
connect: leaf cert rotation is not reflected on non blocking api queries #10871

Closed
danielehc opened this issue Aug 18, 2021 · 9 comments
Labels

  • theme/certificates: Related to creating, distributing, and rotating certificates in Consul
  • theme/connect: Anything related to Consul Connect, Service Mesh, Side Car Proxies
  • theme/consul-vault: Relating to Consul & Vault interactions
  • type/bug: Feature does not function as expected

Comments

@danielehc
Contributor

Overview of the Issue

Consul datacenter with Connect enabled and Vault used as Connect CA.

The /agent/connect/ca/leaf/:service endpoint cache never gets invalidated and shows old certificates.

Apart from this behavior, the Consul datacenter seems to behave properly and all other functionalities work as expected.

Reproduction Steps

  1. Create a cluster with 2 client nodes and 3 server nodes with Connect enabled

    consul members
    
    Node       Address          Status  Type    Build   Protocol  DC   Segment
    server-1   172.19.0.4:8301  alive   server  1.10.1  2         dc1  <all>
    server-2   172.19.0.5:8301  alive   server  1.10.1  2         dc1  <all>
    server-3   172.19.0.6:8301  alive   server  1.10.1  2         dc1  <all>
    service-1  172.19.0.7:8301  alive   client  1.10.1  2         dc1  <default>
    service-2  172.19.0.8:8301  alive   client  1.10.1  2         dc1  <default>
    
  2. Check service leaf certificate:

    curl  --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}"     ${CONSUL_HTTP_ADDR}/v1/agent/connect/ca/leaf/web
    
    {
      "SerialNumber": "0e",
      "CertPEM": "-----BEGIN CERTIFICATE-----\nMIICPjCCAeOgAwIBAgIBDjAKBggqhkjOPQQDAjAwMS4wLAYDVQQDEyVwcmktMWF4\nbncwbi5jb25zdWwuY2EuMTZjZTg0MTYuY29uc3VsMB4XDTIxMDgxNzExNTMyM1oX\nDTIxMDgxNzEyNTMyM1owKjEoMCYGA1UEAxMfd2ViLnN2Yy5kZWZhdWx0LjE2Y2U4\nNDE2LmNvbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOdZdHsJAgbCVXM4\nM8nlsA8HTJH34266PiwDxesNyCmKzpQlFfQ5LIG8SnO2lNlgaCZzOjZSlE1NORNF\nvlyH4RejgfMwgfAwDgYDVR0PAQH/BAQDAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMC\nBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBoUngfB/45NfX5cEgy\n97gCG7PpNDkEPfbzRWADHIDCuTArBgNVHSMEJDAigCCE+ZG44WVMjEPD/BGTewLD\nRvVpWgcWtJLnAfAGjrZ3gDBZBgNVHREEUjBQhk5zcGlmZmU6Ly8xNmNlODQxNi0x\nMzk4LWMyZmMtZTM1OC1jNWM1OWNkMDI2ZDUuY29uc3VsL25zL2RlZmF1bHQvZGMv\nZGMxL3N2Yy93ZWIwCgYIKoZIzj0EAwIDSQAwRgIhAIfULCHfnMhb5p9vmvbuj4jr\nb8K44EgYt1ou6w0tobU7AiEA8jcdv+4in/BlRw0WiQYoa+qQrmEXjFXNyJ9dntsk\nfcg=\n-----END CERTIFICATE-----\n",
      "PrivateKeyPEM": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEILZounleT8ED/IYW2Bcc3U6o1QUW9GxG+ErYprQ3hnfToAoGCCqGSM49\nAwEHoUQDQgAE51l0ewkCBsJVczgzyeWwDwdMkffjbro+LAPF6w3IKYrOlCUV9Dks\ngbxKc7aU2WBoJnM6NlKUTU05E0W+XIfhFw==\n-----END EC PRIVATE KEY-----\n",
      "Service": "web",
      "ServiceURI": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul/ns/default/dc/dc1/svc/web",
      "ValidAfter": "2021-08-17T11:53:23Z",
      "ValidBefore": "2021-08-17T12:53:23Z",
      "CreateIndex": 67,
      "ModifyIndex": 67
    }
  3. Configure Vault as Connect CA

    Configuration:

    {
        "Provider": "vault",
        "Config": {
            "LeafCertTTL": "1h",
            "Address": "http://172.19.0.2:8200",
            "Token": "password",
            "RootPKIPath": "connect-root",
            "IntermediatePKIPath": "connect-intermediate",
            "RotationPeriod": "1h",
            "IntermediateCertTTL": "3h",
            "PrivateKeyType": "rsa",
            "PrivateKeyBits": 2048
        },
        "ForceWithoutCrossSigning": false
    }

    Command:

    curl -s \
        --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" \
        --request PUT \
         --data @assets/config-connect-ca-provider-vault.json \
        ${CONSUL_HTTP_ADDR}/v1/connect/ca/configuration

    Logs:

    Server:

    2021-08-17T11:54:35.732Z [INFO]  agent.server.connect: CA rotated to new root under provider: provider=vault
    

    Client:

    2021-08-17T11:54:35.727Z [DEBUG] agent.auto_config: handling a cache update event: correlation_id=roots
    2021-08-17T11:54:35.727Z [DEBUG] agent.auto_config: roots watch fired - updating CA certificates
    2021-08-17T11:54:35.930Z [DEBUG] agent.envoy.xds: generating cluster for: service_id=web-sidecar-proxy xdsVersion=v3 cluster=api.default.dc1.internal.16ce8416-1398-c2fc-e358-c5c59cd026d5.consul
    2021-08-17T11:54:35.930Z [DEBUG] agent.envoy.xds: generating endpoints for: service_id=web-sidecar-proxy xdsVersion=v3 cluster=api.default.dc1.internal.16ce8416-1398-c2fc-e358-c5c59cd026d5.consul
    
  4. Check for certificate (after waiting for the rotation period or any amount of time)

    curl  --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}"     ${CONSUL_HTTP_ADDR}/v1/agent/connect/ca/leaf/web
    
    ...
    < HTTP/2 200 
    < age: 77527
    < content-type: application/json
    < vary: Accept-Encoding
    < x-cache: HIT
    < x-consul-default-acl-policy: deny
    < x-consul-index: 67
    < content-length: 1356
    < date: Wed, 18 Aug 2021 09:26:29 GMT
    <
    ... 
      "SerialNumber": "0e",
      "CertPEM": "-----BEGIN CERTIFICATE-----\nMIICPjCCAeOgAwIBAgIBDjAKBggqhkjOPQQDAjAwMS4wLAYDVQQDEyVwcmktMWF4\nbncwbi5jb25zdWwuY2EuMTZjZTg0MTYuY29uc3VsMB4XDTIxMDgxNzExNTMyM1oX\nDTIxMDgxNzEyNTMyM1owKjEoMCYGA1UEAxMfd2ViLnN2Yy5kZWZhdWx0LjE2Y2U4\nNDE2LmNvbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOdZdHsJAgbCVXM4\nM8nlsA8HTJH34266PiwDxesNyCmKzpQlFfQ5LIG8SnO2lNlgaCZzOjZSlE1NORNF\nvlyH4RejgfMwgfAwDgYDVR0PAQH/BAQDAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMC\nBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBoUngfB/45NfX5cEgy\n97gCG7PpNDkEPfbzRWADHIDCuTArBgNVHSMEJDAigCCE+ZG44WVMjEPD/BGTewLD\nRvVpWgcWtJLnAfAGjrZ3gDBZBgNVHREEUjBQhk5zcGlmZmU6Ly8xNmNlODQxNi0x\nMzk4LWMyZmMtZTM1OC1jNWM1OWNkMDI2ZDUuY29uc3VsL25zL2RlZmF1bHQvZGMv\nZGMxL3N2Yy93ZWIwCgYIKoZIzj0EAwIDSQAwRgIhAIfULCHfnMhb5p9vmvbuj4jr\nb8K44EgYt1ou6w0tobU7AiEA8jcdv+4in/BlRw0WiQYoa+qQrmEXjFXNyJ9dntsk\nfcg=\n-----END CERTIFICATE-----\n",
      "PrivateKeyPEM": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEILZounleT8ED/IYW2Bcc3U6o1QUW9GxG+ErYprQ3hnfToAoGCCqGSM49\nAwEHoUQDQgAE51l0ewkCBsJVczgzyeWwDwdMkffjbro+LAPF6w3IKYrOlCUV9Dks\ngbxKc7aU2WBoJnM6NlKUTU05E0W+XIfhFw==\n-----END EC PRIVATE KEY-----\n",
      "Service": "web",
      "ServiceURI": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul/ns/default/dc/dc1/svc/web",
      "ValidAfter": "2021-08-17T11:53:23Z",
      "ValidBefore": "2021-08-17T12:53:23Z",
      "CreateIndex": 67,
      "ModifyIndex": 67
    }

In the example the cache shows an age of 77527 seconds, which is ~21.5 h.

  5. Envoy dashboard shows the new certificates properly

    {
     "certificates": [
      {
       "ca_cert": [
        {
         "path": "\u003cinline\u003e",
         "serial_number": "0faf2a51ae5f9992da150afd41f94bb860277dfa",
         "subject_alt_names": [
          {
           "dns": "pri-f7tmb0o.vault.ca.16ce8416.consul"
          },
          {
           "uri": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul"
          }
         ],
         "days_until_expiration": "31",
         "valid_from": "2021-08-17T11:54:05Z",
         "expiration_time": "2021-09-18T11:54:35Z"
        }
       ],
       "cert_chain": [
        {
         "path": "\u003cinline\u003e",
         "serial_number": "1e51c9fdb75f11eba3e615a28a2f362a02a065c6",
         "subject_alt_names": [
          {
           "dns": "web.svc.default.16ce8416.consul"
          },
          {
           "uri": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul/ns/default/dc/dc1/svc/web"
          }
         ],
         "days_until_expiration": "0",
         "valid_from": "2021-08-18T09:53:39Z",
         "expiration_time": "2021-08-18T10:54:09Z"
        }
       ]
      },
      {
       "ca_cert": [
        {
         "path": "\u003cinline\u003e",
         "serial_number": "0faf2a51ae5f9992da150afd41f94bb860277dfa",
         "subject_alt_names": [
          {
           "dns": "pri-f7tmb0o.vault.ca.16ce8416.consul"
          },
          {
           "uri": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul"
          }
         ],
         "days_until_expiration": "31",
         "valid_from": "2021-08-17T11:54:05Z",
         "expiration_time": "2021-09-18T11:54:35Z"
        }
       ],
       "cert_chain": [
        {
         "path": "\u003cinline\u003e",
         "serial_number": "1e1516f3b620bdf5e74fc40516e4a4221468827c",
         "subject_alt_names": [
          {
           "dns": "web.svc.default.16ce8416.consul"
          },
          {
           "uri": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul/ns/default/dc/dc1/svc/web"
          }
         ],
         "days_until_expiration": "0",
         "valid_from": "2021-08-18T10:38:35Z",
         "expiration_time": "2021-08-18T11:39:05Z"
        }
       ]
      },
      {
       "ca_cert": [
        {
         "path": "\u003cinline\u003e",
         "serial_number": "0faf2a51ae5f9992da150afd41f94bb860277dfa",
         "subject_alt_names": [
          {
           "dns": "pri-f7tmb0o.vault.ca.16ce8416.consul"
          },
          {
           "uri": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul"
          }
         ],
         "days_until_expiration": "31",
         "valid_from": "2021-08-17T11:54:05Z",
         "expiration_time": "2021-09-18T11:54:35Z"
        }
       ],
       "cert_chain": [
        {
         "path": "\u003cinline\u003e",
         "serial_number": "1e1516f3b620bdf5e74fc40516e4a4221468827c",
         "subject_alt_names": [
          {
           "dns": "web.svc.default.16ce8416.consul"
          },
          {
           "uri": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul/ns/default/dc/dc1/svc/web"
          }
         ],
         "days_until_expiration": "0",
         "valid_from": "2021-08-18T10:38:35Z",
         "expiration_time": "2021-08-18T11:39:05Z"
        }
       ]
      }
     ]
    }

The scenario used for the test can be reproduced using the script at https://github.com/danielehc/consul-docker

Using the same endpoint for a service not checked earlier, the certificates are properly shown.

Operating system and Environment details

  • Consul nodes are Docker containers running on Linux Ubuntu 18.04.
  • Consul version is 1.10.1
  • Envoy version is 1.18.3

Expected results

The API endpoint should show the new certificates when they are present.

Workaround

  1. Use the Envoy admin UI to check the certificates

  2. Using a different Consul node for the API request, the cache does not get used, so the new certificate is properly shown

    export CONSUL_HTTP_ADDR=https://172.19.0.5:443
    curl --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}"     ${CONSUL_HTTP_ADDR}/v1/agent/connect/ca/leaf/web
    ...
    < HTTP/2 200 
    < content-type: application/json
    < vary: Accept-Encoding
    < x-cache: MISS
    < x-consul-default-acl-policy: deny
    < x-consul-index: 15200
    < date: Wed, 18 Aug 2021 10:56:02 GMT
    < 
    ...
    {
      "SerialNumber": "63:2a:e2:0f:85:02:87:be:78:93:0e:4f:02:76:46:cb:20:0f:79:fc",
      "CertPEM": "-----BEGIN CERTIFICATE-----\nMIIDDDCCAfSgAwIBAgIUYyriD4UCh754kw5PAnZGyyAPefwwDQYJKoZIhvcNAQEL\nBQAwMDEuMCwGA1UEAxMlcHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bDAeFw0yMTA4MTgxMDU1MzJaFw0yMTA4MTgxMTU2MDJaMCoxKDAmBgNVBAMT\nH3dlYi5zdmMuZGVmYXVsdC4xNmNlODQxNi5jb25zdWwwWTATBgcqhkjOPQIBBggq\nhkjOPQMBBwNCAAQqyLiCzoAYxyYXIrK9yEyBbf73u0ZpeyexKMzvxyKWbn5/Ihxm\nh35hMfDzzyY+8YZbg3vIKSklbaK5mkGx2d48o4HuMIHrMA4GA1UdDwEB/wQEAwID\nqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO8KYaBV\n1eUqhAHfHgDx2Ohd5Q/4MB8GA1UdIwQYMBaAFLkRRSna+Ads0VbRUPOH1F9TMi6u\nMHoGA1UdEQRzMHGCH3dlYi5zdmMuZGVmYXVsdC4xNmNlODQxNi5jb25zdWyGTnNw\naWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZkNS5jb25z\ndWwvbnMvZGVmYXVsdC9kYy9kYzEvc3ZjL3dlYjANBgkqhkiG9w0BAQsFAAOCAQEA\nnMSENRs0AWO4ny2aGZ1JL9qi0EeqfA0vHIxqIOB2WH+jvFbUFrfmU4X9ts86qxPH\n2B2gvO/FhSk5oSSz6bx75fBSPUALK8ZD6CUzYRBm/2rptN0zSqXjIRDOlFcF3/D8\n08HT5oxPvnFlV+SQZE0BAAUMpaj8XelVmHhmHyjEXiwrjbFxbSQaAHUzeUZvhSNZ\nTdk2NhkPNm0oHSa4/vdWWFMhJKdVdiSCRMfuddUmlW2Ofb2a6/1fqfHlzAaoyARh\nvlOTvP/HrygTM+VcB55fau6B62Pj+cWANqkGudh+uPVeEKxX8a4QeByVCof9WyJ5\nPHQ6/m0cA+iQEuB1uii5aw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIURD5fxNX35TTDYc7V/565IUT1VMMwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODA5NTI0M1oXDTIxMDgxODEyNTMxM1owMDEuMCwGA1UEAxMl\ncHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAJ79JJNH8a5VUisw/MuO+WRbMTe4PfPfTlce\nhSJQAH+Y1RFiLBjIifk9E/z4FqUZwJtmaBRr87pHHGZeIDiHZLLNryD+S1WrznfE\nGuw1VXLvTY0s88sgBhaaHAaxRDeVrKiKB/Zu1z5tEgqKEnvJCsQiJeoKuZwwo8p3\npc5ZrphhMIj5uJIcscoFA6VvHArXDX0BDokRxlENUjmkCB1Qu/1UHvMdmz4H/Dg2\nQOv5MvWIdeVOkiN07pvbP9vlp8Zozs57lN4DGEHDBAqNe0EGhR9c1Cu2JB11KJ0J\nX2BcGGoQ57udgsSMFlLxS6ndgLR+3U+IxI4zSckat3O0uF5oIwMCAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUuRFF\nKdr4B2zRVtFQ84fUX1MyLq4wHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAV6rOr5vT1wg9p0rgQQVC94uP\ncqatqAygiVucs+zLm8h1cgVXFRFZw8C5Lacu6AmYMdSL/LKjWL70IKCRXK+AkUEo\nY6f0saFMzV8IFGYgEa2gy3wGDb36y5wDJWei/jD4UignXYnyzIg1dqsGXqmel0t0\nY+OLt1bSjjzngk1xoJ9FKkb2JkryYOVC9uqzzPmRxZ5NXRTFFRJlIxFBjUAuCxY9\nJCvqey2p5XUiYIs/W1TSWNC0S0krSQ2Opik5HWP/5ZtT/a/Sy2hmGa5q1ghcaGuO\n82HDC2HFGEgFKbRagdzVxtyPMJQeV5QWL1hQfGCzn0kWTkxzDIM/9fObbAjWbQ==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIC8jCCApegAwIBAgIBDzAKBggqhkjOPQQDAjAwMS4wLAYDVQQDEyVwcmktMWF4\nbncwbi5jb25zdWwuY2EuMTZjZTg0MTYuY29uc3VsMB4XDTIxMDgxNzExNTMzNVoX\nDTIxMDgyNDExNTMzNVowLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2Eu\nMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nzW8QF5+FVb5oIy3UbU90R8/JxMd4Egy+lg6dfyGqzOU60Z0wZmZTnxmy7DWAwxVy\nLxXPYXwoLF2QsQApa0tjwMDfwvi9mQ9zo/JQszhNHXPnP/pnqcBFs6L53cY/nv9P\nUSLES5McqFqc8snWJP8nqP1lzBxy2GQMvcB/9NSEEQ5SuRP5PIF4HYjIZKQtq+ZL\nRqmA70mNdkVsGvotHon/1t6lSNdM1c77RBCfNPSUL3X2lVyP3r/GHpylgLMuq1qi\n+aQm8qFeIlsKpLGgrs1DgKE/HaZD17dQsT9Vfs8o+7A1QF7DMI2J/Jle388S3UPA\nVJZKUW3ZdkGTpIziZaxGwwIDAQABo4HXMIHUMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTmfIv2R0MeGVP9tpjsig62TGDrSDArBgNV\nHSMEJDAigCCE+ZG44WVMjEPD/BGTewLDRvVpWgcWtJLnAfAGjrZ3gDBlBgNVHREE\nXjBcgiRwcmktZjd0bWIwby52YXVsdC5jYS4xNmNlODQxNi5jb25zdWyGNHNwaWZm\nZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZkNS5jb25zdWww\nCgYIKoZIzj0EAwIDSQAwRgIhAJLKhLKrsAVgbsxx7tN3wJZsB3MsBLFQxtv722kQ\nrFCwAiEAp+aYySQxqlrWaRVzsHyGBW2jD6Si3uS6K2oyp6oK8l8=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDuDCCAqCgAwIBAgIUZvOkutuUGjkMj6BJQsoFp8vm020wDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxNzExNTQwNVoXDTIxMDgxNzE0NTQzNVowLzEtMCsGA1UEAxMk\ncHJpLTE0em1icmEudmF1bHQuY2EuMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Rb9Qj+DrsJ/6j31FDtDakWYdM9Em5t/7nAc\n2OAuTlHr2lTq1IPShx4D7N1GF90OhuB/0Oesys8oua/j2kP9cWDv5MgucIWWcpm9\nUE6SGHE6x8JryOK8Rf3pKh4ZrsNIQnQpXLWVgGaecPVq0yNKxfPQGCesnr74poN4\nyt3pAfU7XoiDUac20YDxXrPvjyhsS2IBnu939dfuuGMOO23N9/lRKDuF5Ib+yh4V\nntrXPk1e0v/e4D331grkssJEpAf74qNDeC3uJ6V7OVe1/RfC1iVXMvccrpc10KVo\nTMh/GdudkndaFEUbZbC0AgV41PK2BHHHKexgW+qhh+jz4ec3zwIDAQABo4HLMIHI\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRTN429\nQmhCa+Ypap/GaA0dbjvf6zAfBgNVHSMEGDAWgBTmfIv2R0MeGVP9tpjsig62TGDr\nSDBlBgNVHREEXjBcgiRwcmktMTR6bWJyYS52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWyGNHNwaWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZk\nNS5jb25zdWwwDQYJKoZIhvcNAQELBQADggEBAHKXNfcNJY8C++3e031IMIldITf9\nTpi+aAnxIdacGiCaocLT0RNPvk+/MCyCaF/J481VC24y5qYEMrAHsGjS9+LwcU50\n5ZMDh5eL5CiY7qT8MTnVdD0sR3hkay8n0QMsyt9hWI0w+rf0u1fN5KJUPmT0RkCy\nFBYnhrezk30w8ctW5rVV2y6P9tKGRLI+W++cWHdR0BesasF/cbVsRMjNg8cj6SHH\n8v2BAUiQQPDo8F6VSmQZKIv0d8vXTUj6w9tJXGfonoHEt5dWF3rwwm0gwC5TD3gF\novypuLvmLh1gFZznbQsnr0G4t2d9+wNveGXeYCgwbCM4aLnriFqMNs1KQ5U=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIUeEaM5UYnTAKLx3B0V5iltqvKT/owDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxNzEzNTI0MVoXDTIxMDgxNzE2NTMxMVowMDEuMCwGA1UEAxMl\ncHJpLTFqZzBuajY3LnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAJnwq/T8AU85Md1JmR9EystoxgTqGU0RFMpw\n7/lvBU/Pv8ABn1f2ttHNNAOoACWtYPefDWPgAZTBEuDUQbfT1Is/b8afNNKPukH7\nIVU84ADpiQ4jWlFHu2NI6vU8EeLiSkIwJTsJaGFK9wdae6Of/wzEBUY3b0imVpAT\nAfz46SO1BmXBVdLY1d7CV9tVLz58+fjyDfkvqx33mXi6iTkANeOwVzN+sdgUSgVc\nZ26wCAM4hMwJxiYeEotujo3fm/TFwbZUn+97+TjtFLcX1CqKJNpluKcB0XLu5DOQ\n0ig+TmyfruGoa9f6IuAmN7Uqk7pDu2+LHbKX32AlJxmyJ9ROsD0CAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPhuw\n0LqQw3Lt7MqEHGv1oPJLKLQwHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLTFqZzBuajY3LnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAm7Cc7fOIgjoc8g0Xm5VUKQJR\nC5WBPr6vyqw6aoqzhjGirrKiJQcJ/Wl7/dzEECBMM8CNoM2sH9mzkNS11/NADo+C\nJgCF8u4Xv/v1PKPkCTpnxX/rjCYma+EtGiBpPZ/q/fpxfr8TZaitEhxuAW/HtZJT\nIZ9ZxcJv+94vnMSXFU7kS8lN9ZorQe+cE6GXi2R1gpTlwA5Hg5uwNCcuriwa8jxO\nep/L6gQ5gkldhDUpTD/ZzY97aApdEgVR5l4CE/mO6Y8O/dEPsDs7Q/jkWO3ki8dj\ny+5U/BIjZ7dOlbRszeuGd3TIYxFm74NZFzkiO8ILWb+Vmb65h3RZ6gXcV+kMOQ==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDuDCCAqCgAwIBAgIUbspBw2T4/uUSr4m8Fcz6lonn7v0wDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxNzE1NTI0MVoXDTIxMDgxNzE4NTMxMVowLzEtMCsGA1UEAxMk\ncHJpLTE3azB1Y3kudmF1bHQuY2EuMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnUB60NwK14sqjWlkyXpGWGhBcOVuegGoBttl\nlwT6z0lD6MlICIxDYf5XoT727IX6hBdnsO84ScFhk3H6CoVtUa23nnAdsi/fpOwN\nJmya384ghJhfIwGiGBmFCqvwmzN5SFY32d3j17VFwzWFPI6WIFRBIxdaUnGE1g4O\nGK83jL6IlMWcxEQxeosGE4Y1Vc3jqvkAtgNlP/HDXhBEGDbbBihc/BG3Ec0r5qDk\n3dV2fciRcPiUsQcgjNs0rqpD3pINRvUCIBUkyxFC7gP8al/g5+nz99zphWy3LTGZ\nZcEboCNm3pBf4zURVGoXKaZm9Cd8xWWMZG1B7gt1rREehuby4wIDAQABo4HLMIHI\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT2XfIv\nwWQufFG+F4PhOnrJ416jpjAfBgNVHSMEGDAWgBTmfIv2R0MeGVP9tpjsig62TGDr\nSDBlBgNVHREEXjBcgiRwcmktMTdrMHVjeS52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWyGNHNwaWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZk\nNS5jb25zdWwwDQYJKoZIhvcNAQELBQADggEBAJUyMEdBo5NqpNufk0JFeo8aQ349\nwGMmLJofcDuVI9HOUK6CiJYbuo4/Mc0cw1Uumh8zxAcn8NLp6qlwuBdfnc0kYgSM\n3ZPEOATlb1dAUxFfnEJajXI9J2dpf1FIYO20V/BQHEIlb/QvM/xtdSxBXC9It4ue\nUMtQK10pULNebt/kYDc6HegP8SNKNsji5iNGB/gbpUu/4A2DmWWo5ANkVGwd+2dj\nAK+SWQaj6BQx98qmxLoFcqC6UOzoMTXbHC/U7Bzj2SnNLuLqhyYymSje1pY/1xBh\nkkm6vTTsFet3Gzx+Cz3O8wZtA7UI8mcHXgODQgRchvW24f/iqqAus5oade4=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDuDCCAqCgAwIBAgIUELxgNzVynQ+F6ARSapgcUpcZgvAwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxNzE3NTI0MVoXDTIxMDgxNzIwNTMxMVowLzEtMCsGA1UEAxMk\ncHJpLTFlaWZybHQudmF1bHQuY2EuMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkze9VsuberGGgY5GU9yzlAlm9fPKI7AqHbsH\nczgewDIxmF6HyLnWTAN2ajKR2UMqixXIXg1AealRop6j8F3DUrBhLhuyMI5WYS0d\nxpz5RCc9AFnHR8U20eX4GP+KI8r8JSpcrYKyvwh4SMuaHZjS3J3mk0LjuE0CgTEo\n0rV36lg1Op9UrXIqnJtwkGmzy5pne85rOIq8S1l57G0E8+tWdUfqfdniHw2zAeJU\naND+X+8iG8BPQ48b9FP7m0vRD7WeekSoaPaE1srpsmKJXCUA7t3lEEo66eZNAALW\nvd9KZDEmlGDB6FWQEq9Awry/t8CV1rFnI37qH+R3Ufc5RcWl5QIDAQABo4HLMIHI\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/Jcgy\nbsiNlGIELHp1RIOOvN6uqzAfBgNVHSMEGDAWgBTmfIv2R0MeGVP9tpjsig62TGDr\nSDBlBgNVHREEXjBcgiRwcmktMWVpZnJsdC52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWyGNHNwaWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZk\nNS5jb25zdWwwDQYJKoZIhvcNAQELBQADggEBALa3biw0ixRTjFxWP1qfB+TzWKLh\nuVjNq5VvR5gcPyIq7k+2Zq5xoGJuyxE+4PO9wBmdxvI6NOsxLD3yIxm8v0x+xnrr\nz/C443eBCsNSTopSYqaI1k/NyHKmfa+KWDIxJosI6Ny7OAVLm1mCchLeN0cD3xmJ\nXY6r25KnuzKOKKJbfHSGPn1tLj8xP6ZSTZ3DZ5wePK0gOZFUfiZFjxNnYuvJuIMg\n0KKWOU0YeXeX97ZOOTKcru0kpxBuxnr99v0y7GHHd7Kf1DypBnD6QB/EyUg2gC5z\nUhrtfRo5/d4h8bSMXW/BBDJT1SbwBsz8D5lBB27miJrSwFdKDSX2pch6XEU=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIUJcfpWKBjprDCsUiuNnpuyQXkJ9wwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxNzE5NTI0MloXDTIxMDgxNzIyNTMxMlowMDEuMCwGA1UEAxMl\ncHJpLTFpZWtobmxvLnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALcXxwxYhlcjyB8vp6V9SOkCiDY4KzpbRMdW\nibeZQ5sfla4OtD02vqlz/RZRWvjFMZSZZ+9XZ5RdnbyUyWPJx0i/BbJQAfIDhIXR\nH3HTbCBEM6rs6QPmR9f3Rjf7YvD9WuWTM4y5e3/aAjrWpvZjvM2XAFlpx+z7l8pf\nuAf4X2wiqqsZHNFWfwtoBNyYCMi/txwNGO8P6eUzKuJLKguPzHAEVC6uZCHVRP1G\nIs2iRcneJMvReUTmBqtbOnwnO2XYfMfnjIXG8+NLk9jKtArY+CMxH1zpVgoiLgec\noeoYP22HvsO81ufRmHDFuUI7sKw7kPp6UCPXcwu1D0bD4KI0170CAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUk4dW\nCUW7v9BLth8IV7/q7QZRoD0wHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLTFpZWtobmxvLnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEApBs/O1wbhjKtQAsHnJfDmRBv\nOyM34V93Sx0PVfCTbxdnPhrmF+li2KwNh+mVTYPFAoULursi/LCwInlTIATttaba\ngtXg/A//AI1Wnnnkcgri4QAFjWxzodLMNte3yIPPh8yy50+cnqCDxpqHvRyl4Dq2\nTfpVQhVOtRUwOgYJH92sERgyOomys2tyDGP3sjoyPzGPWy9G5qvRexO68ua0xLLS\nzmvT5IVBAwKy+jzZZQQmw3tYIHk8Jkgc3j1SKVAU6FPIhz9rpPirC5benPqUX4Ax\n0C2673i1sSdslKRYYm51pJoTtDHEvX1nW6Fn6FxNKomoj/A+Tu3cPBzgytpGmQ==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIUIyZMrheyr6KWAWPSs0JVXjcY0JcwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxNzIxNTI0MloXDTIxMDgxODAwNTMxMlowMDEuMCwGA1UEAxMl\ncHJpLTEzbXMyZzhxLnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBANCXbQ5nqNKjFg8C2tjVX1/6LdgD78bM2bcB\nSg5G+6mlkQl9lX3KjbU5QDAUfgeSul8Aqni83pjHnQyFgF9Wlkmkuuaw4Ao0REnE\nhg5AOGyEr4JCPdvHDCdbEfOr4RvLhE9fEib2uYgRW7X+/Jp4N0R9aYPH/p4KkaA7\n++VfLb9ekq3sJQdO8akei9bpiXPk61JbKH0wz+Z6rYFeXg7qVIElwnrcmJq6ecRr\n9SIxQE+GNew9raT/o3EjgeaGPuDSLpxb/wlFHqKKDlZLhZ+9DyED7cNvCuP3Xc+9\nUtTpsgmiGZ2KI+R+Oh89nZVRdfEBXPk75R19MF+O5qBGHY8/11cCAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7w0r\n52g+v/Lgz3vSaZTCn3zCIQAwHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLTEzbXMyZzhxLnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAWXrBaMens9hHXmQ6D0FS7Flw\nDlXxnprnGzzIn9XDGkQjh37mVm0LMP+393TjPXOtfNB951NFrp40v6nPEvV4KyTz\nenOh//Tkjvx7jszfHmxxSh9rUejKD78H4GWaJV/w//rnYq+WdrkjJLzPxl6AYaVR\nWWbQ9Mli/5bpTL0NW2ojeU16IL7jb0zsrIIXyHADZ3rkkPSl+5W+VFnb5MZlDRZY\nWh/kKUzC0ovuuyv/os7rMyLFKkoq5RSotEumhCzfOeVKVWFUK3pE4cdQz6VsMSow\nLnxhap3rzu5hV5sFPnnxlqb4jcmqg+GFvWt1zY95PaW4qMAQ37FYij2RvuLEqQ==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDtzCCAp+gAwIBAgITC+T2TDf2vxTybTlPayd59rD6XDANBgkqhkiG9w0BAQsF\nADAvMS0wKwYDVQQDEyRwcmktZjd0bWIwby52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWwwHhcNMjEwODE3MjM1MjQyWhcNMjEwODE4MDI1MzEyWjAvMS0wKwYDVQQDEyRw\ncmktNnpucDRqeS52YXVsdC5jYS4xNmNlODQxNi5jb25zdWwwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQDRL0RjTsAxy0C0YTOBKrAB3blAtw8rjhZXS4ZO\nQN2+ScUzUjLs2PzqSmNu6aM1/zWuT812oVOo/NoSzbW4QMVlhdpX6FrluS02SwX6\nEH0JBQxckyO+ExOP8HtM4eSYX4ZATiPKsf9Js7VEy5XLJTBqmI7ldhBjxhwISwpu\no9heU4+8EgTGr+YfFJmBmrQ3+SJwHcEdu9R3kf+ZS/jNynQHCQ/c9Xq/VrLLBh0J\n2iU6RzuC1HgScyDIn5rCpP8PqLfHq4QyH9j0dMxd+CahMF3E/rEsRDQV8UJn2Kok\nO2epJ2UNOHy9FVwAqI3GexBNuSqq2u7adLsXNQcfMAJxQ1hNAgMBAAGjgcswgcgw\nDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDIeWBUq\nAc9fh9ioBALUin/9o7MLMB8GA1UdIwQYMBaAFOZ8i/ZHQx4ZU/22mOyKDrZMYOtI\nMGUGA1UdEQReMFyCJHByaS02em5wNGp5LnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1\nbIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAyNmQ1\nLmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAGgzV/7a84398HFdRwf08nQBpfv/R\nHt4DHkGKSD5pp9lp1uLPIBWuPwYHffCjcitEx9bmRt6xSEguiayc+SL0tkdsO6pe\neAXmDdsYXurdoT3oV3+8rIcoQo1PP0okTHT0n4Kqs/e340b7NW8wzdBAcVdT2H8y\nZs11ee0rNteZIbHuNE73oO7jqd4Uim4oYPEw6cWCz7NkQuJ8YWpWnoK+9I/Db2zd\n9RZweiI0sJGos3twfZVd+8h1yz0bzHDti/Pr5nZQSKmXL2GwavAbrpsgrD0Kop6Z\nOluSnNSy1FDEPB00XG01+lbwf+P/ABP7d/7keuoV7BlMrtNVfbiuuRLXfg==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIUEPDcWMbB7849HqGNXwM3da9FmG8wDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODAxNTI0MloXDTIxMDgxODA0NTMxMlowMDEuMCwGA1UEAxMl\ncHJpLWF0Z2M5cTc0LnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAPGFZlUF0dJeNfU3uxqE3G1cupHhBaAkzBFm\nlBGYqLN0bxNKRvvk0K1IHGva6cdaz/F2fRpKI9wBEpDyfvADNm5mItPQXY6XkJGk\nyfx9R1aLPL9W5vFLvSKgLRgrK68LTOz3TA9//lOHtqGqHYQZ/91flvn+fAUUbvjg\nxvv3MN99QX8BKf12Xxh302jDVWZjHmpXj5qaP07AhZ7exuvH0NJAAMbPbLegkqM6\nj09hfj3GCuE1HQrKMNmLyNpAwpv5A8Ld1dBD5JIRijXP0vrhhAMMwsA1XVfapcCc\ne4LAQAJxAGRd95Ddns4xZTvaEGAqQRzNhBebCmFy1QSLDaP8+xkCAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDIyO\nBjeqPD3XvIB2+0QyJj7bKQ8wHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLWF0Z2M5cTc0LnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAjShUrSXguQnI4WzqO24IAgO+\n+rv7VlVUKdUCtrOXAQLRLCClO7Eiqpt2xBqQggfCD+04S+gUIH4RFsz9VOwTUf20\nDTc93ndRf1GfctuKGcJ/KLvzAcbKUUcbyZO0h05es1ZJ3S3lY/WRmWlMJOX9jQRp\neqYnqnq6L4+3j5hIfMR5+jngrwCe1jC+gd78hdF5pVZhCc/3B//+/RGaDXyTh1RI\nwfqZ1qL3lqnRhcTri93ZiL9NJVNwH3ovGN+NVqgB7TRZWb3DOcjgh4P7yd3RkDvp\nM1d00+hazFpPmrURxBmYRjo9CXb5LnnALSYEbCZThVFUIStwZh5Eb0rOGXO5TQ==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDuDCCAqCgAwIBAgIUcotQhPE1iJ7Dbp6MeYWRUl+9N9MwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODAzNTI0M1oXDTIxMDgxODA2NTMxM1owLzEtMCsGA1UEAxMk\ncHJpLTFncDB6a24udmF1bHQuY2EuMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp7fmPajTE4vWrZ4BugmqYPXSGrWS5hR5+a7s\n0YT/IAuYQ/vexv7obai8/JHleLF3KoGb4kpKGAjRaGJQtcqqmDAQuSjHmWmHX0RL\npu+4lngDP1/K5UJRJtecv7P1bIOn2xR4jugQk7zc6ED4TRN0Tmc3thehFj/ji0kn\nBBMZtH0ELzSQtJGTcV9JavZvSaS8rORmwbZPNXWL4HanV9iOqgM8VJuyMhVpZRj6\nlsF/xB+Yz2FDxNjFcvD27IboX8JaWT89HXILsQuS2UUWKmwTRnQQotJ8Z7SYtNDe\nrmyntwdatwE+YUJKR07sL9JtjzSSk5cJmBASmfSgYPxRBkO8nQIDAQABo4HLMIHI\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQpyyrk\n9FNGrEFz28RrY3vvQwa/KzAfBgNVHSMEGDAWgBTmfIv2R0MeGVP9tpjsig62TGDr\nSDBlBgNVHREEXjBcgiRwcmktMWdwMHprbi52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWyGNHNwaWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZk\nNS5jb25zdWwwDQYJKoZIhvcNAQELBQADggEBAKjTBNV+QSiSkOemLvdxbTYoCCPQ\ng3NyuMYU1QlK2+wPvR3lFdUDy4kqYDY6fTD3/aC1SKl64/u7a/Jm2wuKemKG9RqC\n3xY6i8vmdqHg2aNWQNTBRRLiB4sUCwFqnuRU5YRrXGczHukO6huaSmllZ1EpkuR2\nLxJ7dwQRyXNPUdR4GPCZtJ0v2PIBDUcAM0KGP89HeVNDpZl6QC2KmgZDQE9GOCpi\nZPxZKqYDRdeYeVDr6sByreUVNEnS7dY9Gn0x4ubd2UIYa2tcBPjrYpadX6sMWiiq\nwwLGqi57ZfpI3cqnh7HVVazJMxn4WdE2IyX75TP8l5aGicGfk3LqYgyJ2pY=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDuDCCAqCgAwIBAgIUd702Jzx1V4VkkzdLkVa7UAUARXgwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODA1NTI0M1oXDTIxMDgxODA4NTMxM1owLzEtMCsGA1UEAxMk\ncHJpLWR0dWlnNXgudmF1bHQuY2EuMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqp6kc58GlGe5LLou1yXBYZivZotWrFgBBd6O\nsP9xfOe3OVF36e3aVz0IkPd/fb/utrVDgkUv9gTaoXq+ZFwdOEPXskfgd1jaqraQ\njRpJyXE8aSPcyko03VHR3VS3NqEqhgEprsv9nLveAoQlDOkuX90LGb/nsfKjrlpR\nW+MguNCzsnC2Am5PLYSaycubrX4KG8nOEJXaxyx55vxma7GGGE3JNQCR5VV16rx4\nycAnQiirRm1JsKh+BtA897p1xI/VPu0y0axexfUB8w9b3ynVZB0AL8RRg3LPCPxJ\nC7f09Ca9TPV4xmRZ9XxPsYjfQyG/3jQMGf6SNu+AGy1nidbqowIDAQABo4HLMIHI\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRuytip\nwak4wrRaBTOxKl4LD8HXwDAfBgNVHSMEGDAWgBTmfIv2R0MeGVP9tpjsig62TGDr\nSDBlBgNVHREEXjBcgiRwcmktZHR1aWc1eC52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWyGNHNwaWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZk\nNS5jb25zdWwwDQYJKoZIhvcNAQELBQADggEBADV8E2lQ5LaHzGgiNKLi+LbU8Tot\npFFLdE+OQLZq2AdKKXP9TsoMAZTexF3b7G9cOqRQ1p39QvJErDY6ebd7eKlHh2lW\nCUK5fEpd4PLIR+TZq4jaGbE0gOqnAp2HkAh6WSI28ktyXrrvoR5uddSrS1cJtYlI\nmplLGAy7CCwJrY0qYYdh1nsseDOLo2GFOsN7YlmVf5Vj56OnqDTH8fbTVhETG7K3\n6fuZmYRs05upFE+8TPfNR4+UW4RCls/c5KGhyULD4bTT55QOrVOvtuftaZhuyCYW\nS/MjFhtdKGRdeoVc1QtKaUpfy03vnY2R4Oen41JVVXDtaf0bKOz/gktVZwc=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDuDCCAqCgAwIBAgIUAReLeoll9yGj2s0tWJjg09PgEYIwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODA3NTI0M1oXDTIxMDgxODEwNTMxM1owLzEtMCsGA1UEAxMk\ncHJpLTFrYnFiNWoudmF1bHQuY2EuMTZjZTg0MTYuY29uc3VsMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1CCdwwBEVIOZrqlYRxz8c7tmGrnvjxptFshA\nqSifNxvUwPU6/IGZxJGN2FeUQqQ7k9cVzA+vGdtJd3mpnVdr/bGWiHWrdh8Hy5lt\nkVrpVn1N+eMaSlQE6YqT+Oq9sMGcy3y9ybzkYxDH9mjPBBDmNeHQW5/1hCnA/m7K\nOY/AYWB0WVGWXGjqjiDaD6f8coHXZLaY7t44alo6bdimXHDfCJ/1dDDrjcwgEzoL\nPt0jTCC0F4xv7VjhY/QLXcqxfx2jtyCiqRTWveSmtbQ8kvK97wbEs1nu70R/21Hm\nzBWN6nsVj2ATNAcNEJR05DCoiYET21ar3GsDdelQ2a0SbDnpEwIDAQABo4HLMIHI\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTlXkYS\n7z75sKKeCfwFwk4qSF1d4jAfBgNVHSMEGDAWgBTmfIv2R0MeGVP9tpjsig62TGDr\nSDBlBgNVHREEXjBcgiRwcmktMWticWI1ai52YXVsdC5jYS4xNmNlODQxNi5jb25z\ndWyGNHNwaWZmZTovLzE2Y2U4NDE2LTEzOTgtYzJmYy1lMzU4LWM1YzU5Y2QwMjZk\nNS5jb25zdWwwDQYJKoZIhvcNAQELBQADggEBADk9EDUVkMWps9J2ecPH1Thk2Q+D\n2F4dYGcb/SMxG2DYyMPk+4Al5lFussxNTj1V1LfSm7QwydOel74n6AHYv+lqkiV+\nGWKAibAasCWhGiCwkqjoJNR/sBvg3OlyDnXa7z1E3+OiYlT/djOJY5iRmM2BvtTI\na/cvlczCmS9ZwbB6gmhKs/uSLLlxKmDtGeA/TsdHT7qSxsEdpzRJtH6XQxStHFCV\nYWJF8pyzdtUXjGS8m6GhK0bHURVp69uWAyFwPfpitVEj7wcKI1FoWT66S4qZmDaq\n9BnT1XOBC9rYbeG3f8r6UeVoba9iAoaBbSJrYv6eoEWbMCwt8IE74UK9U/s=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIURD5fxNX35TTDYc7V/565IUT1VMMwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODA5NTI0M1oXDTIxMDgxODEyNTMxM1owMDEuMCwGA1UEAxMl\ncHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAJ79JJNH8a5VUisw/MuO+WRbMTe4PfPfTlce\nhSJQAH+Y1RFiLBjIifk9E/z4FqUZwJtmaBRr87pHHGZeIDiHZLLNryD+S1WrznfE\nGuw1VXLvTY0s88sgBhaaHAaxRDeVrKiKB/Zu1z5tEgqKEnvJCsQiJeoKuZwwo8p3\npc5ZrphhMIj5uJIcscoFA6VvHArXDX0BDokRxlENUjmkCB1Qu/1UHvMdmz4H/Dg2\nQOv5MvWIdeVOkiN07pvbP9vlp8Zozs57lN4DGEHDBAqNe0EGhR9c1Cu2JB11KJ0J\nX2BcGGoQ57udgsSMFlLxS6ndgLR+3U+IxI4zSckat3O0uF5oIwMCAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUuRFF\nKdr4B2zRVtFQ84fUX1MyLq4wHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAV6rOr5vT1wg9p0rgQQVC94uP\ncqatqAygiVucs+zLm8h1cgVXFRFZw8C5Lacu6AmYMdSL/LKjWL70IKCRXK+AkUEo\nY6f0saFMzV8IFGYgEa2gy3wGDb36y5wDJWei/jD4UignXYnyzIg1dqsGXqmel0t0\nY+OLt1bSjjzngk1xoJ9FKkb2JkryYOVC9uqzzPmRxZ5NXRTFFRJlIxFBjUAuCxY9\nJCvqey2p5XUiYIs/W1TSWNC0S0krSQ2Opik5HWP/5ZtT/a/Sy2hmGa5q1ghcaGuO\n82HDC2HFGEgFKbRagdzVxtyPMJQeV5QWL1hQfGCzn0kWTkxzDIM/9fObbAjWbQ==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIURD5fxNX35TTDYc7V/565IUT1VMMwDQYJKoZIhvcNAQEL\nBQAwLzEtMCsGA1UEAxMkcHJpLWY3dG1iMG8udmF1bHQuY2EuMTZjZTg0MTYuY29u\nc3VsMB4XDTIxMDgxODA5NTI0M1oXDTIxMDgxODEyNTMxM1owMDEuMCwGA1UEAxMl\ncHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNvbnN1bDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAJ79JJNH8a5VUisw/MuO+WRbMTe4PfPfTlce\nhSJQAH+Y1RFiLBjIifk9E/z4FqUZwJtmaBRr87pHHGZeIDiHZLLNryD+S1WrznfE\nGuw1VXLvTY0s88sgBhaaHAaxRDeVrKiKB/Zu1z5tEgqKEnvJCsQiJeoKuZwwo8p3\npc5ZrphhMIj5uJIcscoFA6VvHArXDX0BDokRxlENUjmkCB1Qu/1UHvMdmz4H/Dg2\nQOv5MvWIdeVOkiN07pvbP9vlp8Zozs57lN4DGEHDBAqNe0EGhR9c1Cu2JB11KJ0J\nX2BcGGoQ57udgsSMFlLxS6ndgLR+3U+IxI4zSckat3O0uF5oIwMCAwEAAaOBzDCB\nyTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUuRFF\nKdr4B2zRVtFQ84fUX1MyLq4wHwYDVR0jBBgwFoAU5nyL9kdDHhlT/baY7IoOtkxg\n60gwZgYDVR0RBF8wXYIlcHJpLTFneHp1Mm56LnZhdWx0LmNhLjE2Y2U4NDE2LmNv\nbnN1bIY0c3BpZmZlOi8vMTZjZTg0MTYtMTM5OC1jMmZjLWUzNTgtYzVjNTljZDAy\nNmQ1LmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAQEAV6rOr5vT1wg9p0rgQQVC94uP\ncqatqAygiVucs+zLm8h1cgVXFRFZw8C5Lacu6AmYMdSL/LKjWL70IKCRXK+AkUEo\nY6f0saFMzV8IFGYgEa2gy3wGDb36y5wDJWei/jD4UignXYnyzIg1dqsGXqmel0t0\nY+OLt1bSjjzngk1xoJ9FKkb2JkryYOVC9uqzzPmRxZ5NXRTFFRJlIxFBjUAuCxY9\nJCvqey2p5XUiYIs/W1TSWNC0S0krSQ2Opik5HWP/5ZtT/a/Sy2hmGa5q1ghcaGuO\n82HDC2HFGEgFKbRagdzVxtyPMJQeV5QWL1hQfGCzn0kWTkxzDIM/9fObbAjWbQ==\n-----END CERTIFICATE-----\n",
      "PrivateKeyPEM": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIC7Amsxmgx+FGLvvetxdjymwkD0FCVdwe4upoD3DI5BAoAoGCCqGSM49\nAwEHoUQDQgAEKsi4gs6AGMcmFyKyvchMgW3+97tGaXsnsSjM78cilm5+fyIcZod+\nYTHw888mPvGGW4N7yCkpJW2iuZpBsdnePA==\n-----END EC PRIVATE KEY-----\n",
      "Service": "web",
      "ServiceURI": "spiffe://16ce8416-1398-c2fc-e358-c5c59cd026d5.consul/ns/default/dc/dc1/svc/web",
      "ValidAfter": "2021-08-18T10:55:32Z",
      "ValidBefore": "2021-08-18T11:56:02Z",
      "CreateIndex": 15200,
      "ModifyIndex": 15200
    }
@danielehc danielehc added type/bug Feature does not function as expected theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies theme/consul-vault Relating to Consul & Vault interactions theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Aug 18, 2021
@blake blake changed the title New service leaf certificates not reflected in API resuls New service leaf certificates not reflected in API results Aug 23, 2021
@mr-miles
Contributor

mr-miles commented Sep 13, 2021

I'm also seeing this behaviour in the http api on consul 1.9.8 (no envoy, just calling the endpoints) - it seems surprisingly easy to reproduce.

What I mean by that is, I'm surprised it's not causing more problems for people.

@acpana
Contributor

acpana commented Nov 20, 2021

I've been looking at this in the background.

While I am still new to the code base, I think the issue is mostly isolated to the background caching in the API endpoint. Still investigating how we can make this right.

Today, once a leaf cert is loaded up into the cache, IIUC, no non-blocking query can get the callee a:

  • new leaf cert generated after leaf cert TTL expiry
  • new leaf cert generated after we rotate the CA

Blocking queries will give back the expected result:

#  curl --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}"  "${CONSUL_HTTP_ADDR}/v1/agent/connect/ca/leaf/web" -v 

#  curl --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}"  "${CONSUL_HTTP_ADDR}/v1/agent/connect/ca/leaf/web?index=${LAST_CONSUL_INDEX}" -v 

# the above will show different leaf certs on leaf cert TTL expiry and CA rotation

@acpana acpana changed the title New service leaf certificates not reflected in API results connect: leaf cert rotation is not reflected on non blocking api queries Nov 20, 2021
@acpana
Contributor

acpana commented Nov 20, 2021

I think this issue and #9862 are the same.

@mr-miles
Contributor

Thanks for looking at this. I updated the cluster to 1.9.8 (following one of the linked issues that said some changes in that area might have sorted it in a just-released version) back in the summer and the issue may be solved.

Since then we've had one case of this error, and there was enough other activity going on for it not to be very obvious what the cause could have been. We are increasing usage of it gradually while we build up confidence that it's definitely gone.

@mr-miles
Contributor

As expected, making a comment like that was enough to trigger a new occurrence in our uat environment.

It's hard to say anything definitive, but looking at the logs it appears that the agent in question had trouble connecting to the cluster. Either it wasn't able to renew the certificate before it expired and the certificate was then stuck in the expired state, or something about failing to connect caused it to stop trying to refresh it.

I can see log entries like:

2021-11-18T00:13:53.972Z [WARN] agent.cache: handling error in Cache.Notify: cache-type=connect-ca-root error="rpc error making call: EOF" index=57794105
(happened once)

2021-11-20T00:45:20.713Z [ERROR] agent.client: RPC failed to server: method=ConnectCA.Roots server=xxx:8300 error="rpc error making call: rpc error getting client: failed to get conn: dial tcp xxx:0->yyy:8300: connect: connection refused"
(happened a few times over a period but assuming it recovered)

Making the request with the suffix ?index= forced the agent to get a new certificate and it was then fine.

@dnephin
Contributor

dnephin commented Nov 22, 2021

Thank you for the details @mr-miles! We believe we have confirmed that #9862 (making a request with index=0) can cause this bug because the cache-entry is never updated.

How are you using this endpoint? Are you not using Envoy at all? How frequently would your applications make requests to this endpoint?

I believe as long as there is at least one process making requests using blocking queries (?index=) it should be sufficient to update the cache entry. Envoy will do this automatically when it uses the xDS API, which is why I ask. But if all the requests are made without index= then it won't refresh the certificate. If you are only making requests without setting index (or setting index=0) I think that confirms this is the same issue as #9862.

After 72 hours of no requests the cache entry should expire, and the next request would properly generate a leaf cert again (if a new one is required). So maybe during normal operation requests are made less frequently than once every 72 hours, but when you went to confirm the issue again you made some extra requests which kept the cache-entry around?

@mr-miles
Contributor

Correct - we aren't using envoy at all.

We are using the leaf certificate endpoints directly: services request their leaf certificate and can then use that to log in to vault and get cloud or db credentials. Works well for our set up and gives us minimal credentials to manage: the environment is some way off evolving into a full service mesh hence no envoy.

I think what is happening is that we only start requesting a new certificate 6 or 12 hours before, so I guess we're keeping the cache entry alive with that request.

My question is - if I always make the request with a constant hard-coded index, e.g. index=3, when the index is known to be way higher than that, does that fix the problem everywhere? Or do I need to track and use the right modifyIndex?

@acpana
Contributor

acpana commented Dec 3, 2021

hey @danielehc thanks for digging into this and for providing detailed info.

We had a chance to fix this with #11693.

The fix will be in 1.11 and backported to latest 1.9 and 1.10.


@mr-miles -- thanks for your engagement here. Let me try to answer some of your questions:

My question is - if I always make the request with a constant hard-coded index, e.g. index=3, when the index is known to be way higher than that, does that fix the problem everywhere?

No, in general index ~ min query index. So if the current index is 54, queries with index=3 will return the leaf cert with a modify index higher than 3. Let's say the one with 54 in this case.

Without upgrading to any of the new releases above, you can still issue blocking queries to make sure you get an updated leaf cert. But

Or do I need to track and use the right modifyIndex?

yes, you will need to keep track of that.

With the fix in, non blocking queries will always revalidate the leaf cert and if it's not good (expired or ca has been rotated), a new one will be generated and returned.


I'll leave this issue open for a while to offer folks a chance to follow up.
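A client-side pattern for the advice given in this thread (keep the last index, block on it for the next request, and treat an expired `ValidBefore` as the stale-cache symptom described above), written as an added example rather than Consul's own code; the agent address, the sample response body and the 10-minute renewal margin are assumptions.

```python
"""Poll a Consul agent's leaf-cert endpoint the way the thread recommends:
always carry the last index into a blocking query, and detect a stale cache.
Added example, not Consul's code; CONSUL_ADDR and the sample body are constructed."""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode

CONSUL_ADDR = "http://127.0.0.1:8500"  # assumed local agent address

# Constructed body modelled on the /v1/agent/connect/ca/leaf/web response above
# (same field names; PEM bodies replaced by a placeholder).
SAMPLE_LEAF = {
    "SerialNumber": "0e",
    "CertPEM": "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----\n",
    "Service": "web",
    "ValidAfter": "2021-08-18T10:55:32Z",
    "ValidBefore": "2021-08-18T11:56:02Z",
    "CreateIndex": 15200,
    "ModifyIndex": 15200,
}
SAMPLE_LEAF_JSON = json.dumps(SAMPLE_LEAF)


def parse_rfc3339(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def leaf_query_url(service: str, last_index: Optional[int], wait: str = "5m") -> str:
    """With last_index this is a blocking query, which refreshes the agent's
    cache entry; without it the read is non-blocking and, on affected
    versions, can keep returning the cached (possibly expired) leaf."""
    path = f"{CONSUL_ADDR}/v1/agent/connect/ca/leaf/{service}"
    if last_index is None:
        return path
    return path + "?" + urlencode({"index": last_index, "wait": wait})


def evaluate_leaf(body: str, header_index: Optional[str], now: datetime,
                  margin: timedelta = timedelta(minutes=10)) -> dict:
    """Decide whether the returned leaf is usable and build the next request.
    X-Consul-Index is preferred over the body's ModifyIndex as the index to block on."""
    leaf = json.loads(body)
    valid_before = parse_rfc3339(leaf["ValidBefore"])
    index = int(header_index) if header_index else int(leaf["ModifyIndex"])
    return {
        "serial": leaf["SerialNumber"],
        "expired": valid_before <= now,           # the stale-cache symptom from the thread
        "renew_soon": valid_before - now <= margin,
        "next_url": leaf_query_url(leaf["Service"], index),
    }
```

An `expired` result from a non-blocking read is the signal to retry immediately with `next_url`, which carries the index and so forces the agent to revalidate its cache entry.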

@acpana
Contributor

acpana commented Jan 18, 2022

Closing for now. Feel free to open as needed!

@acpana acpana closed this as completed Jan 18, 2022