhLmJhc2UvamF2YS51
dGlsLmNvbmN1cnJlbnQuQWJzdHJhY3RFeGVjdXRvclNlcnZpY2Uuc3VibWl0KEFic3RyYWN0RXhl
Y3V0b3JTZXJ2aWNlLmphdmE6MTQ1KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFs
Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFwYWNo
ZS5jYXRhbGluYS5jb3JlLkNvbnRhaW5lckJhc2Uuc3RhcnRJbnRlcm5hbChDb250YWluZXJCYXNl
LmphdmE6OTE5KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS5j
b3JlLlN0YW5kYXJkRW5naW5lLnN0YXJ0SW50ZXJuYWwoU3RhbmRhcmRFbmdpbmUuamF2YToyNjMp
PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLnV0aWwuTGlmZWN5
Y2xlQmFzZS5zdGFydChMaWZlY3ljbGVCYXNlLmphdmE6MTgzKTxvOnA+PC9vOnA+PC9wPgo8cCBj
bGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsgYXQgb3JnLmFwYWNoZS5jYXRhbGluYS5jb3JlLlN0YW5kYXJkU2VydmljZS5zdGFydEludGVy
bmFsKFN0YW5kYXJkU2VydmljZS5qYXZhOjQzMik8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1z
b05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9y
Zy5hcGFjaGUuY2F0YWxpbmEudXRpbC5MaWZlY3ljbGVCYXNlLnN0YXJ0KExpZmVjeWNsZUJhc2Uu
amF2YToxODMpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLmNv
cmUuU3RhbmRhcmRTZXJ2ZXIuc3RhcnRJbnRlcm5hbChTdGFuZGFyZFNlcnZlci5qYXZhOjkyNyk8
bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEudXRpbC5MaWZlY3lj
bGVCYXNlLnN0YXJ0KExpZmVjeWNsZUJhc2UuamF2YToxODMpPG86cD48L286cD48L3A+CjxwIGNs
YXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyBhdCBvcmcuYXBhY2hlLmNhdGFsaW5hLnN0YXJ0dXAuQ2F0YWxpbmEuc3RhcnQoQ2F0YWxpbmEu
amF2YTo3NzIpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBqYXZhLmJhc2UvamRrLmludGVybmFs
LnJlZmxlY3QuTmF0aXZlTWV0aG9kQWNjZXNzb3JJbXBsLmludm9rZTAoTmF0aXZlIE1ldGhvZCk8
bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IGphdmEuYmFzZS9qZGsuaW50ZXJuYWwucmVmbGVjdC5O
YXRpdmVNZXRob2RBY2Nlc3NvckltcGwuaW52b2tlKE5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5q
YXZhOjc3KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYXQgamF2YS5iYXNlL2pkay5pbnRlcm5hbC5y
ZWZsZWN0LkRlbGVnYXRpbmdNZXRob2RBY2Nlc3NvckltcGwuaW52b2tlKERlbGVnYXRpbmdNZXRo
b2RBY2Nlc3NvckltcGwuamF2YTo0Myk8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1h
bCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGF0IGphdmEuYmFz
ZS9qYXZhLmxhbmcucmVmbGVjdC5NZXRob2QuaW52b2tlKE1ldGhvZC5qYXZhOjU2OCk8bzpwPjwv
bzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7IGF0IG9yZy5hcGFjaGUuY2F0YWxpbmEuc3RhcnR1cC5Cb290c3RyYXAu
c3RhcnQoQm9vdHN0cmFwLmphdmE6MzQ1KTxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9y
bWFsIj4mbmJzcDsmbmJzcDsgJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7YXQgb3JnLmFw
YWNoZS5jYXRhbGluYS5zdGFydHVwLkJvb3RzdHJhcC5tYWluKEJvb3RzdHJhcC5qYXZhOjQ3Nik8
bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Q2F1c2VkIGJ5OiBqYXZhLnNlY3Vy
aXR5LmNlcnQuQ2VydGlmaWNhdGVOb3RZZXRWYWxpZEV4Y2VwdGlvbjogTm90QmVmb3JlOiBNb24g
QXByIDAxIDAzOjQxOjQ5IENTVCAyMDI0PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBvcmcubW96
aWxsYS5qc3MubmV0c2NhcGUuc2VjdXJpdHkueDUwOS5DZXJ0aWZpY2F0ZVZhbGlkaXR5LnZhbGlk
KENlcnRpZmljYXRlVmFsaWRpdHkuamF2YTozMDIpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJN
c29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBv
cmcubW96aWxsYS5qc3MubmV0c2NhcGUuc2VjdXJpdHkueDUwOS5YNTA5Q2VydEltcGwuY2hlY2tW
YWxpZGl0eShYNTA5Q2VydEltcGwuamF2YTo0OTQpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJN
c29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBv
cmcubW96aWxsYS5qc3MubmV0c2NhcGUuc2VjdXJpdHkueDUwOS5YNTA5Q2VydEltcGwuY2hlY2tW
YWxpZGl0eShYNTA5Q2VydEltcGwuamF2YTo0NjYpPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJN
c29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhdCBj
b20ubmV0c2NhcGUuY21zY29yZS5jZXJ0LkNlcnRVdGlscy52ZXJpZnlTeXN0ZW1DZXJ0VmFsaWRp
dHlCeU5pY2tuYW1lKENlcnRVdGlscy5qYXZhOjgzOSk8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9
Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IC4u
LiA1NCBtb3JlPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7
PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4yMDI0LTA0LTAxIDAzOjQxOjMyIFttYWlu
XSBTRVZFUkU6IFNlbGZUZXN0U3Vic3lzdGVtOiBEaXNhYmxpbmcgc3Vic3lzdGVtIGR1ZSB0byBz
ZWxmdGVzdCBmYWlsdXJlOiBJbnZhbGlkIGNlcnRpZmljYXRlIFNlcnZlci1DZXJ0IGNlcnQtcGtp
LWNhOiBOb3RCZWZvcmU6IE1vbiBBcHIgMDEgMDM6NDE6NDkgQ1NUIDIwMjQ8bzpwPjwvbzpwPjwv
cD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+amF2YS5sYW5nLkV4Y2VwdGlvbjogSW52YWxpZCBjZXJ0
aWZpY2F0ZSBTZXJ2ZXItQ2VydCBjZXJ0LXBraS1jYTogTm90QmVmb3JlOiBNb24gQXByIDAxIDAz
OjQxOjQ5IENTVCAyMDI0PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOwo8bzpw
PjwvbzpwPjwvcD4KPGRpdiBzdHlsZT0ibXNvLWVsZW1lbnQ6cGFyYS1ib3JkZXItZGl2O2JvcmRl
cjpub25lO2JvcmRlci1ib3R0b206c29saWQgd2luZG93dGV4dCAxLjBwdDtwYWRkaW5nOjBjbSAw
Y20gMS4wcHQgMGNtIj4KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9ImJvcmRlcjpub25lO3Bh
ZGRpbmc6MGNtIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4KPC9kaXY+CjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNw
OzwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+Y2F0IC92YXIvbG9nL3BraS9wa2kt
dG9tY2F0L2NhL3NlbGZ0ZXN0cy5sb2c6PG86cD48L286cD48L2I+PC9wPgo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+MC5tYWlu
IC0gWzI5L01hci8yMDI0OjAzOjI4OjI0IEdNVC0wNjowMF0gWzIwXSBbMV0gQ0FQcmVzZW5jZTom
bmJzcDsgQ0EgaXMgcHJlc2VudDxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4w
Lm1haW4gLSBbMjkvTWFyLzIwMjQ6MDM6Mjg6MjQgR01ULTA2OjAwXSBbMjBdIFsxXSBTeXN0ZW1D
ZXJ0c1ZlcmlmaWNhdGlvbjogc3lzdGVtIGNlcnRzIHZlcmlmaWNhdGlvbiBmYWlsdXJlOiBJbnZh
bGlkIGNlcnRpZmljYXRlIFNlcnZlci1DZXJ0IGNlcnQtcGtpLWNhOiBOb3RCZWZvcmU6IEZyaSBN
YXIgMjkgMDM6Mjg6MzcgQ1NUIDIwMjQ8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1h
bCI+MC5tYWluIC0gWzI5L01hci8yMDI0OjAzOjI4OjI0IEdNVC0wNjowMF0gWzIwXSBbMV0gU2Vs
ZlRlc3RTdWJzeXN0ZW06IFRoZSBDUklUSUNBTCBzZWxmIHRlc3QgcGx1Z2luIGNhbGxlZCBzZWxm
dGVzdHMuY29udGFpbmVyLmluc3RhbmNlLlN5c3RlbUNlcnRzVmVyaWZpY2F0aW9uIHJ1bm5pbmcg
YXQgc3RhcnR1cCBGQUlMRUQhPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAu
bWFpbiAtIFsyOS9NYXIvMjAyNDowNDowMzoxMyBHTVQtMDY6MDBdIFsyMF0gWzFdIFNlbGZUZXN0
U3Vic3lzdGVtOiBJbml0aWFsaXppbmcgc2VsZiB0ZXN0IHBsdWdpbnM6PG86cD48L286cD48L3A+
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAubWFpbiAtIFsyOS9NYXIvMjAyNDowNDowMzoxMyBHTVQt
MDY6MDBdIFsyMF0gWzFdIFNlbGZUZXN0U3Vic3lzdGVtOiZuYnNwOyBsb2FkaW5nIGFsbCBzZWxm
IHRlc3QgcGx1Z2luIGxvZ2dlciBwYXJhbWV0ZXJzPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJN
c29Ob3JtYWwiPjAubWFpbiAtIFsyOS9NYXIvMjAyNDowNDowMzoxMyBHTVQtMDY6MDBdIFsyMF0g
WzFdIFNlbGZUZXN0U3Vic3lzdGVtOiZuYnNwOyBsb2FkaW5nIGFsbCBzZWxmIHRlc3QgcGx1Z2lu
IGluc3RhbmNlczxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wLm1haW4gLSBb
MjkvTWFyLzIwMjQ6MDQ6MDM6MTMgR01ULTA2OjAwXSBbMjBdIFsxXSBTZWxmVGVzdFN1YnN5c3Rl
bTombmJzcDsgbG9hZGluZyBhbGwgc2VsZiB0ZXN0IHBsdWdpbiBpbnN0YW5jZSBwYXJhbWV0ZXJz
PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAubWFpbiAtIFsyOS9NYXIvMjAy
NDowNDowMzoxMyBHTVQtMDY6MDBdIFsyMF0gWzFdIFNlbGZUZXN0U3Vic3lzdGVtOiZuYnNwOyBs
b2FkaW5nIHNlbGYgdGVzdCBwbHVnaW5zIGluIG9uLWRlbWFuZCBvcmRlcjxvOnA+PC9vOnA+PC9w
Pgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wLm1haW4gLSBbMjkvTWFyLzIwMjQ6MDQ6MDM6MTMgR01U
LTA2OjAwXSBbMjBdIFsxXSBTZWxmVGVzdFN1YnN5c3RlbTombmJzcDsgbG9hZGluZyBzZWxmIHRl
c3QgcGx1Z2lucyBpbiBzdGFydHVwIG9yZGVyPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29O
b3JtYWwiPjAubWFpbiAtIFsyOS9NYXIvMjAyNDowNDowMzoxMyBHTVQtMDY6MDBdIFsyMF0gWzFd
IFNlbGZUZXN0U3Vic3lzdGVtOiBTZWxmIHRlc3QgcGx1Z2lucyBoYXZlIGJlZW4gc3VjY2Vzc2Z1
bGx5IGxvYWRlZCE8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+MC5tYWluIC0g
WzI5L01hci8yMDI0OjA0OjAzOjEzIEdNVC0wNjowMF0gWzIwXSBbMV0gU2VsZlRlc3RTdWJzeXN0
ZW06IFJ1bm5pbmcgc2VsZiB0ZXN0IHBsdWdpbnMgc3BlY2lmaWVkIHRvIGJlIGV4ZWN1dGVkIGF0
IHN0YXJ0dXA6PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAubWFpbiAtIFsy
OS9NYXIvMjAyNDowNDowMzoxMyBHTVQtMDY6MDBdIFsyMF0gWzFdIENBUHJlc2VuY2U6Jm5ic3A7
IENBIGlzIHByZXNlbnQ8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+MC5tYWlu
IC0gWzI5L01hci8yMDI0OjA0OjAzOjEzIEdNVC0wNjowMF0gWzIwXSBbMV0gU3lzdGVtQ2VydHNW
ZXJpZmljYXRpb246IHN5c3RlbSBjZXJ0cyB2ZXJpZmljYXRpb24gZmFpbHVyZTogSW52YWxpZCBj
ZXJ0aWZpY2F0ZSBTZXJ2ZXItQ2VydCBjZXJ0LXBraS1jYTogTm90QmVmb3JlOiBGcmkgTWFyIDI5
IDA0OjAzOjI3IENTVCAyMDI0PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAu
bWFpbiAtIFsyOS9NYXIvMjAyNDowNDowMzoxMyBHTVQtMDY6MDBdIFsyMF0gWzFdIFNlbGZUZXN0
U3Vic3lzdGVtOiBUaGUgQ1JJVElDQUwgc2VsZiB0ZXN0IHBsdWdpbiBjYWxsZWQgc2VsZnRlc3Rz
LmNvbnRhaW5lci5pbnN0YW5jZS5TeXN0ZW1DZXJ0c1ZlcmlmaWNhdGlvbiBydW5uaW5nIGF0IHN0
YXJ0dXAgRkFJTEVEITxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wLm1haW4g
LSBbMDEvQXByLzIwMjQ6MDM6NDE6MzIgR01ULTA2OjAwXSBbMjBdIFsxXSBTZWxmVGVzdFN1YnN5
c3RlbTogSW5pdGlhbGl6aW5nIHNlbGYgdGVzdCBwbHVnaW5zOjxvOnA+PC9vOnA+PC9wPgo8cCBj
bGFzcz0iTXNvTm9ybWFsIj4wLm1haW4gLSBbMDEvQXByLzIwMjQ6MDM6NDE6MzIgR01ULTA2OjAw
XSBbMjBdIFsxXSBTZWxmVGVzdFN1YnN5c3RlbTombmJzcDsgbG9hZGluZyBhbGwgc2VsZiB0ZXN0
IHBsdWdpbiBsb2dnZXIgcGFyYW1ldGVyczxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9y
bWFsIj4wLm1haW4gLSBbMDEvQXByLzIwMjQ6MDM6NDE6MzIgR01ULTA2OjAwXSBbMjBdIFsxXSBT
ZWxmVGVzdFN1YnN5c3RlbTombmJzcDsgbG9hZGluZyBhbGwgc2VsZiB0ZXN0IHBsdWdpbiBpbnN0
YW5jZXM8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+MC5tYWluIC0gWzAxL0Fw
ci8yMDI0OjAzOjQxOjMyIEdNVC0wNjowMF0gWzIwXSBbMV0gU2VsZlRlc3RTdWJzeXN0ZW06Jm5i
c3A7IGxvYWRpbmcgYWxsIHNlbGYgdGVzdCBwbHVnaW4gaW5zdGFuY2UgcGFyYW1ldGVyczxvOnA+
PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wLm1haW4gLSBbMDEvQXByLzIwMjQ6MDM6
NDE6MzIgR01ULTA2OjAwXSBbMjBdIFsxXSBTZWxmVGVzdFN1YnN5c3RlbTombmJzcDsgbG9hZGlu
ZyBzZWxmIHRlc3QgcGx1Z2lucyBpbiBvbi1kZW1hbmQgb3JkZXI8bzpwPjwvbzpwPjwvcD4KPHAg
Y2xhc3M9Ik1zb05vcm1hbCI+MC5tYWluIC0gWzAxL0Fwci8yMDI0OjAzOjQxOjMyIEdNVC0wNjow
MF0gWzIwXSBbMV0gU2VsZlRlc3RTdWJzeXN0ZW06Jm5ic3A7IGxvYWRpbmcgc2VsZiB0ZXN0IHBs
dWdpbnMgaW4gc3RhcnR1cCBvcmRlcjxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFs
Ij4wLm1haW4gLSBbMDEvQXByLzIwMjQ6MDM6NDE6MzIgR01ULTA2OjAwXSBbMjBdIFsxXSBTZWxm
VGVzdFN1YnN5c3RlbTogU2VsZiB0ZXN0IHBsdWdpbnMgaGF2ZSBiZWVuIHN1Y2Nlc3NmdWxseSBs
b2FkZWQhPG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAubWFpbiAtIFswMS9B
cHIvMjAyNDowMzo0MTozMiBHTVQtMDY6MDBdIFsyMF0gWzFdIFNlbGZUZXN0U3Vic3lzdGVtOiBS
dW5uaW5nIHNlbGYgdGVzdCBwbHVnaW5zIHNwZWNpZmllZCB0byBiZSBleGVjdXRlZCBhdCBzdGFy
dHVwOjxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wLm1haW4gLSBbMDEvQXBy
LzIwMjQ6MDM6NDE6MzIgR01ULTA2OjAwXSBbMjBdIFsxXSBDQVByZXNlbmNlOiZuYnNwOyBDQSBp
cyBwcmVzZW50PG86cD48L286cD48L3A+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjAubWFpbiAtIFsw
MS9BcHIvMjAyNDowMzo0MTozMiBHTVQtMDY6MDBdIFsyMF0gWzFdIFN5c3RlbUNlcnRzVmVyaWZp
Y2F0aW9uOiBzeXN0ZW0gY2VydHMgdmVyaWZpY2F0aW9uIGZhaWx1cmU6IEludmFsaWQgY2VydGlm
aWNhdGUgU2VydmVyLUNlcnQgY2VydC1wa2ktY2E6IE5vdEJlZm9yZTogTW9uIEFwciAwMSAwMzo0
MTo0OSBDU1QgMjAyNDxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wLm1haW4g
LSBbMDEvQXByLzIwMjQ6MDM6NDE6MzIgR01ULTA2OjAwXSBbMjBdIFsxXSBTZWxmVGVzdFN1YnN5
c3RlbTogVGhlIENSSVRJQ0FMIHNlbGYgdGVzdCBwbHVnaW4gY2FsbGVkIHNlbGZ0ZXN0cy5jb250
YWluZXIuaW5zdGFuY2UuU3lzdGVtQ2VydHNWZXJpZmljYXRpb24gcnVubmluZyBhdCBzdGFydHVw
IEZBSUxFRCE8bzpwPjwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7IDxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpw
PiZuYnNwOzwvbzpwPjwvcD4KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IDxvOnA+PC9vOnA+PC9wPgo8cCBjbGFzcz0i
TXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8bzpwPjwvbzpwPjwvcD4KPC9kaXY+Cjxicj4KPGhyPgo8
Zm9udCBmYWNlPSJBcmlhbCIgY29sb3I9IkdyYXkiIHNpemU9IjEiPjxicj4KRElTQ0xBSU1FUjog
VGhlIGluZm9ybWF0aW9uIGluIHRoaXMgbWVzc2FnZSBpcyBjb25maWRlbnRpYWwgYW5kIG1heSBi
ZSBsZWdhbGx5IHByaXZpbGVnZWQuIEl0IGlzIGludGVuZGVkIHNvbGVseSBmb3IgdGhlIGFkZHJl
c3NlZS4gQWNjZXNzIHRvIHRoaXMgbWVzc2FnZSBieSBhbnlvbmUgZWxzZSBpcyB1bmF1dGhvcml6
ZWQuIElmIHlvdSBhcmUgbm90IHRoZSBpbnRlbmRlZCByZWNpcGllbnQsIGFueSBkaXNjbG9zdXJl
LCBjb3B5aW5nLCBvciBkaXN0cmlidXRpb24KIG9mIHRoZSBtZXNzYWdlLCBvciBhbnkgYWN0aW9u
IG9yIG9taXNzaW9uIHRha2VuIGJ5IHlvdSBpbiByZWxpYW5jZSBvbiBpdCwgaXMgcHJvaGliaXRl
ZCBhbmQgbWF5IGJlIHVubGF3ZnVsLiBQbGVhc2UgaW1tZWRpYXRlbHkgY29udGFjdCB0aGUgc2Vu
ZGVyIGlmIHlvdSBoYXZlIHJlY2VpdmVkIHRoaXMgbWVzc2FnZSBpbiBlcnJvci4gRnVydGhlciwg
dGhpcyBlLW1haWwgbWF5IGNvbnRhaW4gdmlydXNlcyBhbmQgYWxsIHJlYXNvbmFibGUgcHJlY2F1
dGlvbgogdG8gbWluaW1pemUgdGhlIHJpc2sgYXJpc2luZyB0aGVyZSBmcm9tIGlzIHRha2VuIGJ5
IE9uTW9iaWxlLiBPbk1vYmlsZSBpcyBub3QgbGlhYmxlIGZvciBhbnkgZGFtYWdlIHN1c3RhaW5l
ZCBieSB5b3UgYXMgYSByZXN1bHQgb2YgYW55IHZpcnVzIGluIHRoaXMgZS1tYWlsLiBBbGwgYXBw
bGljYWJsZSB2aXJ1cyBjaGVja3Mgc2hvdWxkIGJlIGNhcnJpZWQgb3V0IGJ5IHlvdSBiZWZvcmUg
b3BlbmluZyB0aGlzIGUtbWFpbCBvciBhbnkgYXR0YWNobWVudAogdGhlcmV0by48YnI+ClRoYW5r
IHlvdSAtIE9uTW9iaWxlIEdsb2JhbCBMaW1pdGVkLjxicj4KPC9mb250Pgo8L2JvZHk+CjwvaHRt
bD4K
--===============3792701881326314654==--
From rcritten at redhat.com Mon Apr 1 14:47:16 2024
Content-Type: multipart/mixed; boundary="===============8526865454316647732=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ACME certs fail to renew
Date: Mon, 01 Apr 2024 10:46:58 -0400
Message-ID: <2e47af52-bfd8-251a-4739-5918abff075c@redhat.com>
In-Reply-To: 3ef3c740-c208-4413-b121-a74205203f7b@infra-monkey.com
--===============8526865454316647732==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Antoine Gatineau via FreeIPA-users wrote:
> Hello,
>
> I have a strange issue regarding acme service.
> My acme certificates fail to renew. `ipa-acme-manage status` fails with
> error:
> Failed to authenticate to CA REST API
> The ipa-acme-manage command failed.
>
> certbot client fails with error "Failed to renew certificate
> office.empire.lan with error: "
>
> $ ipa cert-show 49
>   Issuing CA: ipa
>   Certificate: "The certificate content"
>   Subject: CN=office.empire.lan
>   Subject DNS name: office.empire.lan
>   Issuer: CN=Certificate Authority,O=EMPIRE.LAN
>   Not Before: Sun Dec 24 14:05:50 2023 UTC
>   Not After: Sat Mar 23 14:05:50 2024 UTC
>   Serial number: 49
>   Serial number (hex): 0x31
>   Revoked: False
>
> So last successful renewal was on Dec 24th. Since then I have not really
> done anything apart from updating.
> I don't see any issue in ipaupgrade.log
>
> I am running on centos stream 9
> idm-jss.x86_64 5.5.0-1.el9
> idm-jss-tomcat.x86_64 5.5.0-1.el9
> idm-ldapjdk.noarch 5.5.0-1.el9
> idm-pki-acme.noarch 11.5.0-1.el9
> idm-pki-base.noarch 11.5.0-1.el9
> idm-pki-ca.noarch 11.5.0-1.el9
> idm-pki-java.noarch 11.5.0-1.el9
> idm-pki-kra.noarch 11.5.0-1.el9
> idm-pki-server.noarch 11.5.0-1.el9
> idm-pki-tools.x86_64 11.5.0-1.el9
> ipa-client.x86_64 4.11.0-9.el9
> ipa-client-common.noarch 4.11.0-9.el9
> ipa-common.noarch 4.11.0-9.el9
> ipa-healthcheck.noarch 0.16-2.el9
> ipa-healthcheck-core.noarch 0.16-2.el9
> ipa-selinux.noarch 4.11.0-9.el9
> ipa-server.x86_64 4.11.0-9.el9
> ipa-server-common.noarch 4.11.0-9.el9
> ipa-server-dns.noarch 4.11.0-9.el9
>
> I have followed closely the update on centos stream 9
>
> Running `ipa-acme-manage status` with the -d switch gives me
> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-EMPIRE-LAN.socket
> conn=
> ipaserver.masters: DEBUG: Discovery: available servers for service 'CA'
> are ipa-server-01.empire.lan, ipa-server-02.empire.lan
> ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for
> 'CA' service
> ipapython.dogtag: DEBUG: request POST
> https://ipa-server-01.empire.lan:8443/acme/login
> ipapython.dogtag: DEBUG: request body ''
> ipapython.dogtag: DEBUG: response status 404
> ipapython.dogtag: DEBUG: response headers Content-Type:
> text/html;charset=utf-8
> Content-Language: en
> Content-Length: 765
> Date: Thu, 28 Mar 2024 10:00:59 GMT
>
> ipapython.dogtag: DEBUG: response body (decoded): HTTP Status 404 – Not Found
> Type Status Report
> Message The requested resource [/acme/login] is not available
> Description The origin server did not find a current representation for
> the target resource or is not willing to disclose that one exists.
> Apache Tomcat/9.0.62
> ipapython.admintool: DEBUG:   File
> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py",
> line 403, in run
>     with state as ca_api:
>   File
> "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py",
> line 103, in __enter__
>     raise errors.RemoteRetrieveError(
>
> ipapython.admintool: DEBUG: The ipa-acme-manage command failed,
> exception: RemoteRetrieveError: Failed to authenticate to CA REST API
> ipapython.admintool: ERROR: Failed to authenticate to CA REST API
> ipapython.admintool: ERROR: The ipa-acme-manage command failed.
>
>
> So it looks like the acme subsystem is not started. But logs for the
> acme subsystem in /var/log/pki/pki-tomcat/acme/debug.2024-03-28.log
> don't show any issue. (see attached log)
>
> How can I go further in troubleshooting/fixing this issue?
I'd start by verifying that your CA is functioning. Something like ipa
cert-find.
Since you got a 404 (not found) I'd make sure that
/etc/httpd/conf.d/ipa-pki-proxy.conf contains:
...
rob
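The poster suspects the ACME subsystem is not started; Rob points at the httpd proxy configuration. Those are two different layers, and the `-d` output quoted above already says which one produced the 404: the request went to port 8443, where pki-tomcat is addressed directly, and the response body carries Tomcat's stock error page with its "Apache Tomcat/9.0.62" footer. As an added example (not code from the thread or from FreeIPA), the script below parses the `ipapython.dogtag: DEBUG:` lines, recovers host, port, path and status, and classifies the failure by whether a Tomcat banner is present. The sample log is constructed from the quoted lines (the HTML body is abbreviated), and the `frontend-404` branch is the case Rob's ipa-pki-proxy.conf check addresses; the classification tags are my own.

```python
"""Pin down which layer returned the HTTP error in `ipa-acme-manage -d` output.

Added example, not part of the thread and not FreeIPA code. It reads the
`ipapython.dogtag: DEBUG:` lines that ipa-acme-manage prints, extracts the
request target and the response status, and looks for the server banner
that Tomcat puts in its stock error page.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the DEBUG lines from the post, as one log excerpt (HTML abbreviated).
SAMPLE_LOG = """\
ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for 'CA' service
ipapython.dogtag: DEBUG: request POST https://ipa-server-01.empire.lan:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
ipapython.dogtag: DEBUG: response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 765
ipapython.dogtag: DEBUG: response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 - Not Found</title></head><body><h1>HTTP Status 404 - Not Found</h1><p><b>Message</b> The requested resource [/acme/login] is not available</p><hr class="line" /><h3>Apache Tomcat/9.0.62</h3></body></html>'
ipapython.admintool: ERROR: Failed to authenticate to CA REST API
"""

REQUEST_RE = re.compile(r"dogtag: DEBUG: request ([A-Z]+) (\S+)")
STATUS_RE = re.compile(r"dogtag: DEBUG: response status (\d+)")
BANNER_RE = re.compile(r"Apache Tomcat/[\d.]+")
RESOURCE_RE = re.compile(r"The requested resource \[([^\]]+)\] is not available")


@dataclass
class Probe:
    method: str
    host: str
    port: int
    path: str
    status: int
    banner: Optional[str]            # server banner found in the error page, if any
    missing_resource: Optional[str]  # path Tomcat says it could not find, if any

    def verdict(self) -> str:
        """Short classification, prefixed with a stable tag for scripting (tags are mine)."""
        from_tomcat = bool(self.banner and self.banner.startswith("Apache Tomcat"))
        where = f"{self.host}:{self.port}"
        if self.status == 404 and from_tomcat:
            return (f"tomcat-404: {self.banner} on {where} answered 404 for {self.path} "
                    "itself; the error page came from pki-tomcat, so that path is not "
                    "being served there")
        if self.status == 404:
            return (f"frontend-404: 404 for {self.path} on {where} without a Tomcat "
                    "banner; check the httpd proxy rules in "
                    "/etc/httpd/conf.d/ipa-pki-proxy.conf")
        if self.status in (401, 403):
            return f"auth: {self.path} exists on {where} but rejected the client credentials"
        if 200 <= self.status < 300:
            return "ok"
        return f"other: HTTP {self.status} from {where} for {self.path}"


def parse_probe(log_text: str) -> Probe:
    """Extract the last request/response pair from ipa-acme-manage -d output."""
    method = url = banner = missing = None
    status = None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            method, url = m.group(1), m.group(2)
            status = banner = missing = None  # a new request resets the response state
            continue
        m = STATUS_RE.search(line)
        if m:
            status = int(m.group(1))
            continue
        m = BANNER_RE.search(line)
        if m:
            banner = m.group(0)
        m = RESOURCE_RE.search(line)
        if m:
            missing = m.group(1)
    if url is None or status is None:
        raise ValueError("no dogtag request/response pair found in log")
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return Probe(method, parts.hostname or "", port, parts.path, status, banner, missing)


if __name__ == "__main__":
    print(parse_probe(SAMPLE_LOG).verdict())
```

Feed it the saved output of `ipa-acme-manage status -d`; a `tomcat-404` verdict means the next place to look is pki-tomcat itself (the ACME subsystem's own logs under /var/log/pki/pki-tomcat/acme/, which the poster already has), while `frontend-404` means the 404 was produced before the request ever reached Tomcat.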
From rcritten at redhat.com Mon Apr 1 14:54:22 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: problem with configuration replication in ipa
server
Date: Mon, 01 Apr 2024 10:54:04 -0400
Message-ID:
In-Reply-To: 20240328122513.14567.62901@mailman01.iad2.fedoraproject.org
Richard Halley via FreeIPA-users wrote:
> Hi everyone, I'm configuring the freeipa replication as follows:
>
> 1) ipa-client-install --domain=pippo.internal --realm=PIPPO.INTERNAL -N
>
> 2) I add the client to the ipaserver host group
>
> 3) ipa-replica-install -N --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4 --forwarder 1.1.1.1 --setup-ca
>
> After running ipa-replica-install I get the following error:
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipapython.admintool: ERROR A replication agreement for this host already exists. It needs to be removed.
> Run this command:
> %% ipa-replica-manage del pluto.pippo.internal --force
> ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> I would like to point out that I have attempted the configuration several times without success.
> Before proceeding with the uninstall commands of the client and the replica on the replica server, I delete the replica on the server (which fails because it does not find any replica) and then proceed with deleting the client.
>
> In the replication log file I have the following error:
>
> 2024-03-28T12:05:10Z DEBUG The ipa-replica-install command failed, exception: ScriptError: A replication agreement for this host already exists. It needs to be removed.
> Run this command:
> %% ipa-replica-manage del pluto.pippo.internal --force
> 2024-03-28T12:05:10Z ERROR A replication agreement for this host already exists. It needs to be removed.
> Run this command:
> %% ipa-replica-manage del pluto.pippo.internal --force
> 2024-03-28T12:05:10Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> I can't understand where the problem is.
> Could it be something dirty in LDAP?
Yes, exactly. Try `ipa server-del pluto.pippo.internal` instead.
rob
From rcritten at redhat.com Mon Apr 1 14:55:47 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Mon, 01 Apr 2024 10:55:35 -0400
Message-ID:
In-Reply-To: 20240328150045.5965.72904@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> I've just found an old p12 file from 2019. I was able to extract the key from that and it does match the CA Subsystem cert that expired 8 March that is listed in LDAP.
> So if I could somehow generate a new certificate with this and import into the NSS DB for /etc/pki/pki-tomcat/alias would that at least get the CA started?
Perhaps. It will be complicated because you'll need to move time
multiple times (e.g. start in 2019, renew, move to 2021-ish, renew, move
to 2023-ish, renew).
First you need to fix your certmonger tracking or it's likely to fail
again. Back in 2019, when things are running, executing
ipa-server-upgrade should repair the bad tracking.
rob
From rcritten at redhat.com Mon Apr 1 15:03:42 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: One freeipa replica install fails,
while other is going through
Date: Mon, 01 Apr 2024 11:03:25 -0400
Message-ID: <7d210de0-7e74-0e17-ed39-c3f1534d448b@redhat.com>
In-Reply-To: 20240329085835.7865.627@mailman01.iad2.fedoraproject.org
D S via FreeIPA-users wrote:
> Any ideas on where to look next?
I believe you posed the same question on the freeipa-container package.
It might have helped if you'd posted here that you were using
containers, what underlying OS's were being used and the version of IPA.
Did you try pointing the 3rd replica to one of the other two?
Did you try with --skip-conncheck? The connection checking isn't always
perfect which is why the option exists.
rob
From twest at cherryroad.com Mon Apr 1 15:11:01 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Mon, 01 Apr 2024 15:10:41 +0000
Message-ID: <20240401151041.11710.80771@mailman01.iad2.fedoraproject.org>
In-Reply-To: d8211363-9aaf-fb92-34b1-ab53e1706c38@redhat.com
Over the weekend I was able to find the CA cert and matching key. So I was
able to generate a new certificate using these and have them signed correctly.
Here is how I did that (subsystem cert as an example)

CSR gen
openssl req -new -sha256 -key subsystem.key -subj "/CN=CA Subsystem /O=IPA.***.NET" -out subsystem.csr

Cert gen
openssl x509 -req -in subsystem.csr -CA ca.crt -CAkey ca.key -set_serial 4 -out subsystem.crt -days 3650 -sha256 -extfile openssl.cnf

create p12 (the nickname contains a space, so it has to be quoted)
openssl pkcs12 -export -out subsystem.p12 -inkey subsystem.key -in subsystem.crt -certfile ca.crt -name "subsystemCert cert-pki-ca"

import p12 to NSS DB
pk12util -d . -i subsystem.p12 -n "subsystemCert cert-pki-ca"

The 'extfile' contains some of the v3 attributes
$ cat openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature

This morning I imported the auditSigningCert, subsystemCert, and ocspSigning
certs to /etc/pki/pki-tomcat/alias and the trust attributes are correct.
Then I tried adding them back to certmonger for tracking, and they are now
being tracked.
Request ID '20240401141044':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O="IPA.****.NET ",CN="CA Subsystem "
        expires: 2034-03-30 11:10:54 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20240401141327':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O="IPA.****.NET ",CN="OCSP Subsystem "
        expires: 2034-03-30 10:59:25 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20240401145826':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O="IPA.****.NET ",CN="CA Audit "
        expires: 2034-03-30 11:05:14 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

However, after getting them tracked again, the NSS DB appears to have two copies (?)

# certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      d326b4d65770485d4e0652590101cb7327be0835   caSigningCert cert-pki-ca
< 1> rsa      f5544801e45007862e7593febbeba32c6931b100   subsystemCert cert-pki-ca
< 2> rsa      c13cdf1ff7588fbf7b8a25f7ce3e56d5ae0450cd   ocspSigningCert cert-pki-ca
< 3> rsa      99fffc1c7d251e95374aa15db210aa994c9452ef   NSS Certificate DB:Server-Cert cert-pki-ca
< 4> rsa      75ff858e34df66b838167a31c4d4e12ef76b0044   auditSigningCert cert-pki-ca
< 5> rsa      623e08407bf1fbace5146c7413e343935a987243   subsystemCert cert-pki-ca
< 6> rsa      2c62bcd9a61f0db2288c0e85c9c4f316793df98a   ocspSigningCert cert-pki-ca

But here only shows one, with correct trust attributes

# certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

I also updated the subsystemCert in LDAP so that matches (both cert and serial)
I am still unable to get pki-tomcat to start when I run 'ipactl start' but if I check the service using systemctl it appears to be running
Clearly there is still something I'm missing.
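The `certutil -K` listing above shows two private keys each for `subsystemCert cert-pki-ca` and `ocspSigningCert cert-pki-ca` while `certutil -L` shows one certificate per nickname. That mismatch is easy to miss by eye in a longer database, so here is an added example (not code from the thread or from FreeIPA/Dogtag) that parses both listings in the format certutil prints and reports nicknames with more than one key, keys with no certificate of the same nickname, and certificates with no key at all. The two listings embedded in it are constructed from the post. Note the caveat: `-K` output alone does not tell you which of the two keys backs the installed certificate, so match the public keys before deleting anything from a CA's alias directory.

```python
"""Audit an NSS database for duplicate and orphaned private keys.

Added example, not code from the thread or from FreeIPA/Dogtag. It parses
the output of `certutil -K -d <dir>` (private keys) and `certutil -L -d <dir>`
(certificates with trust flags) and cross-checks the nicknames.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: `certutil -K -d .` as quoted in the post.
SAMPLE_KEYS = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      d326b4d65770485d4e0652590101cb7327be0835   caSigningCert cert-pki-ca
< 1> rsa      f5544801e45007862e7593febbeba32c6931b100   subsystemCert cert-pki-ca
< 2> rsa      c13cdf1ff7588fbf7b8a25f7ce3e56d5ae0450cd   ocspSigningCert cert-pki-ca
< 3> rsa      99fffc1c7d251e95374aa15db210aa994c9452ef   NSS Certificate DB:Server-Cert cert-pki-ca
< 4> rsa      75ff858e34df66b838167a31c4d4e12ef76b0044   auditSigningCert cert-pki-ca
< 5> rsa      623e08407bf1fbace5146c7413e343935a987243   subsystemCert cert-pki-ca
< 6> rsa      2c62bcd9a61f0db2288c0e85c9c4f316793df98a   ocspSigningCert cert-pki-ca
"""

# Constructed sample: `certutil -L -d .` as quoted in the post.
SAMPLE_CERTS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# "< 3> rsa   <key id>   <nickname>"; the nickname may carry a token prefix.
KEY_RE = re.compile(r"^<\s*\d+>\s+(\w+)\s+([0-9a-fA-F]+)\s+(\S.*)$")
# "<nickname>   <trust flags>"; header lines never end in a pure flag string.
CERT_RE = re.compile(r"^(\S.*?)\s{2,}([CTPcpuw,]+)$")
TOKEN_PREFIX = "NSS Certificate DB:"  # softoken name certutil prepends to some nicknames


def strip_token(nick: str) -> str:
    """Drop the "NSS Certificate DB:" prefix so key and cert nicknames compare equal."""
    nick = nick.strip()
    return nick[len(TOKEN_PREFIX):] if nick.startswith(TOKEN_PREFIX) else nick


def parse_keys(text: str) -> Dict[str, List[str]]:
    """Map nickname -> list of key IDs from `certutil -K` output."""
    keys: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys[strip_token(m.group(3))].append(m.group(2).lower())
    return dict(keys)


def parse_certs(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags from `certutil -L` output (header lines skipped)."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = CERT_RE.match(line.rstrip())
        if m:
            certs[strip_token(m.group(1))] = m.group(2)
    return certs


def audit_nssdb(keys_text: str, certs_text: str) -> dict:
    """Cross-check keys against certificates by nickname."""
    keys = parse_keys(keys_text)
    certs = parse_certs(certs_text)
    return {
        "duplicate_keys": {n: ids for n, ids in keys.items() if len(ids) > 1},
        "keys_without_cert": {n: ids for n, ids in keys.items() if n not in certs},
        "certs_without_key": sorted(n for n in certs if n not in keys),
    }


if __name__ == "__main__":
    for finding, value in audit_nssdb(SAMPLE_KEYS, SAMPLE_CERTS).items():
        print(f"{finding}: {value}")
```

Run it against `certutil -K -d /etc/pki/pki-tomcat/alias` and `certutil -L -d /etc/pki/pki-tomcat/alias` captured to files; on the listings quoted above it flags exactly the two nicknames with two keys and nothing else.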
From rcritten at redhat.com Mon Apr 1 15:27:58 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica installation failed-SEVERE: Unable to
start CA engine: Selftest failed: Invalid certificate Server-Cert
cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Date: Mon, 01 Apr 2024 11:27:35 -0400
Message-ID:
In-Reply-To: b966ab35ecd6491c93693475deb8e0a3@onmobile.com
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> Anyone faced this issue during replica installation
>
> I have third party SSL certificate installed on master server
>
> *IPA Version:*
>
> [root@dir02-mex ~]# ipa --version
> *VERSION: 4.10.2, API_VERSION: 2.252*
>
> *Certificate Expiry:*
>
> [root@dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n
> 'Server-Cert cert-pki-ca' | egrep -i 'befor|after'
> *            Not Before: Mon Apr 01 09:41:49 2024*
> *            Not After : Sun Mar 22 09:41:49 2026*
The time reported by certutil is in UTC.
The time in the error is reported in local time, CST. Central Standard
Time? The US has been in DST for a few weeks.
In CDT the cert would have been issued at 04:41:49 and with a 5hr offset
to UTC would be 09:41:49 so valid.
So I'd check your system clock and timezone.
rob
>
>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/30]: creating certificate server db
>   [2/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> Update succeeded
>
>   [3/30]: creating ACIs for admin
>   [4/30]: creating installation admin user
>   [5/30]: configuring certificate server instance
> Failed to configure CA instance
> See the installation logs and the following files/directories for more
> information:
>   /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> *Cat /var/log/ipareplica-install.log:*
>
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET / HTTP/1.1" 302 0
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki HTTP/1.1" 302 None
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki/ HTTP/1.1" 200 3500
> INFO: PKI server started
> INFO: Waiting for CA subsystem
> DEBUG: Starting new HTTPS connection (1): dir02-mexommx.ipa.com:8443
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784
>
> 2024-04-01T09:41:34Z CRITICAL Failed to configure CA instance
> 2024-04-01T09:41:34Z CRITICAL See the installation logs and the following files/directories for more information:
> 2024-04-01T09:41:34Z CRITICAL   /var/log/pki/pki-tomcat
> 2024-04-01T09:41:34Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
>     raise RuntimeError(
> RuntimeError: CA configuration failed.
>
> 2024-04-01T09:41:34Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2024-04-01T09:41:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> 2024-04-01T09:41:34Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
>     return cfgr.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
>     return self.execute()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
>     for rval in self._executor():
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
>     return next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
>     next(executor)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
>     return next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
> =
> =C2=A0=C2=A0=C2=A0 value =3D gen.send(prev_value)
> =
> =C2=A0 File "/usr/lib/python3.9/site-packages/ipapython/install/common.py=
",
> line 65, in _install
> =
> =C2=A0=C2=A0=C2=A0 for unused in self._installer(self.parent):
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py",
> line 599, in main
> =
> =C2=A0=C2=A0=C2=A0 replica_install(self)
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall=
.py",
> line 401, in decorated
> =
> =C2=A0=C2=A0=C2=A0 func(installer)
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall=
.py",
> line 1345, in install
> =
> =C2=A0=C2=A0=C2=A0 ca.install(False, config, options, custodia=3Dcustodia)
> =
> =C2=A0 File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", l=
ine
> 354, in install
> =
> =C2=A0=C2=A0=C2=A0 install_step_0(standalone, replica_config, options, cu=
stodia=3Dcustodia)
> =
> =C2=A0 File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", l=
ine
> 422, in install_step_0
> =
> =C2=A0=C2=A0=C2=A0 ca.configure_instance(
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line
> 506, in configure_instance
> =
> =C2=A0=C2=A0=C2=A0 self.start_creation(runtime=3Druntime)
> =
> =C2=A0 File "/usr/lib/python3.9/site-packages/ipaserver/install/service.p=
y",
> line 686, in start_creation
> =
> =C2=A0=C2=A0=C2=A0 run_step(full_msg, method)
> =
> =C2=A0 File "/usr/lib/python3.9/site-packages/ipaserver/install/service.p=
y",
> line 672, in run_step
> =
> =C2=A0=C2=A0=C2=A0 method()
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line
> 651, in __spawn_instance
> =
> =C2=A0=C2=A0=C2=A0 DogtagInstance.spawn_instance(
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py",
> line 227, in spawn_instance
> =
> =C2=A0=C2=A0=C2=A0 self.handle_setup_error(e)
> =
> =C2=A0 File
> "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py",
> line 604, in handle_setup_error
> =
> =C2=A0=C2=A0=C2=A0 raise RuntimeError(
> =
> =C2=A0
> =
> 2024-04-01T09:41:34Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: CA configuration failed.
> 2024-04-01T09:41:34Z ERROR CA configuration failed.
> 2024-04-01T09:41:34Z ERROR The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> *Cat /var/log/pki/pki-tomcat/ca/debug.2024-04-01.log*
>
> 2024-04-01 03:41:32 [main] INFO: CMSEngine: Disabling CA subsystem
> 2024-04-01 03:41:32 [main] SEVERE: Unable to start CA engine: Selftest
> failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr
> 01 03:41:49 CST 2024
> Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore:
> Mon Apr 01 03:41:49 CST 2024
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1759)
>         at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
>         at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
>
> 2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: selftest failed:
> Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01
> 03:41:49 CST 2024
> java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca:
> NotBefore: Mon Apr 01 03:41:49 CST 2024
>         at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:844)
>         at com.netscape.cmscore.apps.CMSEngine.verifySystemCertByTag(CMSEngine.java:1895)
>         at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1823)
>         at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:211)
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:818)
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1722)
>         at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
>         at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
>         at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1223)
>         at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:43)
>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:149)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:139)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:696)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
>         at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
>         at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>         at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>         at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
>         at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>         at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>         at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
>         at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
>         at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
>         at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>         at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>         at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
>         at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
>         at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
> Caused by: java.security.cert.CertificateNotYetValidException:
> NotBefore: Mon Apr 01 03:41:49 CST 2024
>         at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:302)
>         at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:494)
>         at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:466)
>         at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
>         ... 54 more
>
> 2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: Disabling
> subsystem due to selftest failure: Invalid certificate Server-Cert
> cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca:
> NotBefore: Mon Apr 01 03:41:49 CST 2024
>
> *cat /var/log/pki/pki-tomcat/ca/selftests.log:*
>
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence:  CA is
> present
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1]
> SystemCertsVerification: system certs verification failure: Invalid
> certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem:
> The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at startup
> FAILED!
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> Initializing self test plugins:
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading all self test plugin logger parameters
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading all self test plugin instances
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading all self test plugin instance parameters
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading self test plugins in on-demand order
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading self test plugins in startup order
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> Self test plugins have been successfully loaded!
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> Running self test plugins specified to be executed at startup:
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence:  CA is
> present
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1]
> SystemCertsVerification: system certs verification failure: Invalid
> certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:
> The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at startup
> FAILED!
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> Initializing self test plugins:
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading all self test plugin logger parameters
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading all self test plugin instances
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading all self test plugin instance parameters
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading self test plugins in on-demand order
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> loading self test plugins in startup order
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> Self test plugins have been successfully loaded!
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> Running self test plugins specified to be executed at startup:
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence:  CA is
> present
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1]
> SystemCertsVerification: system certs verification failure: Invalid
> certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:
> The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at startup
> FAILED!
>
> ------------------------------------------------------------------------
> =
> DISCLAIMER: The information in this message is confidential and may be
> legally privileged. It is intended solely for the addressee. Access to
> this message by anyone else is unauthorized. If you are not the intended
> recipient, any disclosure, copying, or distribution of the message, or
> any action or omission taken by you in reliance on it, is prohibited and
> may be unlawful. Please immediately contact the sender if you have
> received this message in error. Further, this e-mail may contain viruses
> and all reasonable precaution to minimize the risk arising there from is
> taken by OnMobile. OnMobile is not liable for any damage sustained by
> you as a result of any virus in this e-mail. All applicable virus checks
> should be carried out by you before opening this e-mail or any
> attachment thereto.
> Thank you - OnMobile Global Limited.
> =
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
--===============8750061368106694558==--
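The selftest failure quoted above turns on three timestamps printed in three different conventions: certutil's Not Before (UTC, no zone marker), the selftests.log stamp (local time with an explicit GMT offset), and the Java exception text (local time with only a zone abbreviation, which is ambiguous on its own). The script below is an added example for this thread, not code from FreeIPA, Dogtag or certutil; it normalises all three to UTC, reports how long after the selftest the certificate became valid, and checks that the JVM's local NotBefore agrees with certutil's UTC value under the offset that timedatectl reports. The format rules it applies, and the choice to take the UTC offset from timedatectl rather than trust the abbreviation, are assumptions drawn from the excerpts; the sample strings are constructed from the thread's own log lines.

```python
"""Normalise the timestamps behind a Dogtag "NotBefore" selftest failure to UTC.

Added example, not FreeIPA/Dogtag code. Assumed input formats (from the thread):
  * certutil -L prints Not Before/Not After in UTC with no zone marker
  * selftests.log stamps each line as dd/Mon/yyyy:HH:MM:SS GMT<+|->HH:MM
  * the exception text carries java.util.Date.toString() output in the JVM's
    local zone; "CST" alone is ambiguous, so the caller passes the numeric
    offset shown by timedatectl
"""
import re
from datetime import datetime, timedelta, timezone

# java.util.Date.toString() and certutil share the "Mon Apr 01 09:41:49 2024" shape
DATE_FMT = "%a %b %d %H:%M:%S %Y"

SELFTEST_STAMP = re.compile(
    r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) GMT([+-])(\d{2}):(\d{2})\]"
)
JAVA_NOTBEFORE = re.compile(
    r"NotBefore: ([A-Za-z]{3} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) [A-Z]{2,5} (\d{4})"
)

# Constructed sample input, copied from the thread's log excerpts.
CERTUTIL_NOT_BEFORE = "Not Before: Mon Apr 01 09:41:49 2024"
SELFTEST_LINE = ("0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] "
                 "SystemCertsVerification: system certs verification failure")
JAVA_MESSAGE = ("Invalid certificate Server-Cert cert-pki-ca: "
                "NotBefore: Mon Apr 01 03:41:49 CST 2024")
TIMEDATECTL_OFFSET = timedelta(hours=-6)   # "Time zone: America/Mexico_City (CST, -0600)"


def parse_certutil_utc(line: str) -> datetime:
    """'Not Before: Mon Apr 01 09:41:49 2024' -> aware datetime in UTC."""
    value = line.split(":", 1)[1].strip()
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_selftest_stamp(line: str) -> datetime:
    """Read the bracketed timestamp of a selftests.log line; it carries its own offset."""
    m = SELFTEST_STAMP.search(line)
    if m is None:
        raise ValueError(f"no selftest timestamp in {line!r}")
    stamp, sign, hh, mm = m.groups()
    delta = timedelta(hours=int(hh), minutes=int(mm))
    tz = timezone(delta if sign == "+" else -delta)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=tz)


def parse_java_notbefore(message: str, local_offset: timedelta) -> datetime:
    """'NotBefore: Mon Apr 01 03:41:49 CST 2024' -> aware datetime.

    The zone abbreviation is deliberately ignored: CST is -0600 in Mexico City
    and +0800 in Shanghai, so the numeric offset from timedatectl is used instead.
    """
    m = JAVA_NOTBEFORE.search(message)
    if m is None:
        raise ValueError(f"no Java NotBefore in {message!r}")
    naive = datetime.strptime(f"{m.group(1)} {m.group(2)}", DATE_FMT)
    return naive.replace(tzinfo=timezone(local_offset))


def diagnose(cert_not_before: datetime, selftest_ran_at: datetime) -> dict:
    """Compare the two instants in UTC and say what the selftest must have seen."""
    nb = cert_not_before.astimezone(timezone.utc)
    ran = selftest_ran_at.astimezone(timezone.utc)
    lag = (nb - ran).total_seconds()
    return {
        "not_before_utc": nb.isoformat(),
        "selftest_utc": ran.isoformat(),
        "seconds_until_valid": lag,
        "verdict": "not yet valid when the selftest ran" if lag > 0 else "valid",
    }


def offset_matches_certutil(message: str, certutil_line: str, local_offset: timedelta) -> bool:
    """True when the Java local-time NotBefore and certutil's UTC NotBefore denote the
    same instant under local_offset, i.e. the JVM really was running at that offset."""
    return parse_java_notbefore(message, local_offset) == parse_certutil_utc(certutil_line)


if __name__ == "__main__":
    report = diagnose(parse_certutil_utc(CERTUTIL_NOT_BEFORE),
                      parse_selftest_stamp(SELFTEST_LINE))
    for key, value in report.items():
        print(f"{key:>20}: {value}")
    print(f"JVM offset {TIMEDATECTL_OFFSET} consistent with certutil: "
          f"{offset_matches_certutil(JAVA_MESSAGE, CERTUTIL_NOT_BEFORE, TIMEDATECTL_OFFSET)}")
```

On the thread's values it reports NotBefore 2024-04-01T09:41:49+00:00 against a selftest run at 2024-04-01T09:41:32+00:00, so the certificate only became valid 17 seconds after the startup selftest checked it, and with a -0600 offset the Java timestamp matches certutil's UTC value exactly. A gap of that size between the CA that issued the certificate and the host verifying it is what the "System clock synchronized" line of timedatectl exists to catch; comparing the two hosts' clocks directly is the next check.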
From manideep.sai at onmobile.com Mon Apr 1 18:55:31 2024
Content-Type: multipart/mixed; boundary="===============7193989110349146529=="
MIME-Version: 1.0
From: Polavarapu Manideep Sai
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica installation failed-SEVERE: Unable to
start CA engine: Selftest failed: Invalid certificate Server-Cert
cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Date: Mon, 01 Apr 2024 18:55:09 +0000
Message-ID:
In-Reply-To: f8e4c281-0965-ff9d-2727-ee8f97698b78@redhat.com
--===============7193989110349146529==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi Rob,
Thanks for the reply. Here is the clock and time zone:
[root(a)dir02-mex ~]# clock
2024-04-01 12:48:38.496030-06:00
[root(a)dir02-mex ~]# hwclock
2024-04-01 12:48:42.902341-06:00
[root(a)dir02-mex ~]# date
Mon 01 Apr 2024 12:48:12 CST
[root(a)dir02-mex ~]# timedatectl
               Local time: Mon 2024-04-01 12:48:21 CST
           Universal time: Mon 2024-04-01 18:48:21 UTC
                 RTC time: Mon 2024-04-01 18:49:02
                Time zone: America/Mexico_City (CST, -0600)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no
[root(a)dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 47 (0x2f)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.COM"
        Validity:
            Not Before: Mon Apr 01 09:41:49 2024
            Not After : Sun Mar 22 09:41:49 2026
------------------------------------------------------------------------------------------------
-----Original Message-----
From: Rob Crittenden
Sent: 01 April 2024 20:58
To: FreeIPA users list
Cc: Polavarapu Manideep Sai
Subject: Re: [Freeipa-users] IPA replica installation failed-SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> Has anyone faced this issue during replica installation?
>
> I have a third-party SSL certificate installed on the master server.
>
> *IPA Version:*
>
> [root(a)dir02-mex ~]# ipa --version
> *VERSION: 4.10.2, API_VERSION: 2.252*
>
> *Certificate Expiry:*
>
> [root(a)dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n
> 'Server-Cert cert-pki-ca' | egrep -i 'befor|after'
> * Not Before: Mon Apr 01 09:41:49 2024*
> * Not After : Sun Mar 22 09:41:49 2026*
The time reported by certutil is in UTC.
The time in the error is reported in local time, CST. Central Standard
Time? The US has been in DST for a few weeks.
In CDT the cert would have been issued at 04:41:49 and with a 5hr offset
to UTC would be 09:41:49 so valid.
So I'd check your system clock and timezone.
rob
>
> [1/4]: Generating ipa-custodia config file
> [2/4]: Generating ipa-custodia keys
> [3/4]: starting ipa-custodia
> [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/30]: creating certificate server db
> [2/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> Update succeeded
>
> [3/30]: creating ACIs for admin
> [4/30]: creating installation admin user
> [5/30]: configuring certificate server instance
> Failed to configure CA instance
> See the installation logs and the following files/directories for more
> information:
> /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> *Cat /var/log/ipareplica-install.log:*
>
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET / HTTP/1.1" 302 0
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki HTTP/1.1" 302 None
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki/ HTTP/1.1" 200 3500
> INFO: PKI server started
> INFO: Waiting for CA subsystem
> DEBUG: Starting new HTTPS connection (1): dir02-mexommx.ipa.com:8443
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /ca/admin/ca/getStatus
> HTTP/1.1" 404 784
>
> 2024-04-01T09:41:34Z CRITICAL Failed to configure CA instance
> 2024-04-01T09:41:34Z CRITICAL See the installation logs and the
> following files/directories for more information:
> 2024-04-01T09:41:34Z CRITICAL /var/log/pki/pki-tomcat
> 2024-04-01T09:41:34Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
>     raise RuntimeError(
> RuntimeError: CA configuration failed.
>
> 2024-04-01T09:41:34Z DEBUG [error] RuntimeError: CA configuration failed.
> 2024-04-01T09:41:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> 2024-04-01T09:41:34Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
>     return cfgr.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
>     return self.execute()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
>     for rval in self._executor():
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
>     return next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
>     next(executor)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
>     return next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
>     for unused in self._installer(self.parent):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main
>     replica_install(self)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
>     func(installer)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install
>     ca.install(False, config, options, custodia=custodia)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 354, in install
>     install_step_0(standalone, replica_config, options, custodia=custodia)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 422, in install_step_0
>     ca.configure_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 506, in configure_instance
>     self.start_creation(runtime=runtime)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
>     raise RuntimeError(
>
> 2024-04-01T09:41:34Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: CA configuration failed.
> 2024-04-01T09:41:34Z ERROR CA configuration failed.
> 2024-04-01T09:41:34Z ERROR The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> *cat /var/log/pki/pki-tomcat/ca/debug.2024-04-01.log*
>
> 2024-04-01 03:41:32 [main] INFO: CMSEngine: Disabling CA subsystem
> 2024-04-01 03:41:32 [main] SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
>     at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1759)
>     at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
>     at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
>
> 2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
>     at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:844)
>     at com.netscape.cmscore.apps.CMSEngine.verifySystemCertByTag(CMSEngine.java:1895)
>     at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1823)
>     at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:211)
>     at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:818)
>     at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1722)
>     at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
>     at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
>     at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1223)
>     at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:43)
>     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:149)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:139)
>     at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:696)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>     at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
>     at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
>     at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>     at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
>     at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
> Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Mon Apr 01 03:41:49 CST 2024
>     at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:302)
>     at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:494)
>     at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:466)
>     at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
>     ... 54 more
>
> 2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: Disabling subsystem due to selftest failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
>
> *cat /var/log/pki/pki-tomcat/ca/selftests.log:*
>
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence: CA is present
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence: CA is present
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence: CA is present
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>
> ------------------------------------------------------------------------
>
> DISCLAIMER: The information in this message is confidential and may be
> legally privileged. It is intended solely for the addressee. Access to
> this message by anyone else is unauthorized. If you are not the intended
> recipient, any disclosure, copying, or distribution of the message, or
> any action or omission taken by you in reliance on it, is prohibited and
> may be unlawful. Please immediately contact the sender if you have
> received this message in error. Further, this e-mail may contain viruses
> and all reasonable precaution to minimize the risk arising there from is
> taken by OnMobile. OnMobile is not liable for any damage sustained by
> you as a result of any virus in this e-mail. All applicable virus checks
> should be carried out by you before opening this e-mail or any
> attachment thereto.
> Thank you - OnMobile Global Limited.
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
--===============7193989110349146529==--
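Every failure quoted in the message above has the same shape: the CA's Server-Cert has a NotBefore 13 to 17 seconds later than the moment the startup self-test looked at it (for example NotBefore 03:41:49 against a check at 03:41:32). Dogtag's check is a plain validity-window comparison with no slack (the trace ends in CertificateNotYetValidException), so a replica whose clock trails the issuing CA by more than the gap between issuance and first start fails exactly like this. The script below is an added example, not code from the thread or from FreeIPA/Dogtag: it scans selftests.log lines for these failures and reports the skew so that a few seconds of clock drift can be told apart from a genuinely wrong date or wrong certificate. It assumes the log prefix offset (GMT-06:00) and the NotBefore zone token (CST) denote the same offset; the sample log is constructed from the quoted lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the failure lines quoted from selftests.log in the message above.
SAMPLE_LOG = """\
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
"""

# Log prefix is [dd/Mon/yyyy:HH:MM:SS GMT+hh:mm]; the failure text ends with the
# Java Date.toString() form "Mon Apr 01 03:41:49 CST 2024".
FAILURE_RE = re.compile(
    r"\[(?P<checked>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) GMT[+-]\d{2}:\d{2}\]"
    r".*Invalid certificate (?P<nick>\S+ \S+): NotBefore: "
    r"(?P<nb>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4})"
)


def parse_failures(log_text):
    """Return [(nickname, check_time, not_before, skew_seconds)] for every
    NotBefore self-test failure in the log.

    Assumption: the log prefix offset (GMT-06:00) and the NotBefore zone token
    (CST) are the same offset, so both timestamps compare as naive local times.
    """
    found = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        checked = datetime.strptime(m["checked"], "%d/%b/%Y:%H:%M:%S")
        not_before = datetime.strptime(f"{m['nb']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        skew = int((not_before - checked).total_seconds())
        found.append((m["nick"], checked, not_before, skew))
    return found


def diagnose(log_text, drift_limit=timedelta(minutes=5)):
    """Label each failure. Dogtag itself allows no slack: any future NotBefore
    fails. A skew of seconds to a few minutes means the issuing CA's clock is
    ahead of this host; anything larger points at a wrong date or wrong cert."""
    verdicts = []
    for nick, _checked, _not_before, skew in parse_failures(log_text):
        if 0 < skew <= drift_limit.total_seconds():
            verdicts.append((nick, skew, "clock drift between issuing CA and this host"))
        elif skew > 0:
            verdicts.append((nick, skew, "NotBefore far in the future: check the date and the cert"))
        else:
            verdicts.append((nick, skew, "valid at check time: failure is not the validity window"))
    return verdicts


if __name__ == "__main__":
    for nick, skew, verdict in diagnose(SAMPLE_LOG):
        print(f"{nick}: NotBefore is {skew:+d}s from check time -> {verdict}")
```

When the verdict is clock drift, compare `date -u` and `chronyc tracking` on the new replica and on the CA that issued the certificate before retrying the install; the self-test will pass on its own once the replica's clock has moved past NotBefore, but the drift that caused it will keep biting Kerberos and certificate issuance until it is fixed.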
From antoine.gatineau at infra-monkey.com Tue Apr 2 09:42:35 2024
Content-Type: multipart/mixed; boundary="===============0132619415277158581=="
MIME-Version: 1.0
From: Antoine Gatineau
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ACME certs fail to renew
Date: Tue, 02 Apr 2024 11:42:18 +0200
Message-ID:
In-Reply-To: 2e47af52-bfd8-251a-4739-5918abff075c@redhat.com
--===============0132619415277158581==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hello Rob,
Thank you for replying quickly.
As far as I could see, the apache config is good.
All the 'ipa cert-*' and 'ipa ca-*' were working properly.
The only command not working was ipa-acme-manage (and the certbot renew obviously).
I tried adding a replica and acme was available and working on the new replica which rules out the ldap content I guess.
I then reinstalled my replicas and everything is working properly now.
So fixed, but I still don't know what happened :/
Best regards
On 4/1/24 16:46, Rob Crittenden via FreeIPA-users wrote:
> Antoine Gatineau via FreeIPA-users wrote:
>> Hello,
>>
>> I have a strange issue regarding acme service.
>> My acme certificates fail to renew. `ipa-acme-manage status`fails with
>> error:
>> Failed to authenticate to CA REST API
>> The ipa-acme-manage command failed.
>>
>> certbot client fails with error "Failed to renew certificate
>> office.empire.lan with error: "
>>
>> $ ipa cert-show 49
>>  Issuing CA: ipa
>>  Certificate: "The certificate content"
>>  Subject: CN=office.empire.lan
>>  Subject DNS name: office.empire.lan
>>  Issuer: CN=Certificate Authority,O=EMPIRE.LAN
>>  Not Before: Sun Dec 24 14:05:50 2023 UTC
>>  Not After: Sat Mar 23 14:05:50 2024 UTC
>>  Serial number: 49
>>  Serial number (hex): 0x31
>>  Revoked: False
>>
>> So last successful renewal was on Dec 24th. Since then I have not really
>> done anything apart from updating.
>> I don't see any issue in ipaupgrade.log
>>
>>
>> I am running on centos stream 9
>> idm-jss.x86_64 5.5.0-1.el9
>> idm-jss-tomcat.x86_64 5.5.0-1.el9
>> idm-ldapjdk.noarch 5.5.0-1.el9
>> idm-pki-acme.noarch 11.5.0-1.el9
>> idm-pki-base.noarch 11.5.0-1.el9
>> idm-pki-ca.noarch 11.5.0-1.el9
>> idm-pki-java.noarch 11.5.0-1.el9
>> idm-pki-kra.noarch 11.5.0-1.el9
>> idm-pki-server.noarch 11.5.0-1.el9
>> idm-pki-tools.x86_64 11.5.0-1.el9
>> ipa-client.x86_64 4.11.0-9.el9
>> ipa-client-common.noarch 4.11.0-9.el9
>> ipa-common.noarch 4.11.0-9.el9
>> ipa-healthcheck.noarch 0.16-2.el9
>> ipa-healthcheck-core.noarch 0.16-2.el9
>> ipa-selinux.noarch 4.11.0-9.el9
>> ipa-server.x86_64 4.11.0-9.el9
>> ipa-server-common.noarch 4.11.0-9.el9
>> ipa-server-dns.noarch 4.11.0-9.el9
>>
>> I have followed closely the update on centos stream 9
>>
>> Running `ipa-acme-manage status` with the -d switch gives me
>> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache
>> url=ldapi://%2fvar%2frun%2fslapd-EMPIRE-LAN.socket
>> conn=
>> ipaserver.masters: DEBUG: Discovery: available servers for service 'CA'
>> are ipa-server-01.empire.lan, ipa-server-02.empire.lan
>> ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for
>> 'CA' service
>> ipapython.dogtag: DEBUG: request POST
>> https://ipa-server-01.empire.lan:8443/acme/login
>> ipapython.dogtag: DEBUG: request body ''
>> ipapython.dogtag: DEBUG: response status 404
>> ipapython.dogtag: DEBUG: response headers Content-Type:
>> text/html;charset=utf-8
>> Content-Language: en
>> Content-Length: 765
>> Date: Thu, 28 Mar 2024 10:00:59 GMT
>>
>> ipapython.dogtag: DEBUG: response body (decoded):
>> HTTP Status 404 – Not Found
>> Type: Status Report
>> Message: The requested resource [/acme/login] is not available
>> Description: The origin server did not find a current representation for
>> the target resource or is not willing to disclose that one exists.
>> Apache Tomcat/9.0.62
>> ipapython.admintool: DEBUG:   File
>> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in
>> execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py",
>> line 403, in run
>>     with state as ca_api:
>>   File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py",
>> line 103, in __enter__
>>     raise errors.RemoteRetrieveError(
>>
>> ipapython.admintool: DEBUG: The ipa-acme-manage command failed,
>> exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>> ipapython.admintool: ERROR: Failed to authenticate to CA REST API
>> ipapython.admintool: ERROR: The ipa-acme-manage command failed.
>>
>>
>> So it looks like the acme subsystem is not started. But logs for the
>> acme subsystem in /var/log/pki/pki-tomcat/acme/debug.2024-03-28.log
>> don't show any issue. (see attached log)
>>
>> How can I go further in troubleshooting/fixing this issue?
> I'd start by verifying that your CA is functioning. Something like ipa
> cert-find.
>
> Since you got a 404 (not found) I'd make sure that
> /etc/httpd/conf.d/ipa-pki-proxy.conf contains:
>
>
> ...
>
> rob
--===============0132619415277158581==--
From natxo.asenjo at gmail.com Tue Apr 2 11:53:58 2024
Content-Type: multipart/mixed; boundary="===============7684751959741233397=="
MIME-Version: 1.0
From: Natxo Asenjo
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: upgrade idm servers rhel 7 to 8 problems
Date: Tue, 02 Apr 2024 13:53:57 +0200
Message-ID:
In-Reply-To: CAHBEJzVurZhcJ0xKWxSh6ByfV1Dq_xBkYFB2tELruUQ4XA1=6Q@mail.gmail.com
--===============7684751959741233397==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
hi,
On Tue, Mar 26, 2024 at 2:47 PM Natxo Asenjo wrote:
> hi,
>
> posting back to the list.
>
> Apparently the idm server cannot find a SID of a domain when trying to
> resolve the user account. It does find the user account, but there are
> sids coupled to the account corresponding to a domain which cannot be
> resolved.
>
> It took me a while but the sid of that child domain is not the one not
> resolved.
>
> It turns out, the sid of the domain not resolving is the one of the idm
> realm itself. We have some idm groups mapped to the AD groups we allow in
> idm for rbac, and if I look at the ipaNTSecurityIdentifier attributes of
> the idm groups, those are the not resolved groups.
>
> This is unexpected (to me at least).
>
> so we have this trust (verified on two different idm servers, same value):
>
> ipa trust-find
> ---------------
> 1 trust matched
> ---------------
> Realm name: domain.local
> Domain NetBIOS name: DOMAIN
> Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
> Trust type: Active Directory domain
> ----------------------------
> Number of entries returned 1
>
> but inside this idm domain, we have some idm posix groups with the
> ipantsecurityidentifier of the not resolvable domain, for instance:
> S-1-5-21-1214650608-3976977395-3073169311-101072
>
> So basically, it is not matching because of this ipantsecurityidentifier,
> I think.
>
> I do not know how to fix this at this moment, or why it has happened. Any
> ideas?
>
>
I wonder if somebody with more sssd knowledge than me could push me in the
right direction. Is it maybe better to ask in the sssd mailing list?
Regards,
Natxo Asenjo
--
Groeten,
natxo
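The question above comes down to which domain each ipaNTSecurityIdentifier belongs to: a SID of the form S-1-5-21-A-B-C-RID is resolvable only if the S-1-5-21-A-B-C prefix is one of the domain SIDs the server knows about, and the group SID quoted in the post carries the IdM realm's own prefix, not the trusted forest's. The script below is an added example, not code from the thread, SSSD or FreeIPA: it splits SIDs into domain and RID and classifies each against the trusted domain from the quoted `ipa trust-find` output and the realm's own SID. The realm SID is an assumption lifted from the quoted group SID; in practice read it from the "Security Identifier" field of `ipa trustconfig-show`. Two of the sample SIDs are constructed.

```python
import re

# NT domain SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(?P<rid>\d+)$")

# From the ipa trust-find output quoted above: the trusted AD domain.
TRUSTED_DOMAINS = {
    "S-1-5-21-1416133915-1866970209-3316290679": "DOMAIN (domain.local)",
}
# Assumption: the IdM realm's own domain SID, as `ipa trustconfig-show` would
# report it; here taken as the prefix of the group SID quoted in the post.
LOCAL_DOMAIN_SID = "S-1-5-21-1214650608-3976977395-3073169311"


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID; reject well-known or malformed SIDs."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid!r}")
    return sid.rsplit("-", 1)[0], int(m["rid"])


def classify(sids, trusted=TRUSTED_DOMAINS, local=LOCAL_DOMAIN_SID):
    """Map each SID to the domain it belongs to: the IdM realm itself, a trusted
    AD domain, or nothing the server can resolve. Only the prefix is compared;
    the RID never influences the lookup."""
    out = {}
    for sid in sids:
        domain, rid = split_sid(sid)
        if domain == local:
            out[sid] = ("idm-local", rid)
        elif domain in trusted:
            out[sid] = (trusted[domain], rid)
        else:
            out[sid] = ("unresolvable", rid)
    return out


# Constructed inputs: the group SID from the post plus two made-up SIDs.
SAMPLE_SIDS = [
    "S-1-5-21-1214650608-3976977395-3073169311-101072",
    "S-1-5-21-1416133915-1866970209-3316290679-1105",
    "S-1-5-21-111111111-222222222-333333333-512",
]

if __name__ == "__main__":
    for sid, (where, rid) in classify(SAMPLE_SIDS).items():
        print(f"{sid}: {where} (RID {rid})")
```

Running it with `local` set to something other than the realm SID reproduces the symptom from the post: the IdM group's SID falls into "unresolvable" even though the AD trust is fine. To collect the real inputs, `ipa group-show <group> --all --raw` prints the ipantsecurityidentifier of a group and `ipa trustconfig-show` prints the realm's own SID.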
--===============7684751959741233397==--
From twest at cherryroad.com Tue Apr 2 14:46:30 2024
Content-Type: multipart/mixed; boundary="===============2347200955789866149=="
MIME-Version: 1.0
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Tue, 02 Apr 2024 14:46:08 +0000
Message-ID: <20240402144608.27639.62976@mailman01.iad2.fedoraproject.org>
In-Reply-To: d8211363-9aaf-fb92-34b1-ab53e1706c38@redhat.com
--===============2347200955789866149==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
I noticed some issues with the newly generated certs in my previous update. I have again generated new certs that this time have the Subject correct.
I can delete the bad certs that contain errant Principal from /etc/pki/pki-tomcat/alias and import the new ones. Then update the CA Subsystem Certificate in LDAP using ldapmodify and an updatecert.ldif, as well as update the cert and certreq values in /etc/pki/pki-tomcat/ca/CS.cfg.
What I am unclear on is how to fix the certmonger tracking so it isn't tracking the certs with the errant Principal.
--===============2347200955789866149==--
From rcritten at redhat.com Tue Apr 2 15:13:44 2024
Content-Type: multipart/mixed; boundary="===============8481345720656655802=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ACME certs fail to renew
Date: Tue, 02 Apr 2024 11:13:31 -0400
Message-ID: <6227664c-26a4-0128-5273-895135609bda@redhat.com>
In-Reply-To: a642f913-a8d7-4b2f-b79e-13f391e5d8c2@infra-monkey.com
--===============8481345720656655802==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Antoine Gatineau via FreeIPA-users wrote:
> Hello Rob,
>
> Thank you for replying quickly.
>
> As far as I could see, the apache config is good.
> All the 'ipa cert-*' and 'ipa ca-*' were working properly.
>
> The only command not working was ipa-acme-manage (and the certbot renew
> obviously).
>
> I tried adding a replica and acme was available and working on the new
> replica which rules out the ldap content I guess.
> I then reinstalled my replicas and everything is working properly now.
>
> So fixed, but I still don't know what happened :/
Yes, rather unsatisfying. But on the other hand I'm glad it's working
again for you.
ipa-healthcheck might be something to look into. I think it would have
alerted you to the issue earlier since ipa-acme-manage was failing.
Thanks for following up.
rob
>
> Best regards
>
> On 4/1/24 16:46, Rob Crittenden via FreeIPA-users wrote:
>> Antoine Gatineau via FreeIPA-users wrote:
>>> Hello,
>>>
>>> I have a strange issue regarding acme service.
>>> My acme certificates fail to renew. `ipa-acme-manage status`fails with
>>> error:
>>> Failed to authenticate to CA REST API
>>> The ipa-acme-manage command failed.
>>>
>>> certbot client fails with error "Failed to renew certificate
>>> office.empire.lan with error: "
>>>
>>> $ ipa cert-show 49
>>>  Issuing CA: ipa
>>>  Certificate: "The certificate content"
>>>  Subject: CN=office.empire.lan
>>>  Subject DNS name: office.empire.lan
>>>  Issuer: CN=Certificate Authority,O=EMPIRE.LAN
>>>  Not Before: Sun Dec 24 14:05:50 2023 UTC
>>>  Not After: Sat Mar 23 14:05:50 2024 UTC
>>>  Serial number: 49
>>>  Serial number (hex): 0x31
>>>  Revoked: False
>>>
>>> So last successful renewal was on Dec 24th. Since then I have not really
>>> done anything apart from updating.
>>> I don't see any issue in ipaupgrade.log
>>>
>>>
>>> I am running on centos stream 9
>>> idm-jss.x86_64 5.5.0-1.el9
>>> idm-jss-tomcat.x86_64 5.5.0-1.el9
>>> idm-ldapjdk.noarch 5.5.0-1.el9
>>> idm-pki-acme.noarch 11.5.0-1.el9
>>> idm-pki-base.noarch 11.5.0-1.el9
>>> idm-pki-ca.noarch 11.5.0-1.el9
>>> idm-pki-java.noarch 11.5.0-1.el9
>>> idm-pki-kra.noarch 11.5.0-1.el9
>>> idm-pki-server.noarch 11.5.0-1.el9
>>> idm-pki-tools.x86_64 11.5.0-1.el9
>>> ipa-client.x86_64 4.11.0-9.el9
>>> ipa-client-common.noarch 4.11.0-9.el9
>>> ipa-common.noarch 4.11.0-9.el9
>>> ipa-healthcheck.noarch
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
>>> 0.16-2.el9
>>> ipa-healthcheck-core.noarch=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
>>> 0.16-2.el9
>>> ipa-selinux.noarch=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0
>>> 4.11.0-9.el9
>>> ipa-server.x86_64=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0
>>> 4.11.0-9.el9
>>> ipa-server-common.noarch=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
>>> 4.11.0-9.el9
>>> ipa-server-dns.noarch=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
>>> 4.11.0-9.el9
>>>
>>> I have closely followed the update on CentOS Stream 9.
>>>
>>> Running `ipa-acme-manage status` with the -d switch gives me
>>> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache
>>> url=ldapi://%2fvar%2frun%2fslapd-EMPIRE-LAN.socket
>>> conn=
>>> ipaserver.masters: DEBUG: Discovery: available servers for service 'CA'
>>> are ipa-server-01.empire.lan, ipa-server-02.empire.lan
>>> ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for
>>> 'CA' service
>>> ipapython.dogtag: DEBUG: request POST
>>> https://ipa-server-01.empire.lan:8443/acme/login
>>> ipapython.dogtag: DEBUG: request body ''
>>> ipapython.dogtag: DEBUG: response status 404
>>> ipapython.dogtag: DEBUG: response headers Content-Type:
>>> text/html;charset=utf-8
>>> Content-Language: en
>>> Content-Length: 765
>>> Date: Thu, 28 Mar 2024 10:00:59 GMT
>>>
>>>
>>> ipapython.dogtag: DEBUG: response body (decoded): b'[Tomcat HTML error page, tags stripped] HTTP Status 404 \xe2\x80\x93 Not Found
>>> HTTP Status 404 \xe2\x80\x93 Not Found
>>> Type Status Report
>>> Message The requested resource [/acme/login] is not available
>>> Description The origin server did not find a current representation for the target
>>> resource or is not willing to disclose that one exists.
>>> Apache Tomcat/9.0.62
>>> '
>>> ipapython.admintool: DEBUG:   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py", line 403, in run
>>>     with state as ca_api:
>>>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py", line 103, in __enter__
>>>     raise errors.RemoteRetrieveError(
>>>
>>> ipapython.admintool: DEBUG: The ipa-acme-manage command failed,
>>> exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>>> ipapython.admintool: ERROR: Failed to authenticate to CA REST API
>>> ipapython.admintool: ERROR: The ipa-acme-manage command failed.
>>>
>>>
>>> So it looks like the acme subsystem is not started. But logs for the
>>> acme subsystem in /var/log/pki/pki-tomcat/acme/debug.2024-03-28.log
>>> don't show any issue. (see attached log)
>>>
>>> How can I go further in troubleshooting/fixing this issue?
>> I'd start by verifying that your CA is functioning. Something like ipa
>> cert-find.
>>
>> Since you got a 404 (not found) I'd make sure that
>> /etc/httpd/conf.d/ipa-pki-proxy.conf contains:
>>
>>
>> ...
>>
>> rob
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
From twest at cherryroad.com Tue Apr 2 17:01:05 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Tue, 02 Apr 2024 17:00:43 +0000
Message-ID: <20240402170043.24503.79818@mailman01.iad2.fedoraproject.org>
In-Reply-To: d8211363-9aaf-fb92-34b1-ab53e1706c38@redhat.com
Okay, I've sort of fixed the tracking, but there is still an issue I can't seem to solve. Here is the tracking now for the Audit, OCSP, and Subsystem certificates

Number of certificates and requests being tracked: 9.
Request ID '20190322032029':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O=IPA.****.NET,CN="CA Audit "
        expires: 2034-03-31 14:24:53 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
[root(a)ipa1-sea2 ~]# getcert list -i 20190322032030
Number of certificates and requests being tracked: 9.
Request ID '20190322032030':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O=IPA.****.NET,CN="OCSP Subsystem "
        expires: 2034-03-31 14:15:41 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
[root(a)ipa1-sea2 ~]# getcert list -i 20190322032031
Number of certificates and requests being tracked: 9.
Request ID '20190322032031':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O=IPA.****.NET,CN="CA Subsystem "
        expires: 2034-03-31 14:40:33 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes

In each of these the Subject line has the CN and O backwards. If I look at the certificates themselves, they have it listed correctly

# openssl pkcs12 -info -in audit.p12
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: A8 74 8A 94 58 C0 9E 28 3F 55 B9 F7 AC 9D 78 33 8E D3 C6 E3
    friendlyName: auditSigningCert cert-pki-ca
subject=/CN=CA Audit /O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority

So I'm confused as to how the 'getcert' output has the items in Subject reversed.
From rcritten at redhat.com Tue Apr 2 17:43:41 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Tue, 02 Apr 2024 13:43:27 -0400
Message-ID: <57e61cbc-946b-1fcf-5cc0-bb403d2e2dba@redhat.com>
In-Reply-To: 20240402170043.24503.79818@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> [...]
>         subject: O=IPA.****.NET,CN="CA Audit "
> [...]
> In each of these the Subject line has the CN and O backwards. If I look at the certificates themselves, they have it listed correctly
>
> # openssl pkcs12 -info -in audit.p12
> [...]
> subject=/CN=CA Audit /O=IPA.****.NET
> issuer=/O=IPA.****.NET/CN=Certificate Authority
>
> So I'm confused as to how the 'getcert' output has the items in Subject reversed.
The OpenSSL and NSS libraries merely display the data differently. It's
fine.

But you still have an issue with the certificates. You have a trailing
space after at least the audit, subsystem and OCSP certs. I think you
tried to quote only that when generating the subject rather than the
entire thing.

So

O=IPA.****.NET,"CN=CA Audit "

rather than

"O=IPA.****.NET,CN=CA Audit"

Once the certificates are valid you can try running ipa-server-upgrade.
It should repair bad tracking.

But with the strange subjects I'm not sure what will happen. What I do
know is that "CA Audit " != "CA Audit" in a subject.

rob
From twest at cherryroad.com Tue Apr 2 17:49:31 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Tue, 02 Apr 2024 17:49:11 +0000
Message-ID: <20240402174911.32543.79418@mailman01.iad2.fedoraproject.org>
In-Reply-To: 57e61cbc-946b-1fcf-5cc0-bb403d2e2dba@redhat.com
This was the command I used to generate the CSRs

openssl req -new -sha256 -key subsystem.key -subj "/CN=CA Subsystem /O=IPA.****.NET" -out subsystem.csr

But I guess that results in the extra space. So perhaps it should be

openssl req -new -sha256 -key subsystem.key -subj "/CN=CA Subsystem,/O=IPA.***.NET" -out subsystem.csr (?)

Apologies for all the questions that might seem pretty basic. Just trying to get this figured out.
From twest at cherryroad.com Tue Apr 2 18:50:26 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Tue, 02 Apr 2024 18:50:02 +0000
Message-ID: <20240402185002.11469.96367@mailman01.iad2.fedoraproject.org>
In-Reply-To: 57e61cbc-946b-1fcf-5cc0-bb403d2e2dba@redhat.com
Okay, I've generated new certs that don't have the extra space. Once those were imported to the NSS DB I also updated the CS.cfg with the new cert and certreq values for OCSP, Audit, and Subsystem.

I also did an ldapsearch for the Subsystem certificate to make sure it matches. I then tried to run ipa-server-upgrade, but it failed.
Tracking Requests:

Request ID '20190322032031':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O=IPA.****.NET,CN=CA Subsystem
        expires: 2034-03-31 17:57:15 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190322032030':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O=IPA.****.NET,CN=OCSP Subsystem
        expires: 2034-03-31 18:02:29 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190322032029':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O=IPA.****.NET,CN=CA Audit
        expires: 2034-03-31 18:00:11 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

Subsystem in LDAP matches the NSS DB

# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDNjCCA...EyISxo3w==
description: 2;4;CN=Certificate Authority,O=IPA.****.NET;CN=CA Subsystem,O=IPA.***.NET
seeAlso: CN=CA Subsystem,O=IPA****.NET

[root(a)ipa1-sea2 log]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
MIIDNjCCA...EyISxo3w==
-----END CERTIFICATE-----

[root(a)ipa1-sea2 log]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep Serial
        Serial Number: 4 (0x4)

*note the Serial in LDAP is '4' while in NSS DB it shows as 4 (0x4) not sure if this is the issue.
Output of ipa-server-upgrade

# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s

Output in the /var/log/pki/pki-tomcat/ca/system log while the upgrade was running
2024-04-02T18:30:11Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.
Apache Tomcat/7.0.76
'
2024-04-02T18:30:11Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2024-04-02T18:30:11Z DEBUG Waiting for CA to start...
2024-04-02T18:30:12Z DEBUG request POST http://ipa1-sea2.ipa.****.net:8080/ca/admin/ca/getStatus
2024-04-02T18:30:12Z DEBUG request body ''
2024-04-02T18:30:12Z DEBUG response status 500
2024-04-02T18:30:12Z DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Tue, 02 Apr 2024 18:30:12 GMT
Connection: close

2024-04-02T18:30:12Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.
Apache Tomcat/7.0.76
'
2024-04-02T18:30:12Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2024-04-02T18:30:12Z DEBUG Waiting for CA to start...
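Two checks in this thread can be scripted rather than done by eye: Rob's point that getcert/NSS (RFC 4514 order) and openssl (slash form, DER order) print the same subject in opposite order while a trailing space in an RDN value, as produced by the `-subj "/CN=CA Subsystem /O=..."` command above, makes it a different DN; and the comparison of the subsystem certificate in LDAP against the NSS database, where the pkidbuser `description` has the form `2;<serial>;<issuer DN>;<subject DN>` and certutil prints the serial as `4 (0x4)`. The following is an added example, not code from the thread or from FreeIPA/Dogtag; the DNs, serial and the `IPA.EXAMPLE.NET` realm are constructed sample values, and it uses only the Python standard library.

```python
# Added example, not code from the thread or from FreeIPA/Dogtag. Compares X.509
# subjects as getcert/NSS (RFC 4514 order) and OpenSSL (slash form, DER order)
# print them, flags whitespace-padded RDN values such as "CA Audit ", and checks a
# pkidbuser 'description' against certutil output. All values are constructed.
import re
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "CA Audit")


def parse_rfc4514(dn: str) -> List[RDN]:
    """Parse 'O=IPA.EXAMPLE.NET,CN="CA Audit "' into DER order. RFC 4514 lists
    RDNs last-to-first, so the result is reversed. Quoted values and backslash
    escapes are honoured and values are never stripped, so padding survives."""
    rdns: List[RDN] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"malformed DN: {dn!r}")
        attr = dn[i:eq].strip()
        if "+" in attr:  # multi-valued RDNs do not occur in IPA's own certs
            raise ValueError("multi-valued RDNs are not supported here")
        i = eq + 1
        value: List[str] = []
        if i < n and dn[i] == '"':  # quoted value: read up to the closing quote
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < n:
                    i += 1
                value.append(dn[i])
                i += 1
            i += 1  # skip the closing quote
        else:  # unquoted value: read up to the next comma
            while i < n and dn[i] != ",":
                if dn[i] == "\\" and i + 1 < n:
                    i += 1
                value.append(dn[i])
                i += 1
        rdns.append((attr.upper(), "".join(value)))
        if i < n and dn[i] == ",":
            i += 1
    return list(reversed(rdns))


def parse_openssl_subject(subject: str) -> List[RDN]:
    """Parse OpenSSL's slash form ('/CN=CA Audit /O=IPA.EXAMPLE.NET'), which is
    already DER order and is also what 'openssl req -subj' takes verbatim."""
    rdns: List[RDN] = []
    for part in subject.split("/"):
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value))
    return rdns


def same_dn(a: List[RDN], b: List[RDN]) -> bool:
    """Byte-exact equality in DER order: no case or whitespace folding, which
    is the sense in which "CA Audit " != "CA Audit"."""
    return a == b


def padded_values(rdns: List[RDN]) -> List[str]:
    """Attribute types whose value carries leading or trailing whitespace."""
    return [attr for attr, value in rdns if value != value.strip()]


# Constructed sample of the uid=pkidbuser description seen in the ldapsearch
# above; the format is '2;<serial>;<issuer DN>;<subject DN>'.
SAMPLE_DESCRIPTION = ("2;4;CN=Certificate Authority,O=IPA.EXAMPLE.NET;"
                      "CN=CA Subsystem,O=IPA.EXAMPLE.NET")


def parse_pkidbuser_description(desc: str) -> Tuple[int, int, List[RDN], List[RDN]]:
    """Return (version, serial, issuer, subject) with both DNs in DER order."""
    version, serial, issuer, subject = desc.split(";", 3)
    return int(version), int(serial), parse_rfc4514(issuer), parse_rfc4514(subject)


def parse_certutil_serial(line: str) -> int:
    """certutil prints 'Serial Number: 4 (0x4)'; LDAP stores the bare decimal 4."""
    m = re.search(r"Serial Number:\s*(\d+)", line)
    if not m:
        raise ValueError(f"no serial number in {line!r}")
    return int(m.group(1))


def subsystem_cert_matches(description: str, certutil_serial_line: str,
                           nss_subject: str) -> bool:
    """True when LDAP and the NSS database agree on serial and subject DN."""
    _, serial, _, subject = parse_pkidbuser_description(description)
    return (serial == parse_certutil_serial(certutil_serial_line)
            and same_dn(subject, parse_rfc4514(nss_subject)))


if __name__ == "__main__":
    nss = 'O=IPA.EXAMPLE.NET,CN="CA Audit "'  # as getcert printed it
    ossl = "/CN=CA Audit /O=IPA.EXAMPLE.NET"   # as openssl printed it
    print("same DN:", same_dn(parse_rfc4514(nss), parse_openssl_subject(ossl)))
    print("padded:", padded_values(parse_rfc4514(nss)))
    print("LDAP vs NSS:", subsystem_cert_matches(
        SAMPLE_DESCRIPTION, "Serial Number: 4 (0x4)", "CN=CA Subsystem,O=IPA.EXAMPLE.NET"))
```

In practice the inputs are the `subject:` line from `getcert list`, the `subject=` line from `openssl pkcs12 -info` or `openssl x509 -subject`, and the `description` attribute from the ldapsearch shown above. The comparison is deliberately byte-exact; it does not apply the case or whitespace folding that RFC 5280 name comparison permits, which keeps it on the strict side when deciding whether a regenerated certificate really matches what LDAP records.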
From djerkg at gmail.com Tue Apr 2 19:21:28 2024
From: Djerk Geurts
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] CA_UNREACHABLE when requesting from Ubuntu 20.04 to
FreeIPA v4.11.1
Date: Tue, 02 Apr 2024 21:20:30 +0200
Message-ID:
Hi,

A month or so ago we upgraded from Fedora 37 to 39. I guess this is the first time I'm getting round to requesting a new certificate, and it's failing from a server we use to manage several certificates for non-IPA client hosts.

Output of ipa-getcert list:

Request ID '20240402190326':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.domain.com/ipa/xml failed request, will retry: 903 (RPC failed at server.  an internal error has occurred).
        stuck: no
        key pair storage: type=FILE,location='/etc/ssl/private/host.domain.com.key'
        certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

The httpd log on the IPA server:

[Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only single-valued attributes are supported
[Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] Traceback (most recent call last):
[Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
[Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     result = command(*args, **options)
[Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]              ^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in __call__
[Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     return self.__do_call(*args, **options)
[Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in __do_call
[Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     ret = self.run(*args, **options)
[Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]           ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
[Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     return self.execute(*args, **options)
[Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, in execute
[Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     ext_san = csr.extensions.get_extension_for_oid(
[Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]               ^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are supported
[Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] host/jump.domain.com(a)DOMAIN.COM: cert_request('MIID**********d1A==', principal='HTTP/host.domain.com(a)DOMAIN.COM', add=True, version='2.51'): InternalError

The requesting machine is allowed to manage both the host and the service. Requesting the certificate on the IPA server itself works fine. I've read elsewhere that this could be an incompatibility between the client and the server.

Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
Server: Fedora 39, ipa-server: v4.11.1

Thanks,
Djerk Geurts
From rcritten at redhat.com Tue Apr 2 20:29:45 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1
Date: Tue, 02 Apr 2024 16:29:16 -0400
Message-ID: <4fc2d325-c935-293a-38c2-bd2c89e20a80@redhat.com>
In-Reply-To: C00BAEEA-A8BE-4810-8516-DB1C9A058057@gmail.com
Can we see the whole CSR? You should be able to find it in the
certmonger request file in /var/lib/certmonger/requests/
Sometimes the value matches the Request ID but not always.
It is the parsing of the CSR where it blew up, getting multiple values
where only one was expected.
rob
From djerkg at gmail.com Tue Apr 2 21:19:26 2024
From: Djerk Geurts
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1
Date: Tue, 02 Apr 2024 23:18:58 +0200
Message-ID: <54F27E16-870F-446D-8C84-312C2CDE632A@gmail.com>
In-Reply-To: 4fc2d325-c935-293a-38c2-bd2c89e20a80@redhat.com
Hi Rob,
Here's the content of the CSR:
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
I can't see any difference between this CSR and others that worked before. Could it be an issue with an updated version of ipa-client or openssl? I tested issuing a new certificate from an Ubuntu 22.04 host and that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu 22.04 has v3.0.2.
The certificate was requested with: sudo ipa-getcert request -N ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} | awk 'NF>1{print $NF}')
Which has worked fine for us for over two years.
Thanks,
Djerk Geurts
From flo at redhat.com Tue Apr 2 21:45:54 2024
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Tue, 02 Apr 2024 23:45:26 +0200
In-Reply-To: 20240402185002.11469.96367@mailman01.iad2.fedoraproject.org
Hi,
On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Okay, I've generated new certs that don't have the extra space. Once
> those were imported to the NSS DB I also updated the CS.cfg with the new
> cert and certreq values for OCSP, Audit, and Subsystem.
> I also did an ldapsearch for the Subsystem certificate to make sure it
> matches. I then tried to run ipa-server-upgrade, but it failed.
>
> Tracking Requests:
>
> Request ID '20190322032031':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=CA Subsystem
>
As Rob wrote, it's not a problem that getcert list, OpenSSL and NSS
libraries show the subject in DN order (RFC 2253) or reverse DN order, but
I find it suspect that issuer and subject have picked inconsistent orders.
In my f35 instance, getcert list shows the following:
issuer: CN=Certificate Authority,O=IPA.TEST
subject: CN=CA Subsystem,O=IPA.TEST
flo
From rcritten at redhat.com Tue Apr 2 22:28:04 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1
Date: Tue, 02 Apr 2024 18:27:43 -0400
Message-ID: <62ee831c-9f80-2e7d-d7c3-8caf0ab39e87@redhat.com>
In-Reply-To: 54F27E16-870F-446D-8C84-312C2CDE632A@gmail.com
I can reproduce the issue with your CSR but I don't know yet what
python-cryptography doesn't like about it.
Older versions of python-cryptography yield different errors but the
issue is still elusive. I'm looking at the ASN1 encoding.
What version of certmonger is installed on the machine that made the
request?
rob
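Rob's two observations in this thread, that the server blew up while parsing the CSR because it found multiple values where one was expected, and that the remaining question is in the ASN.1 encoding, describe the same check: python-cryptography raises "Only single-valued attributes are supported" when a PKCS#10 attribute's value SET holds more than one element. The script below is an added triage aid, not code from the thread, from FreeIPA or from certmonger. It walks the CSR's DER with the standard library only, so it still works on a request that python-cryptography refuses to load, and reports each attribute OID with the number of values in its SET, which tells an administrator which attribute the server-side parser tripped on before comparing client versions. The CSR from the thread is not preserved in the archive, so the script builds its own placeholder requests (no real key or signature, labelled constructed in the code); the OIDs for extensionRequest and challengePassword are the standard PKCS#9 ones.

```python
"""CSR attribute triage: list each PKCS#10 attribute with the number of values
in its SET and flag any attribute carrying more than one. Standard-library DER
walking only, so it runs even where python-cryptography refuses the CSR."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)
EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"   # pkcs-9 extensionRequest
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"   # pkcs-9 challengePassword

def pem_to_der(pem):
    """Accept both 'CERTIFICATE REQUEST' and the older 'NEW CERTIFICATE REQUEST' armor."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CSR PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; single-byte tags are all a CSR uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def _children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def csr_attributes(der):
    """[(oid, value_count), ...] for every attribute of a DER CSR.
    CertificationRequestInfo ::= SEQUENCE { version, subject, spki, [0] attributes }"""
    tag, cert_req, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CSR does not start with a SEQUENCE")
    _, info, _ = _read_tlv(cert_req, 0)
    attr_blocks = [v for t, v in _children(info) if t == 0xA0]   # [0] IMPLICIT Attributes
    result = []
    for _, attribute in (_children(attr_blocks[0]) if attr_blocks else []):
        (_, oid_raw), (_, value_set) = _children(attribute)      # Attribute ::= SEQUENCE { type, values SET }
        result.append((_decode_oid(oid_raw), len(_children(value_set))))
    return result

def multi_valued_attributes(der):
    """The attributes a single-value-only CSR parser rejects."""
    return [(oid, n) for oid, n in csr_attributes(der) if n > 1]

# --- constructed sample CSRs: placeholder key and signature, no real crypto ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_csr(extension_request_values):
    """Structurally valid CSR whose extensionRequest SET holds one entry per element
    of extension_request_values (each the content of a placeholder Extensions SEQUENCE)."""
    algo = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.1")) + _tlv(0x05, b""))
    spki = _tlv(0x30, algo + _tlv(0x03, b"\x00\x00"))                 # placeholder key bits
    challenge = _tlv(0x30, _tlv(0x06, _encode_oid(CHALLENGE_PASSWORD_OID))
                     + _tlv(0x31, _tlv(0x13, b"constructed")))
    ext_req = _tlv(0x30, _tlv(0x06, _encode_oid(EXTENSION_REQUEST_OID))
                   + _tlv(0x31, b"".join(_tlv(0x30, v) for v in extension_request_values)))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + spki + _tlv(0xA0, challenge + ext_req))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")) + _tlv(0x05, b""))
    return _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00\x00\x00\x00\x00"))   # placeholder signature

WELL_FORMED_CSR = build_sample_csr([b""])
MULTI_VALUED_CSR = build_sample_csr([b"", b"\x30\x00"])   # two Extensions values in one SET
SAMPLE_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.b64encode(WELL_FORMED_CSR).decode()
              + "\n-----END NEW CERTIFICATE REQUEST-----\n")
```

To triage a real request, read the PEM out of the certmonger request file (or the `-----BEGIN NEW CERTIFICATE REQUEST-----` block shown earlier), run it through `pem_to_der` and then `multi_valued_attributes`; an empty list means the attribute layout is not what the server-side parser objects to, and the remaining difference has to be looked for elsewhere in the encoding.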
From twest at cherryroad.com Wed Apr 3 03:23:49 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 03:23:27 +0000
Message-ID: <20240403032327.21964.27303@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7JzCXND87O5PFoeMC2Ua_ROKg5b4eY8H-kj+_ApP7a5wHw@mail.gmail.com
> Hi,
>
> On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
> As Rob wrote, it's not a problem that getcert list, OpenSSL and NSS
> libraries show the subject in a DN order (RFC2253) or DN reverse order, but
> I find it suspect that issuer and subject have picked inconsistent order.
> In my f35 instance, getcert list shows the following:
> issuer: CN=Certificate Authority,O=IPA.TEST
> subject: CN=CA Subsystem,O=IPA.TEST
>
I'm not sure I follow. My getcert list output looks like that, except the CN and O are reversed in the Subject line:
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: O=IPA.****.NET,CN=OCSP Subsystem
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: O=IPA.****.NET,CN=CA Subsystem
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: O=IPA.****.NET,CN=CA Audit
--===============4128324371830386572==--
From djerkg at gmail.com Wed Apr 3 07:30:12 2024
Content-Type: multipart/mixed; boundary="===============9032177438007512768=="
MIME-Version: 1.0
From: Djerk Geurts
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04
to FreeIPA v4.11.1
Date: Wed, 03 Apr 2024 09:29:45 +0200
Message-ID:
In-Reply-To: 62ee831c-9f80-2e7d-d7c3-8caf0ab39e87@redhat.com
--===============9032177438007512768==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Ubuntu 20.04: Certmonger v0.79.9 << fails
Ubuntu 22.04: Certmonger v0.79.14 << works
> On 3 Apr 2024, at 00:27, Rob Crittenden wrote:
>
> I can reproduce the issue with your CSR but I don't know yet what
> python-cryptography doesn't like about it.
>
> Older versions of python-cryptography yield different errors but the
> issue is still elusive. I'm looking at the ASN1 encoding.
>
> What version of certmonger is installed on the machine that made the
> request?
>
> rob
>
> Djerk Geurts via FreeIPA-users wrote:
>> Hi Rob,
>>
>>
>> I can't see any difference between this CSR and others that worked
>> before. Could it be an issue with an updated version of ipa-client or
>> openssl? I tested issuing a new certificate from a Ubuntu 22.04 host and
>> that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu
>> 22.04 has v3.0.2.
>>
>> The certificate was requested with: sudo ipa-getcert request -N
>> ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f
>> /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} |
>> awk 'NF>1{print $NF}')
>>
>> Which has worked fine for us for over two years.
>>
>> Thanks,
>> Djerk Geurts
>>
>>> On 2 Apr 2024, at 22:29, Rob Crittenden wrote:
>>>
>>> Djerk Geurts via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the
>>>> first time I'm getting round to requesting a new certificate, and it's
>>>> failing from a server we use to manage several certificates for non-IPA
>>>> client hosts.
>>>>
>>>> Output of ipa-getcert list:
>>>>
>>>> Request ID '20240402190326':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server at https://ipa.domain.com/ipa/xml failed
>>>> request, will retry: 903 (RPC failed at server. an internal error has
>>>> occurred).
>>>> stuck: no
>>>> key pair storage:
>>>> type=FILE,location='/etc/ssl/private/host.domain.com.key'
>>>> certificate:
>>>> type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
>>>> CA: IPA
>>>> issuer:
>>>> subject:
>>>> expires: unknown
>>>> pre-save command:
>>>> post-save command:
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> The httpd log on the IPA server:
>>>>
>>>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only
>>>> single-valued attributes are supported
>>>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] Traceback (most recent call last):
>>>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] File
>>>> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in
>>>> wsgi_execute
>>>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] result = command(*args, **options)
>>>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] File
>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in
>>>> __call__
>>>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] return self.__do_call(*args, **options)
>>>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] File
>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in
>>>> __do_call
>>>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ret = self.run(*args, **options)
>>>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] File
>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
>>>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] return self.execute(*args, **options)
>>>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] File
>>>> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716,
>>>> in execute
>>>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ext_san =
>>>> csr.extensions.get_extension_for_oid(
>>>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are
>>>> supported
>>>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957]
>>>> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver]
>>>> host/jump.domain.com(a)DOMAIN.COM: cert_request('MIID**********d1A==',
>>>> principal='HTTP/host.domain.com(a)DOMAIN.COM', add=True, version='2.51'):
>>>> InternalError
>>>>
>>>> The requesting machine is allowed to manage both the host and the
>>>> service. Requesting the certificate on the IPA server itself works fine.
>>>> I've read elsewhere that this could be an incompatibility between the
>>>> client and the server.
>>>>
>>>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
>>>> Server: Fedora 39, ipa-server: v4.11.1
>>>
>>> Can we see the whole CSR? You should be able to find it in the
>>> certmonger request file in /var/lib/certmonger/requests/
>>> Sometimes the value matches the Request ID but not always.
>>>
>>> It is the parsing of the CSR where it blew up, getting multiple values
>>> where only one was expected.
>>>
>>> rob
--===============9032177438007512768==--
From flo at redhat.com Wed Apr 3 11:00:56 2024
Content-Type: multipart/mixed; boundary="===============0332809820129392350=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 13:00:29 +0200
Message-ID:
In-Reply-To: 20240403032327.21964.27303@mailman01.iad2.fedoraproject.org
--===============0332809820129392350==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
On Wed, Apr 3, 2024 at 5:24 AM Travis West via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> > Hi,
> >
> > On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users <
> > freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> > As Rob wrote, it's not a problem that getcert list, OpenSSL and NSS
> > libraries show the subject in a DN order (RFC2253) or DN reverse order, but
> > I find it suspect that issuer and subject have picked inconsistent order.
> > In my f35 instance, getcert list shows the following:
> > issuer: CN=Certificate Authority,O=IPA.TEST
> > subject: CN=CA Subsystem,O=IPA.TEST
> >
>
> I'm not sure I follow. My getcert list output looks like that, except the
> CN and O are reversed in the Subject line
>
That's exactly my point. I would expect subject and issuer to display the
components in the same order (ending with O=IPA.****.NET). The subject was
provided to the openssl req command; you can try to provide it in the reverse
order.
flo
>
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=OCSP Subsystem
>
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=CA Subsystem
>
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=CA Audit
--===============0332809820129392350==--
From twest at cherryroad.com Wed Apr 3 11:09:45 2024
Content-Type: multipart/mixed; boundary="===============2935393760000884417=="
MIME-Version: 1.0
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 11:09:24 +0000
Message-ID: <20240403110924.4294.19567@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7JwyS=pu6S3otZVDygQrz7Wpkf=x8cNegQPm4tx7njB66Q@mail.gmail.com
--===============2935393760000884417==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
> On Wed, Apr 3, 2024 at 5:24 AM Travis West via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
> That's exactly my point. I would expect subject and issuer to display the
> components in the same order (ending with O=IPA.****.NET). The subject was
> provided to openssl req command, you can try to provide it in the reverse
> order.
If I look at the p12 file I created, it has them listed in the correct order for Subject, but the Issuer line is reversed from what getcert shows:
subject=/CN=OCSP Subsystem/O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority
subject=/CN=CA Subsystem/O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority
subject=/CN=CA Audit/O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority
The CSR was created using this command:
openssl req -new -sha256 -key ocsp.key -subj "/CN=OCSP Subsystem /O=IPA.SUPERB.NET" -out ocsp.csr
The certificate was requested using this command:
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out ocsp.crt -days 3650 -sha256
So you're saying in that CSR req to swap CN and O for that -subj flag?
--===============2935393760000884417==--
From twest at cherryroad.com Wed Apr 3 12:24:44 2024
Content-Type: multipart/mixed; boundary="===============8456551214670551905=="
MIME-Version: 1.0
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 12:24:20 +0000
Message-ID: <20240403122420.16941.71601@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7JwyS=pu6S3otZVDygQrz7Wpkf=x8cNegQPm4tx7njB66Q@mail.gmail.com
--===============8456551214670551905==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Swapping the O and CN in the req did the trick for the getcert list output:
Request ID '20190322032031':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: CN=CA Subsystem,O=IPA.****.NET
expires: 2034-04-01 11:35:47 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190322032030':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: CN=OCSP Subsystem,O=IPA.****.NET
expires: 2034-04-01 11:32:48 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190322032029':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: CN=CA Audit,O=IPA.****.NET
expires: 2034-04-01 11:38:26 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
I then updated LDAP with the new CA Subsystem cert, so that and the serial for it match:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDNj....RXOm8Q==
description: 2;4;CN=Certificate Authority,O=IPA.****.NET;CN=CA Subsystem,O=IPA.****.NET
seeAlso: CN=CA Subsystem,O=IPA.****.NET
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
MIIDNj....RXOm8Q==
-----END CERTIFICATE-----
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep Serial
Serial Number: 4 (0x4)
After this I tried an 'ipactl restart --ignore-service-failures' but pki-tomcat still failed to start. So I tried manually stopping that service using systemctl stop pki-tomcatd(a)pki-tomcat.service then issuing an 'ipactl start --ignore-service-failures'.
This time all services seem to have started:
# ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
If I log in to the UI I can now browse to Authentication > Certificates, whereas before I got an error when going here.
So far so good. Now, I've got 5 other servers in this cluster, all denoted as Master, with this server set as the CA Renewal Master. Do I need to repeat the certificate import steps on the other 5 servers or is there a way to replicate over the new certificates to the other hosts?
--===============8456551214670551905==--
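The two checks this thread performs by hand, Flo's expectation that subject and issuer list their RDNs in the same order (the order given to openssl -subj is the DER order, and getcert prints it reversed), and Travis's comparison of the pkidbuser description and serial in LDAP against the cert in the NSS database, as an added Python example that is not code from the thread or from FreeIPA/Dogtag. It uses python-cryptography, builds throwaway certificates in memory, and the realm IPA.EXAMPLE.TEST is a placeholder for the masked IPA.****.NET:

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed placeholder realm standing in for the masked IPA.****.NET.
REALM = "IPA.EXAMPLE.TEST"

_OID = {"O": NameOID.ORGANIZATION_NAME, "CN": NameOID.COMMON_NAME}


def dn(*pairs):
    """Build an X.509 Name whose DER order is the order of `pairs`.

    This mirrors openssl's slash syntax: -subj "/O=x/CN=y" encodes O first,
    and rfc4514_string() then prints it reversed as "CN=y,O=x", which is
    the form getcert list and the Dogtag LDAP description use.
    """
    return x509.Name([x509.NameAttribute(_OID[t], v) for t, v in pairs])


def dn_order_matches(cert):
    """True when subject and issuer encode the attribute types they share
    in the same DER order (both O then CN for an IPA CA), i.e. when both
    getcert lines end with O=<realm>."""
    subj = [a.oid for a in cert.subject]
    iss = [a.oid for a in cert.issuer]
    shared = set(subj) & set(iss)
    return [o for o in subj if o in shared] == [o for o in iss if o in shared]


def check_pkidbuser_description(description, cert):
    """Compare the 'description' stored on uid=pkidbuser,ou=people,o=ipaca
    ("2;<serial>;<issuer DN>;<subject DN>", serial in decimal) with the
    certificate actually present in the NSS database.  Returns a list of
    mismatches; an empty list means LDAP and the NSS DB agree."""
    parts = description.split(";", 3)
    if len(parts) != 4:
        return [f"unexpected description format: {description!r}"]
    _, serial, issuer, subject = parts
    problems = []
    if int(serial) != cert.serial_number:
        problems.append(f"serial {serial} in LDAP, {cert.serial_number} in NSS DB")
    if issuer != cert.issuer.rfc4514_string():
        problems.append(f"issuer {issuer!r} != {cert.issuer.rfc4514_string()!r}")
    if subject != cert.subject.rfc4514_string():
        problems.append(f"subject {subject!r} != {cert.subject.rfc4514_string()!r}")
    return problems


def _issue(subject, issuer, signing_key, serial):
    """Constructed test certificate: a fresh EC key signed by `signing_key`."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .sign(signing_key, hashes.SHA256())
    )


def build_examples():
    """Two subsystem certs from the same CA: one whose CSR used
    -subj "/O=REALM/CN=CA Subsystem", one with CN and O swapped."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_dn = dn(("O", REALM), ("CN", "Certificate Authority"))
    good = _issue(dn(("O", REALM), ("CN", "CA Subsystem")), ca_dn, ca_key, 4)
    swapped = _issue(dn(("CN", "CA Subsystem"), ("O", REALM)), ca_dn, ca_key, 4)
    return good, swapped


if __name__ == "__main__":
    good, swapped = build_examples()
    for label, cert in (("good", good), ("swapped", swapped)):
        print(label, "subject:", cert.subject.rfc4514_string(),
              "| issuer:", cert.issuer.rfc4514_string(),
              "| order matches:", dn_order_matches(cert))
    ldap_desc = f"2;4;CN=Certificate Authority,O={REALM};CN=CA Subsystem,O={REALM}"
    print(check_pkidbuser_description(ldap_desc, good))     # []
    print(check_pkidbuser_description(ldap_desc, swapped))  # subject order mismatch
```

On a real server you would load the NSS DB cert with `x509.load_pem_x509_certificate()` from the `certutil -L ... -a` output and the description string from the ldapsearch result above.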
From twest at cherryroad.com Wed Apr 3 12:46:04 2024
Content-Type: multipart/mixed; boundary="===============7459351233215846445=="
MIME-Version: 1.0
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 12:45:53 +0000
Message-ID: <20240403124553.20581.98833@mailman01.iad2.fedoraproject.org>
In-Reply-To: 20240403122420.16941.71601@mailman01.iad2.fedoraproject.org
--===============7459351233215846445==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Spoke too soon. If I try to get a new certificate on an enrolled host I get this:
status: CA_UNREACHABLE
ca-error: Server at https://ipa1-sea2.ipa.****.net/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa1-sea2.ipa.****.net:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)).
This is reflected in the UI if I go to Authentication > Certificates > Certificate Authorities, where I see the same error.
The IPA server listed there is the one where all services started via ipactl start in my previous update.
--===============7459351233215846445==--
From rcritten at redhat.com Wed Apr 3 14:11:36 2024
Content-Type: multipart/mixed; boundary="===============0771660938312810294=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04
to FreeIPA v4.11.1
Date: Wed, 03 Apr 2024 10:11:05 -0400
Message-ID:
In-Reply-To: BDEA1E29-511F-4274-AEDC-6EAD7D4660F4@gmail.com
--===============0771660938312810294==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
There was a bug in the DER encoding that certmonger used when generating
the CSR. python-cryptography allowed it for a while, then complained
loudly about it and now no longer accepts it. Upgrading certmonger is
the proper fix.
rob
Djerk Geurts wrote:
> Ubuntu 20.04: Certmonger v0.79.9 << fails
> Ubuntu 22.04: Certmonger v0.79.14 << works
--===============0771660938312810294==--
From djerkg at gmail.com Wed Apr 3 14:23:26 2024
Content-Type: multipart/mixed; boundary="===============2369302547836916933=="
MIME-Version: 1.0
From: Djerk Geurts
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04
to FreeIPA v4.11.1
Date: Wed, 03 Apr 2024 16:21:58 +0200
Message-ID:
In-Reply-To: cb300428-9beb-efc7-7b12-7ffc0f64062a@redhat.com
--===============2369302547836916933==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Not sure how long we'll need to wait for a fix in Ubuntu 20.04, so we're uplifting our jumphosts to Ubuntu 22.04. We were going to wait so we could go from 20.04 to 24.04, but alas…
Thank you for your time!
> On 3 Apr 2024, at 16:11, Rob Crittenden wrote:
>
> There was a bug in the DER encoding that certmonger used when generating
> the CSR. python-cryptography allowed it for a while, then complained
> loudly about it and now no longer accepts it. Upgrading certmonger is
> the proper fix.
>
> rob
>
> Djerk Geurts wrote:
>> Ubuntu 20.04: Certmonger v0.79.9 << fails
>> Ubuntu 22.04: Certmonger v0.79.14 << works
>> =
>>> On 3 Apr 2024, at 00:27, Rob Crittenden wrote:
>>> =
>>> I can reproduce the issue with your CSR but I don't know yet what
>>> python-cryptography doesn't like about it.
>>> =
>>> Older versions of python-cryptography yield different errors but the
>>> issue is still elusive. I'm looking at the ASN1 encoding.
>>> =
>>> What version of certmonger is installed on the machine that made the
>>> request?
>>> =
>>> rob
>>> =
>>> Djerk Geurts via FreeIPA-users wrote:
>>>> Hi Rob,
>>>> =
>>>> =
>>>> I can=E2=80=99t see any difference between this CSR and others that wo=
rked
>>>> before. Could it be an issue with an updated version of ipa-client or
>>>> openssl? I tested issuing a new certificate from a Ubuntu 22.04 host a=
nd
>>>> that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu
>>>> 22.04 have v3.0.2.
>>>> =
>>>> The certificate ws requested with: sudo ipa-getcert request -N
>>>> ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f
>>>> /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} |
>>>> awk 'NF>1{print $NF}=E2=80=99)
>>>> =
>>>> Which has worked fine for us for over two years.
>>>> =
>>>> Thanks,
>>>> Djerk Geurts
>>>> =
>>>>> On 2 Apr 2024, at 22:29, Rob Crittenden wrote:
>>>>> =
>>>>> Djerk Geurts via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>> =
>>>>>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is =
the
>>>>>> first time I=E2=80=99m getting round to requesting a new certificate=
, and it=E2=80=99s
>>>>>> failing from a server we use to manage several certificates for non-=
IPA
>>>>>> client hosts.
>>>>>> =
>>>>>> Output of ipa-getcert list:
>>>>>> =
>>>>>> Request ID '20240402190326':
>>>>>> status: CA_UNREACHABLE
>>>>>> ca-error: Server at https://ipa.domain.com/ipa/xml failed
>>>>>> request, will retry: 903 (RPC failed at server. an internal error h=
as
>>>>>> occurred).
>>>>>> stuck: no
>>>>>> key pair storage:
>>>>>> type=3DFILE,location=3D'/etc/ssl/private/host.domain.com.key'
>>>>>> certificate:
>>>>>> type=3DFILE,location=3D'/etc/ssl/certs/host.domain.com.crt'
>>>>>> CA: IPA
>>>>>> issuer:
>>>>>> subject:
>>>>>> expires: unknown
>>>>>> pre-save command:
>>>>>> post-save command:
>>>>>> track: yes
>>>>>> auto-renew: yes
>>>>>> =
>>>>>> The httpd log on the IPA server:
>>>>>> =
>>>>>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only
>>>>>> single-valued attributes are supported
>>>>>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] Traceback (most recent call last):
>>>>>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] File
>>>>>> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417=
, in
>>>>>> wsgi_execute
>>>>>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] result =3D command(*args, **options)
>>>>>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] File
>>>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in
>>>>>> __call__
>>>>>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] return self.__do_call(*args, **options)
>>>>>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] File
>>>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in
>>>>>> __do_call
>>>>>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ret = self.run(*args, **options)
>>>>>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] File
>>>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
>>>>>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] return self.execute(*args, **options)
>>>>>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] File
>>>>>> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716,
>>>>>> in execute
>>>>>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ext_san =
>>>>>> csr.extensions.get_extension_for_oid(
>>>>>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^
>>>>>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are
>>>>>> supported
>>>>>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957]
>>>>>> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver]
>>>>>> host/jump.domain.com(a)DOMAIN.COM: cert_request('MIID**********d1A==',
>>>>>> principal='HTTP/host.domain.com(a)DOMAIN.COM', add=True, version='2.51'):
>>>>>> InternalError
>>>>>>
>>>>>> The requesting machine is allowed to manage both the host and the
>>>>>> service. Requesting the certificate on the IPA server itself works fine.
>>>>>> I've read elsewhere that this could be an incompatibility between the
>>>>>> client and the server.
>>>>>>
>>>>>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
>>>>>> Server: Fedora 39, ipa-server: v4.11.1
>>>>>
>>>>> Can we see the whole CSR? You should be able to find it in the
>>>>> certmonger request file in /var/lib/certmonger/requests/
>>>>> Sometimes the value matches the Request ID but not always.
>>>>>
>>>>> It is the parsing of the CSR where it blew up, getting multiple values
>>>>> where only one was expected.
>>>>>
>>>>> rob
>>>>
From slekkus75 at proton.me Wed Apr 3 15:02:15 2024
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Client install fails with: "Joining realm failed: JSON-RPC call failed: Timeout was reached"
Date: Wed, 03 Apr 2024 15:02:02 +0000
Message-ID: <20240403150202.11983.18124@mailman01.iad2.fedoraproject.org>
In-Reply-To: Zgl3v6k178mF8Rfe@redhat.com
Thanks for the links. Wasn't sure what was mandatory and what not. All works now.
From cheimes at redhat.com Wed Apr 3 15:04:30 2024
From: Christian Heimes
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1
Date: Wed, 03 Apr 2024 17:04:14 +0200
In-Reply-To: BA583821-26AF-4719-80C3-5D6B6DC43650@gmail.com
On 03/04/2024 16.21, Djerk Geurts via FreeIPA-users wrote:
> Not sure how long we'll need to wait for a fix in Ubuntu 20.04, so we're uplifting our jumphosts to Ubuntu 22.04. We were going to wait so we could go from 20.04 to 24.04, but alas…
>
> Thank you for your time!
I'm the downstream maintainer of python-cryptography in RHEL and Fedora. I found the problem in October 2021 and reported it to upstream. The PyCA cryptography ticket https://github.com/pyca/cryptography/issues/6368 has more information and links to FreeIPA and Certmonger tickets.

Timeline: cryptography 35.0 was released on 2021-09-29. The problem was detected by our tests and reported by me on 2021-10-04. I also wrote a fix the same day. Certmonger release 0.79.15 fixed CSR generation and was released 24h later. Cryptography added a temporary workaround shortly after and removed the workaround in April 2022.

If Ubuntu hasn't fixed the problem as of today, then they probably have missed the bug. We don't have control over the Debian/Ubuntu downstream channel. The Debian maintainer Timo Aaltonen is responsive and addresses problems fast. Could you please open an Ubuntu bug on Launchpad and ping him?
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
From rcritten at redhat.com Wed Apr 3 15:12:06 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 11:11:49 -0400
Message-ID: <88497baf-aca3-3c21-6cd7-5f8ca8447c57@redhat.com>
In-Reply-To: 20240403124553.20581.98833@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> Spoke too soon. If I try to get a new certificate on an enrolled host I get this
>
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa1-sea2.ipa.****.net/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa1-sea2.ipa.****.net:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)).
>
> This is reflected in the UI if I go to Authentication > Certificates > Certificate Authorities where I see the same error.
>
> The IPA server listed there is the one where all services started via ipactl start in my previous update.
I think you need to take a look at fresh logs to see what failed. It may
point to why.
I assume you went back in time to 2019 and then leaped forward 2 years
at a pop, renewing as you went, and now it's present day?
rob
From twest at cherryroad.com Wed Apr 3 15:37:28 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 15:37:07 +0000
Message-ID: <20240403153707.18451.42346@mailman01.iad2.fedoraproject.org>
In-Reply-To: 88497baf-aca3-3c21-6cd7-5f8ca8447c57@redhat.com
No I didn't go back in time, I generated new certificates and imported them to NSS DB after deleting the ones that contained Principals that had other hosts listed.

I then updated the CS.cfg with the cert and certreq values, and made sure the CA Subsystem cert in NSS DB matched what is in LDAP.

I'm not sure what logs to look at. /etc/pki/pki-tomcat/ca/selftest has no errors; /etc/pki/pki-tomcat/ca/system has the last error from before I got ipa to fully start. The debug log has a lot of information, but nothing that looks like an error.

I've got no expired certs
# getcert list | grep expires
expires: 2025-01-26 11:37:18 UTC
expires: 2025-01-26 11:37:04 UTC
expires: 2026-03-12 13:24:44 UTC
expires: 2034-04-01 11:38:26 UTC
expires: 2034-04-01 11:32:48 UTC
expires: 2034-04-01 11:35:47 UTC
expires: 2037-03-21 04:43:44 UTC
expires: 2024-12-24 11:37:06 UTC
expires: 2025-01-26 11:41:35 UTC
Trust attributes all look correct in /etc/pki/pki-tomcat/alias
# certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Certmonger tracking shows correct now with the Subject having the CN and O in the correct order.
From natxo.asenjo at gmail.com Wed Apr 3 16:06:37 2024
From: Natxo Asenjo
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: upgrade idm servers rhel 7 to 8 problems
Date: Wed, 03 Apr 2024 18:05:12 +0200
In-Reply-To: CAHBEJzU1iiHHKxMC_BteGhn+P1tZf5dBzQU99PwRTwZV9KXt5A@mail.gmail.com
anybody?

On Tue, Apr 2, 2024 at 1:53 PM Natxo Asenjo wrote:
> hi,
>
> On Tue, Mar 26, 2024 at 2:47 PM Natxo Asenjo wrote:
>
>> hi,
>>
>> posting back to the list.
>>
>> Apparently the idm server cannot find a SID of a domain when trying to
>> resolve the user account. It does find the user account, but there are
>> sids coupled to the account corresponding to a domain which cannot be
>> resolved.
>>
>> It took me a while but the sid of that child domain is not the one not
>> resolved.
>>
>> It turns out, the sid of the domain not resolving is the one of the idm
>> realm itself. We have some idm groups mapped to the AD groups we allow in
>> idm for rbac, and if I look at the ipaNTSecurityIdentifier attributes of
>> the idm groups, those are the not resolved groups.
>>
>> This is unexpected (to me at least).
>>
>> so we have this trust (verified on two different idm servers, same value):
>>
>> ipa trust-find
>> ---------------
>> 1 trust matched
>> ---------------
>> Realm name: domain.local
>> Domain NetBIOS name: DOMAIN
>> Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
>> Trust type: Active Directory domain
>> ----------------------------
>> Number of entries returned 1
>>
>> but inside this idm domain, we have some idm posix groups with the
>> ipantsecurityidentifier of the not resolvable domain, for instance:
>> S-1-5-21-1214650608-3976977395-3073169311-101072
>>
>> So basically, it is not matching because of this ipantsecurityidentifier,
>> I think.
>>
>> I do not know how to fix this at this moment, or why it has happened. Any
>> ideas?
>>
>
> I wonder if somebody with more sssd knowledge than me could push me in the
> right direction. Is it maybe better to ask in the sssd mailing list?
>
> Regards,
>
> Natxo Asenjo
>
> --
> Groeten,
> natxo
>
--
Groeten,
natxo
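The situation Natxo describes, a group carrying a SID whose domain part is not the trusted AD domain's SID, is easier to see once SIDs are split into their domain part and RID. As an added example (not sssd or FreeIPA code), the Python below does that split, validates the S-1-5-21 domain form, and reports which group SIDs belong to none of the domain SIDs it knows about. The trusted-domain SID and the group SID are the two quoted in the thread; the IPA realm's own domain SID does not appear in the thread, so the example derives it from the quoted group SID rather than taking it from a real deployment.

```python
"""Split Windows security identifiers into domain SID and RID, and find group
SIDs that no known domain covers. Added example for this thread, not sssd or
FreeIPA code. The trusted-domain SID and the group SID are the ones quoted in
the thread; the IPA realm's own domain SID is derived here from the group SID
because the thread does not quote it."""

# S-1-5-21-<A>-<B>-<C> is the shape of a domain SID; the trailing number is the RID.
NT_DOMAIN_PREFIX = "S-1-5-21"


def split_sid(sid):
    """'S-1-5-21-A-B-C-RID' -> ('S-1-5-21-A-B-C', RID). Raises ValueError otherwise."""
    parts = sid.split("-")
    if (len(parts) != 8 or parts[0] != "S"
            or not all(p.isdigit() for p in parts[1:])
            or "-".join(parts[:4]) != NT_DOMAIN_PREFIX):
        raise ValueError(f"not a domain-issued SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def resolve_domains(group_sids, known_domains):
    """Map each group SID to the label of the domain whose SID is its prefix,
    or None when no known domain SID matches (the thread's 'cannot resolve')."""
    return {sid: known_domains.get(split_sid(sid)[0]) for sid in group_sids}


def unresolved(group_sids, known_domains):
    """Group SIDs whose domain part matches none of the known domain SIDs."""
    return [sid for sid, dom in resolve_domains(group_sids, known_domains).items()
            if dom is None]


# Domain SID of the AD trust, as shown by `ipa trust-find` in the thread.
AD_TRUST = {"S-1-5-21-1416133915-1866970209-3316290679": "DOMAIN (domain.local)"}

# Group SID from the thread; its domain part is, per the thread, the IPA realm's
# own domain SID (derived here, not taken from a deployment).
IPA_GROUP_SID = "S-1-5-21-1214650608-3976977395-3073169311-101072"
IPA_DOMAIN_SID = split_sid(IPA_GROUP_SID)[0]

if __name__ == "__main__":
    print("unknown with AD trust only:", unresolved([IPA_GROUP_SID], AD_TRUST))
    print("unknown with IPA realm added:",
          unresolved([IPA_GROUP_SID], {**AD_TRUST, IPA_DOMAIN_SID: "IPA realm"}))
```

With only the AD trust's SID known, the IPA group SID is reported as unresolved; once the IPA realm's own domain SID is in the known list it classifies as an IPA-local group, which is the distinction the thread was trying to make by eye.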
From twest at cherryroad.com Wed Apr 3 16:41:29 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 16:41:07 +0000
Message-ID: <20240403164107.31901.31039@mailman01.iad2.fedoraproject.org>
In-Reply-To: 88497baf-aca3-3c21-6cd7-5f8ca8447c57@redhat.com
In the apache error log I found this that is generated when, in the UI, I try to access Authentication > Certificates > Certificate Authorities.

[Wed Apr 03 16:33:28.439180 2024] [:error] [pid 19048] ipa: INFO: [jsonserver_session] twest(a)IPA.****.NET: cert_find(None, version=u'2.230'): SUCCESS
[Wed Apr 03 16:33:30.661528 2024] [:warn] [pid 19601] [client IP.ADD.RE.SS:61691] failed to set perms (3140) on file (/var/run/ipa/ccaches/twest(a)IPA.****.NET)!, referer: https://ipa1-sea2.ipa.****.net/ipa/ui/
[Wed Apr 03 16:33:30.720054 2024] [:error] [pid 19047] ipa: INFO: [jsonserver_session] twest(a)IPA.****.NET: ca_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS
[Wed Apr 03 16:33:30.731584 2024] [:warn] [pid 19601] [client IP.ADD.RE.SS:61691] failed to set perms (3140) on file (/var/run/ipa/ccaches/twest(a)IPA.****.NET)!, referer: https://ipa1-sea2.ipa.****.net/ipa/ui/
[Wed Apr 03 16:33:30.831428 2024] [:error] [pid 19055] Bad remote server certificate: -8179
[Wed Apr 03 16:33:30.831479 2024] [:error] [pid 19055] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 03 16:33:30.831557 2024] [:error] [pid 19055] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 03 16:33:30.831672 2024] [:error] [pid 19055] SSL Library Error: -12116 Unknown
[Wed Apr 03 16:33:30.832809 2024] [:error] [pid 19048] ipa: INFO: twest(a)IPA.****.NET: batch: ca_show(u'ipa'): NetworkError
[Wed Apr 03 16:33:30.833300 2024] [:error] [pid 19048] ipa: INFO: [jsonserver_session] twest(a)IPA.****.NET: batch(({u'params': ([u'ipa'], {}), u'method': u'ca_show'},), version=u'2.230'): SUCCESS

but no indication of which certificate it is complaining about. I thought maybe the IPA RA cert, but that is definitely signed by this CA and doesn't expire until 2026.

The certs I generated and imported to /etc/pki/pki-tomcat/alias are also signed by the CA.
From rcritten at redhat.com Wed Apr 3 17:40:57 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 13:40:44 -0400
Message-ID: <9bed06e1-2084-d4f8-225f-0ecc95d23edc@redhat.com>
In-Reply-To: 20240403164107.31901.31039@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> In the apache error log I found this that is generated when, in the UI, I try to access Authentication > Certificates > Certificate Authorities.
>
> [Wed Apr 03 16:33:28.439180 2024] [:error] [pid 19048] ipa: INFO: [jsonserver_session] twest(a)IPA.****.NET: cert_find(None, version=u'2.230'): SUCCESS
> [Wed Apr 03 16:33:30.661528 2024] [:warn] [pid 19601] [client IP.ADD.RE.SS:61691] failed to set perms (3140) on file (/var/run/ipa/ccaches/twest(a)IPA.****.NET)!, referer: https://ipa1-sea2.ipa.****.net/ipa/ui/
> [Wed Apr 03 16:33:30.720054 2024] [:error] [pid 19047] ipa: INFO: [jsonserver_session] twest(a)IPA.****.NET: ca_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS
> [Wed Apr 03 16:33:30.731584 2024] [:warn] [pid 19601] [client IP.ADD.RE.SS:61691] failed to set perms (3140) on file (/var/run/ipa/ccaches/twest(a)IPA.****.NET)!, referer: https://ipa1-sea2.ipa.****.net/ipa/ui/
> [Wed Apr 03 16:33:30.831428 2024] [:error] [pid 19055] Bad remote server certificate: -8179
> [Wed Apr 03 16:33:30.831479 2024] [:error] [pid 19055] SSL Library Error: -8179 Certificate is signed by an unknown issuer
> [Wed Apr 03 16:33:30.831557 2024] [:error] [pid 19055] Re-negotiation handshake failed: Not accepted by client!?
> [Wed Apr 03 16:33:30.831672 2024] [:error] [pid 19055] SSL Library Error: -12116 Unknown
> [Wed Apr 03 16:33:30.832809 2024] [:error] [pid 19048] ipa: INFO: twest(a)IPA.****.NET: batch: ca_show(u'ipa'): NetworkError
> [Wed Apr 03 16:33:30.833300 2024] [:error] [pid 19048] ipa: INFO: [jsonserver_session] twest(a)IPA.****.NET: batch(({u'params': ([u'ipa'], {}), u'method': u'ca_show'},), version=u'2.230'): SUCCESS
>
> but no indication of which certificate it is complaining about. I thought maybe the IPA RA cert, but that is definitely signed by this CA and doesn't expire until 2026.
> The certs I generated and imported to /etc/pki/pki-tomcat/alias are also signed by the CA.
Apache, via the IPA API, is acting as the client in this case. So Apache
doesn't trust the CA certificate (unlikely), or the Server-Cert cert-pki-ca.

You can validate it directly with:

# certutil -V -u V -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -e -f /etc/pki/pki-tomcat/alias/pwdfile.txt

Also, given the subject issues you ran into I guess I'd also verify that
the ASN.1 is correct in the issued certificates. This will be easier
since you have them as PEM files already:

# openssl asn1parse -inform pem -in /path/to/cert.pem

In the output you should see each component of the issuer and subject
broken out like:

...
   37:d=5 hl=2 l=   3 prim: OBJECT :organizationName
   42:d=5 hl=2 l=  12 prim: UTF8STRING :EXAMPLE.TEST
   56:d=3 hl=2 l=  30 cons: SET
   58:d=4 hl=2 l=  28 cons: SEQUENCE
   60:d=5 hl=2 l=   3 prim: OBJECT :commonName
   65:d=5 hl=2 l=  21 prim: UTF8STRING :Certificate Authority
   88:d=2 hl=2 l=  30 cons: SEQUENCE
   90:d=3 hl=2 l=  13 prim: UTCTIME :240221205457Z
  105:d=3 hl=2 l=  13 prim: UTCTIME :260221205457Z
  120:d=2 hl=2 l=  50 cons: SEQUENCE
  122:d=3 hl=2 l=  21 cons: SET
  124:d=4 hl=2 l=  19 cons: SEQUENCE
  126:d=5 hl=2 l=   3 prim: OBJECT :organizationName
  131:d=5 hl=2 l=  12 prim: UTF8STRING :EXAMPLE.TEST
  145:d=3 hl=2 l=  25 cons: SET
  147:d=4 hl=2 l=  23 cons: SEQUENCE
  149:d=5 hl=2 l=   3 prim: OBJECT :commonName
  154:d=5 hl=2 l=  16 prim: UTF8STRING :ipa.example.test
...

And finally, and this might be kinda nutty, but you can use certmonger
to force issue a new certificate using the resubmit command. I'd
snapshot things but that could be a way to get freshly issued certs that
might play more nicely with others.
rob
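The ASN.1 walk Rob suggests above and the "Only single-valued attributes are supported" failure quoted earlier in this thread both come down to how DER structures nest. As an added illustration (not code from the thread, FreeIPA, Dogtag or NSS), the Python below parses a DER-encoded X.501 Name the way `openssl asn1parse` displays one, renders it as the familiar `CN=...,O=...` string, and compares a certificate's issuer Name against a CA's subject Name as the ordered sequence of RDNs that chain building matches on (RFC 5280 section 7.1): two Names holding the same attributes in a different order are different Names, even though a rendered string may look right. It also flags RDN SETs that hold more than one value, the same one-or-many SET shape that the CSR attribute error above tripped over. All Names are constructed inline with a small encoder; nothing is read from a real certificate, and `EXAMPLE.TEST` is the placeholder realm from Rob's sample output.

```python
"""Walk and compare DER-encoded X.501 Names, the issuer/subject structures that
`openssl asn1parse` prints. Added example for this thread, not FreeIPA, Dogtag
or NSS code; the sample Names at the bottom are constructed, not real."""

# Attribute types seen in the thread's asn1parse output: (short, long) names.
OIDS = {"2.5.4.3": ("CN", "commonName"), "2.5.4.10": ("O", "organizationName")}
TAGS = {0x30: "SEQUENCE", 0x31: "SET", 0x06: "OBJECT", 0x0C: "UTF8STRING",
        0x13: "PRINTABLESTRING"}

def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Base-128 OID decoding; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def dump(der, depth=0, offset=0, out=None):
    """Lines in the spirit of `openssl asn1parse`: offset, depth, hl, l, type."""
    out = [] if out is None else out
    pos = 0
    while pos < len(der):
        tag, body, nxt = _read_tlv(der, pos)
        hl = nxt - pos - len(body)      # header length (tag + length bytes)
        kind = TAGS.get(tag, f"tag 0x{tag:02x}")
        if tag == 0x06:
            oid = _decode_oid(body)
            kind += " :" + OIDS.get(oid, (oid, oid))[1]
        elif tag in (0x0C, 0x13):
            kind += " :" + body.decode()
        form = "cons" if tag & 0x20 else "prim"
        out.append(f"{offset + pos:>5}:d={depth} hl={hl} l={len(body):>4} {form}: {kind}")
        if tag & 0x20:                  # constructed type: recurse into its contents
            dump(body, depth + 1, offset + pos + hl, out)
        pos = nxt
    return out

def parse_name(der):
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue.
    Returns one list per RDN holding (oid, text) pairs in encoded order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, p = [], 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid_raw, q = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, q)
            atvs.append((_decode_oid(oid_raw), val_raw.decode("utf-8")))
        rdns.append(atvs)
    return rdns

def render(der):
    """RFC 4514 string form, last RDN first: 'CN=Certificate Authority,O=EXAMPLE.TEST'."""
    return ",".join("+".join(f"{OIDS.get(o, (o, o))[0]}={v}" for o, v in rdn)
                    for rdn in reversed(parse_name(der)))

def issuer_matches(cert_issuer_der, ca_subject_der):
    """Chain building pairs a certificate with its issuer by Name. A Name is an
    ordered SEQUENCE of RDNs, so O-then-CN and CN-then-O are different Names
    even though the rendered strings contain the same attributes."""
    return parse_name(cert_issuer_der) == parse_name(ca_subject_der)

def multi_valued_rdns(der):
    """Indices of RDNs whose SET carries more than one value."""
    return [i for i, rdn in enumerate(parse_name(der)) if len(rdn) > 1]

# --- DER encoder used only to construct the sample Names (short-form lengths) --
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body       # samples are well under 128 bytes

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])   # arcs < 128 only; enough for 2.5.4.x

def build_name(*rdns):
    """Each argument is one RDN given as a list of (oid, text) pairs."""
    return _tlv(0x30, b"".join(
        _tlv(0x31, b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x0C, v.encode()))
                            for o, v in rdn)) for rdn in rdns))

CA_SUBJECT = build_name([("2.5.4.10", "EXAMPLE.TEST")], [("2.5.4.3", "Certificate Authority")])
SWAPPED_ISSUER = build_name([("2.5.4.3", "Certificate Authority")], [("2.5.4.10", "EXAMPLE.TEST")])
MULTI_VALUED = build_name([("2.5.4.10", "EXAMPLE.TEST")],
                          [("2.5.4.3", "ipa.example.test"), ("2.5.4.3", "ipa")])
```

`dump(CA_SUBJECT)` prints the same nine-line `SET`/`SEQUENCE`/`OBJECT`/`UTF8STRING` pattern as the asn1parse excerpt above (with offsets relative to the Name rather than to the whole certificate, so `d=` starts at 0 instead of 2). `issuer_matches(SWAPPED_ISSUER, CA_SUBJECT)` is False although both render to the same two attributes, which is the yes/no check to reach for when an "unknown issuer" error follows a subject-order mistake; on real material you would slice the issuer and subject Name DER out of the certificates with the same offsets asn1parse reports.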
From twest at cherryroad.com Wed Apr 3 18:05:49 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Wed, 03 Apr 2024 18:05:35 +0000
Message-ID: <20240403180535.15891.48136@mailman01.iad2.fedoraproject.org>
In-Reply-To: 9bed06e1-2084-d4f8-225f-0ecc95d23edc@redhat.com
Here is the output of validation

# certutil -V -u V -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -e -f /etc/pki/pki-tomcat/alias/pwdfile.txt
certutil: certificate is valid

And for the asn.1 of the Audit, OCSP, Subsystem, and RA certs

$ openssl asn1parse -inform pem -in audit.crt
   37:d=5 hl=2 l=   3 prim: OBJECT :organizationName
   42:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
   58:d=3 hl=2 l=  30 cons: SET
   60:d=4 hl=2 l=  28 cons: SEQUENCE
   62:d=5 hl=2 l=   3 prim: OBJECT :commonName
   67:d=5 hl=2 l=  21 prim: UTF8STRING :Certificate Authority
   90:d=2 hl=2 l=  30 cons: SEQUENCE
   92:d=3 hl=2 l=  13 prim: UTCTIME :240403113826Z
  107:d=3 hl=2 l=  13 prim: UTCTIME :340401113826Z
  122:d=2 hl=2 l=  44 cons: SEQUENCE
  124:d=3 hl=2 l=  23 cons: SET
  126:d=4 hl=2 l=  21 cons: SEQUENCE
  128:d=5 hl=2 l=   3 prim: OBJECT :organizationName
  133:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
  149:d=3 hl=2 l=  17 cons: SET
  151:d=4 hl=2 l=  15 cons: SEQUENCE
  153:d=5 hl=2 l=   3 prim: OBJECT :commonName
  158:d=5 hl=2 l=   8 prim: UTF8STRING :CA Audit

$ openssl asn1parse -inform pem -in subsystem.crt
   37:d=5 hl=2 l=   3 prim: OBJECT :organizationName
   42:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
   58:d=3 hl=2 l=  30 cons: SET
   60:d=4 hl=2 l=  28 cons: SEQUENCE
   62:d=5 hl=2 l=   3 prim: OBJECT :commonName
   67:d=5 hl=2 l=  21 prim: UTF8STRING :Certificate Authority
   90:d=2 hl=2 l=  30 cons: SEQUENCE
   92:d=3 hl=2 l=  13 prim: UTCTIME :240403113547Z
  107:d=3 hl=2 l=  13 prim: UTCTIME :340401113547Z
  122:d=2 hl=2 l=  48 cons: SEQUENCE
  124:d=3 hl=2 l=  23 cons: SET
  126:d=4 hl=2 l=  21 cons: SEQUENCE
  128:d=5 hl=2 l=   3 prim: OBJECT :organizationName
  133:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
  149:d=3 hl=2 l=  21 cons: SET
  151:d=4 hl=2 l=  19 cons: SEQUENCE
  153:d=5 hl=2 l=   3 prim: OBJECT :commonName
  158:d=5 hl=2 l=  12 prim: UTF8STRING :CA Subsystem

$ openssl asn1parse -inform pem -in ocsp.crt
   37:d=5 hl=2 l=   3 prim: OBJECT :organizationName
   42:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
   58:d=3 hl=2 l=  30 cons: SET
   60:d=4 hl=2 l=  28 cons: SEQUENCE
   62:d=5 hl=2 l=   3 prim: OBJECT :commonName
   67:d=5 hl=2 l=  21 prim: UTF8STRING :Certificate Authority
   90:d=2 hl=2 l=  30 cons: SEQUENCE
   92:d=3 hl=2 l=  13 prim: UTCTIME :240403113248Z
  107:d=3 hl=2 l=  13 prim: UTCTIME :340401113248Z
  122:d=2 hl=2 l=  50 cons: SEQUENCE
  124:d=3 hl=2 l=  23 cons: SET
  126:d=4 hl=2 l=  21 cons: SEQUENCE
  128:d=5 hl=2 l=   3 prim: OBJECT :organizationName
  133:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
  149:d=3 hl=2 l=  23 cons: SET
  151:d=4 hl=2 l=  21 cons: SEQUENCE
  153:d=5 hl=2 l=   3 prim: OBJECT :commonName
  158:d=5 hl=2 l=  14 prim: UTF8STRING :OCSP Subsystem

$ openssl asn1parse -inform pem -in ra-agent.pem
   37:d=5 hl=2 l=   3 prim: OBJECT :organizationName
   42:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
   58:d=3 hl=2 l=  30 cons: SET
   60:d=4 hl=2 l=  28 cons: SEQUENCE
   62:d=5 hl=2 l=   3 prim: OBJECT :commonName
   67:d=5 hl=2 l=  21 prim: UTF8STRING :Certificate Authority
   90:d=2 hl=2 l=  30 cons: SEQUENCE
   92:d=3 hl=2 l=  13 prim: UTCTIME :240322132444Z
  107:d=3 hl=2 l=  13 prim: UTCTIME :260312132444Z
  122:d=2 hl=2 l=  42 cons: SEQUENCE
  124:d=3 hl=2 l=  23 cons: SET
  126:d=4 hl=2 l=  21 cons: SEQUENCE
  128:d=5 hl=2 l=   3 prim: OBJECT :organizationName
  133:d=5 hl=2 l=  14 prim: UTF8STRING :IPA.****.NET
  149:d=3 hl=2 l=  15 cons: SET
  151:d=4 hl=2 l=  13 cons: SEQUENCE
  153:d=5 hl=2 l=   3 prim: OBJECT :commonName
  158:d=5 hl=2 l=   6 prim: PRINTABLESTRING :IPA RA

I tried a resubmit on the ra-agent cert with getcert and this was the result

Request ID '20190322032004':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to https://ipa1-sea2.ipa.****.net:8443/ca/agent/ca/profileReview: SSL connect error.
        stuck: no
From net.ricky at gmail.com Thu Apr 4 11:24:47 2024
From: Riccardo Rotondo
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
Date: Thu, 04 Apr 2024 11:24:36 +0000
Message-ID: <20240404112436.23044.55248@mailman01.iad2.fedoraproject.org>
In-Reply-To: ZgFKibyuLyE8WCyf@redhat.com
Hi Alexander,

Thank you Alexander, this solution probably fits our needs.
My only problem now is that I configured freeipa with docker, and in that image the developer didn't include the Fedora Account System plugin for IPA, so in the log I found:

ERROR in middleware: Uncaught IPA exception: Unknown option: fasgroup

I'll check with them if I can add this plugin post installation.

Regards,
Riccardo
From cheimes at redhat.com Thu Apr 4 11:33:00 2024
From: Christian Heimes
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
Date: Thu, 04 Apr 2024 13:32:42 +0200
Message-ID: <02091964-3991-47fc-ac66-6dab4d5ab793@redhat.com>
In-Reply-To: 20240404112436.23044.55248@mailman01.iad2.fedoraproject.org
On 04/04/2024 13.24, Riccardo Rotondo via FreeIPA-users wrote:
> Hi Alexander,
>
> Thank you Alexander, this solution probably fits our needs.
> My only problem now is that I configured freeipa with docker, and in that image the developer didn't include the Fedora Account System plugin for IPA, so in the log I found:
>
> ERROR in middleware: Uncaught IPA exception: Unknown option: fasgroup
>
> I'll check with them if I can add this plugin post installation.

You can add the plugin to an existing installation. For a normal installation of FreeIPA, `dnf install freeipa-fas` just works. The package runs ipa-server-upgrade and restarts ipa.service in the posttrans scriptlet.

It appears that does not work for containers. You need to figure out how to run ipa-server-upgrade while the container is running.
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
From abokovoy at redhat.com Thu Apr 4 11:35:35 2024
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
Date: Thu, 04 Apr 2024 14:35:16 +0300
In-Reply-To: 20240404112436.23044.55248@mailman01.iad2.fedoraproject.org
On Thu, 04 Apr 2024, Riccardo Rotondo via FreeIPA-users wrote:
>Hi Alexander,
>
>Thank you Alexander, this solution probably fits our needs.
>My only problem now is that I configured freeipa with docker, and in
>that image the developer didn't include the Fedora Account System plugin
>for IPA so in the log I found:
>
>ERROR in middleware: Uncaught IPA exception: Unknown option: fasgroup
>
>I'll check with them if I can add this plugin post installation.

I'd say you need to build your own image on top of
freeipa/freeipa-container. I'd rather do that by cloning the git repo and
extending

RUN yum -y install --setopt=install_weak_deps=False ipa-server ipa-server-dns ipa-server-trust-ad patch ipa-healthcheck ipa-client-epn && yum clean all

in one of the Dockerfile.* for your target. Or you can derive from the
freeipa-container image and explicitly add that in your own Dockerfile.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
From twest at cherryroad.com Thu Apr 4 11:50:26 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Thu, 04 Apr 2024 11:50:04 +0000
Message-ID: <20240404115004.27812.24569@mailman01.iad2.fedoraproject.org>
In-Reply-To: 9bed06e1-2084-d4f8-225f-0ecc95d23edc@redhat.com
This morning I tried running ipa-server-upgrade to see if that would help. It ultimately failed, but in a different spot and with a different error:

2024-04-04T11:36:42Z DEBUG The CA status is: running
2024-04-04T11:36:42Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2024-04-04T11:36:42Z INFO [Migrating certificate profiles to LDAP]
2024-04-04T11:36:42Z DEBUG Created connection context.ldap2_140461768893264
2024-04-04T11:36:42Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-****-NET.socket from SchemaCache
2024-04-04T11:36:42Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-****-NET.socket conn=
2024-04-04T11:36:42Z DEBUG Destroyed connection context.ldap2_140461768893264
2024-04-04T11:36:42Z DEBUG request GET https://ipa1-sea2.ipa.****.net:8443/ca/rest/account/login
2024-04-04T11:36:42Z DEBUG request body ''
2024-04-04T11:36:42Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 220, in _httplib_request
    conn.request(method, uri, body=request_body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1260, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
2024-04-04T11:36:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2024-04-04T11:36:42Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2085, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1952, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 396, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1814, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1820, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1298, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 167, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 229, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2024-04-04T11:36:42Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://ipa1-sea2.ipa.****.net:8443/ca/rest/account/login': [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
2024-04-04T11:36:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:

Again with the 'unknown ca' message. I've confirmed that the ca.crt is the same that is listed as the caSigningCert in /etc/pki/pki-tomcat/alias and is the one found at /etc/ipa/ca.crt.

I believe my output of asn.1 for each certificate also shows all the certificates signed by the CA, so I'm not sure what certificate it's complaining about coming from an unknown CA.
From twest at cherryroad.com Thu Apr 4 14:28:11 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Thu, 04 Apr 2024 14:27:47 +0000
Message-ID: <20240404142747.27192.77018@mailman01.iad2.fedoraproject.org>
In-Reply-To: 9bed06e1-2084-d4f8-225f-0ecc95d23edc@redhat.com
Rob,
I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it. Got a couple of errors regarding the RA Agent cert:
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
      "reason": "",
      "key": "/var/lib/ipa/ra-agent.pem"
    },
    "uuid": "a855346c-4998-4415-a819-ce83048e174e",
    "duration": "0.100214",
    "when": "20240404141916Z",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent not found in LDAP"
    },
    "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
    "duration": "0.027569",
    "when": "20240404141916Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  }
That first error, I'm not sure about what kind of validation it's performing. In my asn.1 output earlier I did include the ra-agent.pem and it looks like it's correctly signed.
As far as the "RA agent not found in LDAP", it looks to me like it is, and it matches the cert in /var/lib/ipa/ra-agent.pem
# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6j...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# cat ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6j...ssifAg==
-----END CERTIFICATE-----
From rcritten at redhat.com Thu Apr 4 15:00:58 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Thu, 04 Apr 2024 11:00:39 -0400
Message-ID:
In-Reply-To: 20240404142747.27192.77018@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> Rob,
>
> I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it. Got a couple of errors regarding the RA Agent cert:
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
>       "reason": "",
>       "key": "/var/lib/ipa/ra-agent.pem"
>     },
>     "uuid": "a855346c-4998-4415-a819-ce83048e174e",
>     "duration": "0.100214",
>     "when": "20240404141916Z",
>     "check": "IPAOpenSSLChainValidation",
>     "result": "ERROR"
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "RA agent not found in LDAP"
>     },
>     "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
>     "duration": "0.027569",
>     "when": "20240404141916Z",
>     "check": "IPARAAgent",
>     "result": "ERROR"
>   }
It runs: openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
> That first error, I'm not sure about what kind of validation it's performing. In my asn.1 output earlier I did include the ra-agent.pem and it looks like it's correctly signed.
> As far as the "RA agent not found in LDAP", it looks to me like it is, and it matches the cert in /var/lib/ipa/ra-agent.pem
>
> # ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
> userCertificate:: MIID6j...ssifAg==
> uid: ipara
> sn: ipara
> usertype: agentType
> userstate: 1
> objectClass: cmsuser
> objectClass: top
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: person
> cn: ipara
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> # cat ra-agent.pem
> -----BEGIN CERTIFICATE-----
> MIID6j...ssifAg==
> -----END CERTIFICATE-----
Watch the 389-ds access log (buffer) while healthcheck runs. You should
see the failed search and the reason may be enlightening (or not).
You can also add --debug to the command and maybe that will help.
rob
From abokovoy at redhat.com Thu Apr 4 15:21:13 2024
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: upgrade idm servers rhel 7 to 8 problems
Date: Thu, 04 Apr 2024 18:20:50 +0300
Message-ID:
In-Reply-To: CAHBEJzU1iiHHKxMC_BteGhn+P1tZf5dBzQU99PwRTwZV9KXt5A@mail.gmail.com
On Tue, 02 Apr 2024, Natxo Asenjo wrote:
>hi,
>
>On Tue, Mar 26, 2024 at 2:47 PM Natxo Asenjo wrote:
>
>> hi,
>>
>> posting back to the list.
>>
>> Apparently the idm server cannot find a SID of a domain when trying to
>> resolve the user account. It does find the user account, but there are
>> sids coupled to the account corresponding to a domain which cannot be
>> resolved.
>>
>> It took me a while but the sid of that child domain is not the one not
>> resolved.
>>
>> It turns out, the sid of the domain not resolving is the one of the idm
>> realm itself. We have some idm groups mapped to the AD groups we allow in
>> idm for rbac, and if I look at the ipaNTSecurityIdentifier attributes of
>> the id groups, those are the not resolved groups.
>>
>> This is unexpected (to me at least).
>>
>> so we have this trust (verified on two different idm servers, same value):
>>
>> ipa trust-find
>> ---------------
>> 1 trust matched
>> ---------------
>> Realm name: domain.local
>> Domain NetBIOS name: DOMAIN
>> Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
>> Trust type: Active Directory domain
>> ----------------------------
>> Number of entries returned 1
>>
>> but inside this idm domain, we have some idm posix groups with the
>> ipantsecurityidentifier of the not resolvable domain, for instance:
>> S-1-5-21-1214650608-3976977395-3073169311-101072
>>
>> So basically, it is not matching because of this ipantsecurityidentifier,
>> I think.
>>
>> I do not know how to fix this at this moment, or why it has happened. Any
>> ideas?
>>
>
>I wonder if somebody with more sssd knowledge than me could push me in the
>right direction. Is it maybe better to ask in the sssd mailing list?
No idea why that is. Is the SID of the IPA domain
S-1-5-21-1214650608-3976977395-3073169311? If not, please replace SIDs
of the IPA groups that have S-1-5-21-1214650608-3976977395-3073169311 in
their ipaNTSecurityIdentifier by the proper IPA domain SID. You probably
need to construct an LDIF file that does this modification.
>
>Regards,
>
>Natxo Asenjo
>
>--
>Groeten,
>natxo
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
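Alexander's suggestion above is to build an LDIF that rewrites the offending ipaNTSecurityIdentifier values. The following is an added example of such a generator, not FreeIPA or Red Hat code: it reads group entries from an ldapsearch-style LDIF dump (a constructed sample is embedded), takes the correct IPA domain SID as an operator-supplied value (the S-1-5-21-999999999-888888888-777777777 used here is made up), leaves entries carrying the trusted AD domain SID from the thread untouched, and emits ldapmodify input that keeps each group's RID.

```python
import re
from typing import Dict, Iterator, List, Sequence, Tuple

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample dump (as `ldapsearch -LLL ... ipaNTSecurityIdentifier` would print).
# Two groups carry the SID prefix SSSD could not resolve in the thread, one is already
# correct, and one carries the trusted AD domain SID shown by `ipa trust-find`.
SAMPLE_LDIF = """\
dn: cn=admins-ad,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1214650608-3976977395-3073169311-101072

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1214650608-3976977395-3073169311-101073

dn: cn=good,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-999999999-888888888-777777777-1002

dn: cn=ad-ext,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1416133915-1866970209-3316290679-513
"""

IPA_DOMAIN_SID = "S-1-5-21-999999999-888888888-777777777"    # assumed value; take yours from `ipa trustconfig-show`
AD_DOMAIN_SID = "S-1-5-21-1416133915-1866970209-3316290679"  # trusted domain SID quoted in the thread


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    leading-space continuation lines folded back. Base64 (::) values are not decoded."""
    entry: Dict[str, List[str]] = {}
    last = None
    for line in text.splitlines() + [""]:
        if not line:
            if entry:
                yield entry
            entry, last = {}, None
        elif line.startswith(" ") and last:
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            entry.setdefault(last, []).append(value.strip())


def split_sid(sid: str) -> Tuple[str, str]:
    """Split 'S-1-5-21-a-b-c-RID' into its domain SID and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return m.group(1), m.group(2)


def plan_sid_fixes(ldif_text: str, ipa_domain_sid: str,
                   trusted_sids: Sequence[str] = ()) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (changes, skipped). Each change is (dn, old_sid, new_sid) for a group whose
    SID prefix is neither the IPA domain's nor a trusted domain's; the RID is preserved.
    Entries carrying a trusted domain's SID are listed in `skipped` and never rewritten."""
    changes, skipped = [], []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        for sid in entry.get("ipaNTSecurityIdentifier", []):
            domain, rid = split_sid(sid)
            if domain == ipa_domain_sid:
                continue
            if domain in trusted_sids:
                skipped.append(dn)
                continue
            changes.append((dn, sid, f"{ipa_domain_sid}-{rid}"))
    return changes, skipped


def to_ldif(changes: List[Tuple[str, str, str]]) -> str:
    """Render the planned changes as `ldapmodify -f` input; the old value survives as an LDIF comment."""
    blocks = []
    for dn, old, new in changes:
        blocks.append(
            f"# was: {old}\n"
            f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: ipaNTSecurityIdentifier\n"
            f"ipaNTSecurityIdentifier: {new}\n"
            "-\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    planned, left_alone = plan_sid_fixes(SAMPLE_LDIF, IPA_DOMAIN_SID, [AD_DOMAIN_SID])
    print(to_ldif(planned))
    for dn in left_alone:
        print(f"# left alone (trusted-domain SID): {dn}")
```

Review the generated file before feeding it to ldapmodify; the script only changes the domain prefix, so a group whose RID itself is wrong still needs manual attention.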
From twest at cherryroad.com Thu Apr 4 15:26:50 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Thu, 04 Apr 2024 15:26:31 +0000
Message-ID: <20240404152631.7903.82642@mailman01.iad2.fedoraproject.org>
In-Reply-To: b0d61789-312c-e1cb-f1fd-34a72827e0bc@redhat.com
If I run that command manually it doesn't appear to do anything except output 'recognized usages'.
If I try it without the -show_chain flag I get
# openssl verify -verbose -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
/var/lib/ipa/ra-agent.pem: O = IPA.****.NET, CN = IPA RA
error 20 at 0 depth lookup:unable to get local issuer certificate
The only information in the access log while healthcheck is running is a number of these
[04/Apr/2024:15:09:46 +0000] "POST https://ipa1-sea2.ipa.****.net:443/ca/agent/ca/displayBySerial HTTP/1.1" 403 229
But those coincide with the healthcheck checking other certificates managed by certmonger where the error shown by healthcheck is
[SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)",
From sam at robots.org.uk Thu Apr 4 17:07:10 2024
From: Sam Morris
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Can CA system certificates be rekeyed?
Date: Thu, 04 Apr 2024 18:06:41 +0100
Message-ID: <3c3e1989-28a5-423c-958e-3abb267ea484@robots.org.uk>
Hi folks
I make use of certmonger's key_use_count to ensure that I don't use the same private key more than once when issuing service certificates. I was wondering what would happen if this was set on a FreeIPA server. Having done a bit of reading I think this looks like a Very Bad Idea, but I was wondering if someone could confirm the following:
1. It's fine to rekey the KDC/dirsrv/httpd service certificates - there's nothing particularly special about them.
2. The Dogtag-related certificates are renewed on the CA renewal master, and stashed into the directory in entries under cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX so that the other servers can retrieve them; but the private keys aren't stashed in the directory, so transporting the new keys to the other servers would be a manual process.
3. One of these certificates is the CA certificate which you would never want to re-key because that would cause absolute mayhem.
4. There's no way to have certmonger re-key the service certificates (from the "IPA" CA) when renewing, but not the system certificates (from the "dogtag-ipa-ca-renew-agent" CA); so setting key_use_count is a really bad idea, never do it on a FreeIPA server.
Cheers,
--
Sam Morris
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
From twest at cherryroad.com Thu Apr 4 17:44:21 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Thu, 04 Apr 2024 17:43:58 +0000
Message-ID: <20240404174358.4041.11134@mailman01.iad2.fedoraproject.org>
In-Reply-To: b0d61789-312c-e1cb-f1fd-34a72827e0bc@redhat.com
I spun up a new server and did a fresh install of IPA. On that server if I run the command I get a better result
# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
/var/lib/ipa/ra-agent.pem: OK
Chain:
depth=0: O = AUTH.****.NET, CN = IPA RA (untrusted)
depth=1: O = AUTH.****.NET, CN = Certificate Authority
So I must be missing something with the RA cert. It's definitely in LDAP. I've read that it should also be present in the /etc/httpd/alias/ NSS DB, but that directory is empty on the fresh install so I cannot confirm.
The ASN.1 appears to be correct on the ra-agent.pem when I check
$ openssl asn1parse -inform pem -in ra-agent.pem
   37:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   42:d=5  hl=2 l=  14 prim: UTF8STRING        :IPA.****.NET
   58:d=3  hl=2 l=  30 cons: SET
   60:d=4  hl=2 l=  28 cons: SEQUENCE
   62:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   67:d=5  hl=2 l=  21 prim: UTF8STRING        :Certificate Authority
   90:d=2  hl=2 l=  30 cons: SEQUENCE
   92:d=3  hl=2 l=  13 prim: UTCTIME           :240322132444Z
  107:d=3  hl=2 l=  13 prim: UTCTIME           :260312132444Z
  122:d=2  hl=2 l=  42 cons: SEQUENCE
  124:d=3  hl=2 l=  23 cons: SET
  126:d=4  hl=2 l=  21 cons: SEQUENCE
  128:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  133:d=5  hl=2 l=  14 prim: UTF8STRING        :IPA.****.NET
  149:d=3  hl=2 l=  15 cons: SET
  151:d=4  hl=2 l=  13 cons: SEQUENCE
  153:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  158:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :IPA RA
This was another cert that had an incorrect Principal attached and was regenerated. I may have messed up something there, but I'm not sure what.
I do have a copy of the ra-agent.pem (and matching key) with the correct Principal from 2019. I can put this in place on the broken server, but even with rolling the time back I'm not sure it will get renewed.
From smilehce.heo at samsung.com Fri Apr 5 07:43:34 2024
From: Heo Paul
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Possible to split a toplogy to 2 topologies?
Date: Fri, 05 Apr 2024 07:43:22 +0000
Message-ID: <20240405074322.3753.11915@mailman01.iad2.fedoraproject.org>
Hi. I installed ipa-core servers in a topology and the version of those is 4.9.3.
A topology : 1 <--> 2 <--> 3 <--> 4 <--> 5 <--> 6
And I'd like to disconnect agreements between the 3 and 4 replicas. I expect that there should then be 2 separate topologies like the below.
A topology : 1 <--> 2 <--> 3
B topology : 4 <--> 5 <--> 6
But when I try to execute the following commands, they all fail due to "ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed."
- ipa-topologysegment-del
- ldapdelete cn=xx3.com-to-xx4.com,cn=ca,cn=topology,cn=ipa,cn=etc,dc=samsungsre,dc=com
And I also tried the "ipa-replica-manage del" command but some issues also occurred.
Could you guide me to disconnect replication between non-leaf replicas?
From twest at cherryroad.com Fri Apr 5 12:43:28 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 12:43:05 +0000
Message-ID: <20240405124305.23569.80746@mailman01.iad2.fedoraproject.org>
In-Reply-To: b0d61789-312c-e1cb-f1fd-34a72827e0bc@redhat.com
This morning I thought I had found what I was missing: import the new RA cert into ~/.dogtag/nssdb, which I've done, and now all the places I know about for the RA cert match.
# certutil -L -d /root/.dogtag/nssdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Certificate Authority - IPA.****.NET                         CT,C,C
IPA RA - IPA.****.NET                                        u,u,u
# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" -a
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----
# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" | grep Serial
Serial Number: 7 (0x7)
# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6jCC...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----
but the openssl verify command with the -show_chain flag still seems to fail
# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
From rcritten at redhat.com Fri Apr 5 12:43:43 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Possible to split a toplogy to 2 topologies?
Date: Fri, 05 Apr 2024 08:43:26 -0400
Message-ID:
In-Reply-To: 20240405074322.3753.11915@mailman01.iad2.fedoraproject.org
Heo Paul via FreeIPA-users wrote:
> Hi. I installed ipa-core servers in a topology and the version of those is 4.9.3.
>
> A topology : 1 <--> 2 <--> 3 <--> 4 <--> 5 <--> 6
>
> And I'd like to disconnect agreements between the 3 and 4 replicas. I expect that there should then be 2 separate topologies like the below.
>
> A topology : 1 <--> 2 <--> 3
> B topology : 4 <--> 5 <--> 6
>
> But when I try to execute the following commands, they all fail due to "ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed."
> - ipa-topologysegment-del
> - ldapdelete cn=xx3.com-to-xx4.com,cn=ca,cn=topology,cn=ipa,cn=etc,dc=samsungsre,dc=com
>
> And I also tried the "ipa-replica-manage del" command but some issues also occurred.
>
> Could you guide me to disconnect replication between non-leaf replicas?
Why do you want to split this? It will mean that both claim to be the
same topology but will no longer replicate. As you can see IPA works
hard to prevent this.
rob
From cheimes at redhat.com Fri Apr 5 14:06:21 2024
From: Christian Heimes
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Possible to split a toplogy to 2 topologies?
Date: Fri, 05 Apr 2024 16:05:57 +0200
Message-ID:
In-Reply-To: 20240405074322.3753.11915@mailman01.iad2.fedoraproject.org
On 05/04/2024 09.43, Heo Paul via FreeIPA-users wrote:
> Hi. I installed ipa-core servers in a topology and the version of those is 4.9.3.
>
> A topology : 1 <--> 2 <--> 3 <--> 4 <--> 5 <--> 6
For the record, that is a problematic topology with no fault tolerance and slow replication. Each server should have at least two, better three replication agreements. I recommend that you aim for a topology mesh with a maximum of two hops between any two servers.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
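As an added illustration of Christian's guidance (example code, not FreeIPA project code), the script below scores a replication topology from its segments given as server pairs: the longest hop count between any two servers, the fewest agreements any server has, and the servers whose loss would leave the remaining ones unable to replicate with each other, which is the split the topology plugin refused to create in Heo Paul's case. Both topologies are constructed: the six-server chain from the thread and one possible mesh over the same servers.

```python
from collections import deque
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

Segment = Tuple[str, str]

# Constructed topologies. CHAIN is the six-server line from the thread;
# MESH connects the same six servers with three agreements each.
CHAIN: List[Segment] = [("1", "2"), ("2", "3"), ("3", "4"), ("4", "5"), ("5", "6")]
MESH: List[Segment] = [("1", "2"), ("1", "3"), ("1", "6"), ("2", "3"), ("2", "4"),
                       ("3", "5"), ("4", "5"), ("4", "6"), ("5", "6")]


class Assessment(NamedTuple):
    max_hops: int          # longest shortest path between two servers, -1 if disconnected
    min_agreements: int    # fewest segments attached to any one server
    spof: List[str]        # servers whose loss partitions the rest


def adjacency(segments: Iterable[Segment]) -> Dict[str, Set[str]]:
    """Undirected graph: one segment is a replication agreement in each direction."""
    adj: Dict[str, Set[str]] = {}
    for left, right in segments:
        adj.setdefault(left, set()).add(right)
        adj.setdefault(right, set()).add(left)
    return adj


def hops_from(adj: Dict[str, Set[str]], start: str) -> Dict[str, int]:
    """Breadth-first hop counts from `start`; servers that cannot be reached are absent."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nbr in adj[node]:
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist


def max_hops(adj: Dict[str, Set[str]]) -> int:
    """Diameter of the topology, or -1 if some server is already unreachable."""
    worst = 0
    for server in adj:
        dist = hops_from(adj, server)
        if len(dist) != len(adj):
            return -1
        worst = max(worst, max(dist.values()))
    return worst


def single_points_of_failure(adj: Dict[str, Set[str]]) -> List[str]:
    """Servers whose outage leaves the remaining servers in two or more islands."""
    spof = []
    for server in adj:
        rest = {n: nbrs - {server} for n, nbrs in adj.items() if n != server}
        if rest and len(hops_from(rest, next(iter(rest)))) != len(rest):
            spof.append(server)
    return sorted(spof)


def assess(segments: Iterable[Segment]) -> Assessment:
    adj = adjacency(segments)
    return Assessment(
        max_hops=max_hops(adj),
        min_agreements=min(len(nbrs) for nbrs in adj.values()),
        spof=single_points_of_failure(adj),
    )


def meets_recommendation(segments: Iterable[Segment]) -> bool:
    """Christian's rule of thumb: every pair within two hops, at least two agreements
    per server, and no server whose loss partitions the rest."""
    a = assess(segments)
    return 0 < a.max_hops <= 2 and a.min_agreements >= 2 and not a.spof


if __name__ == "__main__":
    for name, topo in (("chain", CHAIN), ("mesh", MESH)):
        print(name, assess(topo), "ok" if meets_recommendation(topo) else "needs work")
```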
From twest at cherryroad.com Fri Apr 5 14:44:44 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 14:44:23 +0000
Message-ID: <20240405144423.15717.2479@mailman01.iad2.fedoraproject.org>
In-Reply-To: b0d61789-312c-e1cb-f1fd-34a72827e0bc@redhat.com
The problem was definitely the ra-agent.pem. I generated a new one and imported it to ~/.dogtag/nssdb, LDAP and placed the pem and key in /var/lib/ipa/
Now I can verify the certificate with the openssl verify command. Additionally the error in the UI is gone and running an 'ipa cert-show 1' works and doesn't return the error I was seeing.
The last piece here is replicating the new certificates to the other 5 hosts in the cluster. Is there a method to do that or should I import the new certs manually on the other hosts?
From daniel.e.white at nasa.gov Fri Apr 5 16:05:24 2024
From: White, Daniel E. (GSFC-770.0)[AEGIS]
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Old documentation about FreeIPA plus FreeRADIUS
Date: Fri, 05 Apr 2024 16:04:48 +0000
Message-ID: <3DE67258-26B5-47F7-B2E4-8A6E7F18E7CF@contoso.com>
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
It says:
PLEASE NOTE that this set-up uses unencrypted passwords between the client and the authentication server, i.e. password will be transmitted as CLEAR TEXT, consider this with respect to your environment.
Would using LDAPS in the RADIUS configuration files fix this ?
From rcritten at redhat.com Fri Apr 5 16:47:51 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 12:47:26 -0400
Message-ID: <5f9263b3-ebbe-60f4-6fba-26dca0ad0b98@redhat.com>
In-Reply-To: 20240405144423.15717.2479@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> The problem was definitely the ra-agent.pem. I generated a new one and imported it to ~/.dogtag/nssdb, LDAP and placed the pem and key in /var/lib/ipa/
>
> Now I can verify the certificate with the openssl verify command. Additionally the error in the UI is gone and running an 'ipa cert-show 1' works and doesn't return the error I was seeing.
>
> The last piece here is replicating the new certificates to the other 5 hosts in the cluster. Is there a method to do that or should I import the new certs manually on the other hosts?
If you put the certificates into cn=,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX then the other servers
will pick them up assuming that replication is working.
rob
From twest at cherryroad.com Fri Apr 5 17:06:49 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 17:06:27 +0000
Message-ID: <20240405170627.8912.80982@mailman01.iad2.fedoraproject.org>
In-Reply-To: 5f9263b3-ebbe-60f4-6fba-26dca0ad0b98@redhat.com
Thanks Rob! New certs are all replicated and all IPA services are started on all 6 servers.
I can perform 'ipa cert-show 1' on all 6 and get the expected result.
As a sanity check I did run the ipa-healthcheck on all 6 servers. One of them came back fine, the other 5 returned
[
  {
    "source": "ipahealthcheck.ipa.dna",
    "kw": {
      "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created.",
      "range_start": 0,
      "next_start": 0,
      "next_max": 0,
      "range_max": 0
    },
    "uuid": "70636197-0b3e-4424-b509-1aa7f8be084d",
    "duration": "0.706384",
    "when": "20240405170045Z",
    "check": "IPADNARangeCheck",
    "result": "WARNING"
  }
]
Now it's just a WARNING, and since the one didn't return it (they're all denoted as MASTER) maybe it's okay?
From rcritten at redhat.com Fri Apr 5 17:38:21 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 13:38:05 -0400
Message-ID:
In-Reply-To: 20240405170627.8912.80982@mailman01.iad2.fedoraproject.org
Travis West via FreeIPA-users wrote:
> Thanks Rob! New certs are all replicated and all IPA services are started on all 6 servers.
> I can perform 'ipa cert-show 1' on all 6 and get the expected result.
>
> As a sanity check I did run the ipa-healthcheck on all 6 servers. One of them came back fine, the other 5 returned
>
> [
>   {
>     "source": "ipahealthcheck.ipa.dna",
>     "kw": {
>       "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created.",
>       "range_start": 0,
>       "next_start": 0,
>       "next_max": 0,
>       "range_max": 0
>     },
>     "uuid": "70636197-0b3e-4424-b509-1aa7f8be084d",
>     "duration": "0.706384",
>     "when": "20240405170045Z",
>     "check": "IPADNARangeCheck",
>     "result": "WARNING"
>   }
> ]
>
> Now it's just a WARNING, and since the one didn't return it (they're all denoted as MASTER) maybe it's okay?
It just means that when you add users or groups you do it against the
same IPA server. If you do it on others then it will split the range
between them as needed. Not a bad thing but it gets complex if you add
and remove a lot of servers, particularly older ones. I made changes a
few years ago to try to capture ranges that would otherwise be lost but
it's sort of a best effort kind of thing.
The purpose of this is to ensure that at least one server has a range.
Currently healthcheck only validates the server it is running on and
doesn't do much cluster-wide checking.
rob
From twest at cherryroad.com Fri Apr 5 17:45:52 2024
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 17:45:31 +0000
Message-ID: <20240405174531.16260.75916@mailman01.iad2.fedoraproject.org>
In-Reply-To: f1bdb9e0-4904-9f6b-3b61-af14d8e1c219@redhat.com
Alright, so 'ipa idrange-find' returns the same values on all 6 servers.
However, ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' returns different results on 1 (the one where I don't get that warning with the healthcheck). The other 5 return
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=ipa,dc=superb,dc=net
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ipa,dc=superb,dc=net
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
Which seems to match your blog post from 2015 about this.
Since I cannot be sure which IPA server will be used when enrolling new hosts, would it be best to try to fix this? I suppose the same can be said for when new users are added. If done manually I can be sure it will be done on the same host, but we have an internal system that also creates the user in IPA and I think that would just use whichever one is closest.
--===============9061026692420371255==--
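As an added example (not code from the thread or from FreeIPA), the Python below parses the DNA config entry output posted above for several servers and reports which of them still hold a usable range (dnaNextValue not yet past dnaMaxValue), which is the condition Rob describes the check as being about. The first sample reuses the values posted above; the server names and the sixth server's values are constructed.

```python
"""Check Distributed Numeric Assignment (DNA) ranges across IPA servers.

Added example, not code from the thread or from FreeIPA. Each input is the
LDIF text of the 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,
cn=plugins,cn=config' entry as printed by the ldapsearch command in the
thread; the first sample reuses the values posted above, the second is
constructed to look like a server that does hold a range.
"""
from dataclasses import dataclass
from typing import Dict, List

# Values posted in the thread for the 5 servers that raise the warning.
EXHAUSTED_LDIF = """\
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=ipa,dc=superb,dc=net
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ipa,dc=superb,dc=net
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
"""

# Constructed: a server that still owns a large block of IDs.
HEALTHY_LDIF = """\
dnaMagicRegen: -1
dnaMaxValue: 1999999
dnaNextValue: 1200
dnaScope: dc=ipa,dc=superb,dc=net
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
"""


@dataclass
class DnaRange:
    server: str
    next_value: int
    max_value: int
    threshold: int

    @property
    def remaining(self) -> int:
        # IDs this server can still hand out; 0 once nextValue passes maxValue.
        return max(0, self.max_value - self.next_value + 1)

    @property
    def holds_range(self) -> bool:
        return self.remaining > 0

    @property
    def below_threshold(self) -> bool:
        # Fewer than dnaThreshold IDs left: the server will ask a peer for more.
        return 0 < self.remaining < self.threshold


def parse_dna_ldif(server: str, ldif: str) -> DnaRange:
    """Pull the numeric DNA attributes out of one entry's LDIF text."""
    attrs: Dict[str, str] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), value.strip())  # keep first of repeats
    return DnaRange(
        server=server,
        next_value=int(attrs["dnaNextValue"]),
        max_value=int(attrs["dnaMaxValue"]),
        threshold=int(attrs.get("dnaThreshold", "0")),
    )


def assess_cluster(ranges: List[DnaRange]) -> Dict[str, object]:
    """Summarise which servers hold a range; the cluster needs at least one."""
    holders = [r.server for r in ranges if r.holds_range]
    low = [r.server for r in ranges if r.below_threshold]
    exhausted = [r.server for r in ranges if not r.holds_range]
    return {
        "holds_range": holders,
        "exhausted": exhausted,
        "low": low,
        "cluster_ok": bool(holders),  # someone can still allocate IDs
    }


def run_demo() -> Dict[str, object]:
    """Five servers with the posted values plus one constructed healthy one."""
    ranges = [parse_dna_ldif(f"ipa{i}", EXHAUSTED_LDIF) for i in range(1, 6)]
    ranges.append(parse_dna_ldif("ipa6", HEALTHY_LDIF))
    return assess_cluster(ranges)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real deployment, feed `parse_dna_ldif` the output of the ldapsearch command quoted above from each server in turn.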
From twest at cherryroad.com Fri Apr 5 17:47:59 2024
Content-Type: multipart/mixed; boundary="===============7104534402651829077=="
MIME-Version: 1.0
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 17:47:50 +0000
Message-ID: <20240405174750.16904.32388@mailman01.iad2.fedoraproject.org>
In-Reply-To: f1bdb9e0-4904-9f6b-3b61-af14d8e1c219@redhat.com
--===============7104534402651829077==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
I tried adding a test user on one of the servers that returned that warning and the new user didn't appear on the others.
So maybe replication is broken.
--===============7104534402651829077==--
From twest at cherryroad.com Fri Apr 5 18:44:46 2024
Content-Type: multipart/mixed; boundary="===============3198028164042219620=="
MIME-Version: 1.0
From: Travis West
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: CA Subsystem certificate
Date: Fri, 05 Apr 2024 18:44:24 +0000
Message-ID: <20240405184424.26245.43434@mailman01.iad2.fedoraproject.org>
In-Reply-To: f1bdb9e0-4904-9f6b-3b61-af14d8e1c219@redhat.com
--===============3198028164042219620==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
I take that back. Replication is working on 4/6 servers.
If I add a user on any of those 4 it shows up on the other 3. The 2 outliers don't seem to pick up the new user. If I check the 2 outliers I get this:
Error (18) Replication error acquiring replica: Incremental update transient error. Backing off, will retry update later. (transient error)
Which seems to be saying that it's just delayed, which can sometimes happen in an MMR setup. I will recheck these 2 later to see if they eventually pick up the new test user I've created and that is present on 4 of them.
--===============3198028164042219620==--
From hgcoin at gmail.com Sun Apr 7 13:21:00 2024
Content-Type: multipart/mixed; boundary="===============8804765862503956718=="
MIME-Version: 1.0
From: Harry G Coin
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] 'ipk11id length should not be 0' -- 'restart counter
at 811' how to correct?
Date: Sun, 07 Apr 2024 08:20:45 -0500
Message-ID: <403fe776-242b-4b7f-b801-c8840cc99fa4@gmail.com>
--===============8804765862503956718==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
What's the correct way to correct the cause of this error message? There is no guidance online I can find. I first saw it a few years ago; it's back. ipa-ods-exporter emits this assertion, then quits.
ipk11id length should not be 0
This system hosts the dnssec master db. There is one replica. That's it.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Scheduled restart job, restart counter is at 811.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: Stopped IPA OpenDNSSEC Signer replacement.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 2.876s CPU time.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: Started IPA OpenDNSSEC Signer replacement.
Apr 07 08:12:09 registry1.1.quietfountain.com ipa-ods-exporter[857534]: ipa-ods-exporter: INFO     To increase debugging set debug=True in dns.conf See default.conf(5) for details
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: Traceback (most recent call last):
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 718, in
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: ldap2master_replica_keys_sync(ldapkeydb, localhsm)
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 295, in ldap2master_replica_keys_sync
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: hex_set(localhsm.replica_pubkeys_wrap))
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 130, in replica_pubkeys_wrap
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY,
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 114, in find_keys
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     key = Key(self.p11, h)
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 38, in __init__
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     assert len(cka_id) != 0, 'ipk11id length should not be 0'
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: AssertionError: ipk11id length should not be 0
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 2.938s CPU time.
on
[root(a)registry1 ~]# dnf info ipa-server
Last metadata expiration check: 3:19:38 ago on Sun 07 Apr 2024 04:55:29 AM CDT.
Installed Packages
Name         : ipa-server
Version      : 4.10.2
Release      : 8.el9_3.alma.1
Architecture : x86_64
Size         : 1.1 M
Source       : ipa-4.10.2-8.el9_3.alma.1.src.rpm
Repository   : @System
From repo    : appstream
Summary      : The IPA authentication server
5.14.0-362.24.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 20 04:52:13 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
p11 tools has one entry that has no id, no label, RSA of 0 byte length, with also the 'wrap' flag. There's no obvious way to track that back to a file-- if that's even the right path to explore.
It's pretty much dead until this is solved.
--===============8804765862503956718==--
From wdh at dds.nl Wed Apr 10 09:34:30 2024
Content-Type: multipart/mixed; boundary="===============1991240808166781822=="
MIME-Version: 1.0
From: Winfried de Heiden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Extra objectClass for new IPA group
Date: Wed, 10 Apr 2024 11:34:11 +0200
Message-ID: <55fadd1d-aded-4ea0-9c8f-aa5fd9f904bb@dds.nl>
--===============1991240808166781822==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi all,
Following documentation as provided on:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses-groups#doc-wrapper
adding an extra objectClass (groupOfUniqueNames in this case) to newly created groups turned out to be easy.
It seems we depend on this objectClass and its attribute "uniqueMember" because of existing applications. Adding the latter attribute will only work from the CLI. (ipa group-mod dummy3 --addattr=uniqueMember=uid=someuser,cn=users,cn=accounts,dc=example,dc=com)
OK, this seems to work well, but the objectClass will be added to ALL newly created groups since the objectClass is added to the defaults. Now, let's say I want to add an extra objectClass to only one newly created group; how would that be possible? The "ipa group-add" command does not provide such an option, does it?
FYI, I'm running/testing IPA version: 4.11.0 on RHEL 9.4 Beta :)
The new attributes will not be visible in the webUI, only using the CLI (or good-old Apache Directory Studio or ldapsearch). Correct?
-- 
With kind regards,
Winfried de Heiden
wdh(a)dds.nl
--===============1991240808166781822==--
From rcritten at redhat.com Wed Apr 10 15:13:17 2024
Content-Type: multipart/mixed; boundary="===============3474676102824840688=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Extra objectClass for new IPA group
Date: Wed, 10 Apr 2024 11:13:00 -0400
Message-ID: <16bd9a7a-f054-753f-3f09-f907d310a1c8@redhat.com>
In-Reply-To: 55fadd1d-aded-4ea0-9c8f-aa5fd9f904bb@dds.nl
--===============3474676102824840688==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
>
> Following documentation as provided on:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses-groups#doc-wrapper
>
> adding an extra objectClass (groupOfUniqueNames in this case) to newly
> created groups turned out to be easy.
>
> It seems we depend on this objectClass and its attribute "uniqueMember"
> because of existing applications. Adding the latter attribute will only
> work from the CLI. (ipa group-mod dummy3
> --addattr=uniqueMember=uid=someuser,cn=users,cn=accounts,dc=example,dc=com)
Let me guess, vSphere?
You can try https://www.freeipa.org/page/HowTo/vsphere5_integration but
it's very old. I can't guarantee it will work.
It has the benefit that rather than manually modifying your entries the
extra attributes are calculated on the fly.
rob
>
> OK, this seems to work well, but the objectClass will be added to ALL
> newly created groups since the objectClass is added to the defaults.
> Now, let's say I want to add an extra objectClass to only one newly
> created group; how would that be possible? The "ipa group-add"
> command does not provide such an option, does it?
>
> FYI, I'm running/testing IPA version: 4.11.0 on RHEL 9.4 Beta :)
>
> The new attributes will not be visible in the webUI, only using the CLI
> (or good-old Apache Directory Studio or ldapsearch). Correct?
>
> -- 
> With kind regards,
>
> Winfried de Heiden
> wdh(a)dds.nl
>
>
--===============3474676102824840688==--
From orion at nwra.com Wed Apr 10 22:34:01 2024
Content-Type: multipart/mixed; boundary="===============8164727226344116697=="
MIME-Version: 1.0
From: Orion Poplawski
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Cannot retrieve CRL from new EL9 IPA replica
Date: Wed, 10 Apr 2024 16:33:20 -0600
Message-ID:
--===============8164727226344116697==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
I've just added an EL9 IPA replica into our domain. It seems to generally be
working fine, but trying to download the MasterCRL.bin fails:
==> /var/log/httpd/access_log <==
10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ipa/crl/MasterCRL.bin
HTTP/1.1" 301 293 "-" "curl/7.76.1"
==> /var/log/httpd/error_log <==
[Wed Apr 10 14:14:17.830119 2024] [proxy_ajp:error] [pid 28001:tid 28040]
(70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't
receive header
[Wed Apr 10 14:14:17.830249 2024] [proxy_ajp:error] [pid 28001:tid 28040]
[client 10.20.0.37:35124] AH00992: ajp_read_header: ajp_ilink_receive failed
[Wed Apr 10 14:14:17.830261 2024] [proxy_ajp:error] [pid 28001:tid 28040]
(70007)The timeout specified has expired: [client 10.20.0.37:35124] AH00878:
read response failed from [::1]:8009 (localhost:8009)
==> /var/log/httpd/access_log <==
10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET
/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL HTTP/1.1" 500 527 "-"
"curl/7.76.1"
I'm not sure where else to look for logs.
TIA,
Orion
-- 
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
--===============8164727226344116697==--
From bo.langgaard.lind at gmail.com Thu Apr 11 09:15:13 2024
Content-Type: multipart/mixed; boundary="===============0776682702867456909=="
MIME-Version: 1.0
From: Bo Lind
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] httpd uses 2x100% CPU
Date: Thu, 11 Apr 2024 09:15:01 +0000
Message-ID: <20240411091501.19374.32160@mailman01.iad2.fedoraproject.org>
--===============0776682702867456909==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
I just went to check on one of my replicas, and noticed that the IPA web server seems to use a lot of CPU:
From htop:
PID USER PRI NI VIRT RES SHR S CPU%▽MEM% TIME+ Command
507664 ipaapi 20 0 1353M 459M 16656 S 100.8 0.2 24h15:19 (wsgi:ipa) -DFOREGROUND
507984 ipaapi 20 0 1353M 459M 16656 R 100.8 0.2 24h15:12 (wsgi:ipa) -DFOREGROUND
From top:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
507664 ipaapi 20 0 1385892 470580 16656 S 100.0 0.2 1456:06 httpd
I checked /var/log/httpd/access_log and error_log, but there was nothing out of the ordinary.
I have not yet restarted the service/machine, as it's in production.
Any ideas?
--===============0776682702867456909==--
From wdh at dds.nl Thu Apr 11 09:58:14 2024
Content-Type: multipart/mixed; boundary="===============7929516368166767436=="
MIME-Version: 1.0
From: Winfried de Heiden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Extra objectClass for new IPA group
Date: Thu, 11 Apr 2024 11:57:58 +0200
Message-ID: <2d708a8c-43ae-4cbd-a226-e278f6d74244@dds.nl>
In-Reply-To: 16bd9a7a-f054-753f-3f09-f907d310a1c8@redhat.com
--===============7929516368166767436==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi all,
Nice tip, but no: not vSphere, although it might be useful later; so thanks.
We need it for several self-built applications.
With kind regards,
Winfried de Heiden
wdh(a)dds.nl
On 10-04-2024 at 17:13, Rob Crittenden wrote:
> Winfried de Heiden via FreeIPA-users wrote:
>> Hi all,
>>
>> Following documentation as provided on:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses-groups#doc-wrapper
>>
>> adding an extra objectClass (groupOfUniqueNames in this case) to newly
>> created groups turned out to be easy.
>>
>> It seems we depend on this objectClass and its attribute "uniqueMember"
>> because of existing applications. Adding the latter attribute will only
>> work from the CLI. (ipa group-mod dummy3
>> --addattr=uniqueMember=uid=someuser,cn=users,cn=accounts,dc=example,dc=com)
> Let me guess, vSphere?
>
> You can try https://www.freeipa.org/page/HowTo/vsphere5_integration but
> it's very old. I can't guarantee it will work.
>
> It has the benefit that rather than manually modifying your entries the
> extra attributes are calculated on the fly.
>
> rob
>
>
>> OK, this seems to work well, but the objectClass will be added to ALL
>> newly created groups since the objectClass is added to the defaults.
>> Now, let's say I want to add an extra objectClass to only one newly
>> created group; how would that be possible? The "ipa group-add"
>> command does not provide such an option, does it?
>>
>> FYI, I'm running/testing IPA version: 4.11.0 on RHEL 9.4 Beta :)
>>
>> The new attributes will not be visible in the webUI, only using the CLI
>> (or good-old Apache Directory Studio or ldapsearch). Correct?
>>
>> -- 
>> With kind regards,
>>
>> Winfried de Heiden
>> wdh(a)dds.nl
>>
>>
--===============7929516368166767436==--
From sam at robots.org.uk Thu Apr 11 14:24:11 2024
Content-Type: multipart/mixed; boundary="===============1734229441309970215=="
MIME-Version: 1.0
From: Sam Morris
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: "Credential cache is empty" error preventing
certmonger from renewing a host's certificate
Date: Thu, 11 Apr 2024 15:23:24 +0100
Message-ID:
In-Reply-To: e027b8c6-2b74-ad7d-81a4-ed89ebc24f85@robots.org.uk
--===============1734229441309970215==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
On 21/06/2023 09:02, Sam Morris via FreeIPA-users wrote:
> On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:
>> I've got an IPA client on which certmonger is unable to renew a
>> certificate.
>>
>> Here are the log messages from certmonger...
>>
>>      2023-06-20 08:24:49 [622035] Certificate submission attempt
>> complete.
>>      2023-06-20 08:24:49 [622035] Child status = 2.
>>      2023-06-20 08:24:49 [622035] Child output:
>>      "Server at https://ipa5.ipa.example.com/ipa/json denied our
>> request, giving up: 2100 (Insufficient access: SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (Credential cache is >
>>      "
>>      2023-06-20 08:24:49 [622035] Server at
>> https://ipa5.ipa.example.com/ipa/json denied our request, giving up:
>> 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more infor>
>>
> Today I restarted certmonger (in order to increase its debug level) and
> the newly-started instance immediately resubmitted its request and was
> issued with a new certificate. So I guess the problem was on the client
> after all.
(Posting to complete the thread)
With hindsight this must be the same issue I reported a couple of months later, , which was ultimately fixed in .
-- 
Sam Morris
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
--===============1734229441309970215==--
From flo at redhat.com Thu Apr 11 15:03:57 2024
Content-Type: multipart/mixed; boundary="===============7283073431009824792=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica
Date: Thu, 11 Apr 2024 17:03:29 +0200
Message-ID:
In-Reply-To: a1675df1-e47b-4f36-8e1a-cf3adc9518cb@nwra.com
--===============7283073431009824792==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi,
On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> I've just added an EL9 IPA replica into our domain. I seems to generally
> be
> working fine, but trying to download the MasterCRL.bin fails:
>
> ==> /var/log/httpd/access_log <==
> 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ipa/crl/MasterCRL.bin
> HTTP/1.1" 301 293 "-" "curl/7.76.1"
>
> ==> /var/log/httpd/error_log <==
> [Wed Apr 10 14:14:17.830119 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> (70007)The timeout specified has expired: AH01030: ajp_ilink_receive()
> can't
> receive header
> [Wed Apr 10 14:14:17.830249 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> [client 10.20.0.37:35124] AH00992: ajp_read_header: ajp_ilink_receive
> failed
> [Wed Apr 10 14:14:17.830261 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> (70007)The timeout specified has expired: [client 10.20.0.37:35124]
> AH00878:
> read response failed from [::1]:8009 (localhost:8009)
>
> ==> /var/log/httpd/access_log <==
> 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET
> /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL HTTP/1.1" 500 527 "-"
> "curl/7.76.1"
>
> I'm not sure where else to look for logs.
>
If you are requesting the MasterCRL.bin file on a replica that is not the
CRL generation master, the URL is transferred to the local CA server at
http://replica.ipa.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
(this is configured in /etc/httpd/conf.d/ipa-pki-proxy.conf).
Then the calls to /ca/ee/ca/getCRL are handled by an AJP connector
(LocationMatch defined in /etc/httpd/conf.d/ipa-pki-proxy.conf using
ajp://localhost:8009). The AJP connector is defined
in /etc/pki/pki-tomcat/server.xml and should be using the loopback address.
There can be issues if your /etc/hosts does not contain the following lines:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
You can have a look
in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt and check if the
request really reached the PKI server. Then check logs
in /var/log/pki/pki-tomcat/ca/debug.$DATE.log
HTH,
flo
> TIA,
> Orion
>
> --
> Orion Poplawski
> he/him/his - surely the least important thing about me
> Manager of IT Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane orion(a)nwra.com
> Boulder, CO 80301 https://www.nwra.com/
--===============7283073431009824792==--
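As an added check (not code from the thread or from FreeIPA), the Python below applies the /etc/hosts caveat in Flo's reply above: it parses hosts-file text and reports which of the loopback names she lists are missing for 127.0.0.1 and ::1, and additionally whether any non-loopback address has been given the name localhost, in which case ajp://localhost:8009 would not reach the local connector. The two sample hosts files and the address 10.20.0.5 are constructed.

```python
"""Check that /etc/hosts carries the loopback entries the AJP proxy relies on.

Added example, not from the thread or from FreeIPA. It takes hosts-file text
(constructed samples below; on a real replica pass open('/etc/hosts').read())
and reports missing loopback names plus any non-loopback address that
claims 'localhost', since ajp://localhost:8009 would then leave the host.
"""
import ipaddress
from typing import Dict, List, Set

# The two lines the reply above says a replica's /etc/hosts should contain.
REQUIRED_LOOPBACK: Dict[str, Set[str]] = {
    "127.0.0.1": {"localhost", "localhost.localdomain",
                  "localhost4", "localhost4.localdomain4"},
    "::1": {"localhost", "localhost.localdomain",
            "localhost6", "localhost6.localdomain6"},
}

# Constructed sample: complete loopback lines plus the replica's own address.
GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.20.0.5   replica.ipa.test replica
"""

# Constructed sample: IPv6 loopback line missing and 'localhost' pinned to
# the host's routable address as well.
BAD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
10.20.0.5   replica.ipa.test replica localhost   # added by someone in a hurry
"""


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each address to every name given for it, merging repeated lines."""
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises 0:0::1
        except ValueError:
            continue  # malformed address field; ignored here
        table.setdefault(addr, set()).update(fields[1:])
    return table


def missing_loopback_names(text: str) -> Dict[str, List[str]]:
    """Per loopback address, the required names the file does not give it."""
    table = parse_hosts(text)
    missing: Dict[str, List[str]] = {}
    for addr, names in REQUIRED_LOOPBACK.items():
        gap = sorted(names - table.get(addr, set()))
        if gap:
            missing[addr] = gap
    return missing


def localhost_on_non_loopback(text: str) -> List[str]:
    """Addresses outside the loopback ranges that carry the name 'localhost'."""
    bad = [addr for addr, names in parse_hosts(text).items()
           if "localhost" in names
           and not ipaddress.ip_address(addr).is_loopback]
    return sorted(bad)


if __name__ == "__main__":
    for label, sample in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, "missing:", missing_loopback_names(sample))
        print(label, "localhost elsewhere:", localhost_on_non_loopback(sample))
```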
From rcritten at redhat.com Thu Apr 11 15:48:37 2024
Content-Type: multipart/mixed; boundary="===============3381513398903433460=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: httpd uses 2x100% CPU
Date: Thu, 11 Apr 2024 11:48:22 -0400
Message-ID: <49098ec9-1069-a7cd-0c7e-9414fedfb3ac@redhat.com>
In-Reply-To: 20240411091501.19374.32160@mailman01.iad2.fedoraproject.org
--===============3381513398903433460==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Bo Lind via FreeIPA-users wrote:
> I just went to check on one of my replicas, and noticed that the IPA web server seems to use a lot of CPU:
>
> From htop:
> PID USER PRI NI VIRT RES SHR S CPU%▽MEM% TIME+ Command
> 507664 ipaapi 20 0 1353M 459M 16656 S 100.8 0.2 24h15:19 (wsgi:ipa) -DFOREGROUND
> 507984 ipaapi 20 0 1353M 459M 16656 R 100.8 0.2 24h15:12 (wsgi:ipa) -DFOREGROUND
>
> From top:
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 507664 ipaapi 20 0 1385892 470580 16656 S 100.0 0.2 1456:06 httpd
>
> I checked /var/log/httpd/access_log and error_log, but there was nothing out of the ordinary.
>
> I have not yet restarted the service/machine, as it's in production.
>
> Any ideas?
You said you looked at the logs but not what you looked at. Is the
server being hammered with requests?
strace would be a brute force way of seeing what it is doing but it
might not be easy to find from what I expect to be gigantic output what
is going on.
rob
--===============3381513398903433460==--
From orion at nwra.com Thu Apr 11 16:02:22 2024
Content-Type: multipart/mixed; boundary="===============8384887239569975922=="
MIME-Version: 1.0
From: Orion Poplawski
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica
Date: Thu, 11 Apr 2024 10:02:00 -0600
Message-ID: <9fc297f6-d0bb-4f58-8db0-9db92111be14@nwra.com>
In-Reply-To: CAFDg7JxxqCfV70BL-BWp9mvbso2sesMwLg_ZPOEZCUcOGUsHiA@mail.gmail.com
--===============8384887239569975922==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
On 4/11/24 09:03, Florence Blanc-Renaud wrote:
> Hi,
>
> On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users
> > wrote:
>
> I've just added an EL9 IPA replica into our domain.  It seems to generally be
> working fine, but trying to download the MasterCRL.bin fails:
>
> ==> /var/log/httpd/access_log <==
> 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ipa/crl/MasterCRL.bin
> HTTP/1.1" 301 293 "-" "curl/7.76.1"
>
> ==> /var/log/httpd/error_log <==
> [Wed Apr 10 14:14:17.830119 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> (70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't
> receive header
> [Wed Apr 10 14:14:17.830249 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> [client 10.20.0.37:35124 ] AH00992:
> ajp_read_header: ajp_ilink_receive failed
> [Wed Apr 10 14:14:17.830261 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> (70007)The timeout specified has expired: [client 10.20.0.37:35124
> ] AH00878:
> read response failed from [::1]:8009 (localhost:8009)
>
> ==> /var/log/httpd/access_log <==
> 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET
> /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL HTTP/1.1" 500 527 "-"
> "curl/7.76.1"
>
> I'm not sure where else to look for logs.
>
>
> If you are requesting the MasterCRL.bin file on a replica that is not the CRL
> generation master, the URL is transferred to the local CA server
> at http://replica.ipa.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>
> (this is configured in /etc/httpd/conf.d/ipa-pki-proxy.conf).
>
> Then the calls to /ca/ee/ca/getCRL are handled by an AJP connector
> (LocationMatch defined in /etc/httpd/conf.d/ipa-pki-proxy.conf using
> ajp://localhost:8009). The AJP connector is defined
> in /etc/pki/pki-tomcat/server.xml and should be using the loopback address.
> There can be issues if your /etc/hosts does not contain the following lines:
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> You can have a look in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt
> and check if the request really reached the PKI server. Then check logs
> in /var/log/pki/pki-tomcat/ca/debug.$DATE.log
The machine in question is not the CRL generator. We are getting redirected
to /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL on that machine. But
it is that request that is timing out.
Looks like the tomcat server may be hosed:
Apr 05 00:01:00 server[5758]: java.util.logging.ErrorManager: 1: FileHandler
is closed or not yet initialized, unable to log [2024-04-05 00:01:00 [Timer-0]
INFO: SessionTimer: checking security domain sessions
Apr 05 00:01:00 server[5758]: ]
Apr 05 00:01:02 server[5758]: java.util.logging.ErrorManager: 1: FileHandler
is closed or not yet initialized, unable to log [2024-04-05 00:01:02
[pool-1-thread-1] SEVERE: Unable to run maintenance task: access denied
("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
Apr 05 00:01:02 server[5758]: java.security.AccessControlException: access
denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
Apr 05 00:01:02 server[5758]: at
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Apr 06 00:01:13 server[16841]: java.util.logging.ErrorManager: 1: FileHandler
is closed or not yet initialized, unable to log [2024-04-06 00:01:13
[pool-1-thread-1] SEVERE: Unable to run maintenance task: access denied
("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
Apr 06 00:01:13 server[16841]: java.security.AccessControlException: access
denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
Apr 06 00:01:13 server[16841]: at
java.base/java.security.AccessControlContext.checkPermis
Apr 06 00:01:14 server[16841]: java.util.logging.ErrorManager: 1: FileHandler
is closed or not yet initialized, unable to log [2024-04-06 00:01:14
[KeyStatusUpdateTask] WARNING: Repository: Unable to check next range: access
denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/kra" "read")
Apr 06 00:01:14 server[16841]: java.security.AccessControlException: access
denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/kra" "read")
Apr 06 00:01:14 server[16841]: at
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Apr 06 00:01:14 server[16841]: at
java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
And that's where logging ends.
Rebooted and everything is fine now. We had some IO lockups on that machine
and I guess that put things into a bad state.
Thanks for the pointers.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
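A preflight for the CRL path Florence describes, added here as an example and not code from the thread or from FreeIPA: it checks the loopback entries in /etc/hosts, the bind address of the AJP/1.3 connector in /etc/pki/pki-tomcat/server.xml, and how getCRL requests fared in httpd's access_log. File paths are parameters so it can run against copies; the files used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for fetching MasterCRL.bin on a
# replica that is not the CRL generator. Every function takes a file path; the
# real ones are /etc/hosts, /etc/pki/pki-tomcat/server.xml and
# /var/log/httpd/access_log.

# Return 0 if the hosts file maps both 127.0.0.1 and ::1 to the bare name
# "localhost" (comment lines are ignored).
check_hosts_loopback() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") v4 = 1 }
        $1 == "::1"       { for (i = 2; i <= NF; i++) if ($i == "localhost") v6 = 1 }
        END { exit ((v4 && v6) ? 0 : 1) }'
}

# Print every AJP/1.3 <Connector> in a Tomcat server.xml with its bind address
# and return 0 only if all of them are bound to loopback, which is what the
# ajp://localhost:8009 proxy in ipa-pki-proxy.conf expects. XML comments are
# stripped first so a commented-out example connector is not reported.
check_ajp_loopback() {
    tr '\n' ' ' < "$1" \
      | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }' \
      | grep -o '<Connector[^>]*>' \
      | awk '
        /protocol="AJP\/1\.3"/ {
            n++
            addr = "<unset>"
            if (match($0, /address="[^"]*"/))
                addr = substr($0, RSTART + 9, RLENGTH - 10)   # strip address="..."
            if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
                printf "AJP connector bound to %s: ok\n", addr
            else {
                printf "AJP connector bound to %s: NOT loopback\n", addr
                bad++
            }
        }
        END {
            if (n == 0) { print "no AJP/1.3 connector found"; exit 1 }
            exit (bad ? 1 : 0)
        }'
}

# Summarise how getCRL requests fared in an httpd access_log (combined log
# format, HTTP status is the 9th field): prints "<status> <count>" per status.
# A 301 on /ipa/crl/MasterCRL.bin followed by a 500 on getCRL is the pattern
# from the thread: httpd redirected, but pki-tomcat never answered over AJP.
getcrl_status_summary() {
    grep -F 'GET /ca/ee/ca/getCRL' "$1" \
      | awk '{ st[$9]++ } END { for (s in st) print s, st[s] }' \
      | sort
}

# Stand-alone use on a replica: sh crl_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    if check_hosts_loopback /etc/hosts; then
        echo "/etc/hosts: loopback entries present"
    else
        echo "/etc/hosts: missing 127.0.0.1 and/or ::1 localhost entries"
    fi
    check_ajp_loopback /etc/pki/pki-tomcat/server.xml
    echo "getCRL responses in /var/log/httpd/access_log (status count):"
    getcrl_status_summary /var/log/httpd/access_log
fi
```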
From flo at redhat.com Fri Apr 12 14:07:07 2024
Content-Type: multipart/mixed; boundary="===============3396695578579038944=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica
Date: Fri, 12 Apr 2024 16:06:30 +0200
Message-ID:
In-Reply-To: 9fc297f6-d0bb-4f58-8db0-9db92111be14@nwra.com
--===============3396695578579038944==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi,
On Thu, Apr 11, 2024 at 6:02 PM Orion Poplawski wrote:
> On 4/11/24 09:03, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users
> > wrote:
> >
> > I've just added an EL9 IPA replica into our domain. It seems to generally be
> > working fine, but trying to download the MasterCRL.bin fails:
> >
> > ==> /var/log/httpd/access_log <==
> > 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ipa/crl/MasterCRL.bin
> > HTTP/1.1" 301 293 "-" "curl/7.76.1"
> >
> > ==> /var/log/httpd/error_log <==
> > [Wed Apr 10 14:14:17.830119 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> > (70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't
> > receive header
> > [Wed Apr 10 14:14:17.830249 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> > [client 10.20.0.37:35124 ] AH00992:
> > ajp_read_header: ajp_ilink_receive failed
> > [Wed Apr 10 14:14:17.830261 2024] [proxy_ajp:error] [pid 28001:tid 28040]
> > (70007)The timeout specified has expired: [client 10.20.0.37:35124
> > ] AH00878:
> > read response failed from [::1]:8009 (localhost:8009)
> >
> > ==> /var/log/httpd/access_log <==
> > 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET
> > /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL HTTP/1.1" 500 527 "-"
> > "curl/7.76.1"
> >
> > I'm not sure where else to look for logs.
> >
> >
> > If you are requesting the MasterCRL.bin file on a replica that is not the CRL
> > generation master, the URL is transferred to the local CA server
> > at http://replica.ipa.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> > (this is configured in /etc/httpd/conf.d/ipa-pki-proxy.conf).
> >
> > Then the calls to /ca/ee/ca/getCRL are handled by an AJP connector
> > (LocationMatch defined in /etc/httpd/conf.d/ipa-pki-proxy.conf using
> > ajp://localhost:8009). The AJP connector is defined
> > in /etc/pki/pki-tomcat/server.xml and should be using the loopback address.
> > There can be issues if your /etc/hosts does not contain the following lines:
> > 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> >
> > You can have a look in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt
> > and check if the request really reached the PKI server. Then check logs
> > in /var/log/pki/pki-tomcat/ca/debug.$DATE.log
>
> The machine in question is not the CRL generator. We are getting redirected
> to /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL on that machine. But
> it is that request that is timing out.
>
> Looks like the tomcat server may be hosed:
>
> Apr 05 00:01:00 server[5758]: java.util.logging.ErrorManager: 1: FileHandler
> is closed or not yet initialized, unable to log [2024-04-05 00:01:00 [Timer-0]
> INFO: SessionTimer: checking security domain sessions
> Apr 05 00:01:00 server[5758]: ]
> Apr 05 00:01:02 server[5758]: java.util.logging.ErrorManager: 1: FileHandler
> is closed or not yet initialized, unable to log [2024-04-05 00:01:02
> [pool-1-thread-1] SEVERE: Unable to run maintenance task: access denied
> ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
> Apr 05 00:01:02 server[5758]: java.security.AccessControlException: access
> denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
> Apr 05 00:01:02 server[5758]: at
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
>
> Apr 06 00:01:13 server[16841]: java.util.logging.ErrorManager: 1: FileHandler
> is closed or not yet initialized, unable to log [2024-04-06 00:01:13
> [pool-1-thread-1] SEVERE: Unable to run maintenance task: access denied
> ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
> Apr 06 00:01:13 server[16841]: java.security.AccessControlException: access
> denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
> Apr 06 00:01:13 server[16841]: at
> java.base/java.security.AccessControlContext.checkPermis
>
> Apr 06 00:01:14 server[16841]: java.util.logging.ErrorManager: 1: FileHandler
> is closed or not yet initialized, unable to log [2024-04-06 00:01:14
> [KeyStatusUpdateTask] WARNING: Repository: Unable to check next range: access
> denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/kra" "read")
> Apr 06 00:01:14 server[16841]: java.security.AccessControlException: access
> denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/kra" "read")
> Apr 06 00:01:14 server[16841]: at
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
> Apr 06 00:01:14 server[16841]: at
> java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
>
Based on your logs and the 00:01:xx timestamp, I believe you are hitting
this issue:
https://github.com/dogtagpki/pki/issues/4703
After the logs are rotated, pki often has problems accessing its log files.
Can you add your problem to the above ticket? It will help prioritize the
problem.
Thanks,
flo
> And that's where logging ends.
>
> Rebooted and everything is fine now. We had some IO lockups on that
> machine
> and I guess that put things into a bad state.
>
> Thanks for the pointers.
>
>
> --
> Orion Poplawski
> he/him/his - surely the least important thing about me
> Manager of IT Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane orion(a)nwra.com
> Boulder, CO 80301 https://www.nwra.com/
>
>
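Detection for the post-logrotate signature Florence points to, added here as an example and not code from the thread or from the pki project: it scans journal lines for pki-tomcat's FilePermission denials under /var/lib/pki/pki-tomcat/logs and reports them per subsystem. The "rotate-window" flag (first denial within five minutes after midnight) is a heuristic assumed here, and the journal lines used in the test are an unwrapped, constructed copy of the ones Orion posted.

```shell
#!/bin/sh
# Added example (not from the thread): flag the failure mode in which
# pki-tomcat's java.util.logging FileHandler is closed after log rotation and
# every read of /var/lib/pki/pki-tomcat/logs/<subsystem> is denied.

# Read journal text (files given as arguments, or stdin) and print one line per
# affected subsystem log directory:
#   <subsystem> <denials> first=<Mon DD HH:MM:SS> rotate-window=<yes|no>
# Only the AccessControlException line is counted, so the ErrorManager line that
# repeats the same denial does not double the count. "rotate-window" is yes when
# the first denial fell in the first five minutes after midnight, i.e. right
# after the daily logrotate run (heuristic). Returns 0 if any denial was found.
pki_logrotate_denials() {
    awk '
        /java\.security\.AccessControlException: access denied \("java\.io\.FilePermission" "\/var\/lib\/pki\/pki-tomcat\/logs\// {
            match($0, /"\/var\/lib\/pki\/pki-tomcat\/logs\/[^"]*"/)
            path = substr($0, RSTART + 1, RLENGTH - 2)   # drop the quotes
            k = split(path, parts, "/")
            subsys = parts[k]                             # acme, kra, ca, ...
            if (!(subsys in count)) {
                order[++m] = subsys
                first[subsys] = $1 " " $2 " " $3          # journal short timestamp
                window[subsys] = ($3 ~ /^00:0[0-4]:/) ? "yes" : "no"
            }
            count[subsys]++
        }
        END {
            for (i = 1; i <= m; i++) {
                s = order[i]
                printf "%s %d first=%s rotate-window=%s\n", s, count[s], first[s], window[s]
            }
            exit (m ? 0 : 1)
        }' "$@"
}

# Stand-alone use: scan today's pki-tomcat journal on the affected server.
if [ "${1:-}" = "--run" ]; then
    if journalctl -u 'pki-tomcatd@pki-tomcat.service' --since today | pki_logrotate_denials; then
        echo "pki-tomcat lost access to its log directories after rotation;"
        echo "restart pki-tomcatd@pki-tomcat.service and see dogtagpki/pki issue 4703"
    else
        echo "no log-directory denials in today's pki-tomcat journal"
    fi
fi
```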
--===============3396695578579038944==--
From craigawilson at gmail.com Fri Apr 12 16:46:19 2024
Content-Type: multipart/mixed; boundary="===============5883636696220306325=="
MIME-Version: 1.0
From: C Wilson
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] ipaclient-install.log certutil: Could not find cert:
Date: Fri, 12 Apr 2024 16:46:06 +0000
Message-ID: <20240412164606.10693.39062@mailman01.iad2.fedoraproject.org>
--===============5883636696220306325==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hello
I'm trying to roll out a new IPA server for our development environment and
have nicely automated the server installation process with Ansible but when
I've come to rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U
I get the following error:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
I've disabled the firewall on both systems, DNS resolves the server name. I
can nmap and telnet to the ports listed so I don't think it's a networking
issue. The ipa server appears to be running fine:
[root@server tmp]# service ipa status
Redirecting to /bin/systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
Main PID: 18336 (code=exited, status=0/SUCCESS)
CPU: 1.610s
Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
Looking at the ipaclient-install.log there are lines that are semi-interesting
but I can't see how to progress from here to resolve the issue:
2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
2024-04-12T16:25:52Z DEBUG stderr=
2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - virt01.domain.local
: PR_FILE_NOT_FOUND_ERROR: File not found
but if I run `kinit admin@server.domain.local` it authenticates.
I seem to be at a dead end. How do I troubleshoot this further?
--===============5883636696220306325==--
From rcritten at redhat.com Fri Apr 12 17:21:07 2024
Content-Type: multipart/mixed; boundary="===============1728410126576464603=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipaclient-install.log certutil: Could not find
cert:
Date: Fri, 12 Apr 2024 13:20:52 -0400
Message-ID:
In-Reply-To: 20240412164606.10693.39062@mailman01.iad2.fedoraproject.org
--===============1728410126576464603==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
C Wilson via FreeIPA-users wrote:
> Hello
>
> I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible but when I've come to rolling out the clients I'm hitting this problem.
>
> When running ipa-client-install:
> ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U
>
> I get the following error:
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> Kerberos authentication failed: kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
>
>
> I've disabled the firewall on both systems, DNS resolves the server name. I can nmap and telnet to the ports listed so I don't think it's a networking issue. The ipa server appears to be running fine:
>
> [root@server tmp]# service ipa status
> Redirecting to /bin/systemctl status ipa.service
> ● ipa.service - Identity, Policy, Audit
> Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
> Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
> Main PID: 18336 (code=exited, status=0/SUCCESS)
> CPU: 1.610s
>
> Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
> Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
> Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
> Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
> Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
> Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
> Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
> Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
> Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
> Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
>
>
> Looking at the ipaclient-install.log there are lines that are semi-interesting but I can't see how to progress from here to resolve the issue:
>
> 2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
> 2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
> 2024-04-12T16:25:52Z DEBUG stderr=
> 2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - virt01.domain.local
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> but if I run `kinit admin@server.domain.local` it authenticates.
The cert error is a red herring. It is looking to see if there is one
that needs to be cleaned up (there isn't).
Do you already have krb5.conf configured? Otherwise I don't know how the
KDC is contacted.
You can find the temporary krb5.conf that is used by the installer in
the log. You can put that into a file and try something like:
KRB5_CONFIG=/tmp/krb.conf KRB5_TRACE=/dev/stderr kinit admin
This should fail since this is doing the same thing as
ipa-client-install. The output may help identify what it's doing.
rob
--===============1728410126576464603==--
From cheimes at redhat.com Fri Apr 12 18:06:56 2024
Content-Type: multipart/mixed; boundary="===============5591961028950902754=="
MIME-Version: 1.0
From: Christian Heimes
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipaclient-install.log certutil: Could not find
cert:
Date: Fri, 12 Apr 2024 20:06:35 +0200
Message-ID: <06864355-734a-4668-af0f-b34e515c3936@redhat.com>
In-Reply-To: 20240412164606.10693.39062@mailman01.iad2.fedoraproject.org
--===============5591961028950902754==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
On 12/04/2024 18.46, C Wilson via FreeIPA-users wrote:
> Hello
>
> I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible but when I've come to rolling out the clients I'm hitting this problem.
>
> When running ipa-client-install:
> ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U
I recommend against use of the .local TLD for an IPA installation. The
.local addresses are reserved for link-local networks, mDNS and
zeroconf. Host lookups for .local behave differently and may result in
surprising behavior.
Instead use one of the recommended TLDs from
https://www.rfc-editor.org/rfc/rfc6762#appendix-G or
https://www.rfc-editor.org/rfc/rfc2606.html .
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
--===============5591961028950902754==--
From basile.pinsard at gmail.com Fri Apr 12 20:52:10 2024
Content-Type: multipart/mixed; boundary="===============8868600681727047957=="
MIME-Version: 1.0
From: Basile Pinsard
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] pki-tomcat won't start + expired certificates
Date: Fri, 12 Apr 2024 20:51:53 +0000
Message-ID: <20240412205153.31731.16457@mailman01.iad2.fedoraproject.org>
--===============8868600681727047957==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi freeipa experts.
I have been using freeipa for the past 5 years running in a docker container,
no replicas.
currently on VERSION: 4.9.6, API_VERSION: 2.245
I have the following issue, not sure what caused this: pki-tomcat service is
not starting, and it is no longer possible to login through the web-ui.
Auth through ldap (some websites) and through sssd on linux servers is still
working, kerberos tickets are generated when logging in with password or when
running kinit, so critical operations are still possible.
The messages in `systemctl status pki-tomcatd@pki-tomcat.service` are
```
Apr 12 13:50:33 ipa.domain.com ipa-pki-wait-running[17869]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ipa.domain.com:8080/ca/admin/ca/getStatus
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service: start-post operation timed out. Terminating.
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=killed, status=15/TERM
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
Apr 12 13:50:34 ipa.domain.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
```
journalctl gives other errors (filtered what seems relevant).
```
Apr 12 13:49:05 ipa.domain.com server[17868]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/commons-collections.jar], exists: [false], canRead: [false]
Apr 12 13:49:07 ipa.domain.com java[17868]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Apr 12 13:49:18 ipa.domain.com server[17868]: SEVERE: Context [/acme] startup failed due to previous errors
```
`/var/log/pki/pki-tomcat/pki/debug.2024-04-12.log`
contains the following errors
```
2024-04-12 15:01:12 [main] SEVERE: Exception initializing random number generator using provider [Mozilla-JSS]
java.security.NoSuchProviderException: no such provider: Mozilla-JSS
        at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:83)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
....
```
`/var/log/pki/pki-tomcat/ca/debug.2024-04-12.log`
contains the following type of errors
```
2024-04-12 00:17:37 [main] SEVERE: Unable to start CA engine: Property instanceRoot missing value
Property instanceRoot missing value
        at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:297)
        at com.netscape.cmscore.apps.EngineConfig.getInstanceDir(EngineConfig.java:55)
        at com.netscape.cmscore.apps.CMSEngine.loadConfig(CMSEngine.java:233)
        at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1025)
....
2024-04-12 17:49:21 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Property instanceRoot missing value
        at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1672)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
```
`getcert list` reports all entries except the caCACert as expired.
I tried pretty much everything I could find on the internet (though most of
the threads I found were never resolved).
Tried ipa-cert-fix.
Tried ipa-restoring a backup in a new container, same problem occurs.
My guess is that an upgrade years back did break the certificate auto-renewal
and went undetected, and now that everything is expired it's failing.

If you have any ideas of what to check/try I would be very grateful as I am
losing my sanity here.
Also, I am a bit scared of breaking what is currently working (ldap+sssd) and
critical to our operations, so if anything can be tested on a copy of the
data in a container that would be great.
Thanks!
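The post above describes certificate auto-renewal that broke at some earlier upgrade and went unnoticed until everything had expired. As an added example for this thread (not code from the original post, from FreeIPA or from certmonger), the script below parses the text of `getcert list` and reports tracking requests that are expired, about to expire, stuck, or in any state other than MONITORING; run periodically, it is the kind of check that would have surfaced the breakage long before the CA stopped. The sample output, request IDs, nicknames, paths and dates are constructed, and the `getcert list` layout the parser assumes is stated in its docstring.

```python
"""Audit certmonger tracking state from the text of `getcert list`.

Added example for this thread, not FreeIPA or certmonger project code. It
assumes the usual `getcert list` layout: a "Request ID '...':" line followed
by indented "key: value" lines, with the expiry written as
"YYYY-MM-DD HH:MM:SS UTC".
"""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample output: request IDs, subjects, paths and dates are made
# up. It mirrors the situation in the thread: a service certificate that has
# already expired, a subsystem certificate whose renewal is stuck because the
# CA is down, and a long-lived CA certificate that is still fine.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20190301100000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2024-01-15 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20190301100001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2024-04-30 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20190301100002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2039-03-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by certmonger's field names."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"request_id": line.split("'")[1]}
            entries.append(current)
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            # Split on the first colon only: values such as the expiry
            # timestamp contain colons of their own.
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries


def parse_expiry(value):
    """Parse certmonger's 'expires' field; only the UTC form is accepted."""
    suffix = " UTC"
    if not value.endswith(suffix):
        raise ValueError(f"unexpected expiry format: {value!r}")
    naive = datetime.strptime(value[:-len(suffix)], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def audit_tracking(entries, now, warn_days=30):
    """Return (request_id, severity, message) findings in tracking order.

    A request is an error when certmonger is not in MONITORING state, when it
    is marked stuck, or when the certificate has already expired; it is a
    warning when the certificate expires within warn_days. A healthy
    deployment yields an empty list; a non-empty one is what a scheduled
    check should alert on.
    """
    findings = []
    for entry in entries:
        rid = entry["request_id"]
        name = entry.get("subject", rid)
        status, stuck = entry.get("status"), entry.get("stuck")
        if status != "MONITORING" or stuck == "yes":
            findings.append((rid, "error", f"{name}: status={status} stuck={stuck}"))
        if "expires" in entry:
            expires = parse_expiry(entry["expires"])
            if expires <= now:
                findings.append((rid, "error", f"{name}: expired {expires:%Y-%m-%d}"))
            elif expires - now <= timedelta(days=warn_days):
                days = (expires - now).days
                findings.append((rid, "warning", f"{name}: expires in {days} days"))
    return findings


def audit_text(text, now_iso, warn_days=30):
    """Audit raw `getcert list` text as of an ISO-8601 instant (UTC if naive)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return audit_tracking(parse_getcert_list(text), now, warn_days)


if __name__ == "__main__":
    # Read real output from a pipe (`getcert list | python3 audit_getcert.py`),
    # otherwise audit the constructed sample as of the date in the thread.
    if sys.stdin.isatty():
        text, when = SAMPLE_GETCERT_LIST, "2024-04-12T00:00:00+00:00"
    else:
        text, when = sys.stdin.read(), datetime.now(timezone.utc).isoformat()
    for rid, severity, message in audit_text(text, when):
        print(f"{severity.upper():7} {rid}  {message}")
```

Piped real output is audited as of the current time; without a pipe the script audits the constructed sample as of 12 April 2024, the date of the post, and reports the expired service certificate, the stuck subsystem certificate and its approaching expiry. A stuck request for a Dogtag CA certificate combined with expired service certificates is exactly the pattern the post describes, so the aim of scheduling a check like this is to see the first stuck or non-MONITORING entry while the CA can still renew it.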
From sam at robots.org.uk Sat Apr 13 16:06:58 2024
From: Sam Morris
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting
Date: Sat, 13 Apr 2024 17:06:25 +0100
Message-ID: <4a0e0cc5e97968e071eb04d7a61fb81d8921b504.camel@robots.org.uk>
I've got two RHEL 8 servers where named-pkcs11 aborts with an assertion failure after upgrading bind to version 32:9.11.36-11.el8_9.1.
```
Apr 13 15:54:50 named-pkcs11[372364]: zone localhost/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: zone localhost.localdomain/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: all zones loaded
Apr 13 15:54:50 named-pkcs11[372364]: running
Apr 13 15:54:50 named-pkcs11[372364]: ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __builtin_ex>
Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing.
Apr 13 15:54:50 named-pkcs11[372364]: #0 0x563c05be4d14 in ??
Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing.
Apr 13 15:54:50 named-pkcs11[372364]: #1 0x7fb179f28fe0 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #2 0x7fb17a23b7b2 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #3 0x7fb1687e4156 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #4 0x7fb1687e45e1 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #5 0x7fb1687e5e60 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #6 0x7fb1687e6214 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #7 0x7fb1687ef3e0 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #8 0x7fb179f50904 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #9 0x7fb179f5158f in ??
Apr 13 15:54:50 named-pkcs11[372364]: #10 0x7fb17733e1ca in ??
Apr 13 15:54:50 named-pkcs11[372364]: #11 0x7fb176c42e73 in ??
Apr 13 15:54:50 named-pkcs11[372364]: exiting (due to assertion failure)
```
Downgrading to 9.11.36-11.el8_9.x86_64 fixes the problem.
Here's the stack trace from 'coredumpctl info named-pkcs11':
```
Stack trace of thread 325662:
#0 0x00007f0575081acf raise (libc.so.6)
#1 0x00007f0575054ea5 abort (libc.so.6)
#2 0x0000557c3cbecd2a assertion_failed.cold.5 (named-pkcs11)
#3 0x00007f0578352fe0 isc_assertion_failed (libisc-pkcs11.so.1107)
#4 0x00007f05786657b2 dns_name_fromtext (libdns-pkcs11.so.1115)
#5 0x00007f056e20b156 empty_zone_search_next (ldap.so)
#6 0x00007f056e20b5e1 empty_zone_handle_conflicts (ldap.so)
#7 0x00007f056e20ce60 fwd_configure_zone (ldap.so)
#8 0x00007f056e20d214 fwd_reconfig_global (ldap.so)
#9 0x00007f056e2163e0 update_serverconfig (ldap.so)
#10 0x00007f057837a904 dispatch (libisc-pkcs11.so.1107)
#11 0x00007f057837b58f run_normal (libisc-pkcs11.so.1107)
#12 0x00007f05757681ca start_thread (libpthread.so.0)
#13 0x00007f057506ce73 __clone (libc.so.6)
```
I can open a Jira, attach coredumps, etc. next week if needed.
-- 
Sam Morris
From louis at fazant.net Sat Apr 13 17:03:32 2024
From: Louis Lagendijk
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting
Date: Sat, 13 Apr 2024 19:03:10 +0200
Message-ID: <058085ea86cd140c9b94d7dc325bcdc1030bd23c.camel@fazant.net>
In-Reply-To: 4a0e0cc5e97968e071eb04d7a61fb81d8921b504.camel@robots.org.uk
On Sat, 2024-04-13 at 17:06 +0100, Sam Morris via FreeIPA-users wrote:
> I've got two RHEL 8 servers where named-pkcs11 aborts with an assertion
> failure after upgrading bind to version 32:9.11.36-11.el8_9.1.
>
> ```
> Apr 13 15:54:50 named-pkcs11[372364]: zone localhost/IN: loaded serial 0
> Apr 13 15:54:50 named-pkcs11[372364]: zone localhost.localdomain/IN: loaded serial 0
> Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
> Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
> Apr 13 15:54:50 named-pkcs11[372364]: all zones loaded
> Apr 13 15:54:50 named-pkcs11[372364]: running
> Apr 13 15:54:50 named-pkcs11[372364]: ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __builtin_ex>
> Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing.
> Apr 13 15:54:50 named-pkcs11[372364]: #0 0x563c05be4d14 in ??
> Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing.
> Apr 13 15:54:50 named-pkcs11[372364]: #1 0x7fb179f28fe0 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #2 0x7fb17a23b7b2 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #3 0x7fb1687e4156 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #4 0x7fb1687e45e1 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #5 0x7fb1687e5e60 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #6 0x7fb1687e6214 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #7 0x7fb1687ef3e0 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #8 0x7fb179f50904 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #9 0x7fb179f5158f in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #10 0x7fb17733e1ca in ??
> Apr 13 15:54:50 named-pkcs11[372364]: #11 0x7fb176c42e73 in ??
> Apr 13 15:54:50 named-pkcs11[372364]: exiting (due to assertion failure)
> ```
>
> Downgrading to 9.11.36-11.el8_9.x86_64 fixes the problem.
>
I had the same yesterday, so I rolled back the VMs to before the last
update. When I tried again today I had no problems anymore. I guess due
to the fact that the update installed an updated bind-dyndb-ldap. This
has the following in the changelog:
* Thu Mar 28 2024 Rafael Jeffman - 11.6-5
- Rebuild due to Bind ABI changes (CVE 2023-50387).
  Resolves: RHEL-28847
BR, Louis
From sam at robots.org.uk Sat Apr 13 18:42:36 2024
From: Sam Morris
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting
Date: Sat, 13 Apr 2024 19:42:00 +0100
Message-ID: <5f5bf5b659f212c5860d797358ff32933c3a4597.camel@robots.org.uk>
In-Reply-To: 058085ea86cd140c9b94d7dc325bcdc1030bd23c.camel@fazant.net
On Sat, 2024-04-13 at 19:03 +0200, Louis Lagendijk via FreeIPA-users
wrote:
>
> I had the same yesterday, so I rolled back the VMs to before the last
> update. When I tried again today I had no problems anymore. I guess due
> to the fact that the update installed an updated bind-dyndb-ldap. This
> has the following in the changelog:
> * Thu Mar 28 2024 Rafael Jeffman - 11.6-5
> - Rebuild due to Bind ABI changes (CVE 2023-50387).
>   Resolves: RHEL-28847
Thanks, you're quite correct. On these servers I have dnf-automatic set
to apply security updates only, so bind-dyndb-ldap didn't get pulled
in. Upgrading that package fixed things.
> BR, Louis
-- 
Sam Morris
From jdoe53851 at gmail.com Mon Apr 15 07:02:57 2024
From: John Doe
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] IPA Replica can't authenticate users
Date: Mon, 15 Apr 2024 09:01:26 +0200
Message-ID:
I'm playing around with IPA trying to figure out how to set it up to be
redundant. The problem is that the IPA Replica isn't able to authenticate
AD users if IPA Master is down.
My setup;
One Windows Server set up with Active Directory Domain Services, Active
Directory Certificate Services and DNS server hosting the ad.labnet.org
domain and the Root CA.
Two Linux servers set up in the labnet.org domain. Both using the Windows
Server DNS server.
The first one is set up as an IPA Master server hosting the domain
ipa.labnet.org and acts as a subordinate CA server. It was set up with the
following commands;
```
sudo ipa-server-install --external-ca --external-ca-type=ms-cs
sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
```
The second one is set up as an IPA Replica also hosting the domain
ipa.labnet.org. It has been set up with the following commands;
```
sudo ipa-client-install --mkhomedir
sudo ipa-replica-install
sudo ipa-ca-install
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
```
All needed DNS records have been created in the DNS server on the Windows
server. At least I hope so.
IPA Healthcheck on both IPA servers doesn't complain about anything missing.
```
sudo ipa-healthcheck --output-type human
```
One IPA Client also set up in the labnet.org domain and using the Windows
server DNS, was set up with the following command;
```
sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
```
Testing authentication on the IPA Client as a user in the ad.labnet.org
works out like this;
Both IPA Servers up works OK
Only IPA Master up works OK
Only IPA Replica up doesn't work.
After this check with IPA Healthcheck on the IPA Replica now comes back
with this;
```
WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID {} for ad.labnet.org returned nothing
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
IPA: lab003.labnet.org
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
IPA: lab003.labnet.org
```
Can anyone suggest what I have done wrong or missed? As far as I can tell
there are no commands that let me write to the Global Catalog?
Thanks!
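The ipa-healthcheck errors in the post above quote the `Active servers:` section of `sssctl domain-status` and complain that no AD Global Catalog and no AD Domain Controller appear in it. As an added example for this thread (not ipa-healthcheck's or SSSD's own code), the script below parses that output, repeats the same check, and additionally distinguishes an AD server that was discovered but never became active from one that was never discovered at all, since the first points at the AD side and the second at DNS. The layout the parser assumes is stated in its docstring; both samples are constructed, `lab003.labnet.org` is the host named in the post, and `lab004.labnet.org` and `dc01.ad.labnet.org` are made-up names.

```python
"""Check `sssctl domain-status` output for the AD servers a trust needs.

Added example for this thread, not ipa-healthcheck or SSSD code. The layout
it parses is assumed from typical `sssctl domain-status <domain>` output: an
"Online status:" line, an "Active servers:" section of "Role: server" lines,
and "Discovered <role> servers:" sections listing "- server" lines. Both
samples are constructed; lab003.labnet.org is the host named in the post,
lab004 and dc01.ad.labnet.org are made up.
"""

HEALTHY_STATUS = """\
Online status: Online

Active servers:
IPA: lab003.labnet.org
AD Global Catalog: dc01.ad.labnet.org
AD Domain Controller: dc01.ad.labnet.org

Discovered IPA servers:
- lab003.labnet.org
- lab004.labnet.org

Discovered AD Global Catalog servers:
- dc01.ad.labnet.org

Discovered AD Domain Controller servers:
- dc01.ad.labnet.org
"""

# The "Active servers:" section here is exactly what the healthcheck quoted.
DEGRADED_STATUS = """\
Online status: Online

Active servers:
IPA: lab003.labnet.org

Discovered IPA servers:
- lab003.labnet.org
"""

# Server roles an IPA trust controller or agent must reach to resolve AD users.
TRUST_ROLES = ("AD Global Catalog", "AD Domain Controller")


def parse_domain_status(text):
    """Return {'online': bool, 'active': {role: server}, 'discovered': {role: [servers]}}."""
    status = {"online": None, "active": {}, "discovered": {}}
    section = None  # ("active", None) or ("discovered", role)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Online status:"):
            status["online"] = line.partition(":")[2].strip() == "Online"
        elif line == "Active servers:":
            section = ("active", None)
        elif line.startswith("Discovered ") and line.endswith(" servers:"):
            role = line[len("Discovered "):-len(" servers:")]
            section = ("discovered", role)
            status["discovered"].setdefault(role, [])
        elif section == ("active", None) and ":" in line:
            role, _, server = line.partition(":")
            status["active"][role.strip()] = server.strip()
        elif section and section[0] == "discovered" and line.startswith("- "):
            status["discovered"][section[1]].append(line[2:].strip())
    return status


def missing_trust_servers(status, roles=TRUST_ROLES):
    """Roles with no active server: the condition ipa-healthcheck flagged."""
    return [role for role in roles if not status["active"].get(role)]


def check_domain_status(text, roles=TRUST_ROLES):
    """Return (ok, findings) for one domain's `sssctl domain-status` output.

    A role that was discovered but never became active points at the AD side
    (reachability, failover); one that was never discovered points at DNS,
    i.e. the SRV records SSSD uses to locate AD servers.
    """
    status = parse_domain_status(text)
    findings = []
    if not status["online"]:
        findings.append("SSSD reports the domain offline")
    for role in missing_trust_servers(status, roles):
        discovered = status["discovered"].get(role, [])
        if discovered:
            findings.append(f"{role}: discovered {discovered} but none active")
        else:
            findings.append(f"{role}: no server discovered or active")
    return (not findings, findings)


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_STATUS), ("degraded", DEGRADED_STATUS)):
        ok, findings = check_domain_status(text)
        print(label, "OK" if ok else "PROBLEMS", findings)
```

On a real server the text would come from `sssctl domain-status ipa.labnet.org` run on the replica while the master is down; an empty findings list means SSSD on that host has located and activated the AD servers on its own, which is the state the healthcheck expects.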
From flo at redhat.com Mon Apr 15 07:35:56 2024
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA Replica can't authenticate users
Date: Mon, 15 Apr 2024 09:35:27 +0200
Message-ID:
In-Reply-To: CAAzbKPmaa2gpRGZ1cHxSXR5Erq8L0W62t0gZ7Bbfkpht+Qvh5Q@mail.gmail.com
Hi,
On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> I'm playing around with IPA trying to figure out how to set it up to be
> redundant. The problem is that the IPA Replica isn't able to authenticate
> AD users if IPA Master is down.
> My setup;
> One Windows Server set up with Active Directory Domain Services, Active
> Directory Certificate Services and DNS server hosting the ad.labnet.org
> domain and the Root CA.
>
> Two Linux servers setup in the labnet.org domain. Both using the Windows
> Server DNS server.
> The first one is setup as a IPA Master server hosting the domain
> ipa.labnet.org and act as a subordinate CA server. It was setup with the
> following commands;
> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer
> --external-cert-file=/home/$USER/certnew.cer
> kinit admin
> sudo ipa-adtrust-install
> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
> --password --two-way=true
>
> The second one is setup as a IPA Replica also hosting the domain
> ipa.labnet.org It has been setup with the following commands;
> sudo ipa-client-install --mkhomedir
> sudo ipa-replica-install
> sudo ipa-ca-install
> kinit admin
> sudo ipa-adtrust-install
> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
> --password --two-way=true
>
The above command (ipa trust-add) probably exited on error as the trust was
already established. Please read Trust controllers and Trust Agents to
understand how the replica should be setup in order to be able to resolve
AD users and groups. With your set of commands, both master and replica are
configured as AD Trust Controllers and should be able to resolve users and
groups, but there is no need to run twice the trust-add part.
>
> All needed DNS records have been created in the DNS server on the Windows
> server. At least I hope so.
> IPA Healthcheck on both IPA servers don't complain about anything missing.
> sudo ipa-healthcheck --output-type human
>
> One IPA Client also setup in the labnet.org domain and using the Windows
> server DNS, was setup with the following command;
> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>
> Testing authentication on the IPA Client as a user in the ad.labnet.org
> works out like this;
> Both IPA Servers up works OK
> Only IPA Master up works OK
> Only IPA Replica up doesn't work.
>
Did you test authentication on the IPA replica?
Is your master a DNS server for ipa.labnet.org? Is the replica a DNS server
for ipa.labnet.org?
flo
>
> After this check with IPA Healthcheck on the IPA Replica now comes back
> with this;
> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID
> {} for ad.labnet.org returned nothing
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog:
> AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output:
> Active servers:
> IPA: lab003.labnet.org
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain
> Controller: AD Domain Controller not found in /usr/sbin/sssctl
> 'domain-status' output: Active servers:
> IPA: lab003.labnet.org
>
> Can anyone suggest what I have done wrong or missed? As far as I can tell
> there are no commands that let me write to the Global Catalog?
> Thanks!
From flo at redhat.com Mon Apr 15 07:50:04 2024
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: pki-tomcat won't start + expired certificates
Date: Mon, 15 Apr 2024 09:49:38 +0200
Message-ID:
In-Reply-To: 20240412205153.31731.16457@mailman01.iad2.fedoraproject.org
Hi,
On Fri, Apr 12, 2024 at 10:52 PM Basile Pinsard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Hi freeipa experts.
>
> I have been using freeipa for the past 5 years running in a docker
> container, no replicas.
> currently on VERSION: 4.9.6, API_VERSION: 2.245
>
> I have the following issue, not sure what caused this: pki-tomcat service
> is not starting, and it is no longer possible to login through the web-ui.
> Auth through ldap (some websites) and through sssd on linux servers is
> still working, kerberos tickets are generated when logging with password or
> when running kinit, so critical operations are still possible.
>
> The messages in `systemctl status pki-tomcatd@pki-tomcat.service` are
> ```
> Apr 12 13:50:33 ipa.domain.com ipa-pki-wait-running[17869]:
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for
> url: http://ipa.domain.com:8080/ca/admin/ca/getStatus
> Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service:
> start-post operation timed out. Terminating.
> Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service:
> Control process exited, code=killed, status=15/TERM
> Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service:
> Failed with result 'timeout'.
> Apr 12 13:50:34 ipa.domain.com systemd[1]: Failed to start PKI Tomcat
> Server pki-tomcat.
> ```
>
> journalctl give other errors (filtered what seems relevant).
> ```
> Apr 12 13:49:05 ipa.domain.com server[17868]: WARNING: Problem with JAR
> file [/usr/share/pki/server/common/lib/commons-collections.jar], exists:
> [false], canRead: [false]
> Apr 12 13:49:07 ipa.domain.com java[17868]: usr/lib/api/apiutil.c Could
> not open /run/lock/opencryptoki/LCK..APIlock
>
The above error was a known issue in selinux, should have been fixed in
RHEL 8.5 (Bug 1894132 - SELinux prevents 2 programs from accessing
/run/lock/opencryptoki/LCK..APIlock).
What are your exact versions of ipa, pki and selinux-policy? On which OS is
your server running?
flo
> Apr 12 13:49:18 ipa.domain.com server[17868]: SEVERE: Context [/acme]
> startup failed due to previous errors
>
> ```
>
>
> `/var/log/pki/pki-tomcat/pki/debug.2024-04-12.log`
> contains the following errors
> ```
> 2024-04-12 15:01:12 [main] SEVERE: Exception initializing random number
> generator using provider [Mozilla-JSS]
> java.security.NoSuchProviderException: no such provider: Mozilla-JSS
> at
> java.base/sun.security.jca.GetInstance.getService(GetInstance.java:83)
> at
> java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
> ....
> ```
>
> `/var/log/pki/pki-tomcat/ca/debug.2024-04-12.log`
> contains the following type of errors
>
> ```
> 2024-04-12 00:17:37 [main] SEVERE: Unable to start CA engine: Property
> instanceRoot missing value
> Property instanceRoot missing value
> at
> com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:297)
> at
> com.netscape.cmscore.apps.EngineConfig.getInstanceDir(EngineConfig.java:55)
> at
> com.netscape.cmscore.apps.CMSEngine.loadConfig(CMSEngine.java:233)
> at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1025)
> ....
>
> 2024-04-12 17:49:21 [main] SEVERE: Exception sending context initialized
> event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
> java.lang.RuntimeException: Unable to start CA engine: Property
> instanceRoot missing value
> at
> com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1672)
> at
> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
> at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
> ```
>
> `getcert list` reports all entries except the caCACert as expired.
>
> I tried pretty much everything I could find on the internet (though most
> of the threads I found were never resolved).
> Tried ipa-cert-fix.
> Tried ipa-restoring a backup in a new container, same problem occurs.
>
> My guess is that an upgrade years back did break the certificate
> auto-renewal and went undetected, and now everything is expired it's
> failing.
>
> If you have any ideas of what to check/try I would be very grateful as I
> am losing my sanity here.
> Also, I am a bit scared of breaking what is currently working (ldap+sssd)
> and critical to our operations, so if anything can be tested on a copy of
> the data in a container that would be great.
>
> Thanks!
From jdoe53851 at gmail.com Mon Apr 15 08:12:08 2024
From: John Doe
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA Replica can't authenticate users
Date: Mon, 15 Apr 2024 10:10:29 +0200
Message-ID:
In-Reply-To: CAFDg7JwPdCwXiuZMZ_Tc97uNx5JqOuxp2k98c1c61-zcWxB4_g@mail.gmail.com
On Mon, 15 Apr 2024 at 09:35, Florence Blanc-Renaud wrote:
> Hi,
>
> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> I'm playing around with IPA trying to figure out how to set it up to be
>> redundant. The problem is that the IPA Replica isn't able to authenticate
>> AD users if IPA Master is down.
>> My setup;
>> One Windows Server set up with Active Directory Domain Services, Active
>> Directory Certificate Services and DNS server hosting the ad.labnet.org
>> domain and the Root CA.
>>
>> Two Linux servers setup in the labnet.org domain. Both using the Windows
>> Server DNS server.
>> The first one is setup as a IPA Master server hosting the domain
>> ipa.labnet.org and act as a subordinate CA server. It was setup with the
>> following commands;
>> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer
>> --external-cert-file=/home/$USER/certnew.cer
>> kinit admin
>> sudo ipa-adtrust-install
>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
>> --password --two-way=true
>>
>> The second one is setup as a IPA Replica also hosting the domain
>> ipa.labnet.org It has been setup with the following commands;
>> sudo ipa-client-install --mkhomedir
>> sudo ipa-replica-install
>> sudo ipa-ca-install
>> kinit admin
>> sudo ipa-adtrust-install
>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
>> --password --two-way=true
>>
> The above command (ipa trust-add) probably exited on error as the trust
> was already established. Please read Trust controllers and Trust Agents
> to
> understand how the replica should be setup in order to be able to resolve
> AD users and groups. With your set of commands, both master and replica are
> configured as AD Trust Controllers and should be able to resolve users and
> groups, but there is no need to run twice the trust-add part.
>
They both show up in IPA Admin GUI as being both Trust Controllers and
Trust Agents. I read that at least two trust controllers should be
configured per IdM deployment.
Thanks I will check the document again.
>> All needed DNS records have been created in the DNS server on the Windows
>> server. At least I hope so.
>> IPA Healthcheck on both IPA servers don't complain about anything missing.
>> sudo ipa-healthcheck --output-type human
>>
>> One IPA Client also setup in the labnet.org domain and using the Windows
>> server DNS, was setup with the following command;
>> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>>
>> Testing authentication on the IPA Client as a user in the ad.labnet.org
>> works out like this;
>> Both IPA Servers up works OK
>> Only IPA Master up works OK
>> Only IPA Replica up doesn't work.
>>
> Did you test authentication on the IPA replica?
> Is your master a DNS server for ipa.labnet.org? Is the replica a DNS
> server for ipa.labnet.org?
>
I may have missed that, but just tried it out now. No I'm not able to
authenticate as an AD user on the IPA Replica :-(
No only the Windows DNS server is a DNS server, hosting all the domains
labnet.org, ad.labnet.org and ipa.labnet.org
Thanks!
> flo
>
>>
>> After this check with IPA Healthcheck on the IPA Replica now comes back
>> with this;
>> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID
>> {} for ad.labnet.org returned nothing
>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog:
>> AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output:
>> Active servers:
>> IPA: lab003.labnet.org
>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain
>> Controller: AD Domain Controller not found in /usr/sbin/sssctl
>> 'domain-status' output: Active servers:
>> IPA: lab003.labnet.org
>>
>> Can anyone suggest what I have done wrong or missed? As far as I can tell
>> there are no commands that let me write to the Global Catalog?
>> Thanks!
From basile.pinsard at gmail.com Mon Apr 15 16:22:29 2024
From: Basile Pinsard
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: pki-tomcat won't start + expired certificates
Date: Mon, 15 Apr 2024 16:22:15 +0000
Message-ID: <20240415162215.18160.12528@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7JzTM-ySshy+mE4s+_W0QPTz77EyciUfvaNs309=W1X7nw@mail.gmail.com
Hello Florence,
Thanks for your help.
I am using the docker image `freeipa/freeipa-server:fedora-34-4.9.6`; I guess the dependencies are correct as this is all bundled in the container (though there might exist config mismatches if ipa upgrades failed during container updates).
SELinux is disabled on the host and in the container.
I made progress by fixing the missing instanceRoot parameter in the config file.
Now I think I am stuck in a deadlock, because of the Let's Encrypt certificates used for httpd/ldap (installed with ipa-cacert-manage).
The certificate managed by FreeIPA is expired, but the Let's Encrypt one has renewed and there is no overlap of their periods of validity.
- If I set back the date to when the FreeIPA certs are valid, the pki connection to the ldap fails, as the Let's Encrypt one is not yet valid. The error is `SEVERE: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.` I think the message says expired for not-yet-valid certs too.
- If I use the current time, it is not possible to start the pki-server as the certs are expired (at least that's my guess; the error is `netscape.ldap.LDAPException: Authentication failed (48)`, not much more detail).
I was thinking about trying to:
- set the date to when the FreeIPA managed certs were still valid.
- manually generate a certificate/key from the CA (not sure how exactly, though)
- copy this certificate and key into the httpd and ldap config folders at the right place.
- try to spin up pki-tomcat, hoping that it works.
- then hope that it auto-renews certs, or manually trigger the renewal.
- move the date back to today, maybe by increments that cover the certs' validity, and trigger cert renewal at each increment.
Would that make sense?
Do you see any more sensible/simpler way?
Many thanks!
Basile
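The deadlock described above (the FreeIPA-issued certificate has expired, the externally issued one is not yet valid at any date the FreeIPA one was valid) is an empty intersection of validity periods. The following script, an added example that is not code from this thread or from FreeIPA, parses the `Not Before` / `Not After` lines from `ipa cert-show`-style output and computes the window in which every listed certificate is valid, so an operator can see whether any clock setting satisfies all of them before trying the date-rollback plan. The three certificate dumps are constructed for the example; the date format is assumed to be the one `ipa cert-show` prints.

```python
"""Find the time window in which a set of certificates are all valid."""
import re
from datetime import datetime, timezone

# Format `ipa cert-show` uses for validity dates, e.g. "Sun Dec 24 14:05:50 2023 UTC" (assumed).
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"
FIELD_RE = re.compile(r"^\s*(Subject|Not Before|Not After):\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample: certificate issued by the FreeIPA CA for httpd.
FREEIPA_HTTPD_CERT = """\
  Issuing CA: ipa
  Subject: CN=ipa.example.test
  Not Before: Sun Dec 24 14:05:50 2023 UTC
  Not After: Sat Mar 23 14:05:50 2024 UTC
  Serial number: 49
"""
# Constructed sample: externally issued cert renewed after the FreeIPA one expired.
LETSENCRYPT_CERT = """\
  Subject: CN=ipa.example.test
  Not Before: Mon Apr 01 00:00:00 2024 UTC
  Not After: Sun Jun 30 00:00:00 2024 UTC
"""
# Constructed sample: a cert whose lifetime does overlap the FreeIPA one.
OVERLAPPING_CERT = """\
  Subject: CN=ldap.example.test
  Not Before: Fri Mar 01 00:00:00 2024 UTC
  Not After: Wed May 01 00:00:00 2024 UTC
"""


def parse_cert_show(text):
    """Return (subject, not_before, not_after) from `ipa cert-show`-style output."""
    fields = dict(FIELD_RE.findall(text))
    not_before = datetime.strptime(fields["Not Before"], DATE_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(fields["Not After"], DATE_FMT).replace(tzinfo=timezone.utc)
    if not_after <= not_before:
        raise ValueError(f"{fields.get('Subject')}: Not After precedes Not Before")
    return fields.get("Subject", "<no subject>"), not_before, not_after


def common_validity_window(certs):
    """Intersect the validity periods; returns (start, end) or None when empty.

    The window starts at the latest Not Before and ends at the earliest
    Not After.  If start is after end, no single clock setting satisfies
    every certificate, which is the situation described in the thread.
    """
    start = max(nb for _, nb, _ in certs)
    end = min(na for _, _, na in certs)
    return (start, end) if start <= end else None


def report(cert_texts):
    """Human-readable summary: one line per cert plus the verdict."""
    certs = [parse_cert_show(t) for t in cert_texts]
    window = common_validity_window(certs)
    lines = [f"{subj}: {nb:%Y-%m-%d %H:%M} -> {na:%Y-%m-%d %H:%M}" for subj, nb, na in certs]
    if window is None:
        lines.append("no common validity window: certificates never overlap")
    else:
        lines.append(f"all certificates valid between {window[0]:%Y-%m-%d %H:%M} "
                     f"and {window[1]:%Y-%m-%d %H:%M}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report([FREEIPA_HTTPD_CERT, LETSENCRYPT_CERT]))
    print()
    print(report([FREEIPA_HTTPD_CERT, OVERLAPPING_CERT]))
```

With the first pair the verdict is "never overlap", which is the deadlock in the message; with the third certificate in place of the Let's Encrypt one the script reports the 1 March to 23 March 2024 window in which both are valid.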
From net.ricky at gmail.com Tue Apr 16 13:48:26 2024
Content-Type: multipart/mixed; boundary="===============6111009032924763760=="
MIME-Version: 1.0
From: Riccardo Rotondo
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
Date: Tue, 16 Apr 2024 13:48:14 +0000
Message-ID: <20240416134814.5138.7345@mailman01.iad2.fedoraproject.org>
In-Reply-To: Zg6QdAsDNTiAa9p2@redhat.com
Hi Christian and Alexander,
Considering I'm still in the initial phase of the project, I customised the Dockerfile to install the needed package.
For those interested, here is the fork with the branch: https://github.com/rrotondo/freeipa-container/tree/add-ipa-fas with a custom version for AlmaLinux 9.
Thank you again for your support.
Regards,
Riccardo
From menshutin at gmail.com Tue Apr 16 16:01:09 2024
Content-Type: multipart/mixed; boundary="===============3993257438262000988=="
MIME-Version: 1.0
From: Anton Menshutin
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] windows client auth not working
Date: Tue, 16 Apr 2024 16:00:57 +0000
Message-ID: <20240416160057.1173.31199@mailman01.iad2.fedoraproject.org>
Hello, list.
I have installed freeipa server 4.10.2-8 under RockyLinux and would like to set up Windows clients to join the freeipa domain.
I followed the guide https://www.freeipa.org/page/Windows_authentication_against_FreeIPA.
When I enter user credentials for the first time Windows asks to change the password; after the password is changed it does not log in.
After that every attempt results in the "wrong user or password" message. Looking at the Kerberos log it seems that the password is correct but Windows does not let the user in for some reason. In the audit log it says that login was refused with some error that does not explain anything.
Time is in sync as well as the timezone.
There are a lot of posts saying that this should work but I don't have any clues where to look. Any ideas what might be wrong?
From abokovoy at redhat.com Tue Apr 16 16:28:07 2024
Content-Type: multipart/mixed; boundary="===============8167443972786235411=="
MIME-Version: 1.0
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: windows client auth not working
Date: Tue, 16 Apr 2024 19:27:17 +0300
Message-ID:
In-Reply-To: 20240416160057.1173.31199@mailman01.iad2.fedoraproject.org
On Tue, 16 Apr 2024, Anton Menshutin via FreeIPA-users wrote:
>Hello, list.
>I have installed freeipa server 4.10.2-8 under RockyLinux and would
>like to setup windows clients to join freeipa domain. I followed the
>guide
>https://www.freeipa.org/page/Windows_authentication_against_FreeIPA.
This is a hack and is not supported at all. It is explicitly stated on
that page:
--------------------------------------------
Note also that the described configuration is not supported by FreeIPA
development team and also is not supported by Red Hat Enterprise Linux
Identity Management product. A work on making possible to login to
Windows machines already enrolled into a trusted Active Directory forest
is ongoing and is not available yet in any released FreeIPA version.
--------------------------------------------
>When I enter user credentials for the first time windows asks to change
>password, after password is changed it does not login.
>
>After that every attempt results in the "wrong user or password"
>message. Looking at kerberos log it seems that password is correct but
>windows does not let the user in for some reason. In audit log it says
>that login was refused with some error that does not explain anything.
>Time is in sync as well as timezone.
>
>There are a lot of posts saying that this should work but I don't have
>any clues where to look. Any ideas what might be wrong?
Joining Windows clients to IPA domain is not supported. These
configurations may or may not work for some people. There are no plans
to enable this use case at all.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
From slekkus75 at proton.me Thu Apr 18 15:05:04 2024
Content-Type: multipart/mixed; boundary="===============5436425095021542620=="
MIME-Version: 1.0
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] sudo hbac rule refuses to work for AD users (one way trust).
Date: Thu, 18 Apr 2024 15:04:52 +0000
Message-ID: <20240418150452.26037.4245@mailman01.iad2.fedoraproject.org>
Hi, I posted a similar issue a while ago. Then sudo rules magically started working after enabling and disabling the "allow_all" rule.
This time, I cannot get any sudo command working, while an hbac test is OK. I can even see in the log of the client that "allow_all" permits the sudo -i.
The issue is on all clients. There is no problem with ssh/login for the AD users.
```
[admin(a)idm1 ~]$ ipa hbactest --user user1(a)INFRA.REDACTED.SERVICES --host host01.redacted.services --service sudo-i
--------------------
Access granted: True
--------------------
Matched rules: allow_all
Matched rules: infra-mgmt_clients_hg
< ... >
```
```
user1(a)INFRA.REDACTED.SERVICES@host01:~$ sudo -i
[sudo] password for user1(a)INFRA.REDACTED.SERVICES:
user1(a)INFRA.REDACTED.SERVICES is not allowed to run sudo on host01.
```
Enabling debugging:
sssd_domain.log
https://pastebin.com/mFGUEnse
sssd_sudo.log
https://pastebin.com/3d3ETTNh
Also enabled debug in /etc/sudo.conf.
In this debug data there is no mention or trace of sss or the user.
Configuration files seem OK: sssd.conf, krb5.conf, nsswitch.conf.
From flo at redhat.com Fri Apr 19 08:12:29 2024
Content-Type: multipart/mixed; boundary="===============0412814332714450940=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: pki-tomcat won't start + expired certificates
Date: Fri, 19 Apr 2024 10:11:51 +0200
Message-ID:
In-Reply-To: 20240415162215.18160.12528@mailman01.iad2.fedoraproject.org
Hi,
On Mon, Apr 15, 2024 at 6:22 PM Basile Pinsard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello Florence,
> Thanks for your help.
>
> I am using the docker image `freeipa/freeipa-server:fedora-34-4.9.6`, I
> guess the dependencies are correct as this is all bundled in the container,
> (though there might exists config mismatched if ipa upgrades failed
> containers updates).
> Se-linux is disabled on host and in the container.
>
> I made progress by fixing the missing instanceRoot parameter in the config
> file.
>
> Now I think I am stuck in a deadlock, because of letsencrypt certificates
> used for httpd/ldap (installed with ipa-cacert-manage) .
>
> The certificated managed by freeipa is expired, but the letsencrypt one
> have renewed and there is no overlap of their period of validity.
>
> - If I set back the date to when the freeipa certs are valid, pki
> connection to the ldap fails, as the letsencrypt one is not yet valid.
> error is `SEVERE: Unable to create socket:
> org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
> Peer's Certificate has expired.` I think the message says expired for
> not-yet-valid certs too.
>
> - If I use the current time, it is not possible to start the pki-server as
> the certs are expired. ( at least that's my guess, error is
> :`netscape.ldap.LDAPException: Authentication failed (48)` not much more
> details)
>
> I was thinking about trying to:
> - set the date to when the freeipa managed certs were still valid.
> - manually generate a certificate/key from the CA (not sure how exactly,
> though)
> - copy these certificate and key in the httpd and ldap config folder at
> the right place.
>
If you have a backup of the previous http/ldap certs you can put them back
in place.
> - try to spin-up the pki-tomcat, hoping that it works.
> - then hope that it auto-renews certs or manually trigger the renewal.
> - move the date back to today, maybe by increments that cover the certs
> validity, and trigger certs renewal at each increment.
>
> Would that make sense?
> Do you see any more sensible/simpler way?
>
You mentioned that you already tried ipa-cert-fix, what was the output?
flo
> Many thanks!
>
> Basile
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
From slekkus75 at proton.me Fri Apr 19 08:16:24 2024
Content-Type: multipart/mixed; boundary="===============6751520807382460032=="
MIME-Version: 1.0
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: sudo hbac rule refuses to work for AD users (one way trust).
Date: Fri, 19 Apr 2024 08:16:08 +0000
Message-ID: <20240419081608.3327.83666@mailman01.iad2.fedoraproject.org>
In-Reply-To: 20240418150452.26037.4245@mailman01.iad2.fedoraproject.org
The issue might have started after enabling compat mode to allow LDAP authentication for AD users.
Found this: https://microdevsys.com/wp/user-is-not-allowed-to-run-sudo-on-server-this-incident-will-be-reported/
Went to disable the plugin, but was greeted with a prompt for the directory manager's password. I do not recall having set this during FreeIPA installation.
From flo at redhat.com Fri Apr 19 08:26:22 2024
Content-Type: multipart/mixed; boundary="===============6799959363220103788=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA Replica can't authenticate users
Date: Fri, 19 Apr 2024 10:25:42 +0200
Message-ID:
In-Reply-To: CAAzbKPmGFELVDM0nLUV_yCgAB-vs-zBhVC0LtnwssaRWJaFUhA@mail.gmail.com
Hi,
On Mon, Apr 15, 2024 at 10:10 AM John Doe wrote:
>
>
> On Mon, 15 Apr 2024 at 09:35, Florence Blanc-Renaud wrote:
>
>> Hi,
>>
>> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> I'm playing around with IPA trying to figure out how to set it up to be
>>> redundant. The problem is that the IPA Replica isn't able to authenticate
>>> AD users if IPA Master is down.
>>> My setup;
>>> One Windows Server set up with Active Directory Domain Services, Active
>>> Directory Certificate Services and DNS server hosting the ad.labnet.org
>>> domain and the Root CA.
>>>
>>> Two Linux servers set up in the labnet.org domain. Both using the
>>> Windows Server DNS server.
>>> The first one is set up as an IPA Master server hosting the domain
>>> ipa.labnet.org and acts as a subordinate CA server. It was set up with
>>> the following commands;
>>> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>>> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer
>>> --external-cert-file=/home/$USER/certnew.cer
>>> kinit admin
>>> sudo ipa-adtrust-install
>>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
>>> --password --two-way=true
>>>
>>> The second one is set up as an IPA Replica also hosting the domain
>>> ipa.labnet.org. It has been set up with the following commands;
>>> sudo ipa-client-install --mkhomedir
>>> sudo ipa-replica-install
>>> sudo ipa-ca-install
>>> kinit admin
>>> sudo ipa-adtrust-install
>>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
>>> --password --two-way=true
>>>
>> The above command (ipa trust-add) probably exited on error as the trust
>> was already established. Please read Trust controllers and Trust Agents
>> to understand how the replica should be set up in order to be able to resolve
>> AD users and groups. With your set of commands, both master and replica are
>> configured as AD Trust Controllers and should be able to resolve users and
>> groups, but there is no need to run the trust-add part twice.
>>
>
> They both show up in the IPA Admin GUI as being both Trust Controllers and
> Trust Agents. I read that at least two trust controllers should be
> configured per IdM deployment.
> Thanks, I will check the document again.
>
>
>>> All needed DNS records have been created in the DNS server on the Windows
>>> server. At least I hope so.
>>> IPA Healthcheck on both IPA servers doesn't complain about anything missing.
>>> sudo ipa-healthcheck --output-type human
>>>
>>> One IPA Client also set up in the labnet.org domain and using the
>>> Windows server DNS, was set up with the following command;
>>> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>>>
>>> Testing authentication on the IPA Client as a user in the ad.labnet.org
>>> works out like this;
>>> Both IPA Servers up works OK
>>> Only IPA Master up works OK
>>> Only IPA Replica up doesn't work.
>>>
>> Did you test authentication on the IPA replica?
>> Is your master a DNS server for ipa.labnet.org? Is the replica a DNS
>> server for ipa.labnet.org?
>>
> I may have missed that, but just tried it out now. No, I'm not able to
> authenticate as an AD user on the IPA Replica :-(
>
You can enable debug level in the replica: add debug_level=9 in all the
sections in /etc/sssd/sssd.conf, restart sssd with systemctl restart sssd
and clean the cache. Then retry authentication of an AD user on the replica
and gather the logs from /var/log/sssd/*. We may be able to help with the
logs. Do not forget to remove the debug_level when you're done.
If authentication works on the master but not on the replica, it is often
related to DNS or firewall issues between the trust controller and the AD
domain controller.
You can refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#guidelines-for-setting-up-dns-for-an-idm-ad-trust_planning-a-cross-forest-trust-between-idm-and-ad
and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad#doc-wrapper
flo
> No, only the Windows DNS server is a DNS server, hosting all the domains
> labnet.org, ad.labnet.org and ipa.labnet.org
>
> Thanks!
>
>> flo
>>
>>>
>>> After this check with IPA Healthcheck on the IPA Replica now comes back
>>> with this;
>>> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID
>>> {} for ad.labnet.org returned nothing
>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog:
>>> AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output:
>>> Active servers:
>>> IPA: lab003.labnet.org
>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain
>>> Controller: AD Domain Controller not found in /usr/sbin/sssctl
>>> 'domain-status' output: Active servers:
>>> IPA: lab003.labnet.org
>>>
>>> Can anyone suggest what I have done wrong or missed? As far as I can
>>> tell there are no commands that let me write to the Global Catalog?
>>> Thanks!
>>> --
>>
From clopmz at outlook.com Fri Apr 19 08:57:08 2024
Content-Type: multipart/mixed; boundary="===============6691024975383359730=="
MIME-Version: 1.0
From: Carlos Lopez
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Password expired is not requested with Ubuntu clients
Date: Fri, 19 Apr 2024 08:56:36 +0000
Message-ID:
Good morning,
I have configured some Ubuntu clients to authenticate via Kerberos against my RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.
The problem comes when a user's password has expired. In the IdM server logs it is clear that the user must change the password:
2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired
2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required
2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG
But when accessing the Ubuntu client via ssh, it never prompts to change the password and you can log in.
My sssd config on the Ubuntu client is:
[sssd]
config_file_version = 2
services = pam
domains = mydom.org
[pam]
pam_pwd_expiration_warning = 2
[domain/mydom.org]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
chpass_provider = krb5
krb5_server = rhelidmsrv01.mydom.org
krb5_kpasswd = rhelidmsrv01.mydom.org
krb5_realm = mydom.org
krb5_ccname_template = KEYRING:persistent:%U
krb5_validate = true
cache_credentials = true
What could be the problem?
Best regards,
C. L. Martinez
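The KDC log excerpt above shows the sequence a client goes through when a password has expired: the TGT request is refused with REQUIRED PWCHANGE, then the client asks for a kadmin/changepw ticket (NEEDED_PREAUTH, then ISSUE). The parser below, an added example that is not code from this thread or from MIT krb5, groups krb5kdc AS_REQ outcomes per principal so an administrator can list which accounts were told their password had expired and whether the change flow actually ran afterwards. The sample log lines are constructed to match the format in the message (with a literal '@' in place of the archive's '(a)'); the second principal is invented to show the case where no password change follows.

```python
"""Reconstruct the expired-password flow from krb5kdc AS_REQ log lines."""
import re
from collections import defaultdict

# One AS_REQ line: timestamp, host, pid, etype list, client IP, status, principal, service.
# The "authtime ..., etypes {...}, " part only appears on ISSUE lines.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) krb5kdc\[\d+\]: AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_ ]+?): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<princ>\S+) for (?P<service>[^,\s]+)(?:, (?P<msg>.*))?$"
)

ETYPES = ("{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
          "aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
          "DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), "
          "camellia128-cts-cmac(25), camellia256-cts-cmac(26)}")
PREFIX = "rhelidmsrv01 krb5kdc[21392]:"

# Constructed sample log: user1 completes the change flow, user2 never does.
SAMPLE_LOG = [
    f"2024-04-19T08:38:20.946335+00:00 {PREFIX} AS_REQ (8 etypes {ETYPES}) 172.19.11.14: "
    "REQUIRED PWCHANGE: user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired",
    f"2024-04-19T08:38:20.946413+00:00 {PREFIX} closing down fd 13",
    f"2024-04-19T08:38:20.946712+00:00 {PREFIX} AS_REQ (8 etypes {ETYPES}) 172.19.11.14: "
    "NEEDED_PREAUTH: user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG, "
    "Additional pre-authentication required",
    f"2024-04-19T08:38:20.950691+00:00 {PREFIX} AS_REQ (8 etypes {ETYPES}) 172.19.11.14: "
    "ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, "
    "user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG",
    f"2024-04-19T08:41:02.110001+00:00 {PREFIX} AS_REQ (8 etypes {ETYPES}) 172.19.11.20: "
    "REQUIRED PWCHANGE: user2@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired",
    f"2024-04-19T08:41:02.110233+00:00 {PREFIX} closing down fd 14",
]


def parse_kdc_line(line):
    """Return the AS_REQ fields as a dict, or None for other KDC lines."""
    m = AS_REQ_RE.match(line)
    return m.groupdict() if m else None


def as_req_history(lines):
    """Group AS_REQ outcomes per client principal, in log order."""
    history = defaultdict(list)
    for line in lines:
        ev = parse_kdc_line(line)
        if ev:
            history[ev["princ"]].append((ev["ts"], ev["client_ip"], ev["status"], ev["service"]))
    return dict(history)


def expired_password_principals(lines):
    """Principals that were refused a TGT with REQUIRED PWCHANGE."""
    return sorted(p for p, evs in as_req_history(lines).items()
                  if any(status == "REQUIRED PWCHANGE" for _, _, status, _ in evs))


def change_flow_completed(events):
    """True if a kadmin/changepw ticket was issued after the REQUIRED PWCHANGE."""
    told_to_change = False
    for _, _, status, service in events:
        if status == "REQUIRED PWCHANGE":
            told_to_change = True
        elif told_to_change and status == "ISSUE" and service.startswith("kadmin/changepw@"):
            return True
    return False


def summarize(lines):
    """Map each expired-password principal to what the KDC saw next."""
    history = as_req_history(lines)
    return {p: ("change flow ran" if change_flow_completed(history[p])
                else "expired, no password change seen")
            for p in expired_password_principals(lines)}


if __name__ == "__main__":
    for princ, verdict in summarize(SAMPLE_LOG).items():
        print(f"{princ}: {verdict}")
```

Run against the real /var/log/krb5kdc.log the same grouping shows whether the client in the message really performed the kadmin/changepw exchange (as the excerpt suggests) or whether a login succeeded without any change flow at all, which narrows the problem to the client side before touching sssd.conf.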
From jdoe53851 at gmail.com Fri Apr 19 10:06:32 2024
Content-Type: multipart/mixed; boundary="===============7567587721283358485=="
MIME-Version: 1.0
From: John Doe
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA Replica can't authenticate users
Date: Fri, 19 Apr 2024 12:04:45 +0200
Message-ID:
In-Reply-To: CAFDg7Jxk0W52nZjWo88QH0fhUbF=Hy44i=w+FO=z3UXwPMaLWg@mail.gmail.com
Hi,
Thank you for your continued support.
However, after reading up on the chapters on Replicas and Trust Controllers and Trust Agents I was able to deduce my mistake ;-)
The problem was that on the replica I ran both of these commands, which had already been run on the master:
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
Instead I should only have run the following command on the replica:
sudo ipa-adtrust-install --add-agents
So I redid the setup and corrected my mistake; now it all works :-)
Both IPA servers now have the roles Trust Controller and Trust Agent.
Now I can authenticate users from IPA clients no matter if both IPA servers or just one of them are up and running.
Thanks a million!
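The ipa-healthcheck errors earlier in this thread say that IPATrustCatalogCheck looks for "AD Global Catalog" and "AD Domain Controller" entries under "Active servers:" in the output of `sssctl domain-status` for the AD domain, and the fix above (running ipa-adtrust-install --add-agents on the replica) is what makes those entries appear. The script below, an added example that is not code from this thread or from ipa-healthcheck, reproduces that check over captured `sssctl domain-status` output so the result can be verified on a replica without the full healthcheck run. Both sample outputs are constructed; the section layout ("Active servers:" followed by "role: host" lines up to the next blank line) is an assumption based on the lines quoted in the thread.

```python
"""Re-implement the trust catalog check over `sssctl domain-status` output."""

# Roles a trust agent must have an active server for, per the healthcheck errors in the thread.
REQUIRED_AD_ROLES = ("AD Global Catalog", "AD Domain Controller")

# Constructed sample: replica correctly configured as a trust agent.
HEALTHY_STATUS = """\
Online status: Online

Active servers:
AD Global Catalog: dc01.ad.labnet.org
AD Domain Controller: dc01.ad.labnet.org
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
- dc01.ad.labnet.org
Discovered AD Domain Controller servers:
- dc01.ad.labnet.org
Discovered IPA servers:
- lab003.labnet.org
"""

# Constructed sample: the situation reported in the thread (only the IPA server is active).
BROKEN_STATUS = """\
Online status: Online

Active servers:
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
None so far.
Discovered IPA servers:
- lab003.labnet.org
"""


def active_servers(domain_status_output):
    """Return {role: host} parsed from the 'Active servers:' section."""
    servers = {}
    in_section = False
    for raw in domain_status_output.splitlines():
        line = raw.strip()
        if line == "Active servers:":
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the section
                break
            role, sep, host = line.partition(":")
            if sep:
                servers[role.strip()] = host.strip()
    return servers


def missing_ad_roles(domain_status_output):
    """AD roles with no active server, i.e. what IPATrustCatalogCheck would flag."""
    active = active_servers(domain_status_output)
    return [role for role in REQUIRED_AD_ROLES if role not in active]


def trust_catalog_check(domain_status_output):
    """Findings as (level, message) pairs in the spirit of ipa-healthcheck output."""
    findings = [("ERROR", f"{role} not found in sssctl 'domain-status' output")
                for role in missing_ad_roles(domain_status_output)]
    if not findings:
        findings.append(("SUCCESS", "AD Global Catalog and AD Domain Controller are active"))
    return findings


if __name__ == "__main__":
    for label, output in (("healthy", HEALTHY_STATUS), ("broken", BROKEN_STATUS)):
        for level, message in trust_catalog_check(output):
            print(f"{label}: {level}: {message}")
```

On a live system the output would come from `sssctl domain-status ad.labnet.org` run on the replica; with the thread's misconfiguration the "broken" sample reproduces both ERROR findings, and after the --add-agents fix the "healthy" shape is what should appear.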
From rcritten at redhat.com Fri Apr 19 12:28:49 2024
Content-Type: multipart/mixed; boundary="===============7980859928759791521=="
MIME-Version: 1.0
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: sudo hbac rule refuses to work for AD users (one way trust).
Date: Fri, 19 Apr 2024 08:28:10 -0400
Message-ID: <86dcaba7-8471-a5d7-a0fa-85550a60c61a@redhat.com>
In-Reply-To: 20240419081608.3327.83666@mailman01.iad2.fedoraproject.org
slek kus via FreeIPA-users wrote:
> The issue might have started after enabling compat mode to allow LDAP authentication for AD users.
> Found this: https://microdevsys.com/wp/user-is-not-allowed-to-run-sudo-on-server-this-incident-will-be-reported/
>
> Went to disable the plugin, but was greeted with a prompt for the directory manager's password. I do not recall having set this during FreeIPA installation.
Setting this password is required during installation.
To change it see
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
rob
From slekkus75 at proton.me Fri Apr 19 12:56:21 2024
Content-Type: multipart/mixed; boundary="===============7535692170245785398=="
MIME-Version: 1.0
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: sudo hbac rule refuses to work for AD users (one way trust).
Date: Fri, 19 Apr 2024 12:56:01 +0000
Message-ID: <20240419125601.30286.62134@mailman01.iad2.fedoraproject.org>
In-Reply-To: 86dcaba7-8471-a5d7-a0fa-85550a60c61a@redhat.com
Must have missed that, changed. Have disabled the compat module, restarted all. Still no sudo working on clients.
It looks like sudo is not being handled by sssd (not aware of any rules), but I wouldn't know where to look for an issue. All trivial checks and tests done.
Most of it is confusing. Reading that nisdomains need to be set correctly to be able to use hostgroups, but this has worked before without the need for this.
I am lost here.
From taniahagan at googlemail.com Fri Apr 19 14:13:40 2024
Content-Type: multipart/mixed; boundary="===============3102930435046919681=="
MIME-Version: 1.0
From: Tania Hagan
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Expiring password Notification email template - images
Date: Fri, 19 Apr 2024 14:13:14 +0000
Message-ID: <20240419141314.15152.31605@mailman01.iad2.fedoraproject.org>
Hi FreeIPA Users,
Does anyone know if it's possible to include inline images in the email template for Expiring Password Notification? I've experimented with including base64 encoding but the message just shows a white box with a black outline. I think this is a limitation of our email client, and tried swapping to using a CID embedded image but have no way of pointing the template to the image file.
Many Thanks,
Tania
From sbose at redhat.com Fri Apr 19 15:47:01 2024
From: Sumit Bose
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Password expired is not requested with Ubuntu
clients
Date: Fri, 19 Apr 2024 17:46:43 +0200
Message-ID:
In-Reply-To: PRAP251MB05671953ED3F5DF5931288D0DB0D2@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM
On Fri, Apr 19, 2024 at 08:56:36AM +0000, Carlos Lopez via FreeIPA-users wrote:
> Good morning,
>
> I have configured some Ubuntu clients to authenticate via Kerberos against my RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.
>
> The problem comes when a user's password has expired. In the IdM server logs it is clear that the user must change the password:
>
> 2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired
> 2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
> 2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required
> 2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
> 2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG
>
> But when accessing the Ubuntu client via ssh, it never prompts to change the password and you can log in.
Hi,
can you share your PAM configuration for the sshd service? I'm asking because the change of expired passwords is handled in the 'account' section, and I guess that with your configuration (local users with authentication by SSSD) pam_sss.so is not called for local users during 'account'.
bye,
Sumit
>
> My sssd's config in Ubuntu client is:
>
> [sssd]
> config_file_version = 2
> services = pam
> domains = mydom.org
>
> [pam]
> pam_pwd_expiration_warning = 2
>
> [domain/mydom.org]
> id_provider = proxy
> proxy_lib_name = files
> auth_provider = krb5
> chpass_provider = krb5
> krb5_server = rhelidmsrv01.mydom.org
> krb5_kpasswd = rhelidmsrv01.mydom.org
> krb5_realm = mydom.org
> krb5_ccname_template = KEYRING:persistent:%U
> krb5_validate = true
> cache_credentials = true
>
> What could be the problem?
>
> Best regards,
> C. L. Martinez
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
From basile.pinsard at gmail.com Fri Apr 19 16:20:09 2024
From: Basile Pinsard
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: pki-tomcat won't start + expired certificates
Date: Fri, 19 Apr 2024 16:19:50 +0000
Message-ID: <20240419161950.13506.9177@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7JwByJV9DrPOO_JAd5aTBuFXD91toakJjAZ9ev2xaSJw3A@mail.gmail.com
Hi!
Here is the output of ipa-cert-fix on the original instance:
```
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
Serial: 3
Expires: 2024-03-19 20:36:25
Dogtag subsystem certificate:
Subject: CN=CA Subsystem,O=DOMAIN.COM
Serial: 4
Expires: 2024-03-19 20:36:27
Dogtag ca_ocsp_signing certificate:
Subject: CN=OCSP Subsystem,O=DOMAIN.COM
Serial: 2
Expires: 2024-03-19 20:36:24
Dogtag ca_audit_signing certificate:
Subject: CN=CA Audit,O=DOMAIN.COM
Serial: 5
Expires: 2024-03-19 20:36:30
IPA IPA RA certificate:
Subject: CN=IPA RA,O=DOMAIN.COM
Serial: 7
Expires: 2024-03-19 20:38:19
IPA KDC certificate:
Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
Serial: 10
Expires: 2024-03-30 20:40:27
Enter "yes" to proceed: yes
Proceeding.
CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-DOMAIN-COM.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '10'] returned non-zero exit status 1: "
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['7', '10']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP connection for CA
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info from CS.cfg
INFO: Getting sslserver cert info from NSS database
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info from CS.cfg
INFO: Getting sslserver cert info from NSS database
INFO: CSR for sslserver has been written to /tmp/tmpydx011j8/sslserver.csr
INFO: Getting signing cert info from CS.cfg
INFO: Getting signing cert info from NSS database
INFO: CA cert written to /tmp/tmpydx011j8/ca_certificate.crt
INFO: AKI: 0x7A0D23C6A1283EB899A0E5A4EFA3F92042F7F6D0
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Selftests enabled for subsystems: ca
INFO: Restoring LDAP connection for CA
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
ERROR: Failed to generate CA-signed temp SSL certificate. RC: 255
")
The ipa-cert-fix command failed.
```
> If you have a backup of the previous http/ldap certs you can put them back
> in place.
Unfortunately, I don't have these anymore.
However, I tried the approach I described above on a copy of the data in another container, managed to install temporary certs/CA for the ldap/httpd servers, pki-tomcat seems to be able to establish the connection to the LDAP but crashes at the following error.
`Certificate not found: caSigningCert cert-pki-ca`
Not sure what else needs to be fixed.
On this copy, with the hacked temporary certs, if I run `ipa-cert-fix` I get the same error as on the original instance. If I run the `pki-server cert-fix` command that crashes, but removing `--cert sslserver`, it goes a bit further but is still blocked by `pki-tomcat` not being able to start.
Thanks for all the help.
From clopmz at outlook.com Fri Apr 19 17:05:12 2024
From: Carlos Lopez
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Password expired is not requested with Ubuntu
clients
Date: Fri, 19 Apr 2024 17:03:46 +0000
Message-ID:
In-Reply-To: ZiKR4_AvWkXarq-U@sbose.users.ipa.redhat.com
Of course. Here it is:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Set the loginuid process attribute.
session required pam_loginuid.so

# Create a new session keyring.
session optional pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password

and common-account:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Best regards,
C. L. Martinez
From sbose at redhat.com Fri Apr 19 17:34:03 2024
From: Sumit Bose
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Password expired is not requested with Ubuntu
clients
Date: Fri, 19 Apr 2024 19:33:38 +0200
Message-ID:
In-Reply-To: PRAP251MB0567925D61D0A97D0807FBD5DB0D2@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM
On Fri, Apr 19, 2024 at 05:03:46PM +0000, Carlos Lopez wrote:
> Of course. Here it is:
Hi,
so pam_sss.so is not called at all, which would explain the behavior. I
assume pam_sss.so is listed in common-auth. Did you add it on your own
to common-auth, or was it added by a system utility, e.g. pam-auth-update?
bye,
Sumit
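Sumit's diagnosis above (pam_sss.so reached in 'auth' but never in 'account', so an expired Kerberos password is never acted on) can be checked mechanically. What follows is an added example, my own code and not anything from this thread, SSSD or FreeIPA: it walks a PAM service file, follows @include into the common-* files, and reports the management groups in which a module is consulted. The sshd and common-account content is constructed from what Carlos posted; the common-auth content and the FIXED_COMMON_ACCOUNT line are assumptions, marked as such in the comments.

```python
"""Report which PAM management groups of a service consult a given module.

Added example for this thread (my code, not SSSD's or FreeIPA's). The files
below are constructed in memory: sshd and common-account mirror what Carlos
posted, common-auth is an assumption (the thread never shows it), and
FIXED_COMMON_ACCOUNT carries the pam_sss.so account line that, to my
knowledge, pam-auth-update's sss profile adds on Debian/Ubuntu (verify on
your host). On a real host, replace PAM_FILES with the contents of /etc/pam.d.
"""
import re

PAM_FILES = {
    "sshd": """\
# PAM configuration for the Secure Shell service
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
@include common-session
session required pam_limits.so
session optional pam_mail.so standard noenv # [1]
@include common-password
""",
    # Assumed: pam_sss.so is present in the auth group, so Kerberos login works.
    "common-auth": """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
""",
    # As posted: only pam_unix.so decides the account group.
    "common-account": """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
""",
    "common-session": """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
""",
    "common-password": """\
password [success=1 default=ignore] pam_unix.so obscure yescrypt
password requisite pam_deny.so
password required pam_permit.so
""",
}

# Assumed fix: common-account with the account line the sssd pam-configs
# profile contributes, so pam_sss.so is consulted during 'account' too.
FIXED_COMMON_ACCOUNT = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

GROUPS = ("auth", "account", "password", "session")

# type  control  module [args]; the control field is either one keyword or a
# bracketed action list that may itself contain spaces.
RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
)


def pam_rules(service, files, _depth=0):
    """Yield (group, control, module) for each rule, following @include."""
    if _depth > 8:  # a broken config could include itself forever
        raise RecursionError("PAM @include nesting too deep")
    for raw in files.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            included = line.split(None, 1)[1].strip()
            yield from pam_rules(included, files, _depth + 1)
            continue
        m = RULE_RE.match(line)
        if m:
            yield m.group("type"), m.group("control"), m.group("module")


def module_groups(service, module, files=PAM_FILES):
    """Set of management groups in which `module` is consulted."""
    return {grp for grp, _ctl, mod in pam_rules(service, files) if mod == module}


def missing_groups(service, module, files=PAM_FILES):
    """Groups that never call `module`. 'account' in this tuple is the gap
    Sumit points at: expired-password handling never reaches pam_sss.so."""
    return tuple(g for g in GROUPS if g not in module_groups(service, module, files))


if __name__ == "__main__":
    print("pam_sss.so consulted in:", sorted(module_groups("sshd", "pam_sss.so")))
    print("pam_sss.so missing from:", missing_groups("sshd", "pam_sss.so"))
    fixed = dict(PAM_FILES, **{"common-account": FIXED_COMMON_ACCOUNT})
    print("after fix, missing from:", missing_groups("sshd", "pam_sss.so", fixed))
```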
From rcritten at redhat.com Fri Apr 19 17:46:10 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: sudo hbac rule resfues to work for AD users (one
way trust).
Date: Fri, 19 Apr 2024 13:45:52 -0400
Message-ID: <4ba8f47c-903a-fa9d-33bc-36644701be4e@redhat.com>
In-Reply-To: 20240419125601.30286.62134@mailman01.iad2.fedoraproject.org
slek kus via FreeIPA-users wrote:
> Must have missed that, changed. Have disabled the compat module, restarted all. Still no sudo working on clients.
> It looks like sudo is not being handled by sssd (not aware of any rules), but wouldn't know where to look for an issue. All trivial checks and tests done.
> Most is confusing. Reading about nisdomains need to be set correctly to be able to use hostgroups but this has worked before without the need for this.
>
> I am lost here.
Start with https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html
rob
From Bernard.LHEUREUX at staff.win.be Mon Apr 22 10:58:40 2024
From: LHEUREUX Bernard
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Not possible to delete ID views from Default Trust
View if user is no longer present in AD
Date: Mon, 22 Apr 2024 10:57:49 +0000
Message-ID: <62efb5de5ca840f08cc6acb920996c10@staff.win.be>
Hello,
I'm trying to delete some anchors on the Default Trust View on a FreeIPA with a trust to an AD, and I always get the message “…@... user not found »
Effectively those users are no longer part of the organization and have been removed from the AD, but how could I clean them up in the Default Trust View?
Thanks for your help.
---
Bernard Lheureux
Win S.A.
________________________________
1/ In accordance with our ISO 27001 certification, this message and any attachment are the exclusive property of Win. The information contained in this e-mail may be confidential and therefore protected from any disclosure. If you have received this communication in error, please inform us immediately by replying to this message and deleting it from your computer, without copying or disclosing it.
2/ Acceptance of any commercial offer (whatever the medium) entails adherence to the descriptions (in particular technical ones) inherent to the solutions offered, as well as to Win's general commercial terms, available at https://www.win.be/cgv
DISCLAIMER : https://www.win.be/fr-win/disclaimer.htm
From slekkus75 at proton.me Mon Apr 22 12:45:45 2024
Content-Type: multipart/mixed; boundary="===============0710299246048751314=="
MIME-Version: 1.0
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: sudo hbac rule resfues to work for AD users (one
way trust).
Date: Mon, 22 Apr 2024 12:45:33 +0000
Message-ID: <20240422124533.9883.99728@mailman01.iad2.fedoraproject.org>
In-Reply-To: 4ba8f47c-903a-fa9d-33bc-36644701be4e@redhat.com
--===============0710299246048751314==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Thanks for that troubleshooting link. Bookmarked.
The issue has been resolved and was totally a user mistake, by not understanding the relation between HBAC and sudo rules.
HBAC sets who can access sudo, but one still needs to tell sudo which rules are allowed to execute what and where, which is where the sudo rules come in.
In my case I had set just the HBAC rule with user group, host group and the service "sudo-i".
Things work now, and I hope my understanding is correct as stated above.
Greetings!
--===============0710299246048751314==--
From cdth at gmx.net Mon Apr 22 13:54:40 2024
Content-Type: multipart/mixed; boundary="===============0544773301997178187=="
MIME-Version: 1.0
From: Thomas Handler
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Question regarding "Samba on an IdM domain member"
Date: Mon, 22 Apr 2024 15:54:20 +0200
Message-ID:
--===============0544773301997178187==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hello,
at the beginning of March I received support running Samba on an IdM domain member from Alexander. Back then my problem was what Alexander pinpoints in his text https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/ under "Mixed realm deployments", where the Linux machine running Samba was in the wrong DNS zone.
After having fixed this, things are running fine.
Now it has come to what was already obvious back then and what is well noted in the Red Hat docs https://access.redhat.com/documentation/en-en/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm where it is stated "AD users logged into a Windows machine can not access Samba shares hosted on an IdM domain member".
So the customer has now stumbled exactly over this, and I just wanted to confirm that my understanding of this section in the docs is correct and that there's no way to ensure that an AD user on a Windows machine can access the shares on the Samba machine joined to IdM.
Thank you.
Best regards,
Thomas
--===============0544773301997178187==--
From flo at redhat.com Tue Apr 23 06:31:35 2024
Content-Type: multipart/mixed; boundary="===============3899993962837828058=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: pki-tomcat won't start + expired certificates
Date: Tue, 23 Apr 2024 08:31:06 +0200
Message-ID:
In-Reply-To: 20240419161950.13506.9177@mailman01.iad2.fedoraproject.org
--===============3899993962837828058==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi,
On Fri, Apr 19, 2024 at 6:20 PM Basile Pinsard via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hi!
>
> Here is the output of ipa-cert-fix on the original instance:
>
> ```
>
> The following certificates will be renewed:
>
> Dogtag sslserver certificate:
> Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
> Serial: 3
> Expires: 2024-03-19 20:36:25
>
> Dogtag subsystem certificate:
> Subject: CN=CA Subsystem,O=DOMAIN.COM
> Serial: 4
> Expires: 2024-03-19 20:36:27
>
> Dogtag ca_ocsp_signing certificate:
> Subject: CN=OCSP Subsystem,O=DOMAIN.COM
> Serial: 2
> Expires: 2024-03-19 20:36:24
>
> Dogtag ca_audit_signing certificate:
> Subject: CN=CA Audit,O=DOMAIN.COM
> Serial: 5
> Expires: 2024-03-19 20:36:30
>
> IPA IPA RA certificate:
> Subject: CN=IPA RA,O=DOMAIN.COM
> Serial: 7
> Expires: 2024-03-19 20:38:19
>
> IPA KDC certificate:
> Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
> Serial: 10
> Expires: 2024-03-30 20:40:27
>
> Enter "yes" to proceed: yes
> Proceeding.
> CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket',
> '/run/slapd-DOMAIN-COM.socket', '--agent-uid', 'ipara', '--cert',
> 'sslserver'
> , '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert',
> 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '10'] returned
> non-zero exit stat
> us 1: "INFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat
> config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config:
> /usr/share/pki/et
> c/tomcat.conf\nINFO: Loading instance Tomcat config:
> /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config:
> /etc/pki/pki-tomcat/password.conf\nIN
> FO: Loading subsystem config:
> /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry:
> /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO
> : Loading instance registry:
> /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following
> system certs: ['sslserver', 'subsystem', 'ca_ocsp
> _signing', 'ca_audit_signing']\nINFO: Renewing the following additional
> certs: ['7', '10']\nINFO: Stopping the instance to proceed with system cert
> renewa
> l\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser
> password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL
> username: gidNumb
> er=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO:
> Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO:
> Storing regis
> try config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Storing
> subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing
> registry c
> onfig: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Selftests
> disabled for subsystems: ca\nSASL/EXTERNAL authentication started\nSASL
> username: gid
> Number=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO:
> Resetting password for uid=ipara,ou=people,o=ipaca\nSASL/EXTERNAL
> authentication
> started\nSASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO:
> Creating a temporary sslserver cert\nINFO: Getting ssl
> server cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS
> database\nINFO: Trying to create a new temp cert for sslserver.\nINFO:
> Generate t
> emp SSL certificate\nINFO: Getting sslserver cert info from CS.cfg\nINFO:
> Getting sslserver cert info from NSS database\nINFO: CSR for sslserver has
> been
> written to /tmp/tmpydx011j8/sslserver.csr\nINFO: Getting signing cert info
> from CS.cfg\nINFO: Getting signing cert info from NSS database\nINFO: CA
> cert w
> ritten to /tmp/tmpydx011j8/ca_certificate.crt\nINFO: AKI:
> 0x7A0D23C6A1283EB899A0E5A4EFA3F92042F7F6D0\nINFO: Storing subsystem config:
> /var/lib/pki/pki-tom
> cat/ca/conf/CS.cfg\nINFO: Storing registry config:
> /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Selftests enabled for
> subsystems: ca\nINFO: Restori
> ng LDAP connection for CA\nINFO: Storing subsystem config:
> /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config:
> /var/lib/pki/pki-tomcat/
> ca/conf/registry.cfg\nERROR: Failed to generate CA-signed temp SSL
> certificate. RC: 255\n")
> The ipa-cert-fix command failed.
>
> ```
>
>
> > If you have a backup of the previous http/ldap certs you can put them
> back
> > in place.
>
> Unfortunately, I don't have these anymore.
>
>
> However, I tried the approach I described above on a copy of the data in
> another container, managed to install temporary certs/CA for the ldap/httpd
> servers, pki-tomcat seems to be able to establish the connection to the
> LDAP but crashes at the following error.
>
> `Certificate not found: caSigningCert cert-pki-ca`
>
Do you have the IPA CA cert in /etc/pki/pki-tomcat/alias/ and
/etc/ipa/ca.crt ?
>
> Not sure what else needs to be fixed.
>
> On this copy, with the hacked temporary certs, if I run `ipa-cert-fix` I
> get the same error as on the original instance. If I run the `pki-server
> cert-fix` command that crashes, but removing `--cert sslserver`, it goes a
> bit further but is still blocked by `pki-tomcat` not being able to start.
>
You can also try to run the pki-server cert-fix command with the additional
arguments --verbose --debug, it may provide you with more information.
flo
>
> Thanks for all the help.
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
--===============3899993962837828058==--
From gladia2r at gmail.com Tue Apr 23 07:53:38 2024
Content-Type: multipart/mixed; boundary="===============1644956592551744684=="
MIME-Version: 1.0
From: Lee Csk
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] LDAP conflicts after yum update on Almalinux 8.9
Date: Tue, 23 Apr 2024 07:53:28 +0000
Message-ID: <20240423075328.457.26512@mailman01.iad2.fedoraproject.org>
--===============1644956592551744684==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
After performing the usual yum updates on multiple IPA servers (not at the same time; one server reportedly started hanging), we started observing "LDAP Conflicts" in multiple IPA replication servers:
az2-replica.noc.net
| LDAP Conflicts | 9 | FAIL |
mi2-replica.noc.net:
| LDAP Conflicts | 9 | FAIL |
mi1-replica.noc.net:
| LDAP Conflicts | 9 | FAIL |
az1-replica.noc.net:
| LDAP Conflicts | 10 | FAIL |
sg1-replicate.noc.net:
| LDAP Conflicts | 3 | FAIL |
sg2-replica.noc.net
| LDAP Conflicts | 3 | FAIL |
While the "Replication status" reports OK, we also observe flapping at times between OK and FAIL.
We have tried to follow, on one of the replication servers, https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
- by removing the orphan entry; however, the replication broke completely on it (the ipa service couldn't start back up), requiring a full re-install of that specific replica.
]$ sudo -u admin /home/admin/.local/bin/cipa -H localhost |grep "LDAP Conflicts"
| LDAP Conflicts | 0 | OK |
$ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net"
Enter password for cn=Directory Manager on ldap://az1-replica.noc.net:
dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
cn: sg1-replica.noc.net
ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
ipaMaxDomainLevel: 1
ipaMinDomainLevel: 1
ipaReplTopoManagedSuffix: dc=noc,dc=net
nsds5replconflict: deletedEntryHasChildren
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
objectClass: ipalocationmember
objectClass: extensibleobject
objectClass: glue
$ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: nsds5ReplConflict
#
# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa,
etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
# HTTP/mi1-replica.noc.net(a)noc.NET + 0264df8b-fca611ee-a3cba8b9-8a6b8039,
services, accounts, noc.net
dn: krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) krbprincipalname=http/mi1-ipaca.noc.net(a)noc.net,cn=services,cn=accounts,dc=noc,dc=net
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
OR:
az1-replica.noc.net:/$ ldapsearch -H ldap://$(hostname) -D "cn=Directory Manager" -W -b "dc=noc,dc=net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#
# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa,
etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
objectClass: ldapsubentry
objectClass: ipalocationmember
cn: sg1-replica.noc.net
ipaReplTopoManagedSuffix: dc=noc,dc=net
ipaMinDomainLevel: 1
ipaMaxDomainLevel: 1
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We expect: | LDAP Conflicts | 0 | OK |
Running versions:
ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
ipa-client-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
389-ds-base-1.4.3.37-2.module_el8.9.0+3710+3183c30a.alma.1.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
The yum update happened from:
ipa-server-4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1.x86_64
to:
ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
Please advise how it is best to resolve these "LDAP Conflicts".
How to remove them, or retain them if that's the case?
Thanks,
Lee
--===============1644956592551744684==--
From abokovoy at redhat.com Tue Apr 23 08:19:01 2024
Content-Type: multipart/mixed; boundary="===============7390503135100346437=="
MIME-Version: 1.0
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: =?utf-8?q?=5BFreeipa-users=5D_Re=3A_Question_regarding_=E2=80=9CSamba__on?=
=?utf-8?q?_an_IdM_domain_member=E2=80=9D?=
Date: Tue, 23 Apr 2024 11:18:42 +0300
Message-ID:
In-Reply-To: etPan.66266c11.2b3251af.a99@gmx.net
--===============7390503135100346437==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
On Mon, 22 Apr 2024, Thomas Handler via FreeIPA-users wrote:
>
>Hello,
>
>beginning of March I have received support running Samba on an IdM
>domain member from Alexander. Back then my problem was what Alexander
>pinpoints in his
>text https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/ under
>"Mixed realm deployments" where the Linux machine running Samba was in
>the wrong DNS zone.
>
>After having fixed this things are running fine.
>
>Now it came as it already was obvious back then and what is well noted
>already in the RedHat
>Docs https://access.redhat.com/documentation/en-en/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm where
>is stated "AD users logged into a Windows machine can not access Samba
>shares hosted on an IdM domain member".
>
>So the customer has now stumbled exactly over this and I just wanted to
>confirm that my understanding of this section in the docs is correct
>and that there's no way to ensure that an AD user on a Windows machine
>can access the shares on the Samba machine joined to IdM.
Short answer: yes, the documentation is up to date.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--===============7390503135100346437==--
From flo at redhat.com Tue Apr 23 08:19:23 2024
Content-Type: multipart/mixed; boundary="===============1285815130535106453=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9
Date: Tue, 23 Apr 2024 10:18:55 +0200
Message-ID:
In-Reply-To: 20240423075328.457.26512@mailman01.iad2.fedoraproject.org
--===============1285815130535106453==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi,
On Tue, Apr 23, 2024 at 9:53 AM Lee Csk via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> After performing a usual Yum update's on multiple IPA servers (not at the
> same time, one server reportedly started hanging), we started observing
> "LDAP Conflicts" in multiple IPA replication servers:
>
> az2-replica.noc.net
> | LDAP Conflicts | 9 | FAIL |
> mi2-replica.noc.net:
> | LDAP Conflicts | 9 | FAIL |
> mi1-replica.noc.net:
> | LDAP Conflicts | 9 | FAIL |
> az1-replica.noc.net:
> | LDAP Conflicts | 10 | FAIL |
> sg1-replicate.noc.net:
> | LDAP Conflicts | 3 | FAIL |
> sg2-replica.noc.net
> | LDAP Conflicts | 3 | FAIL |
>
> The "Replication status" while reports OK, we observe also flapping at
> times between OK and FAIL too.
>
> We have tried to follow on one of the replication servers:
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
> - by removing the orphan entry, however the replication broke completely
> on it (ipa service couldn't start back up), requiring a full re-install of
> that specific replica.
>
> ]$ sudo -u admin /home/admin/.local/bin/cipa -H localhost |grep "LDAP
> Conflicts"
> | LDAP Conflicts | 0 | OK |
>
> $ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict
> list-glue "dc=noc,dc=net"
> Enter password for cn=Directory Manager on ldap://az1-replica.noc.net:
> dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> cn: sg1-replica.noc.net
> ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
> ipaMaxDomainLevel: 1
> ipaMinDomainLevel: 1
> ipaReplTopoManagedSuffix: dc=noc,dc=net
> nsds5replconflict: deletedEntryHasChildren
> objectClass: top
> objectClass: nsContainer
> objectClass: ipaReplTopoManagedServer
> objectClass: ipaConfigObject
> objectClass: ipaSupportedDomainLevelConfig
> objectClass: ipalocationmember
> objectClass: extensibleobject
> objectClass: glue
>
> $ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager'
> '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
> # requesting: nsds5ReplConflict
> #
>
> # sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters,
> ipa, etc, noc.net
> dn: cn=sg1-replica.noc.net
> +nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net
> ,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
>
> # HTTP/mi1-replica.noc.net(a)noc.NET +
> 0264df8b-fca611ee-a3cba8b9-8a6b8039,services, accounts, noc.net
> dn: krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET
> +nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
> nsds5ReplConflict: namingConflict (ADD) krbprincipalname=http/
> mi1-ipaca.noc.net(a)noc.net,cn=services,cn=accounts,dc=noc,dc=net
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> OR:
>
> az1-replica.noc.net:/$ ldapsearch -H ldap://$(hostname) -D "cn=Directory
> Manager" -W -b "dc=noc,dc=net"
> "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
> # requesting: * nsds5ReplConflict
> #
>
> # sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa,
> etc, noc.net
> dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100
> ,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
> objectClass: top
> objectClass: nsContainer
> objectClass: ipaReplTopoManagedServer
> objectClass: ipaConfigObject
> objectClass: ipaSupportedDomainLevelConfig
> objectClass: ldapsubentry
> objectClass: ipalocationmember
> cn: sg1-replica.noc.net
> ipaReplTopoManagedSuffix: dc=noc,dc=net
> ipaMinDomainLevel: 1
> ipaMaxDomainLevel: 1
> nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters
> ,cn=ipa,cn=etc,dc=noc,dc=net
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> We expect: | LDAP Conflicts | 0 | OK |
>
> Running versions:
> ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
> ipa-client-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
> 389-ds-base-1.4.3.37-2.module_el8.9.0+3710+3183c30a.alma.1.x86_64
> krb5-server-1.18.2-26.el8_9.x86_64
>
> The yum update happened from:
> ipa-server-4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1.x86_64
> to:
> ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
>
ipa-server-4.9.12-14 fixes this issue:
https://issues.redhat.com/browse/RHEL-28847 and must be installed with the
corresponding bind update that fixes
https://issues.redhat.com/browse/RHEL-25648: bind-9.11.36-11.el8_9.1
Do you have the right bind version?
flo
>
> Please advise, how its best to resolve these "LDAP Conflicts".
> How to remove, or retain if its the case?
>
> Thanks,
> Lee
--===============1285815130535106453==--
From gladia2r at gmail.com Tue Apr 23 10:07:59 2024
Content-Type: multipart/mixed; boundary="===============7629544398885166897=="
MIME-Version: 1.0
From: Lee Csk
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9
Date: Tue, 23 Apr 2024 10:07:48 +0000
Message-ID: <20240423100748.19020.20863@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7Jxe6zPJ39PY++g4CfPF7Jtj9zSe+Fr1dFHPnZH4o=Qc6A@mail.gmail.com
--===============7629544398885166897==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
> ipa-server-4.9.12-14 fixes this issue:
> https://issues.redhat.com/browse/RHEL-28847 and must be installed with the
> corresponding bind update that fixes
> https://issues.redhat.com/browse/RHEL-25648: bind-9.11.36-11.el8_9.1
> Do you have the right bind version?
>
> flo
I do not have access to those RHEL issues unfortunately.
That is a good point, however; we observed that various replica servers are running different bind versions.
Some: bind-9.11.36-11.el8_9.x86_64
Others: bind-9.11.36-11.el8_9.1.x86_64
We are updating them now slowly, and have already updated 2 replica servers to the latest bind version; however, the LDAP Conflicts don't disappear.
Thanks,
Lee
--===============7629544398885166897==--
From net.ricky at gmail.com Tue Apr 23 10:45:33 2024
Content-Type: multipart/mixed; boundary="===============5182173304947041638=="
MIME-Version: 1.0
From: Riccardo Rotondo
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] User Agreement Description Field
Date: Tue, 23 Apr 2024 10:45:21 +0000
Message-ID: <20240423104521.24624.17699@mailman01.iad2.fedoraproject.org>
--===============5182173304947041638==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi,
I defined an Agreement in the web-ui and I can see it loaded in noggin.
I was wondering if the description supports HTML, Markdown or any other syntax in order to put a clickable URL in the description.
I made some tests but with no luck.
Thank you in advance.
Riccardo
--===============5182173304947041638==--
From flo at redhat.com Tue Apr 23 11:43:37 2024
Content-Type: multipart/mixed; boundary="===============1174271718734029432=="
MIME-Version: 1.0
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Not possible to delete ID views from Default
Trust View if user is no longer present in AD
Date: Tue, 23 Apr 2024 13:43:11 +0200
Message-ID:
In-Reply-To: 62efb5de5ca840f08cc6acb920996c10@staff.win.be
--===============1174271718734029432==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Hi,
On Mon, Apr 22, 2024 at 12:58 PM LHEUREUX Bernard via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello,
>
>
>
> I'm trying to delete some anchors on Default Trust View on a FreeIPA with
> trust to an AD and, I always get the message "…@... user not found"
>
> Effectively those users are no longer part of the organization and have
> been removed from the AD, but how could I clean them in the Default Trust
> View
>
> Thanks for your help.
>
You can use the SID format to delete the idoverride user. For instance, in
my deployment I have setup an idoverrideuser for adposixuser(a)ad.test and
then deleted the entry from Active Directory.
If I try to directly remove the idoverrideuser:
# ipa idoverrideuser-del "Default Trust View" adposixuser(a)ad.test
ipa: ERROR: adposixuser(a)ad.test: user not found
But I can find the SID format for the override with:
# ipa idoverrideuser-find "Default Trust View" --all --raw
--------------------------
1 User ID override matched
--------------------------
dn: ipaanchoruuid=:SID:S-1-5-21-3461337807-2625513185-2631243145-1108,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=test
ipaanchoruuid: :SID:S-1-5-21-3461337807-2625513185-2631243145-1108
ipaoriginaluid: adposixuser(a)ad.test
objectClass: ipaOverrideAnchor
objectClass: top
objectClass: ipaUserOverride
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
and then use this format to remove the idoverride user:
# ipa idoverrideuser-del "Default Trust View" ":SID:S-1-5-21-3461337807-2625513185-2631243145-1108"
------------------------------------------------------------------------------
Deleted User ID override ":SID:S-1-5-21-3461337807-2625513185-2631243145-1108"
------------------------------------------------------------------------------
HTH,
flo
>
>
> ---
>
> Bernard Lheureux
>
> Win S.A.
>
>
>
> ------------------------------
> 1/In accordance with our ISO 27001 certification, this message and any
> attachment are the exclusive property of Win. The information contained in this
> e-mail may be confidential and therefore protected from any
> disclosure. If you have received this communication in error, please
> inform us immediately by replying to this message and
> deleting it from your computer, without copying or disclosing it.
> 2/Acceptance of any commercial offer (whatever the medium)
> entails adherence to the descriptions (in particular technical) inherent in the
> solutions offered, as well as to Win's general terms and conditions,
> available via https://www.win.be/cgv
> DISCLAIMER : https://www.win.be/fr-win/disclaimer.htm
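As an added example (not code from this thread or from the FreeIPA project), a small POSIX shell helper that automates the lookup in Florence's reply: it parses the `--raw` output of `ipa idoverrideuser-find` to find the `ipaanchoruuid` (SID anchor) that belongs to an `ipaoriginaluid`, and then deletes the override by that anchor, which still works after the AD user is gone. The sample output is constructed (the second SID is invented), and the `IPA` variable, defaulting to `ipa`, is an assumption so the helper can be dry-run with `IPA=echo`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Deletes a stale user ID override (AD user already removed) by its SID
# anchor, looking the anchor up in `ipa idoverrideuser-find ... --all --raw`
# output, as in the manual procedure described in the reply above.
#
# IPA: command to run (assumption; defaults to `ipa`, set IPA=echo to dry-run).

# Constructed sample of `ipa idoverrideuser-find "Default Trust View" --all --raw`
# output. The first SID is the one from the thread; the second is invented.
SAMPLE_RAW='--------------------------
2 User ID overrides matched
--------------------------
dn: ipaanchoruuid=:SID:S-1-5-21-3461337807-2625513185-2631243145-1108,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=test
ipaanchoruuid: :SID:S-1-5-21-3461337807-2625513185-2631243145-1108
ipaoriginaluid: adposixuser@ad.test
objectClass: ipaOverrideAnchor
objectClass: top
objectClass: ipaUserOverride
dn: ipaanchoruuid=:SID:S-1-5-21-3461337807-2625513185-2631243145-1133,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=test
ipaanchoruuid: :SID:S-1-5-21-3461337807-2625513185-2631243145-1133
ipaoriginaluid: otheruser@ad.test
objectClass: ipaOverrideAnchor
objectClass: top
objectClass: ipaUserOverride
----------------------------
Number of entries returned 2
----------------------------'

# anchor_for_uid RAW_OUTPUT ORIGINAL_UID
# Prints the ipaanchoruuid of the override whose ipaoriginaluid equals
# ORIGINAL_UID (case-insensitive); exits 1 when there is no such override.
# In --raw output ipaanchoruuid precedes ipaoriginaluid within each entry,
# so the last anchor seen is the one belonging to the matching uid.
anchor_for_uid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "ipaanchoruuid:" { anchor = $2 }
        $1 == "ipaoriginaluid:" && tolower($2) == tolower(want) {
            print anchor; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# anchor_is_sid ANCHOR
# Accept only the ":SID:S-1-5-21-..." anchor form before handing it to the
# delete command, so a parsing slip cannot turn into a delete of something else.
anchor_is_sid() {
    case "$1" in
        :SID:S-1-5-21-*) return 0 ;;
        *) return 1 ;;
    esac
}

# delete_override_by_uid VIEW RAW_OUTPUT ORIGINAL_UID
# Resolves the SID anchor for ORIGINAL_UID and deletes the override by anchor,
# the path that works when "ipa idoverrideuser-del VIEW uid" fails with
# "user not found" because the user no longer exists in AD.
delete_override_by_uid() {
    view=$1; raw=$2; uid=$3
    anchor=$(anchor_for_uid "$raw" "$uid") || {
        echo "no ID override in '$view' for $uid" >&2
        return 1
    }
    anchor_is_sid "$anchor" || {
        echo "unexpected anchor format for $uid: $anchor" >&2
        return 2
    }
    "${IPA:-ipa}" idoverrideuser-del "$view" "$anchor"
}

# Dry run against the constructed sample: prints the command that would run.
IPA=echo
delete_override_by_uid "Default Trust View" "$SAMPLE_RAW" adposixuser@ad.test
```

With `IPA` unset on a real server the same call runs `ipa idoverrideuser-del` against the resolved anchor; the raw output would come from `ipa idoverrideuser-find "$view" --all --raw` instead of the sample.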
--===============1174271718734029432==--
From cheimes at redhat.com Tue Apr 23 12:04:44 2024
Content-Type: multipart/mixed; boundary="===============1699645247217016633=="
MIME-Version: 1.0
From: Christian Heimes
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: User Agreement Description Field
Date: Tue, 23 Apr 2024 14:04:21 +0200
Message-ID: <6ee9a326-490a-44af-bacb-968c8a27c0c1@redhat.com>
In-Reply-To: 20240423104521.24624.17699@mailman01.iad2.fedoraproject.org
On 23/04/2024 12.45, Riccardo Rotondo via FreeIPA-users wrote:
> Hi,
> I defined an Agreement in the web-ui and I can see it loaded in noggin.
> I was wondering if the description supports html, markdown or any other syntax in order to put a clickable url in the description.
> I made some tests but with no luck.
> Thank you in advance.
Widgets support raw HTML. HTML rendering is disabled by default, because it is a source of XSS vulnerabilities. If you enable HTML mode, then you have to validate and sanitize any user-controlled input yourself.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
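Christian's point above (raw HTML in the description widget is only safe after the input has been sanitized) illustrated with an added example. This is not noggin's or FreeIPA's code; it assumes the description is rendered with HTML mode enabled and that the only markup wanted is a clickable `<a href>` plus `<b>`, `<i>`, `<p>` and `<br>`, which are assumptions of this example. Everything outside that allowlist is escaped or dropped rather than passed to the browser.

```python
"""Allowlist-based sanitizer for a user-agreement description rendered as HTML.

Added example, not FreeIPA or noggin code. It assumes the description is
rendered with raw HTML enabled and that only a handful of tags are wanted:
<a href="http(s)://...">, <b>, <i>, <p> and <br>. Any other tag or
attribute (onclick=, style=, javascript: URLs, <script>, ...) is escaped
or dropped, so the browser shows it as text instead of executing it.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "p", "br"}
VOID_TAGS = {"br"}                      # no closing tag
ALLOWED_ATTRS = {"a": {"href"}}         # every other attribute is dropped
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(value):
    """Return the URL if it is an absolute http(s) URL, else None.

    Rejects javascript:, data:, vbscript: and similar schemes, and also
    relative or scheme-less values that cannot be checked reliably.
    """
    if value is None:
        return None
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return value


class _Sanitizer(HTMLParser):
    """Rebuild the document from parsed tokens, keeping only the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: emit its source text escaped so it is inert
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onclick=, style=, target=, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            # Stray or disallowed closing tag (e.g. </script>): escape it
            self.out.append(escape(f"</{tag}>"))
            return
        # Close everything opened after it as well, keeping output balanced
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # comments are dropped entirely

    def close(self):
        super().close()
        while self.open_tags:           # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_description(html):
    """Return a safe HTML string for the description widget."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input: a legitimate link next to typical injection attempts
    sample = ('Read the <a href="https://example.com/terms" onclick="steal()">terms</a>.'
              '<script>alert(1)</script><a href="javascript:alert(2)">x</a>')
    print(sanitize_description(sample))
```

The design choice is an allowlist rather than a blocklist: the parser re-emits only tags and attributes it recognises, so new attack vectors (unknown tags, event-handler attributes, exotic URL schemes) fall into the escaped-by-default path instead of slipping through. Run it on the description before storing or rendering it, and keep HTML mode off for any field that does not need a link at all.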
From joyce at ennexa.com Tue Apr 23 15:04:58 2024
From: Joyce Babu
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Error adding cross trust between FreeIPA and Zentyal (Samba)
Date: Tue, 23 Apr 2024 15:04:48 +0000
Message-ID: <20240423150448.31224.50883@mailman01.iad2.fedoraproject.org>
I am trying to set up cross trust between IPA and Samba. When I try to run
ipa trust-add --type=ad ad.example.org --admin Administrator --password --range-type=ipa-ad-trust
The command aborts with error
ipa: ERROR: CIFS server communication error: code "3221225473", message "{Operation Failed} The requested operation was unsuccessful." (both may be "None")
Samba log on the Zentyal server has the following error message
Kerberos: Client (Administrator(a)AD.EXAMPLE.ORG) from ipv4:10.15.5.2:41504 has no common enctypes with KDC to use for the session key
From flo at redhat.com Wed Apr 24 06:32:28 2024
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9
Date: Wed, 24 Apr 2024 08:32:00 +0200
Message-ID:
In-Reply-To: 20240423100748.19020.20863@mailman01.iad2.fedoraproject.org
Hi,
in your first message, the output of
$ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net"
mentions:
dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
*nsds5replconflict: deletedEntryHasChildren*
It means that the replication tried to delete this entry on 1 server but
there were subentries below that one.
Is this replica sg1-replica.noc.net still present in the topology? If it
has been removed, you can delete the entry and its children. Otherwise you
need to keep it.
The other conflict is dn: krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
Can you show the content of the entry and the content of the conflict
entry? The differences may help understand why there is a conflict.
ldapsearch -D "cn=directory manager" -W -b krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
ldapsearch -D "cn=directory manager" -W -b krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET,cn=services,cn=accounts,dc=noc,dc=net
flo
On Tue, Apr 23, 2024 at 12:08 PM Lee Csk via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> > ipa-server-4.9.12-14 fixes this issue:
> > https://issues.redhat.com/browse/RHEL-28847 and must be installed with
> the
> > corresponding bind update that fixes
> > https://issues.redhat.com/browse/RHEL-25648: bind-9.11.36-11.el8_9.1
> > Do you have the right bind version?
> >
> > flo
>
> I do not have access to those RHEL issues unfortunately.
>
> That is a good point however, observed that various replica servers
> running different bind versions.
> Some: bind-9.11.36-11.el8_9.x86_64
> Others: bind-9.11.36-11.el8_9.1.x86_64
>
> We are updating them now slowly, and already updated 2 replica servers to
> the latest bind version - however the LDAP Conflicts don't disappear.
>
> Thanks,
> Lee
From tmdag at tmdag.com Wed Apr 24 21:51:41 2024
From: Albert Szostkiewicz
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] autofs freezes system after update to F40.
Date: Wed, 24 Apr 2024 21:51:31 +0000
Message-ID: <20240424215131.32199.40528@mailman01.iad2.fedoraproject.org>
Yesterday I've upgraded F38-F49, all went fine, no issues. Today I tried F39-f40 and system freezes on autofs. Got some sssd errors, and I assume it might be all related (?).
There are no errors from autofs side itself, only warning:
"autofs.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS"
. As soon as I enable autofs, all system is frozen (although my nfs mounts are set to 'soft').
I am getting those errors, which I have reported here (https://github.com/SSSD/sssd/issues/7314) as I saw something similar being reported a year ago:
/var/log/sssd/krb5_child.log
(2024-04-24 14:15:14): [krb5_child[13003]] [sss_krb5_expire_callback_func] (0x0020): [RID#97] Time to expire out of range.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-04-24 14:15:14): [krb5_child[13003]] [main] (0x0400): [RID#97] krb5_child started.
* (2024-04-24 14:15:14): [krb5_child[13003]] [unpack_buffer] (0x1000): [RID#97] total buffer size: [113]
* (2024-04-24 14:15:14): [krb5_child[13003]] [unpack_buffer] (0x0100): [RID#97] cmd [241 (auth)] uid [1907400001] gid [1907400001] validate [true] enterprise principal [false] offline [false] UPN [user(a)DOMAIN.COM]
* (2024-04-24 14:15:14): [krb5_child[13003]] [unpack_buffer] (0x0100): [RID#97] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-04-24 14:15:14): [krb5_child[13003]] [switch_creds] (0x0200): [RID#97] Switch workstation(a)domain.com to [1907400001][1907400001].
* (2024-04-24 14:15:14): [krb5_child[13003]] [switch_creds] (0x0200): [RID#97] Switch workstation(a)domain.com to [0][0].
* (2024-04-24 14:15:14): [krb5_child[13003]] [k5c_check_old_ccache] (0x4000): [RID#97] Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-04-24 14:15:14): [krb5_child[13003]] [k5c_setup_fast] (0x0100): [RID#97] Fast principal is set to [host/workstation(a)domain.com]
* (2024-04-24 14:15:14): [krb5_child[13003]] [find_principal_in_keytab] (0x4000): [RID#97] Trying to find principal host/workstation(a)domain.com in keytab.
* (2024-04-24 14:15:14): [krb5_child[13003]] [match_principal] (0x1000): [RID#97] Principal matched to the sample (host/workstation(a)domain.com).
* (2024-04-24 14:15:14): [krb5_child[13003]] [check_fast_ccache] (0x0200): [RID#97] FAST TGT is still valid.
* (2024-04-24 14:15:14): [krb5_child[13003]] [become_workstation(a)domain.com] (0x0200): [RID#97] Trying to become workstation(a)domain.com [1907400001][1907400001].
* (2024-04-24 14:15:14): [krb5_child[13003]] [main] (0x2000): [RID#97] Running as [1907400001][1907400001].
* (2024-04-24 14:15:14): [krb5_child[13003]] [set_lifetime_options] (0x0100): [RID#97] No specific renewable lifetime requested.
* (2024-04-24 14:15:14): [krb5_child[13003]] [set_lifetime_options] (0x0100): [RID#97] No specific lifetime requested.
* (2024-04-24 14:15:14): [krb5_child[13003]] [set_canonicalize_option] (0x0100): [RID#97] Canonicalization is set to [true]
* (2024-04-24 14:15:14): [krb5_child[13003]] [main] (0x0400): [RID#97] Will perform auth
* (2024-04-24 14:15:14): [krb5_child[13003]] [main] (0x0400): [RID#97] Will perform online auth
* (2024-04-24 14:15:14): [krb5_child[13003]] [tgt_req_child] (0x1000): [RID#97] Attempting to get a TGT
* (2024-04-24 14:15:14): [krb5_child[13003]] [get_and_save_tgt] (0x0400): [RID#97] Attempting kinit for realm [DOMAIN.COM]
* (2024-04-24 14:15:14): [krb5_child[13003]] [sss_krb5_responder] (0x4000): [RID#97] Got question [password].
* (2024-04-24 14:15:14): [krb5_child[13003]] [sss_krb5_expire_callback_func] (0x0020): [RID#97] Time to expire out of range.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-04-24 14:15:14): [krb5_child[13003]] [sss_extract_pac] (0x0040): [RID#97] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-04-24 14:15:14): [krb5_child[13003]] [validate_tgt] (0x2000): [RID#97] Found keytab entry with the realm of the credential.
* (2024-04-24 14:15:14): [krb5_child[13003]] [validate_tgt] (0x0400): [RID#97] TGT verified using key for [host/workstation(a)domain.com].
* (2024-04-24 14:15:14): [krb5_child[13003]] [sss_extract_pac] (0x0040): [RID#97] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-04-24 14:15:14): [krb5_child[13003]] [validate_tgt] (0x0040): [RID#97] sss_extract_and_send_pac failed, group membership for workstation(a)domain.com with principal [user(a)DOMAIN.COM] might not be correct.
From tmdag at tmdag.com Wed Apr 24 22:39:55 2024
From: Albert Szostkiewicz
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: autofs freezes system after update to F40.
Date: Wed, 24 Apr 2024 22:39:41 +0000
Message-ID: <20240424223941.14388.22835@mailman01.iad2.fedoraproject.org>
In-Reply-To: 20240424215131.32199.40528@mailman01.iad2.fedoraproject.org
ok, figured out that autofs had nothing to do with this
From rcritten at redhat.com Thu Apr 25 00:45:52 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: autofs freezes system after update to F40.
Date: Wed, 24 Apr 2024 20:45:25 -0400
Message-ID: <49dacf99-69f5-1699-8e1d-dc7da273fdd8@redhat.com>
In-Reply-To: 20240424223941.14388.22835@mailman01.iad2.fedoraproject.org
Albert Szostkiewicz via FreeIPA-users wrote:
> ok, figured out that autofs had nothing to do with this
What was the problem? Maybe your solution will help someone else.
thanks
rob
From tmdag at tmdag.com Thu Apr 25 00:50:43 2024
From: Albert Szostkiewicz
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: autofs freezes system after update to F40.
Date: Thu, 25 Apr 2024 00:50:25 +0000
Message-ID: <20240425005025.9493.77650@mailman01.iad2.fedoraproject.org>
In-Reply-To: 49dacf99-69f5-1699-8e1d-dc7da273fdd8@redhat.com
autofs issue was a user error. I have limited access to nfs share per IP. For some reason, after updating fedora to the latest version, my router assigned me a different IP than expected, which caused nfs to be inaccessible.
But I still wonder about those backtrace dumps I am getting.
From gladia2r at gmail.com Thu Apr 25 11:49:08 2024
From: Lee Csk
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9
Date: Thu, 25 Apr 2024 11:48:56 +0000
Message-ID: <20240425114856.15354.20317@mailman01.iad2.fedoraproject.org>
In-Reply-To: CAFDg7Jz397gxe1hpfiX-U1h-BRiaD=Ms3vgLpMqxBYjTi7x5sg@mail.gmail.com
Hello,
> Hi,
>
> in your first message, the output of
> $ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict
> list-glue "dc=noc,dc=net"
> mentions:
> dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> *nsds5replconflict: deletedEntryHasChildren*
>
> It means that the replication tried to delete this entry on 1 server but
> there were subentries below that one.
> Is this replica sg1-replica.noc.net still present in the topology? If it
> has been removed, you can delete the entry and its children. Otherwise you
> need to keep it.
Yes, that replica is still in the topology; what is the best way to "keep it"?
> The other conflict is dn: krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET
> +nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
>
> Can you show the content of the entry and the content of the conflict
> entry? The differences may help understand why there is a conflict.
>
> ldapsearch -D "cn=directory manager" -W -b krbprincipalname=HTTP/
> mi1-replica.noc.net(a)NOC.NET
> +nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
This does not seem to result in anything:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
> ldapsearch -D "cn=directory manager" -W -b krbprincipalname=HTTP/
> mi1-replica.noc.net(a)NOC.NET,cn=services,cn=accounts,dc=noc,dc=net
This outputs the following:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# HTTP/mi1-replica.noc.net(a)NOC.NET, services, accounts, noc.net
dn: krbprincipalname=HTTP/mi1-replica.noc.net(a)NOC.NET,cn=services,cn=accounts,dc=noc,dc=net
userCertificate:: MIIFRD...
userCertificate:: MIIFRD...
krbExtraData:: AAIAs...
krbLastPwdChange: 20220428151720Z
krbPrincipalKey:: MIHe...
krbCanonicalName: HTTP/mi1-replica.noc.net(a)NOC.NET
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipaservice
objectClass: pkiuser
objectClass: ipakrbprincipal
objectClass: top
managedBy: fqdn=mi1-replica.noc.net,cn=computers,cn=accounts,dc=noc,dc=net
ipaKrbPrincipalAlias: HTTP/mi1-replica.noc.net(a)NOC.NET
krbPrincipalName: HTTP/mi1-replica.noc.net(a)NOC.NET
ipaUniqueID: 4bfed72c-c706-11ec-a9d8-ac1f6bfcc04f
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=noc,dc=net
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
> flo
>
>
> On Tue, Apr 23, 2024 at 12:08 PM Lee Csk via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
Thank you,
Lee
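Florence's suggestion earlier in this thread (pull both the live entry and its "+nsuniqueid=..." conflict twin with ldapsearch and compare them), applied to output like the one Lee pasted above, as an added example. This is not FreeIPA or 389-ds code. It assumes the two ldapsearch outputs have been pasted into strings as LDIF; the host names, nsuniqueid, ipaUniqueID values and base64 blobs in the sample are constructed for the example and are not the poster's data.

```python
"""Compare an LDAP entry with its 389-ds replication-conflict twin.

Added example, not FreeIPA or 389-ds code. It assumes the two ldapsearch
outputs (the live entry and the "+nsuniqueid=..." conflict entry) have been
pasted into strings as LDIF; the sample LDIF below is constructed for this
example, with placeholder names, IDs and base64 values.
"""
import base64
import re

# The conflict entry's RDN is the original RDN with "+nsuniqueid=<id>" added
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)


def parse_ldif(text):
    """Parse ldapsearch output into a list of (dn, {attr: [values]}).

    Records are separated by blank lines; '#' comment lines are ignored,
    a line starting with one space continues the previous (folded) line,
    and 'attr:: value' carries a base64 value (ldapsearch uses that for
    binary attributes such as userCertificate and krbPrincipalKey).
    Records without a dn, like the trailing 'search:/result:' summary,
    are skipped. Attribute names are lower-cased (LDAP names are
    case-insensitive) so the two entries compare reliably.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # unfold continuation line
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):           # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries


def is_conflict_dn(dn):
    """True if the DN carries the nsuniqueid marker 389-ds adds to conflict entries."""
    return CONFLICT_RDN.search(dn) is not None


def original_dn(conflict_dn):
    """DN of the live entry the conflict entry collided with."""
    return CONFLICT_RDN.sub("", conflict_dn)


def diff_entries(a, b):
    """Return {attr: (values_in_a, values_in_b)} for attributes that differ.

    Multi-valued attributes are compared as sets, so value order in the
    ldapsearch output does not count as a difference.
    """
    out = {}
    for attr in sorted(set(a) | set(b)):
        va, vb = set(a.get(attr, [])), set(b.get(attr, []))
        if va != vb:
            out[attr] = (sorted(va), sorted(vb))
    return out


# Constructed sample of what the two ldapsearch commands could return
LIVE_LDIF = """# extended LDIF
#
# HTTP/web.example.test@EXAMPLE.TEST, services, accounts, example.test
dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accoun
 ts,dc=example,dc=test
userCertificate:: Y2VydC1B
krbLastPwdChange: 20220428151720Z
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
objectClass: ipaservice
objectClass: krbprincipal
ipaUniqueID: 00000000-0000-0000-0000-000000000001

# search result
search: 2
result: 0 Success
"""

CONFLICT_LDIF = """dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST+nsuniqueid=11111111-2
 2222222-33333333-44444444,cn=services,cn=accounts,dc=example,dc=test
nsds5ReplConflict: namingConflict (ADD) krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
userCertificate:: Y2VydC1C
krbLastPwdChange: 20220428151720Z
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
objectClass: ipaservice
objectClass: krbprincipal
objectClass: ldapSubEntry
ipaUniqueID: 00000000-0000-0000-0000-000000000002
"""


def compare_sample():
    """Parse both samples and return the attributes that differ between them."""
    dn, live = parse_ldif(LIVE_LDIF)[0]
    cdn, conflict = parse_ldif(CONFLICT_LDIF)[0]
    if not is_conflict_dn(cdn) or original_dn(cdn) != dn:
        raise ValueError("entries do not belong to the same conflict")
    return diff_entries(live, conflict)


if __name__ == "__main__":
    for attr, (live_vals, conflict_vals) in compare_sample().items():
        print(f"{attr}: live={live_vals} conflict={conflict_vals}")
```

Attributes that are identical on both sides (here krbLastPwdChange and krbPrincipalName) are left out of the report, so what remains is the material that actually diverged between the two replicas: in the constructed sample the certificate and the ipaUniqueID, plus the nsds5ReplConflict marker that only the conflict entry carries.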
From slekkus75 at proton.me Thu Apr 25 15:03:54 2024
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] IPA replica cannot lookup AD trust users (worked before)
Date: Thu, 25 Apr 2024 15:03:41 +0000
Message-ID: <20240425150341.14559.84099@mailman01.iad2.fedoraproject.org>
Hi, the only replica cannot retrieve AD trust users (one way trust). Trust agent had been installed on this replica.
I noticed this issue, since clients that point to the replica started to fail authenticating users. This replica worked OK before.
All functions and syncs except for the AD user lookup. Overrides are synced over but the replica cannot find the user.
Can't get it fixed. Is this repairable? Can I uninstall the replica and reinstall?
[root(a)idm01 ~]# ipa server-role-find
-----------------------
10 server roles matched
-----------------------
Server name: idm01.linux.redacted.domain
Role name: AD trust agent
Role status: enabled
Server name: idm02.linux.redacted.domain
Role name: AD trust agent
Role status: enabled
Server name: idm01.linux.redacted.domain
Role name: AD trust controller
Role status: enabled
Server name: idm02.linux.redacted.domain
Role name: AD trust controller
Role status: enabled
<...>
On the main server, the AD user can be looked up. On the "replica" it returns empty.
working on main server:
[root(a)idm01 ~]# getent passwd testuser(a)subdoma.redacted.domain
testuser(a)subdomA.redacted.domain:*:683005154:683005154:CHANGED:/home/testuser:/usr/bin/bash
Checking the sssd_domain.log of the replica, I see the message that the domain is not active while fetching the AD user. Further in the same log there's mention of another subdomain being inactive.
The trust is with an AD forest with 2 subdomains.
-----
(2024-04-25 16:40:11): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
* ... skipping repetitive backtrace ...

<...>
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done] (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
* ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_discover_servers_primary_done] (0x0040): [RID#33] Unable to retrieve primary servers [1432158238]: SRV lookup error
* ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolve_srv_done] (0x0040): [RID#33] Unable to resolve SRV [1432158238]: SRV lookup error
* ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send] (0x0020): [RID#33] No available servers for service 'sd_SUBDOMB.redacted.domain'
* ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_resolve_server_done] (0x1000): [RID#33] Server [NULL] resolution failed: [5]: Input/output error
* (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x0400): [RID#33] Failed to connect to server, but ignore mark offline is enabled.
* (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x4000): [RID#33] notify error to op #1: 5 [Input/output error]
* (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_dom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain offline
* (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
* (2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
********************** BACKTRACE DUMP ENDS HERE *********************************
There are no replication issues:
----
[root(a)idm01 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication
[
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "WARNING",
    "uuid": "4a5341db-bf65-4350-bf2c-c81872db536b",
    "when": "20240425145134Z",
    "duration": "0.391402",
    "kw": {
      "key": "DSREPLLE0002",
      "items": [
        "Replication",
        "Conflict Entries"
      ],
      "msg": "There were 1 conflict entries found under the replication suffix \"dc=linux,dc=redacted,dc=domain\"."
    }
  }
]
From sbose at redhat.com Thu Apr 25 19:10:56 2024
From: Sumit Bose
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica cannot lookup AD trust users (worked before)
Date: Thu, 25 Apr 2024 21:10:33 +0200
Message-ID:
In-Reply-To: 20240425150341.14559.84099@mailman01.iad2.fedoraproject.org
Am Thu, Apr 25, 2024 at 03:03:41PM -0000 schrieb slek kus via FreeIPA-users:
> Hi, the only replica cannot retrieve AD trust users (one way trust). Trust agent had been installed on this replica.
> I noticed this issue, since clients that point to the replica started to fail authenticating users. This replica worked OK before.
> All functions and syncs except for the AD user lookup. Overrides are synced over but the replica cannot find the user.
>
> Can't get it fixed. Is this repairable? Can I uninstall the replica and reinstall?
>
> [root(a)idm01 ~]# ipa server-role-find
> -----------------------
> 10 server roles matched
> -----------------------
> Server name: idm01.linux.redacted.domain
> Role name: AD trust agent
> Role status: enabled
>
> Server name: idm02.linux.redacted.domain
> Role name: AD trust agent
> Role status: enabled
>
> Server name: idm01.linux.redacted.domain
> Role name: AD trust controller
> Role status: enabled
>
> Server name: idm02.linux.redacted.domain
> Role name: AD trust controller
> Role status: enabled
>
> <...>
>
> On the main server, the AD user can be looked up. On the "replica" it returns empty.
>
> working on main server:
> [root(a)idm01 ~]# getent passwd testuser(a)subdoma.redacted.domain
> testuser(a)subdomA.redacted.domain:*:683005154:683005154:CHANGED:/home/testuser:/usr/bin/bash
>
>
>
> Checking the sssd_domain.log of the replica, I see the message that the domain is not active while fetching the AD user. Further in the same log there's mention of another subdomain being inactive.
> The trust is with an AD forest with 2 subdomains.
> -----
> (2024-04-25 16:40:11): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
> * ... skipping repetitive backtrace ...
>
> <...>
>
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done] (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
Hi,
looks like DNS issues, does
host -t SRV _ldap._tcp.SUBDOMB.redacted.domain
return anything?
bye,
Sumit
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_discover_servers_primary_done] (0x0040): [RID#33] Unable to retrieve primary servers [1432158238]: SRV lookup error
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolve_srv_done] (0x0040): [RID#33] Unable to resolve SRV [1432158238]: SRV lookup error
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send] (0x0020): [RID#33] No available servers for service 'sd_SUBDOMB.redacted.domain'
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_resolve_server_done] (0x1000): [RID#33] Server [NULL] resolution failed: [5]: Input/output error
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x0400): [RID#33] Failed to connect to server, but ignore mark offline is enabled.
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x4000): [RID#33] notify error to op #1: 5 [Input/output error]
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_dom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain offline
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> There are no replication issues:
> ----
> [root(a)idm01 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication
> [
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "WARNING",
>     "uuid": "4a5341db-bf65-4350-bf2c-c81872db536b",
>     "when": "20240425145134Z",
>     "duration": "0.391402",
>     "kw": {
>       "key": "DSREPLLE0002",
>       "items": [
>         "Replication",
>         "Conflict Entries"
>       ],
>       "msg": "There were 1 conflict entries found under the replication suffix \"dc=linux,dc=redacted,dc=domain\"."
>     }
>   }
> ]
>
From slekkus75 at proton.me Fri Apr 26 07:37:56 2024
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica cannot lookup AD trust users (worked before)
Date: Fri, 26 Apr 2024 07:37:44 +0000
Message-ID: <20240426073744.2391.82006@mailman01.iad2.fedoraproject.org>
In-Reply-To: ZiqqqZLMboLdsdpZ@sbose.users.ipa.redhat.com
Hi Sumit, that does not return anything good on the replica. See below.
On the main IPA node:
----
[alma(a)idm01 ~]$ host -t SRV _ldap._tcp.redacted.domain
_ldap._tcp.redacted.domain has SRV record 0 100 389 dc01.redacted.domain.
_ldap._tcp.redacted.domain has SRV record 0 100 389 dc01.redacted.domain.
[alma(a)idm01 ~]$ host -t SRV _ldap._tcp.domaina.redacted.domain
_ldap._tcp.domaina.redacted.domain has SRV record 0 100 389 windc-dc01.domaina.redacted.domain.
_ldap._tcp.domaina.redacted.domain has SRV record 0 100 389 windc-dc02.domaina.redacted.domain.
[alma(a)idm01 ~]$ host -t SRV _ldap._tcp.domainb.redacted.domain
_ldap._tcp.domainb.redacted.domain has SRV record 0 100 389 windc-dc02.domainb.redacted.domain.
_ldap._tcp.domainb.redacted.domain has SRV record 0 100 389 windc-dc01.domainb.redacted.domain.
On the secondary (replica):
----
[alma(a)idm02 ~]$ host -t SRV _ldap._tcp.redacted.domain
Host _ldap._tcp.redacted.domain not found: 2(SERVFAIL)
[alma(a)idm02 ~]$ host -t SRV _ldap._tcp.domainb.redacted.domain
Host _ldap._tcp.domainb.redacted.domain not found: 2(SERVFAIL)
[alma(a)idm02 ~]$ host -t SRV _ldap._tcp.domaina.redacted.domain
Host _ldap._tcp.domaina.redacted.domain not found: 2(SERVFAIL)
The DNS zone seems replicated and OK on the replica. The record is present there too.
On the main IPA node:
----
[alma(a)idm01 ~]$ ipa dnsrecord-find linux.redacted.domain.
Record name: _ldap._tcp
SRV record: 0 100 389 idm01.linux.redacted.domain., 0 200 389 idm02.linux.redacted.domain.
On the secondary (replica):
-----
[alma(a)idm02 ~]$ ipa dnsrecord-find linux.redacted.domain.
Record name: _ldap._tcp
SRV record: 0 100 389 idm01.linux.redacted.domain., 0 200 389 idm02.linux.redacted.domain.
From abokovoy at redhat.com Fri Apr 26 07:59:17 2024
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica cannot lookup AD trust users (worked before)
Date: Fri, 26 Apr 2024 10:57:14 +0300
Message-ID:
In-Reply-To: 20240426073744.2391.82006@mailman01.iad2.fedoraproject.org
On Fri, 26 Apr 2024, slek kus via FreeIPA-users wrote:
>Hi Sumit, that does not return anything good on the replica. See below.
>
>On the main IPA node:
>----
> [alma(a)idm01 ~]$ host -t SRV _ldap._tcp.redacted.domain
>_ldap._tcp.redacted.domain has SRV record 0 100 389 dc01.redacted.domain.
>_ldap._tcp.redacted.domain has SRV record 0 100 389 dc01.redacted.domain.
>
>[alma(a)idm01 ~]$ host -t SRV _ldap._tcp.domaina.redacted.domain
>_ldap._tcp.domaina.redacted.domain has SRV record 0 100 389 windc-dc01.domaina.redacted.domain.
>_ldap._tcp.domaina.redacted.domain has SRV record 0 100 389 windc-dc02.domaina.redacted.domain.
>
>[alma(a)idm01 ~]$ host -t SRV _ldap._tcp.domainb.redacted.domain
>_ldap._tcp.domainb.redacted.domain has SRV record 0 100 389 windc-dc02.domainb.redacted.domain.
>_ldap._tcp.domainb.redacted.domain has SRV record 0 100 389 windc-dc01.domainb.redacted.domain.
>
>On the secondary (replica):
>----
>[alma(a)idm02 ~]$ host -t SRV _ldap._tcp.redacted.domain
>Host _ldap._tcp.redacted.domain not found: 2(SERVFAIL)
>
>[alma(a)idm02 ~]$ host -t SRV _ldap._tcp.domainb.redacted.domain
>Host _ldap._tcp.domainb.redacted.domain not found: 2(SERVFAIL)
>
>[alma(a)idm02 ~]$ host -t SRV _ldap._tcp.domaina.redacted.domain
>Host _ldap._tcp.domaina.redacted.domain not found: 2(SERVFAIL)
>
>The DNS zone seems replicated and OK on the replica. The record is present there too.
What is used as a DNS server for idm02? Are you running idm02 with
an integrated DNS server, or is it some other machine that resolves the
queries?

SERVFAIL means the DNS server returned an error when processing your
request. Judging by the fact that this error happens for the IPA domain's
DNS zone and for others too, I wonder if you have a generic DNS resolution
issue from idm02? For example, if idm01 is used as a DNS server there and
idm02 is in a different IP network, then BIND on idm01 will not allow a
DNS client from idm02 to perform DNS queries. You'd need to add an ACL to
allow that.

Or it could be a DNSSEC error where a client is configured to have
DNSSEC validation but the DNS server responds without DNSSEC.
>
>On the main IPA node:
>----
>[alma(a)idm01 ~]$ ipa dnsrecord-find linux.redacted.domain.
>Record name: _ldap._tcp
> SRV record: 0 100 389 idm01.linux.redacted.domain., 0 200 389 idm02.linux.redacted.domain.
>
>On the secondary (replica):
>-----
>[alma(a)idm02 ~]$ ipa dnsrecord-find linux.redacted.domain.
>Record name: _ldap._tcp
> SRV record: 0 100 389 idm01.linux.redacted.domain., 0 200 389 idm02.linux.redacted.domain.
>--
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
>Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
From clopmz at outlook.com Fri Apr 26 08:08:17 2024
From: Carlos Lopez
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Password expired is not requested with Ubuntu clients
Date: Fri, 26 Apr 2024 08:07:59 +0000
Message-ID:
In-Reply-To: ZiKq8hRDctwaYecn@sbose.users.ipa.redhat.com
Sorry for this late response. Problem is solved. The problem was in the
common-auth file, in the line referring to pam_sss.so that was missing the
option 'use_first_pass'.
Many thanks to all for your help
Regards,
C. L. Martinez
-----Original Message-----
From: Sumit Bose
Sent: Friday, April 19, 2024 19:34
To: Carlos Lopez
Cc: Sumit Bose; FreeIPA users list
Subject: Re: [Freeipa-users] Password expired is not requested with Ubuntu clients
On Fri, Apr 19, 2024 at 05:03:46PM +0000, Carlos Lopez wrote:
> Of course. Here it is:
>
> # PAM configuration for the Secure Shell service
>
> # Standard Un*x authentication.
> @include common-auth
>
> # Disallow non-root logins when /etc/nologin exists.
> account required pam_nologin.so
>
> # Uncomment and edit /etc/security/access.conf if you need to set complex
> # access limits that are hard to express in sshd_config.
> # account required pam_access.so
>
> # Standard Un*x authorization.
> @include common-account
>
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>
> # Set the loginuid process attribute.
> session required pam_loginuid.so
>
> # Create a new session keyring.
> session optional pam_keyinit.so force revoke
>
> # Standard Un*x session setup and teardown.
> @include common-session
>
> # Print the message of the day upon successful login.
> # This includes a dynamically generated part from /run/motd.dynamic
> # and a static (admin-editable) part from /etc/motd.
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
>
> # Print the status of the user's mailbox upon successful login.
> session optional pam_mail.so standard noenv # [1]
>
> # Set up user limits from /etc/security/limits.conf.
> session required pam_limits.so
>
> # Read environment variables from /etc/environment and
> # /etc/security/pam_env.conf.
> session required pam_env.so # [1]
> # In Debian 4.0 (etch), locale-related environment variables were moved to
> # /etc/default/locale, so read that as well.
> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
>
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context. Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>
> # Standard Un*x password updating.
> @include common-password
>
> and common-account:
>
> #
> # /etc/pam.d/common-account - authorization settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authorization modules that define
> # the central access policy for use on the system. The default is to
> # only deny service to users whose accounts are expired in /etc/shadow.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
> #
>
> # here are the per-package modules (the "Primary" block)
> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
> # here's the fallback if no module succeeds
> account requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
Hi,
so pam_sss.so is not called at all, which would explain the behavior. I assume
pam_sss.so is listed in common-auth. Did you add it on your own to common-auth
or was it added by a system utility, e.g. pam-auth-update?
bye,
Sumit
>
> Best regards,
> C. L. Martinez
>
> ________________________________________
> From: Sumit Bose
> Sent: 19 April 2024 17:46
> To: FreeIPA users list
> Cc: Carlos Lopez
> Subject: Re: [Freeipa-users] Password expired is not requested with Ubuntu clients
>
> On Fri, Apr 19, 2024 at 08:56:36AM +0000, Carlos Lopez via FreeIPA-users wrote:
> > Good morning,
> >
> > I have configured some Ubuntu clients to authenticate via Kerberos against
> > my RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.
> >
> > The problem comes when a user's password has expired. In the IdM server
> > logs it is clear that the user must change the password:
> >
> > 2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired
> > 2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
> > 2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required
> > 2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
> > 2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG
> >
> > But when accessing the Ubuntu client via ssh, it never prompts to change
> > the password and you can log in.
>
> Hi,
>
> can you share your PAM configuration for the sshd service. I'm asking
> because the change of expired passwords is handled in the 'account'
> section and I guess with your configuration (local users with
> authentication by SSSD) pam_sss.so is not called for local users
> during 'account'.
>
> bye,
> Sumit
>
> >
> > My sssd's config in Ubuntu client is:
> >
> > [sssd]
> > config_file_version = 2
> > services = pam
> > domains = mydom.org
> >
> > [pam]
> > pam_pwd_expiration_warning = 2
> >
> > [domain/mydom.org]
> > id_provider = proxy
> > proxy_lib_name = files
> > auth_provider = krb5
> > chpass_provider = krb5
> > krb5_server = rhelidmsrv01.mydom.org
> > krb5_kpasswd = rhelidmsrv01.mydom.org
> > krb5_realm = mydom.org
> > krb5_ccname_template = KEYRING:persistent:%U
> > krb5_validate = true
> > cache_credentials = true
> >
> > What could be the problem?
> >
> > Best regards,
> > C. L. Martinez
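As an added example (not code from this thread, from SSSD or from pam-auth-update), the following Python checker flattens the `auth` and `account` stacks of the sshd service, following `@include` the way libpam does, and reports the two gaps this thread ends up at: no `pam_sss.so` in the `account` stack (so an expired SSSD password never triggers a change prompt, as Sumit explains), and a `pam_sss.so` auth line without `use_first_pass` (the option Carlos added). The `/etc/pam.d` contents are constructed: `sshd` and `common-account` follow the files quoted above with comments dropped; `common-auth`, `common-session` and `common-password` are assumed Debian-style stacks, shown once without and once with the fix.

```python
"""Check whether an sshd PAM stack on an SSSD client reaches pam_sss.so in
both 'auth' and 'account'. Added example; the /etc/pam.d contents below are
constructed (sshd and common-account follow the thread, the rest is assumed).
"""
import re

PAMD_BEFORE = {
    "sshd": """\
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
@include common-session
@include common-password
""",
    "common-auth": """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required pam_permit.so
""",
    "common-account": """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
""",
    "common-session": "session required pam_unix.so\n",
    "common-password": "password [success=1 default=ignore] pam_unix.so obscure yescrypt\n",
}

# After the fix: use_first_pass on the auth line, and pam_sss.so also
# consulted in 'account' (the line pam-auth-update's sss profile adds).
PAMD_AFTER = dict(PAMD_BEFORE)
PAMD_AFTER["common-auth"] = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
PAMD_AFTER["common-account"] = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

# type   control (keyword or [bracketed list])   module   args...
ENTRY = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def pam_stack(files, service, stack_type, _depth=0):
    """Flatten one stack type of a service, following @include like libpam."""
    if _depth > 8:
        raise ValueError("@include loop in PAM configuration")
    entries = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            entries.extend(pam_stack(files, line.split()[1], stack_type, _depth + 1))
            continue
        m = ENTRY.match(line)
        if m and m[1] == stack_type:
            entries.append({"control": m[2], "module": m[3], "args": m[4].split()})
    return entries


def check_sssd_stacks(files, service="sshd"):
    """Return finding codes; an empty list means both stacks reach pam_sss.so."""
    findings = []
    account = pam_stack(files, service, "account")
    if not any(e["module"] == "pam_sss.so" for e in account):
        # Expired-password handling for SSSD users happens in 'account';
        # without pam_sss.so there the login proceeds with no change prompt.
        findings.append("NO_PAM_SSS_IN_ACCOUNT")
    sss_auth = [e for e in pam_stack(files, service, "auth") if e["module"] == "pam_sss.so"]
    if not sss_auth:
        findings.append("NO_PAM_SSS_IN_AUTH")
    elif not any("use_first_pass" in e["args"] for e in sss_auth):
        # Without use_first_pass, pam_sss.so prompts for the password again
        # instead of reusing the one an earlier module already collected.
        findings.append("PAM_SSS_AUTH_WITHOUT_USE_FIRST_PASS")
    return findings
```

Running `check_sssd_stacks(PAMD_BEFORE)` yields both finding codes, while `check_sssd_stacks(PAMD_AFTER)` returns an empty list; on a real client the dictionary would be replaced by the files read from `/etc/pam.d`.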
From slekkus75 at proton.me Fri Apr 26 08:17:22 2024
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica cannot lookup AD trust users (worked before)
Date: Fri, 26 Apr 2024 08:17:10 +0000
Message-ID: <20240426081710.8605.97879@mailman01.iad2.fedoraproject.org>
In-Reply-To: ZiteWooHj_XMQjiM@redhat.com
Hi Alexander, according to /etc/resolv.conf it is integrated and points to
localhost, but nmcli says DNS is set to idm01.
A bit strange, since resolv.conf is generated by NetworkManager.
----
[root(a)idm02 ~]# nmcli dev show | grep DNS
IP4.DNS[1]: 172.16.27.10 <---- this is idm01
[root(a)idm02 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search linux.redacted.domain
nameserver 127.0.0.1
----
Both servers are in the same network.
On idm02, I can resolve the IPA domain; it is the AD domains that fail:
----
[root(a)idm02 ~]# host -t SRV _ldap._tcp.linux.redacted.domain
_ldap._tcp.linux.redacted.domain has SRV record 0 200 389 idm02.linux.redacted.domain.
_ldap._tcp.linux.redacted.domain has SRV record 0 100 389 idm01.linux.redacted.domain.
From abokovoy at redhat.com Fri Apr 26 10:00:16 2024
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica cannot lookup AD trust users (worked before)
Date: Fri, 26 Apr 2024 12:59:58 +0300
Message-ID:
In-Reply-To: 20240426081710.8605.97879@mailman01.iad2.fedoraproject.org
On Fri, 26 Apr 2024, slek kus via FreeIPA-users wrote:
>Hi Alexander, according to /etc/resolv.conf it is integrated and points to
>localhost, but nmcli says DNS is set to idm01.
>A bit strange, since resolv.conf is generated by networkmanager.
>----
> [root(a)idm02 ~]# nmcli dev show | grep DNS
>IP4.DNS[1]: 172.16.27.10 <---- this is idm01
>[root(a)idm02 ~]# cat /etc/resolv.conf
># Generated by NetworkManager
>search linux.redacted.domain
>nameserver 127.0.0.1
>----
>
>Both servers are in the same network.
>
>On idm02, I can resolve the IPA domain; it is the AD domains that fail:
>----
>[root(a)idm02 ~]# host -t SRV _ldap._tcp.linux.redacted.domain
>_ldap._tcp.linux.redacted.domain has SRV record 0 200 389 idm02.linux.redacted.domain.
>_ldap._tcp.linux.redacted.domain has SRV record 0 100 389 idm01.linux.redacted.domain.
Do you have DNSSEC validation enforced on BIND side?
# grep dnssec /etc/named/ipa-options-ext.conf
/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation no;
If dnssec-validation is set to yes, that would explain it, because your AD
DNS server most likely is not using DNSSEC at all.
-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
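The two diagnoses Alexander gives in this thread (a resolver that fails every lookup because of reachability or a BIND ACL, versus a replica that fails only the forwarded AD zones because `dnssec-validation` is on) can be told apart from the `host` output and the BIND options file alone. The Python below is an added example, not code from the thread or from FreeIPA: it parses constructed copies of `host -t SRV` output for the names used above and of an options file in the shape of `/etc/named/ipa-options-ext.conf`, and maps the pattern to one of those causes. The zone names and the "after the fix" output are assumed values modelled on the thread.

```python
"""Triage the SRV-lookup pattern from this thread against the dnssec-validation
setting. Added example; every input below is constructed from the thread.
"""
import re
from dataclasses import dataclass, field

IPA_ZONE = "linux.redacted.domain"   # the IPA-managed zone (name from the thread)

# Constructed: what `host -t SRV <name>` printed on the replica (idm02).
IDM02_HOST_OUTPUT = {
    "_ldap._tcp.linux.redacted.domain":
        "_ldap._tcp.linux.redacted.domain has SRV record 0 200 389 idm02.linux.redacted.domain.\n"
        "_ldap._tcp.linux.redacted.domain has SRV record 0 100 389 idm01.linux.redacted.domain.\n",
    "_ldap._tcp.domaina.redacted.domain":
        "Host _ldap._tcp.domaina.redacted.domain not found: 2(SERVFAIL)\n",
    "_ldap._tcp.domainb.redacted.domain":
        "Host _ldap._tcp.domainb.redacted.domain not found: 2(SERVFAIL)\n",
}

# Constructed: the same lookups once the AD zones answer again.
IDM02_HOST_OUTPUT_AFTER = dict(IDM02_HOST_OUTPUT)
IDM02_HOST_OUTPUT_AFTER.update({
    "_ldap._tcp.domaina.redacted.domain":
        "_ldap._tcp.domaina.redacted.domain has SRV record 0 100 389 windc-dc01.domaina.redacted.domain.\n",
    "_ldap._tcp.domainb.redacted.domain":
        "_ldap._tcp.domainb.redacted.domain has SRV record 0 100 389 windc-dc01.domainb.redacted.domain.\n",
})

# Constructed BIND options in the shape of /etc/named/ipa-options-ext.conf.
NAMED_OPTIONS_BROKEN = """\
/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation yes;
"""
NAMED_OPTIONS_FIXED = """\
/* dnssec-enable is obsolete and 'yes' by default */
// dnssec-validation yes;   (old value, left as a comment)
dnssec-validation no;
"""


@dataclass
class SrvLookup:
    name: str
    status: str                                   # "ok", "SERVFAIL", "NXDOMAIN", "unknown"
    records: list = field(default_factory=list)   # (priority, weight, port, target)


SRV_LINE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")
ERR_LINE = re.compile(r"^Host (\S+) not found: \d+\((\w+)\)$")


def parse_host_srv(name, output):
    """Parse the text printed by `host -t SRV <name>` into an SrvLookup."""
    result = SrvLookup(name=name, status="unknown")
    for line in output.splitlines():
        line = line.strip()
        if (m := SRV_LINE.match(line)):
            result.status = "ok"
            result.records.append((int(m[2]), int(m[3]), int(m[4]), m[5]))
        elif (m := ERR_LINE.match(line)):
            result.status = m[2]          # the rcode name, e.g. SERVFAIL
    return result


# named.conf accepts C, C++ and shell style comments; strip all three so a
# commented-out directive is not mistaken for the live one (a plain grep,
# as in the thread, would print both).
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
VALIDATION = re.compile(r"\bdnssec-validation\s+(yes|no|auto)\s*;")


def dnssec_validation(options_text):
    """Return the live dnssec-validation value ('yes', 'no', 'auto') or None."""
    m = VALIDATION.search(COMMENT.sub("", options_text))
    return m[1] if m else None


def triage(lookups, ipa_zone, validation):
    """Map the lookup pattern to the causes discussed in the thread."""
    ipa = [l for l in lookups if l.name.endswith("." + ipa_zone)]
    forwarded = [l for l in lookups if not l.name.endswith("." + ipa_zone)]
    findings = []
    if ipa and all(l.status == "SERVFAIL" for l in ipa):
        # Even the local zone fails: the resolver itself is the problem
        # (unreachable, or a BIND ACL rejecting this client), not forwarding.
        findings.append("RESOLVER_SERVFAIL")
    elif any(l.status == "SERVFAIL" for l in forwarded):
        # 'yes' and 'auto' both validate; the thread's AD zones are unsigned,
        # so a validating replica answers SERVFAIL for them while its own
        # zone still resolves.
        findings.append("FORWARDED_SERVFAIL_DNSSEC" if validation in ("yes", "auto")
                        else "FORWARDED_SERVFAIL")
    findings.extend(f"NXDOMAIN:{l.name}" for l in lookups if l.status == "NXDOMAIN")
    return findings


def triage_host_output(host_output, options_text, ipa_zone=IPA_ZONE):
    """Convenience wrapper: raw `host` output per name plus the options file."""
    lookups = [parse_host_srv(n, out) for n, out in host_output.items()]
    return triage(lookups, ipa_zone, dnssec_validation(options_text))
```

With the replica's original state, `triage_host_output(IDM02_HOST_OUTPUT, NAMED_OPTIONS_BROKEN)` returns `["FORWARDED_SERVFAIL_DNSSEC"]`; the same output with `dnssec-validation no;` becomes a plain `FORWARDED_SERVFAIL` (a forwarder or forward-zone problem), and once the AD zones answer the list is empty. `NXDOMAIN` is reported separately because it means the name does not exist in DNS data, which is a different problem from a resolver refusing to answer.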
From slekkus75 at proton.me Fri Apr 26 11:06:04 2024
From: slek kus
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA replica cannot lookup AD trust users (worked before)
Date: Fri, 26 Apr 2024 11:05:54 +0000
Message-ID: <20240426110554.2124.81965@mailman01.iad2.fedoraproject.org>
In-Reply-To: Zit7Hl2a_VHh-3T8@redhat.com
Thanks much. dnssec-validation was set to yes on the replica. No idea how
that happened. Works now.
Something else, not related, that I wondered about is why some clients point
to a certain server (in my case the failing server).
This is seen with `sssctl domain-status ` under "Active servers". Is the
weight added to the SRV records only when the server/DNS service is down
and not when it is misconfigured/malfunctioning?
From jochen at jochen.org Fri Apr 26 19:02:09 2024
From: Jochen Kellner
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Fedora 40: new warning in ipa-healthcheck
Date: Fri, 26 Apr 2024 21:01:47 +0200
Message-ID: <83plucosmc.fsf@jochen.org>
Hi,
I've upgraded my freeipa server to Fedora 40 (the system was installed
several releases ago). After the upgrade I get the following new warning
from ipa-healthcheck:
{
    "source": "ipahealthcheck.ds.backends",
    "check": "BackendsCheck",
    "result": "WARNING",
    "uuid": "875db8e3-029c-46f7-87e5-bf9a216d9637",
    "when": "20240426184431Z",
    "duration": "0.031642",
    "kw": {
        "key": "DSBLE0005",
        "items": [
            "nsslapd-dbcachesize",
            "nsslapd-db-logdirectory",
            "nsslapd-db-transaction-wait",
            "nsslapd-db-checkpoint-interval",
            "nsslapd-db-compactdb-interval",
            "nsslapd-db-compactdb-time",
            "nsslapd-db-transaction-batch-val",
            "nsslapd-db-transaction-batch-min-wait",
            "nsslapd-db-transaction-batch-max-wait",
            "nsslapd-db-logbuf-size",
            "nsslapd-db-page-size",
            "nsslapd-db-locks",
            "nsslapd-db-locks-monitoring-enabled",
            "nsslapd-db-locks-monitoring-threshold",
            "nsslapd-db-locks-monitoring-pause",
            "nsslapd-db-private-import-mem",
            "nsslapd-db-deadlock-policy"
        ],
        "msg": "Found configuration attributes that are not applicable for the configured backend type."
    }
},
According to
https://www.port389.org/docs/389ds/FAQ/Berkeley-DB-deprecation.html the
bdb backend is deprecated. The system was installed with
389-ds-base < 1.4.4.9-1.fc33.x86_64 (I see the upgrade to that version
in /var/log/dnf.rpm.log*). Since 3.0 new installations should use LMDB as
the backend. Is that true for new installations?
What is the desired action that I should take?
I can remove the options from the dirsrv configuration. Should I?
Shall I switch to lmdb manually? Or is that something that
ipa-server-upgrade should be doing?
Otherwise I can suppress the message in ipa-healthcheck for now. But I
guess I should fix my installation before the deprecated support really
gets dropped... Is deploying a new replica and decommissioning the old
server the preferred action?
Jochen
-- 
This space is intentionally left blank.
From rcritten at redhat.com Fri Apr 26 19:15:29 2024
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Fedora 40: new warning in ipa-healthcheck
Date: Fri, 26 Apr 2024 15:15:13 -0400
Message-ID: <090a1eca-a33e-97cf-a6e3-39e76e905515@redhat.com>
In-Reply-To: 83plucosmc.fsf@jochen.org
Cross-posting this on the 389-users list.
rob