From 2a1e8421005867818392ae5f8729291d4e60d9f8 Mon Sep 17 00:00:00 2001 From: Andrew Stoltz Date: Mon, 25 May 2026 19:55:38 -0500 Subject: [PATCH] runners: bake step-ca root CA into image (v20260525-stepca) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without the IAmWorkin step-ca root CA in the runner image's system trust store, .NET HttpClient calls from CI tests against `*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`) fail with `The remote certificate is invalid because of errors in the certificate chain: PartialChain`. FlowerCore.Print.Web's `WebScreenshotService` unit tests hit this on every build. Drop the step-ca root PEM into `/usr/local/share/ca-certificates/`, run `update-ca-certificates` once during apt install, and let OpenSSL + .NET-on-Linux read the regenerated `/etc/ssl/certs/ca-certificates.crt` automatically — no `SSL_CERT_FILE` env var, no per-Deployment volume mount. Image rebuilt + saved + imported on all 3 schedulable RKE2 nodes (rke2-server, rke2-agent1, rke2-agent2) before this PR — verified with `ctr images list -q | grep stepca` on each node. Co-Authored-By: Claude Opus 4.7 (1M context) --- apps/github-runner/Dockerfile | 10 +++ apps/github-runner/README.md | 30 +++++-- apps/github-runner/github-runner.yaml | 114 +++++++++++++------------- apps/github-runner/step-ca-root.crt | 12 +++ 4 files changed, 100 insertions(+), 66 deletions(-) create mode 100644 apps/github-runner/step-ca-root.crt diff --git a/apps/github-runner/Dockerfile b/apps/github-runner/Dockerfile index 80ba7c5..bc95927 100644 --- a/apps/github-runner/Dockerfile +++ b/apps/github-runner/Dockerfile @@ -12,6 +12,15 @@ ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ru USER root +# Bake the IAmWorkin step-ca root CA into the system trust store. Without +# this, .NET HttpClient calls from CI tests against *.iamworkin.lan +# (e.g. https://selenium.iamworkin.lan/session) fail with `PartialChain` +# because the runner image's default Ubuntu trust bundle doesn't include +# our internal Root CA. update-ca-certificates regenerates +# /etc/ssl/certs/ca-certificates.crt, which OpenSSL + .NET on Linux read +# automatically — no SSL_CERT_FILE env var needed. +COPY step-ca-root.crt /usr/local/share/ca-certificates/iamworkin-step-ca-root.crt + RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ autoconf \ @@ -31,6 +40,7 @@ RUN apt-get update \ pkg-config \ uuid-dev \ zlib1g-dev \ + && update-ca-certificates \ && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \ && mkdir -p /tmp/ruby-build \ && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \ diff --git a/apps/github-runner/README.md b/apps/github-runner/README.md index 2b6b370..a2e69dc 100644 --- a/apps/github-runner/README.md +++ b/apps/github-runner/README.md @@ -7,7 +7,7 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile. All repo-scoped Linux runners use: -- `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from +- `localhost/fc-github-runner:v20260525-ruby3.3.11-stepca`, derived from `myoung34/github-runner:latest` - `ACCESS_TOKEN` from the `github-runner-token` Secret - `RUN_AS_ROOT=false` @@ -40,14 +40,26 @@ still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into `/home/runner/_tool/Ruby` before the runner container starts. +The IAmWorkin step-ca root CA is also baked into the system trust store +(`/usr/local/share/ca-certificates/iamworkin-step-ca-root.crt`, registered by +`update-ca-certificates`). Without it, .NET HttpClient calls from CI tests +against `*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`) +fail with `PartialChain`. To refresh the bundled cert when the root rotates, +re-extract from the cluster and overwrite `step-ca-root.crt`: + +```bash +kubectl get secret -n cert-manager step-ca-root \ + -o jsonpath='{.data.ca\.crt}' | base64 -d > step-ca-root.crt +``` + ```bash cd apps/github-runner -podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 . -podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v -podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \ +podman build -t localhost/fc-github-runner:v20260525-ruby3.3.11-stepca . +podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca ruby -v +podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \ test -f /opt/runner-toolcache/Ruby/3.3/x64.complete -podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \ - -o fc-github-runner-v20260520-ruby3.3.11.tar +podman save localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \ + -o fc-github-runner-v20260525-ruby3.3.11-stepca.tar ``` Import the saved image on every schedulable RKE2 node before ArgoCD rolls the @@ -55,9 +67,9 @@ Deployments: ```bash for node in rke2-server rke2-agent1 rke2-agent2; do - scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/" - ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true' - ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar' + scp fc-github-runner-v20260525-ruby3.3.11-stepca.tar "$node:/tmp/" + ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca || true' + ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260525-ruby3.3.11-stepca.tar' done ``` diff --git a/apps/github-runner/github-runner.yaml b/apps/github-runner/github-runner.yaml index 40446a4..d588c4c 100644 --- a/apps/github-runner/github-runner.yaml +++ b/apps/github-runner/github-runner.yaml @@ -22,7 +22,7 @@ # NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at # writable mounted paths under /home/runner so actions/setup-dotnet does not # attempt to install into /usr/share/dotnet. -# Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11 +# Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260525-ruby3.3.11-stepca # under /opt/runner-toolcache; setup-runner-home copies it into # /home/runner/_tool because the runner-home emptyDir masks image content # under /home/runner at runtime. @@ -157,7 +157,7 @@ spec: # honors the deeper mount. initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -178,7 +178,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: # GitHub org/repo targeting. @@ -334,7 +334,7 @@ spec: # rather than re-applied per repo as flipped lanes land. initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -355,7 +355,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -472,7 +472,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -493,7 +493,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -604,7 +604,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -625,7 +625,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -736,7 +736,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -757,7 +757,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -868,7 +868,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -889,7 +889,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1003,7 +1003,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1024,7 +1024,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1135,7 +1135,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1156,7 +1156,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1267,7 +1267,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1288,7 +1288,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1399,7 +1399,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1420,7 +1420,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1533,7 +1533,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1554,7 +1554,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1667,7 +1667,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1688,7 +1688,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1802,7 +1802,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1823,7 +1823,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -1936,7 +1936,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -1957,7 +1957,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2070,7 +2070,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2091,7 +2091,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2204,7 +2204,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2225,7 +2225,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2337,7 +2337,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2358,7 +2358,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2471,7 +2471,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2492,7 +2492,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2604,7 +2604,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2625,7 +2625,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2737,7 +2737,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2758,7 +2758,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -2870,7 +2870,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -2891,7 +2891,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3003,7 +3003,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3024,7 +3024,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3136,7 +3136,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3157,7 +3157,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3270,7 +3270,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3291,7 +3291,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3404,7 +3404,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3425,7 +3425,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3538,7 +3538,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3559,7 +3559,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3672,7 +3672,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3693,7 +3693,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL @@ -3806,7 +3806,7 @@ spec: fsGroup: 1001 initContainers: - name: setup-runner-home - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never command: - sh @@ -3827,7 +3827,7 @@ spec: mountPath: /home/runner containers: - name: runner - image: localhost/fc-github-runner:v20260520-ruby3.3.11 + image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca imagePullPolicy: Never env: - name: REPO_URL diff --git a/apps/github-runner/step-ca-root.crt b/apps/github-runner/step-ca-root.crt new file mode 100644 index 0000000..21546eb --- /dev/null +++ b/apps/github-runner/step-ca-root.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBxDCCAWqgAwIBAgIRAPY357G6ow6zMAL5+4bS2kkwCgYIKoZIzj0EAwIwQDEa +MBgGA1UEChMRSUFtV29ya2luIEFDTUUgQ0ExIjAgBgNVBAMTGUlBbVdvcmtpbiBB +Q01FIENBIFJvb3QgQ0EwHhcNMjYwMzA4MTgwNzExWhcNMzYwMzA1MTgwNzExWjBA +MRowGAYDVQQKExFJQW1Xb3JraW4gQUNNRSBDQTEiMCAGA1UEAxMZSUFtV29ya2lu +IEFDTUUgQ0EgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ2n04X1 +JZo5Zdq/i1Idv8+fqwZyAzBh7whbqj0SWsJL8UWRabCMqYCs7+dXO0xRSzqkwFDL +x+vooOai8RgRNhajRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/ +AgEBMB0GA1UdDgQWBBRnuPPQR6iM/H6vOluiU3Sygayz8jAKBggqhkjOPQQDAgNI +ADBFAiEArQK9dYPGmAZsdYnjziuFVVE5NKZUcceYvGfGC+tLXUsCIAudF2zJrCRq +3mK50ZZET/fwTkJwiEF4824mjP8p1CKM +-----END CERTIFICATE----- \ No newline at end of file