Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/d_zroot.pl
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/d_zroot.pl	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/d_zroot.pl	(revision 1973)
@@ -0,0 +1,134 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Sys::Hostname;
+use Time::HiRes qw(ualarm);
+use File::Temp;
+
+our $ZCLASS = "scripts-auto";
+our @USERS = qw/root logview/;
+my $k5login;
+open $k5login, '/root/.k5login';
+our @RECIPIENTS = map {chomp; m|([^/@]*)| && $1} <$k5login>;
+close $k5login;
+
+our %USERS;
+@USERS{@USERS} = undef;
+
+sub zwrite($;$$@) {
+    my ($message, $class, $instance, @recipients) = @_;
+    $class ||= $ZCLASS;
+    $instance ||= 'root.'.hostname;
+    open(ZWRITE, "|-", qw|/usr/bin/zwrite -d -n -O log -c|, $class, '-i', $instance, '-s', hostname, @recipients) or die "Couldn't open zwrite";
+    print ZWRITE $message;
+    close(ZWRITE);
+}
+
+my %toclass;
+
+my %sshkeys;
+
+sub buildKeyMap($) {
+    my ($file) = @_;
+    open (KEYS, $file) or (warn "Couldn't open $file: $!\n" and return);
+    while (<KEYS>) {
+	chomp;
+	my ($fingerprint, $comment) = parseKey($_);
+	$sshkeys{$fingerprint} = $comment;
+    }
+    close(KEYS);
+}
+
+sub parseKey($) {
+    my ($key) = @_;
+    my $tmp = new File::Temp;
+    print $tmp $key;
+    close $tmp;
+    open (KEYGEN, "-|", qw(/usr/bin/ssh-keygen -l -f), $tmp) or die "Couldn't call ssh-keygen: $!";
+    my ($line) = <KEYGEN>;
+    close(KEYGEN);
+    my (undef, $fingerprint, undef) = split(' ', $line, 3);
+    my (undef, undef, $comment) = split(' ', $key, 3);
+    #print "$fingerprint $comment";
+    return ($fingerprint, $comment);
+}
+
+buildKeyMap("/root/.ssh/authorized_keys");
+buildKeyMap("/root/.ssh/authorized_keys2");
+
+my @message;
+
+while (my $line = <>) {
+    @message = $line;
+    eval {
+        local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required
+        ualarm(500*1000);
+        while (<>) { push @message, $_; }
+    };
+    chomp @message;
+    map { s/^(.*?): // } @message;
+    %toclass = ();
+    foreach my $message (@message) {
+	sub sendmsg ($;$) {
+	    my ($message, $class) = @_;
+	    $class ||= $ZCLASS;
+	    $toclass{$class} .= $message."\n";
+	}
+	if ($message =~ m|Accepted (\S+) for (\S+)|) {
+	    sendmsg($message) if exists $USERS{$2}
+	} elsif ($message =~ m|Authorized to (\S+),|) {
+	    sendmsg($message) if exists $USERS{$1};
+	} elsif ($message =~ m|Root (\S+) shell|) {
+	    sendmsg($message);
+	} elsif ($message =~ m|pam_unix\(([^:]+):session\): session \S+ for user (\S+)|) {
+	    sendmsg($message) if $1 ne "cron" and exists $USERS{$2};
+	} elsif ($message =~ m|^Found matching (\w+) key: (\S+)|) {
+	    if ($sshkeys{$2}) {
+		sendmsg($message." (".$sshkeys{$2}.")");
+	    } else {
+		sendmsg($message." (UNKNOWN KEY)");
+	    }
+	} elsif ($message =~ m|^Out of memory:|) {
+	    sendmsg($message);
+	} elsif ($message =~ m|^giving \S+ admin rights|) {
+	    sendmsg($message);
+	} elsif ($message =~ m|^Connection closed|) {
+	    # Do nothing
+	} elsif ($message =~ m|^Closing connection to |) {
+	} elsif ($message =~ m|^Connection from (\S+) port (\S+)|) {
+	} elsif ($message =~ m|^Invalid user|) {
+	} elsif ($message =~ m|^input_userauth_request: invalid user|) {
+	} elsif ($message =~ m|^Received disconnect from|) {
+	} elsif ($message =~ m|^Postponed keyboard-interactive|) {
+	} elsif ($message =~ m|^Failed keyboard-interactive/pam|) {
+	} elsif ($message =~ m|^fatal: Read from socket failed: Connection reset by peer$|) {
+	} elsif ($message =~ m|^reverse mapping checking getaddrinfo|) {
+	} elsif ($message =~ m|^pam_succeed_if\(sshd\:auth\)\:|) {
+	} elsif ($message =~ m|^error: PAM: Authentication failure|) {
+	} elsif ($message =~ m|^pam_unix\(sshd:auth\): authentication failure|) {
+	} elsif ($message =~ m|^pam_unix\(sshd:auth\): check pass; user unknown|) {
+	} elsif ($message =~ m|^Postponed keyboard-interactive for invalid user |) {
+	} elsif ($message =~ m|^Failed keyboard-interactive/pam for invalid user |) {
+	} elsif ($message =~ m|^Postponed gssapi-with-mic for |) {
+	} elsif ($message =~ m|^Address \S+ maps to \S+, but this does not map back to the address|) {
+	} elsif ($message =~ m|^Nasty PTR record .* is set up for .*, ignoring|) {
+	} elsif ($message =~ m|^User child is on pid \d+$|) {
+	} elsif ($message =~ m|^Transferred: sent \d+, received \d+ bytes$|) {
+	} elsif ($message =~ m|^Setting tty modes failed: Invalid argument$|) {
+	} elsif ($message =~ m|^ *nrpe .* COMMAND=/etc/nagios/check_ldap_mmr.real$|) {
+	} elsif ($message =~ m|^ *root : TTY=|) {
+	} elsif ($message =~ m|^Set /proc/self/oom_adj to |) {
+	} else {
+	    sendmsg($message, "scripts-spew");
+	}
+    }
+
+    foreach my $class (keys %toclass) {
+	if ($class eq "scripts-auto") {
+	    zwrite($toclass{$class}, $class);
+	} else {
+	    zwrite($toclass{$class}, $class, undef, @RECIPIENTS);
+	}
+    }
+}
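Review bot: The alerting patterns at the top of the `if`/`elsif` chain (`Accepted (\S+) for (\S+)`, `Authorized to (\S+),`, `Root (\S+) shell` and the `pam_unix(...)` session pattern) are unanchored and are tested before the `^`-anchored ignore patterns, so a log line whose remotely supplied text merely contains one of those phrases is reported to `scripts-auto` as if it were a real login or root shell. Anchoring them like the ignore list, e.g. `m|^Accepted (\S+) for (\S+)|`, closes that, assuming the genuine messages always begin the line once `s/^(.*?): //` has stripped the prefix. Separately, `open $k5login, '/root/.k5login';` is unchecked, so a missing file leaves `@RECIPIENTS` empty and `zwrite` is then run for the non-`scripts-auto` classes with no recipients at all; `open $k5login, '<', '/root/.k5login' or die "Couldn't open /root/.k5login: $!";` would make that failure visible. `parseKey` has a similar gap: when `ssh-keygen` prints nothing for a comment or blank line in authorized_keys, `$line` is undef and the result is stored under an undefined fingerprint, so a `next unless defined $fingerprint;` in `buildKeyMap` would help.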
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/changelog
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/changelog	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/changelog	(revision 1973)
@@ -0,0 +1,12 @@
+scripts-syslog-ng-config (0.2) stable; urgency=low
+
+  * Move d_zroot into /usr/lib
+
+ -- Quentin Smith <quentin@mit.edu>  Mon, 05 Sep 2011 15:01:04 -0400
+
+scripts-syslog-ng-config (0.1) stable; urgency=low
+
+  * Initial release
+
+ -- Alexander Chernyakhovsky <achernya@mit.edu>  Mon, 05 Sep 2011 14:45:27 -0400
+
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/compat
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/compat	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/compat	(revision 1973)
@@ -0,0 +1,1 @@
+7
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/control
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/control	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/control	(revision 1973)
@@ -0,0 +1,14 @@
+Source: scripts-syslog-ng-config
+Section: misc
+Priority: extra
+Maintainer: scripts team <scripts-team@mit.edu>
+Build-Depends: cdbs, debhelper (>= 7.0.50~), config-package-dev, syslog-ng,
+Standards-Version: 3.9.1
+Homepage: http://scripts.mit.edu/
+
+Package: scripts-syslog-ng-config
+Architecture: all
+Depends: ${misc:Depends},
+ syslog-ng,
+Description: Configures syslog-ng for zephyr logging
+ Configures a machine to log messages sent to syslog-ng to zephyr.
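Review bot: `Depends:` lists only `syslog-ng`, but the d_zroot.pl shipped by this package runs `/usr/bin/zwrite` and `/usr/bin/ssh-keygen`, and on a host without them its `open ... or die` calls abort the script, so no alerts are delivered. Unless another package is meant to guarantee those binaries, add the packages that ship them (on Debian presumably `zephyr-clients` and `openssh-client`) to `Depends:`.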
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/copyright
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/copyright	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/copyright	(revision 1973)
@@ -0,0 +1,22 @@
+This work was packaged for Debian by:
+
+    Alexander Chernyakhovsky <achernya@mit.edu> on Mon, 05 Sep 2011 14:42:37 -0400
+
+It was downloaded from:
+
+    http://scripts.mit.edu
+
+Copyright:
+
+    Copyright (C) 2011 Alexander Chernyakhovsky
+
+License:
+
+    GPLv2+
+
+The Debian packaging is:
+
+    Copyright (C) 2011 Alexander Chernyakhovsky <achernya@mit.edu>
+
+and is licensed under the GPL version 2
+see "/usr/share/common-licenses/GPL-2".
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/rules
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/rules	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/rules	(revision 1973)
@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+
+DEB_TRANSFORM_FILES_scripts-syslog-ng-config = /etc/syslog-ng/syslog-ng.conf.divert
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/config-package.mk
+
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/scripts-syslog-ng-config.install
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/scripts-syslog-ng-config.install	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/scripts-syslog-ng-config.install	(revision 1973)
@@ -0,0 +1,1 @@
+d_zroot.pl /usr/lib/scripts-syslog-ng-config/
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/scripts-syslog-ng-config.postinst
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/scripts-syslog-ng-config.postinst	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/scripts-syslog-ng-config.postinst	(revision 1973)
@@ -0,0 +1,44 @@
+#!/bin/sh
+# postinst script for scripts-syslog-ng-config
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure)
+	if hash invoke-rc.d > /dev/null 2>&1; then
+	    invoke-rc.d syslog-ng restart || :
+	else
+	    /etc/init.d/syslog-ng restart || :
+	fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
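Review bot: Both restart commands in the `configure)` branch end in `|| :`, so a syslog-ng that refuses to start with the transformed configuration is ignored and the package still configures cleanly, leaving the host without logging or zephyr alerts and with nothing to show for it. If the restart has to stay non-fatal, at least report it, e.g. `invoke-rc.d syslog-ng restart || echo "warning: syslog-ng restart failed" >&2`, and the same for the `/etc/init.d/syslog-ng` fallback.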
Index: /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/transform_syslog-ng.conf.divert
===================================================================
--- /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/transform_syslog-ng.conf.divert	(revision 1973)
+++ /branches/fc15-dev/host/debian/scripts-syslog-ng-config/debian/transform_syslog-ng.conf.divert	(revision 1973)
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+cat
+cat <<EOF
+
+# Zephyr to scripts
+destination d_zroot { program("/usr/lib/scripts-syslog-ng-config/d_zroot.pl"); };
+filter f_oom { facility(kern) and (message("Out of memory:") or message("Killed process")); };
+log { source(s_src); filter(f_auth); destination(d_zroot); };
+log { source(s_src); filter(f_oom); destination(d_zroot); };
+EOF
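Review bot: `f_oom` also forwards kernel lines matching `message("Killed process")`, but d_zroot.pl as added in this commit only has a branch for `^Out of memory:`, so those lines fall through to its final `else` and go to `scripts-spew` rather than the alert class. If both are meant to alert, d_zroot.pl needs a matching branch; otherwise drop the second `message()` from the filter. `s_src` and `f_auth` are not defined in the appended text, so this presumably relies on the stock syslog-ng.conf providing them; a line such as `# s_src and f_auth are defined by the distribution syslog-ng.conf` inside the heredoc would record that dependency.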
Index: /branches/fc15-dev/host/debian/scripts-vm-host/debian/changelog
===================================================================
--- /branches/fc15-dev/host/debian/scripts-vm-host/debian/changelog	(revision 1972)
+++ /branches/fc15-dev/host/debian/scripts-vm-host/debian/changelog	(revision 1973)
@@ -1,2 +1,14 @@
+scripts-vm-host (0.4) stable; urgency=low
+
+  * Depend on scripts-syslog-ng-config
+
+ -- Alexander Chernaykhovsky <achernya@mit.edu>  Mon, 05 Sep 2011 15:19:01 -0400
+
+scripts-vm-host (0.3) stable; urgency=low
+
+  * Rebuild for inclusion in Scripts APT repository
+
+ -- Alexander Chernyakhovsky <achernya@mit.edu>  Sun, 04 Sep 2011 20:57:55 -0400
+
 scripts-vm-host (0.2) unstable; urgency=low
 
Index: /branches/fc15-dev/host/debian/scripts-vm-host/debian/control
===================================================================
--- /branches/fc15-dev/host/debian/scripts-vm-host/debian/control	(revision 1972)
+++ /branches/fc15-dev/host/debian/scripts-vm-host/debian/control	(revision 1973)
@@ -44,4 +44,5 @@
  munin-node,
  subversion,
+ scripts-syslog-ng-config,
 Description: Configures a machine to be a scripts VM host
  Configures a machine to be a scripts VM host, installing all
Index: /branches/fc15-dev/server/doc/install-howto.sh
===================================================================
--- /branches/fc15-dev/server/doc/install-howto.sh	(revision 1972)
+++ /branches/fc15-dev/server/doc/install-howto.sh	(revision 1973)
@@ -2,4 +2,14 @@
 # It is semi-vaguely in the form of a shell script, but is not really
 # runnable as it stands.
+
+# Notation
+# [PRODUCTION] Production server that will be put into the pool
+# [WIZARD]     Semi-production server that will only have
+#              daemon.scripts-security-upd bits, among other
+#              restricted permissions bits, among other
+#              restricted permissions bits, among other
+#              restricted permissions bits, among other
+#              restricted permissions
+# [TESTSERVER] Completely untrusted server
 
 set -e -x
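Review bot: In the `[WIZARD]` notation entry the line `#              restricted permissions bits, among other` appears three times in a row, which looks like an editing slip and makes the description hard to read. Presumably the entry should be just `# [WIZARD]     Semi-production server that will only have`, `#              daemon.scripts-security-upd bits, among other` and `#              restricted permissions`.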
@@ -20,5 +30,5 @@
 # at localhost, and if our server is not setup at that point things
 # will break.
-source_server="cats-whiskers.mit.edu"
+source_server="shining-armor.mit.edu"
 
 # 'branch' is the current svn branch you are on.  You want to
@@ -43,19 +53,24 @@
     cd /root
     ls -l .bashrc
-    ls -l .ldapvirc
     ls -l .screenrc
     ls -l .ssh
     ls -l .vimrc
     ls -l .k5login
+    # [PRODUCTION] This rc file has sensitive data on it and should only
+    # be pushed onto production servers.
+    ls -l .ldapvirc
     # Trying to scp from server to server won't work, as scp
     # will attempt to negotiate a server-to-server connection.
     # Instead, scp to your trusted machine as a temporary file,
     # and then push to the other server
-scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
-scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
+scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
+scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
+# [PRODUCTION]
+scp root@$source_server:~/.ldapvirc .
+scp .ldapvirc root@$server:~
 
 # Install the initial set of credentials (to get Kerberized logins once
 # krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
-#   o You probably installed the machine keytab long ago
+#   o Install the machine keytab.
     ls -l /etc/krb5.keytab
 #     Use ktutil to combine the host/scripts.mit.edu and
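Review bot: Only `.ldapvirc` was moved under `[PRODUCTION]`; the unconditional `scp -r` lines still copy root's `.ssh` and `.k5login` from `$source_server` to every server type, including the `[TESTSERVER]` class that the notation block describes as completely untrusted. If that `.ssh` directory holds private keys (not visible here), they would land on untrusted hosts, so it may need the same tag or a reduced file list, with a comment such as `# [PRODUCTION] .ssh may hold private keys; do not push it to untrusted servers`. The intermediate copies also stay in the working directory on the trusted machine, so the text should say to do the transfer in a scratch directory and delete it afterwards.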
@@ -72,5 +87,6 @@
 #          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
 #          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
-#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
+#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
+#     scripts servers (real servers only)
     ls -l /etc/ssh/*key*
 #     You can do that with:
@@ -85,6 +101,7 @@
     chmod 0440 /etc/sudoers
 
-# If this is the first time you've installed this hostname, you will
-# need to update a bunch of files to add support for it. These include:
+# [PRODUCTION] If this is the first time you've installed this hostname,
+# you will need to update a bunch of files to add support for it. These
+# include:
 #   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
 #     (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu,
@@ -141,13 +158,16 @@
     chkconfig syslog-ng on
 
-# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
+# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
+# mapping.
     echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
     echo "athena.mit.edu" > /usr/vice/etc/ThisCell
 
-# [TEST SERVER] If you're installing a test server, this needs to be
+# [TESTSERVER] If you're installing a test server, this needs to be
 # much smaller; the max filesize on XVM is 10GB.  Pick something like
 # 500000. Also, some of the AFS parameters are kind of retarded (and if
 # you're low on disk space, will actually exhaust our inodes).  Edit
 # these parameters in /etc/sysconfig/openafs
+    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
+    XXX TODO COMMANDS
 
 # Test that zephyr is working
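Review bot: `XXX TODO COMMANDS` is added as a bare, uncommented line, and the new `echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo` is not marked as test-only at the command itself, so anyone pasting this section on a production host overwrites the 10000000 value written a few lines above. Even though the file says it is not runnable as it stands, write the placeholder as a comment, `# XXX TODO: commands to edit /etc/sysconfig/openafs`, and put `# [TESTSERVER] only:` directly above the echo.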
@@ -176,4 +196,7 @@
     # here's a cute script that removes all extra packages
     yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
+    # 20101208 - Mysteriously we manage to get these extra packages
+    # from kickstart: mcelog mobile-broadband-provider-info
+    # ModemManager PackageKit
 
 # We need an upstream version of cgi which we've packaged ourselves, but
@@ -219,5 +242,5 @@
 #   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
 #   easier.)
-cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- . egg.txt
+cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
     cat egg.txt | xargs easy_install -Z
 # - Look at `gem list` for Ruby gems.
@@ -241,14 +264,11 @@
     pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
 
-# Install the credentials.  There are a lot of things to remember here.
-# Be sure to make sure the permissions match up (ls -l on an existing
-# server!).
-scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
-scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
+# [PRODUCTION] Install the credentials.  There are a lot of things to
+# remember here.  Be sure to make sure the permissions match up (ls -l
+# on an existing server!).
+scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
+scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
 scp scripts.key root@$server:/etc/pki/tls/private
 scp .k5login root@$server:/home/logview
-    chown afsagent:afsagent /etc/daemon.keytab
-#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
-    ls -l /etc/daemon.keytab
 #   o The SSL cert private key (real servers only)
     ls -l /etc/pki/tls/private/scripts.key
@@ -260,21 +280,40 @@
     cat /home/logview/.k5login
 
+# All types of servers will have an /etc/daemon.keytab file, however,
+# different types of server will have different credentials in this
+# keytab.
+#   [PRODUCTION] daemon.scripts
+#   [WIZARD]     daemon.scripts-security-upd
+#   [TESTSERVER] daemon.scripts-test
+k5srvutil list -f daemon.keytab
+scp daemon.keytab root@$server:/etc
+    chown afsagent:afsagent /etc/daemon.keytab
+#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
+    ls -l /etc/daemon.keytab
+
 # Spin up OpenAFS.  This will fail if there's been a new kernel since
 # when you last tried.  In that case, you can hold on till later to
 # start OpenAFS.  This will take a little bit of time; 
     service openafs-client start
-
-# Check that fs sysname is correct.  You should see, among others,
+# Then, check that fs sysname is correct.  You should see, among others,
 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
 # probably did a distro upgrade and should update /etc/sysconfig/openafs.
     fs sysname
 
-# [TEST SERVER] If you are setting up a test server, pay attention to
-# /etc/sysconfig/network-scripts and do not bind scripts' IP address.
-# You will also need to modify:
+# [WIZARD/TESTSERVER] If you are setting up a non-production server,
+# there are some services that it won't provide, and you will need to
+# make it talk to a real server instead.  In particular:
+#   - We don't serve the web, so don't bind scripts.mit.edu
+#   - We don't serve LDAP, so use another server
+# This involves editing the following files:
+#   o /etc/sysconfig/network-scripts/ifcfg-lo:0
+#   o /etc/sysconfig/network-scripts/ifcfg-lo:1
+#   o /etc/sysconfig/network-scripts/ifcfg-lo:2
+#   o /etc/sysconfig/network-scripts/ifcfg-lo:3
+       \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
 #   o /etc/ldap.conf
 #       add: host scripts.mit.edu
-#   o /etc/nss-ldapd.conf
-#       replace: uri *****
+#   o /etc/{nss-ldapd,nslcd}.conf
+#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
 #       with: uri ldap://scripts.mit.edu/
 #   o /etc/openldap/ldap.conf
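Review bot: The new daemon.keytab block starts with `k5srvutil list -f daemon.keytab` on a local file, but with `daemon.keytab` dropped from the `scp root@$source_server:...` line in the previous hunk, nothing says where that file now comes from for each server type. Add a step or comment stating how the per-type keytab is obtained. The mode on the server follows whatever the local copy had, so set it explicitly after the `chown` with `chmod 600 /etc/daemon.keytab`. The retained bullet `#   o The daemon.scripts keytab (will be daemon.scripts-test for test)` now duplicates the three-way list above it and could be removed.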
@@ -282,18 +321,18 @@
 #            BASE dc=scripts,dc=mit,dc=edu
 #   o /etc/httpd/conf.d/vhost_ldap.conf
-#       replace: VhostLDAPUrl ****
+#       replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
 #       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
 #   o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf
-#       replace: server_host *****
+#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
 #       with: server_host = ldap://scripts.mit.edu
 # to use scripts.mit.edu instead of localhost.
 # XXX: someone should write sed scripts to do this
 
-# [TEST SERVER] If you are setting up a test server, afsagent's cronjob
-# will attempt to be renewing with the wrong credentials
-# (daemon.scripts). Change this:
+# [WIZARD/TESTSERVER] If you are setting up a non-production server,
+# afsagent's cronjob will attempt to be renewing with the wrong
+# credentials (daemon.scripts). Change this:
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# Set up replication (see ./install-ldap).
+# [PRODUCTION] Set up replication (see ./install-ldap).
 # You'll need the LDAP keytab for this server: be sure to chown it
 # fedora-ds after you create the fedora-ds user
@@ -307,9 +346,15 @@
     service nscd start
     service postfix start
-    service httpd start
-    chkconfig dirsrv on
     chkconfig nslcd on
     chkconfig nscd on
     chkconfig postfix on
+
+# [PRODUCTION]
+    chkconfig dirsrv on
+
+# [PRODUCTION/TESTSERVER]
+# (Maybe WIZARD too once we start doing strange things to autoupgrade
+# installs behind firewalls.)
+    service httpd start # will fail if AFS is not running
     chkconfig httpd on
 
@@ -317,5 +362,6 @@
     chkconfig nrpe on
 
-# Check sql user credentials (needs to be done after LDAP is setup)
+# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
+# is setup)
     chown sql /etc/sql-mit-edu.cfg.php
 
@@ -345,4 +391,6 @@
     # Some usual candidates for clobbering include nsswitch.conf and
     # sysconfig/openafs
+    # [WIZARD/TEST] Remember that changes you made should not get
+    # reverted!
 
 # ThisCell got clobbered, replace it with athena.mit.edu
@@ -357,8 +405,12 @@
 #   o your lvm thingies; probably don't need to edit
 
-# [TEST SERVER] More stuff for test servers
-#   - You need a self-signed SSL cert.  Generate with:
+# [TESTERVER]
+#   - You need a self-signed SSL cert or Apache will refuse to start
+#     or do SSL.  Generate with:
     openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
-#     Also make /etc/pki/tls/certs/ca.pem match up
+#     Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the
+#     incant for that?)
+
+# [TESTSERVER] More stuff for test servers
 #   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
 #   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
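Review bot: The tag on the certificate step is spelled `[TESTERVER]`, and the previous hunk uses `[WIZARD/TEST]`, so neither matches the `[TESTSERVER]` notation introduced at the top of the file and a search for the tag will skip both; use `# [TESTSERVER]` and `# [WIZARD/TESTSERVER]`. The `openssl req ... -nodes` command writes an unencrypted private key to /etc/pki/tls/private/scripts.key with no mode set afterwards, so a following `chmod 600 /etc/pki/tls/private/scripts.key` would make the intended permissions explicit.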
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/ai6034.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/ai6034.conf	(revision 1972)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/ai6034.conf	(revision 1973)
@@ -19,4 +19,5 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ai6034.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
 	<VirtualHost *:444>
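Review bot: Both `SSLCertificateKeyFile` lines added to this file, and the two in the new classof2014.conf, point at the same `/etc/pki/tls/private/scripts.key`, so these vhost certificates all share one private key, the same file install-howto.sh copies between servers by way of a trusted machine. That coupling is not documented anywhere in the vhost files; a comment such as `# cert must be issued against scripts.key; exposure of that key affects every vhost using it` next to the directive would tell whoever renews a certificate what to reuse and what is at stake. The `<VirtualHost>` blocks start or end outside these hunks.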
@@ -29,4 +30,5 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ai6034.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
 </IfModule>
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/classof2014.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/classof2014.conf	(revision 1973)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/classof2014.conf	(revision 1973)
@@ -0,0 +1,34 @@
+# do not trailing-slash DocumentRoot
+
+<VirtualHost *:80>
+	ServerName classof2014.mit.edu
+	ServerAlias classof2014
+	DocumentRoot /afs/athena.mit.edu/activity/other/2014/web_scripts
+	Alias /~2014 /afs/athena.mit.edu/activity/other/2014/web_scripts
+	SuExecUserGroup 2014 2014
+	Include conf.d/vhosts-common.conf
+</VirtualHost>
+
+<IfModule ssl_module>
+	<VirtualHost *:443>
+		ServerName classof2014.mit.edu
+		ServerAlias classof2014
+		DocumentRoot /afs/athena.mit.edu/activity/other/2014/web_scripts
+		Alias /~2014 /afs/athena.mit.edu/activity/other/2014/web_scripts
+		SuExecUserGroup 2014 2014
+		Include conf.d/vhosts-common-ssl.conf
+		SSLCertificateFile /etc/pki/tls/certs/classof2014.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+	</VirtualHost>
+	<VirtualHost *:444>
+		ServerName classof2014.mit.edu
+		ServerAlias classof2014
+		DocumentRoot /afs/athena.mit.edu/activity/other/2014/web_scripts
+		Alias /~2014 /afs/athena.mit.edu/activity/other/2014/web_scripts
+		SuExecUserGroup 2014 2014
+		Include conf.d/vhosts-common-ssl.conf
+		Include conf.d/vhosts-common-ssl-cert.conf
+		SSLCertificateFile /etc/pki/tls/certs/classof2014.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+	</VirtualHost>
+</IfModule>
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/isawyou.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/isawyou.conf	(revision 1972)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/isawyou.conf	(revision 1973)
@@ -4,7 +4,7 @@
 	ServerName isawyou.mit.edu
 	ServerAlias isawyou
-	DocumentRoot /afs/athena.mit.edu/user/k/e/keone/web_scripts/isawyou
-	Alias /~keone /afs/athena.mit.edu/user/k/e/keone/web_scripts
-	SuExecUserGroup keone keone
+	DocumentRoot /afs/sipb.mit.edu/contrib/isawyou/web_scripts
+	Alias /~isawyou /afs/sipb.mit.edu/contrib/isawyou/web_scripts
+	SuExecUserGroup isawyou isawyou
 	Include conf.d/vhosts-common.conf
 </VirtualHost>
@@ -14,7 +14,7 @@
 		ServerName isawyou.mit.edu
 		ServerAlias isawyou
-		DocumentRoot /afs/athena.mit.edu/user/k/e/keone/web_scripts/isawyou
-		Alias /~keone /afs/athena.mit.edu/user/k/e/keone/web_scripts
-		SuExecUserGroup keone keone
+		DocumentRoot /afs/sipb.mit.edu/contrib/isawyou/web_scripts
+		Alias /~isawyou /afs/sipb.mit.edu/contrib/isawyou/web_scripts
+		SuExecUserGroup isawyou isawyou
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/isawyou.pem
@@ -24,7 +24,7 @@
 		ServerName isawyou.mit.edu
 		ServerAlias isawyou
-		DocumentRoot /afs/athena.mit.edu/user/k/e/keone/web_scripts/isawyou
-		Alias /~keone /afs/athena.mit.edu/user/k/e/keone/web_scripts
-		SuExecUserGroup keone keone
+		DocumentRoot /afs/sipb.mit.edu/contrib/isawyou/web_scripts
+		Alias /~isawyou /afs/sipb.mit.edu/contrib/isawyou/web_scripts
+		SuExecUserGroup isawyou isawyou
 		Include conf.d/vhosts-common-ssl.conf
 		Include conf.d/vhosts-common-ssl-cert.conf
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/ai6034.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/ai6034.pem	(revision 1972)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/ai6034.pem	(revision 1973)
@@ -1,26 +1,58 @@
+From mitcert@MIT.EDU Fri Aug 19 09:30:50 2011
+Date: Fri, 19 Aug 2011 09:30:48 -0400
+From: "mitcert@MIT.EDU" <mitcert@MIT.EDU>
+To: Alexander Chernyakhovsky <achernya@mit.edu>
+Subject: [help.mit.edu #1702392] certificate renewal for scripts-vhost ai6034.mit.edu 
+
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            fe:8f:cc:2a:7d:76:b9:64:36:c3:e6:ec:48:e1:ee:1f
+            ab:08:ed:7a:2f:37:38:c3:9f:6c:01:8e:ff:f2:82:40
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority
         Validity
-            Not Before: Aug 30 16:00:00 2010 GMT
-            Not After : Sep  1 16:00:00 2011 GMT
+            Not Before: Aug 17 16:00:00 2011 GMT
+            Not After : Aug 16 16:00:00 2012 GMT
         Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service, CN=ai6034.mit.edu/emailAddress=scripts@mit.edu
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b5:3e:21:4d:c1:89:6b:01:8c:47:80:fe:b3:37:
-                    27:76:f8:52:41:e6:a2:3d:4b:76:78:e5:f2:66:3c:
-                    0f:b1:ad:fb:97:8f:2e:a2:b6:53:d3:b6:0e:e2:66:
-                    f9:b9:0b:b7:ce:b4:d5:f5:1c:1f:6f:22:7d:48:f5:
-                    6d:f0:16:cd:8e:48:79:d1:14:4a:14:2f:2f:f8:c4:
-                    bd:1d:87:cf:7d:8b:5c:77:ad:58:24:b0:0e:a1:6d:
-                    d6:0a:c7:d8:bc:2f:67:65:c8:5d:d8:d8:31:c2:67:
-                    4b:4a:f4:a1:a5:54:82:af:cb:34:08:2a:04:7f:8e:
-                    7c:4c:b7:db:dc:6a:8a:5d:81
+            RSA Public Key: (4096 bit)
+                Modulus (4096 bit):
+                    00:bf:a3:f2:7b:98:cc:16:a7:57:e6:92:85:34:56:
+                    f1:e3:62:83:9e:6a:4f:35:9d:f0:cf:89:87:73:e3:
+                    93:f7:b7:01:57:38:6e:e9:fc:59:4d:24:eb:a7:17:
+                    47:ca:2c:51:0e:45:c8:b7:68:c9:0e:32:26:e0:91:
+                    d3:06:5c:8c:7c:0e:6c:99:0c:b2:46:05:0f:4d:f1:
+                    b0:c7:5e:35:06:62:fe:2a:d6:0f:1b:2c:b5:02:24:
+                    4c:c3:06:71:ec:94:ca:1d:aa:af:7e:b9:2d:c0:55:
+                    4b:cc:bc:51:3d:76:68:5b:d3:ed:35:d0:03:ba:1b:
+                    6c:f3:a0:d8:d3:dc:6b:44:b0:5e:01:51:d3:02:cc:
+                    4a:da:52:12:de:35:31:69:16:5a:48:8b:0f:ce:ad:
+                    4d:e4:d5:8b:11:36:7f:87:1c:fd:84:da:43:2e:87:
+                    2f:41:70:ac:ad:df:54:c0:ed:f6:21:51:fa:c5:06:
+                    f0:1b:eb:a1:b0:bf:4d:1c:42:34:8a:d5:6f:f7:25:
+                    66:73:8f:60:c4:d7:8d:33:91:f4:46:3a:97:09:59:
+                    01:ff:c3:64:94:40:48:30:68:f0:6e:03:26:74:c2:
+                    a1:b3:d7:cb:94:fc:6e:53:8a:2a:9e:fd:b1:4f:c4:
+                    74:56:25:63:1f:aa:bd:95:25:78:9c:45:46:1b:0c:
+                    21:71:eb:84:94:d0:b2:f1:da:52:f6:d1:7f:63:1d:
+                    08:23:52:5f:c2:f9:4d:ac:a4:44:e5:9a:54:70:fc:
+                    c9:fc:d4:d4:b7:1d:75:95:00:e3:bf:3e:4c:f3:43:
+                    c3:96:c7:09:2a:29:45:12:d2:31:d6:79:4c:8a:e7:
+                    54:27:22:c6:80:ae:87:23:56:f1:8d:49:9b:c8:fa:
+                    ed:33:5b:5f:56:76:c8:0f:7e:85:14:69:c4:48:31:
+                    07:39:a5:34:81:f2:6b:15:50:22:fb:bb:2c:ad:4b:
+                    84:ea:55:64:f7:de:56:9d:d0:b6:d0:7d:1e:1b:51:
+                    50:37:44:94:e6:c4:15:eb:45:31:f1:b3:ec:0f:b3:
+                    a9:0c:f8:1c:47:c7:51:00:05:ef:ee:b0:3d:9f:7e:
+                    07:a7:38:e8:83:4c:3d:db:34:b6:24:0c:90:57:c0:
+                    f9:d0:64:14:8a:93:47:9b:41:f5:a3:14:1d:9e:18:
+                    5d:d5:d8:66:af:f5:f3:c8:2f:bc:a7:02:a7:ef:dc:
+                    f0:0e:c7:47:8d:2e:d6:a8:62:42:93:5b:7c:f5:35:
+                    f8:31:10:7b:38:d4:40:24:68:81:13:27:cb:fb:76:
+                    0e:d1:99:14:d8:d5:eb:f7:69:64:8f:af:8f:82:bb:
+                    24:29:f9:d4:29:1d:ce:e6:14:ba:4c:8b:09:ff:46:
+                    ce:8b:6d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
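Review bot: The six lines added at the top of the file, from `From mitcert@MIT.EDU Fri Aug 19 09:30:50 2011` through the blank line after `Subject:`, are mail headers from the issuing ticket rather than certificate data. PEM readers generally skip text outside the `-----BEGIN CERTIFICATE-----` block, so this probably still loads, but it puts a personal address and a ticket number into a deployed config file and makes the file differ from the other certificates. Strip them so the file starts at `Certificate:` again; the rest of the file continues outside this hunk.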
@@ -34,36 +66,45 @@
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Subject Key Identifier: 
-                54:11:7C:09:55:44:1C:94:45:A9:A2:76:46:2B:2C:24:26:6A:44:E8
+                CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62
             X509v3 CRL Distribution Points: 
                 URI:http://ca.mit.edu/ca/mitserver.crl
 
     Signature Algorithm: sha1WithRSAEncryption
-        73:aa:4b:65:bf:b3:28:bd:80:f2:b8:80:55:5f:73:c0:93:49:
-        38:d3:7d:53:e7:33:4b:07:df:f0:b9:2f:47:7a:c6:41:02:f2:
-        1d:82:b4:e0:f2:84:3a:d1:43:75:48:ae:6e:31:e7:85:45:0c:
-        cd:a2:95:51:b1:5a:3b:eb:a0:e6:5d:bb:57:3d:b4:27:a6:f1:
-        c5:49:96:44:67:da:7a:f4:99:19:60:4f:ef:02:79:e9:c8:f6:
-        3b:3f:fa:0a:37:ce:1c:ec:c6:63:20:26:b6:44:a6:20:7d:06:
-        00:8e:e9:4a:94:fa:58:3d:42:17:6a:99:cc:8f:23:7c:28:ef:
-        1c:d7
+        0e:54:0f:38:76:76:1a:05:e4:2c:b7:55:b3:ae:08:0d:2a:b7:
+        94:67:e5:0b:37:cd:1f:7b:0e:70:70:a6:9a:0f:2b:ed:24:66:
+        00:90:35:d0:7d:98:78:68:9e:73:8a:98:43:db:63:c8:10:63:
+        ce:45:d5:f5:31:69:bf:56:25:92:f3:0c:83:a5:a9:58:94:b9:
+        99:25:7a:db:a5:ca:22:47:20:de:f4:3c:b1:73:ae:9f:7b:17:
+        86:7f:0b:ca:52:cd:55:8a:05:1d:5d:87:61:d1:cf:c7:af:43:
+        7c:e1:d4:9b:8d:31:ce:ef:51:ec:fe:f7:63:38:d8:63:cd:5a:
+        ff:ef
 -----BEGIN CERTIFICATE-----
-MIIDfjCCAuegAwIBAgIRAP6PzCp9drlkNsPm7Ejh7h8wDQYJKoZIhvcNAQEFBQAw
+MIIFAjCCBGugAwIBAgIRAKsI7XovNzjDn2wBjv/ygkAwDQYJKoZIhvcNAQEFBQAw
 ezELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoT
 JU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJDAiBgNVBAsT
-G01JVCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA4MzAxNjAwMDBaFw0x
-MTA5MDExNjAwMDBaMIHQMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
+G01JVCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTA4MTcxNjAwMDBaFw0x
+MjA4MTYxNjAwMDBaMIHQMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
 ZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRz
 IEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MSwwKgYDVQQLEyNzY3JpcHRzLm1pdC5l
 ZHUgd2ViIGhvc3Rpbmcgc2VydmljZTEXMBUGA1UEAxMOYWk2MDM0Lm1pdC5lZHUx
-HjAcBgkqhkiG9w0BCQEWD3NjcmlwdHNAbWl0LmVkdTCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAtT4hTcGJawGMR4D+szcndvhSQeaiPUt2eOXyZjwPsa37l48u
-orZT07YO4mb5uQu3zrTV9RwfbyJ9SPVt8BbNjkh50RRKFC8v+MS9HYfPfYtcd61Y
-JLAOoW3WCsfYvC9nZchd2NgxwmdLSvShpVSCr8s0CCoEf458TLfb3GqKXYECAwEA
-AaOBqzCBqDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF4DAnBgNVHSUEIDAe
-BggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMCMAsGA1UdDwQEAwIF4DAdBgNV
-HQ4EFgQUVBF8CVVEHJRFqaJ2RissJCZqROgwMwYDVR0fBCwwKjAooCagJIYiaHR0
-cDovL2NhLm1pdC5lZHUvY2EvbWl0c2VydmVyLmNybDANBgkqhkiG9w0BAQUFAAOB
-gQBzqktlv7MovYDyuIBVX3PAk0k4031T5zNLB9/wuS9HesZBAvIdgrTg8oQ60UN1
-SK5uMeeFRQzNopVRsVo766DmXbtXPbQnpvHFSZZEZ9p69JkZYE/vAnnpyPY7P/oK
-N84c7MZjICa2RKYgfQYAjulKlPpYPUIXapnMjyN8KO8c1w==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 -----END CERTIFICATE-----
+
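Review bot: The renewed certificate here appears to share its private key with the new classof2014.pem in the next file section. The Subject Key Identifier added in this hunk, `CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62`, is the same value that file carries, and the modulus lines added just above match its modulus line for line. With one key behind several vhost certificates, exposure of that key affects all of them, and each certificate has to be revoked and reissued separately. If the sharing is deliberate, the commit description should say so, for example `All scripts-vhost certificates in this revision use the same 4096-bit key; rekey them together.`; otherwise generate a key per vhost before requesting the certificate. The file header for this hunk is outside the visible part of the diff, so the path is not named here.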
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/classof2014.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/classof2014.pem	(revision 1973)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/classof2014.pem	(revision 1973)
@@ -0,0 +1,110 @@
+From mitcert@MIT.EDU Fri Aug 19 09:33:03 2011
+Date: Fri, 19 Aug 2011 09:33:02 -0400
+From: "mitcert@MIT.EDU" <mitcert@MIT.EDU>
+To: Alexander Chernyakhovsky <achernya@mit.edu>
+Subject: [help.mit.edu #1702218] certificate signing request for scripts-vhost classof2014.mit.edu 
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7e:98:f3:19:0a:aa:5a:1b:7d:81:60:3e:b4:fe:90:87
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority
+        Validity
+            Not Before: Aug 17 16:00:00 2011 GMT
+            Not After : Aug 16 16:00:00 2012 GMT
+        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service, CN=classof2014.mit.edu/emailAddress=scripts@mit.edu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (4096 bit)
+                Modulus (4096 bit):
+                    00:bf:a3:f2:7b:98:cc:16:a7:57:e6:92:85:34:56:
+                    f1:e3:62:83:9e:6a:4f:35:9d:f0:cf:89:87:73:e3:
+                    93:f7:b7:01:57:38:6e:e9:fc:59:4d:24:eb:a7:17:
+                    47:ca:2c:51:0e:45:c8:b7:68:c9:0e:32:26:e0:91:
+                    d3:06:5c:8c:7c:0e:6c:99:0c:b2:46:05:0f:4d:f1:
+                    b0:c7:5e:35:06:62:fe:2a:d6:0f:1b:2c:b5:02:24:
+                    4c:c3:06:71:ec:94:ca:1d:aa:af:7e:b9:2d:c0:55:
+                    4b:cc:bc:51:3d:76:68:5b:d3:ed:35:d0:03:ba:1b:
+                    6c:f3:a0:d8:d3:dc:6b:44:b0:5e:01:51:d3:02:cc:
+                    4a:da:52:12:de:35:31:69:16:5a:48:8b:0f:ce:ad:
+                    4d:e4:d5:8b:11:36:7f:87:1c:fd:84:da:43:2e:87:
+                    2f:41:70:ac:ad:df:54:c0:ed:f6:21:51:fa:c5:06:
+                    f0:1b:eb:a1:b0:bf:4d:1c:42:34:8a:d5:6f:f7:25:
+                    66:73:8f:60:c4:d7:8d:33:91:f4:46:3a:97:09:59:
+                    01:ff:c3:64:94:40:48:30:68:f0:6e:03:26:74:c2:
+                    a1:b3:d7:cb:94:fc:6e:53:8a:2a:9e:fd:b1:4f:c4:
+                    74:56:25:63:1f:aa:bd:95:25:78:9c:45:46:1b:0c:
+                    21:71:eb:84:94:d0:b2:f1:da:52:f6:d1:7f:63:1d:
+                    08:23:52:5f:c2:f9:4d:ac:a4:44:e5:9a:54:70:fc:
+                    c9:fc:d4:d4:b7:1d:75:95:00:e3:bf:3e:4c:f3:43:
+                    c3:96:c7:09:2a:29:45:12:d2:31:d6:79:4c:8a:e7:
+                    54:27:22:c6:80:ae:87:23:56:f1:8d:49:9b:c8:fa:
+                    ed:33:5b:5f:56:76:c8:0f:7e:85:14:69:c4:48:31:
+                    07:39:a5:34:81:f2:6b:15:50:22:fb:bb:2c:ad:4b:
+                    84:ea:55:64:f7:de:56:9d:d0:b6:d0:7d:1e:1b:51:
+                    50:37:44:94:e6:c4:15:eb:45:31:f1:b3:ec:0f:b3:
+                    a9:0c:f8:1c:47:c7:51:00:05:ef:ee:b0:3d:9f:7e:
+                    07:a7:38:e8:83:4c:3d:db:34:b6:24:0c:90:57:c0:
+                    f9:d0:64:14:8a:93:47:9b:41:f5:a3:14:1d:9e:18:
+                    5d:d5:d8:66:af:f5:f3:c8:2f:bc:a7:02:a7:ef:dc:
+                    f0:0e:c7:47:8d:2e:d6:a8:62:42:93:5b:7c:f5:35:
+                    f8:31:10:7b:38:d4:40:24:68:81:13:27:cb:fb:76:
+                    0e:d1:99:14:d8:d5:eb:f7:69:64:8f:af:8f:82:bb:
+                    24:29:f9:d4:29:1d:ce:e6:14:ba:4c:8b:09:ff:46:
+                    ce:8b:6d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server, S/MIME
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, E-mail Protection, TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62
+            X509v3 CRL Distribution Points: 
+                URI:http://ca.mit.edu/ca/mitserver.crl
+
+    Signature Algorithm: sha1WithRSAEncryption
+        64:3a:a1:b9:8b:2c:f7:a8:7b:3d:97:bf:7b:58:5f:4e:f7:83:
+        8d:4a:a7:28:8b:ec:15:59:4b:29:3d:97:e6:f8:3f:c5:54:89:
+        1b:5c:0c:0c:5c:13:4d:59:63:01:99:4d:d4:b8:cf:9f:c6:c5:
+        13:70:df:cb:38:78:72:1c:8f:89:c7:26:ff:d0:43:e8:e2:8f:
+        87:2b:dc:3c:80:4b:cf:bc:49:45:d3:d0:f1:0c:90:00:f8:16:
+        d5:70:f5:23:c3:13:5c:b6:09:bd:e4:75:9e:b4:b3:24:d2:a5:
+        da:d5:68:32:75:55:46:b7:b6:5a:1a:32:87:80:2c:73:a9:6e:
+        08:6b
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
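Review bot: classof2014.pem is committed as the raw mail from the CA, so the mbox `From ` line, the `To:` address and the help-desk ticket number in `Subject:` are deployed to every server along with the certificate. Tools that scan for `-----BEGIN CERTIFICATE-----` ignore the preamble, but it is cleaner to keep only the text dump starting at `Certificate:` plus the PEM block and drop the five header lines. Separately, the 4096-bit leaf key does not strengthen the chain on its own. The issuer signature is `sha1WithRSAEncryption`, and its 128-byte length suggests a 1024-bit CA key, which is worth recording wherever this certificate's assurance level is documented.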
