From a68d2cdb3e4860052387c6e631b951d826337c95 Mon Sep 17 00:00:00 2001
From: Alex Dehnert <adehnert@mit.edu>
Date: Tue, 17 Oct 2017 02:22:35 -0400
Subject: [PATCH 001/111] prune-mailq: Add an option to prune by regex

---
 server/fedora/config/etc/scripts/prune-mailq | 30 +++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/scripts/prune-mailq b/server/fedora/config/etc/scripts/prune-mailq
index ca683e74..04d3b399 100755
--- a/server/fedora/config/etc/scripts/prune-mailq
+++ b/server/fedora/config/etc/scripts/prune-mailq
@@ -9,7 +9,9 @@ usage="Usage:
     $0 show-rand [from regex|to regex]
     $0 email lockers...
     $0 purge-from lockers...
-    $0 purge-to lockers..."
+    $0 purge-from-re regexes...
+    $0 purge-to lockers...
+    $0 purge-to-re regexes..."
 
 usage() {
     echo "$usage" >&2;
@@ -102,6 +104,18 @@ purge_from() {
     done
 }
 
+purge_from_re() {
+    if [[ $# -eq 0 ]]; then
+        echo "Please specify a regex to purge emails from" >&2
+        exit 1
+    fi
+    for re in "$@"; do
+        echo "$re"
+        mailq | tail -n +2 | grep -v '^ *(' | awk "BEGIN { RS = \"\" } (\$7 ~ \"$re\") { print \$1 }" | tr -d '*!' | postsuper -d -
+        echo
+    done
+}
+
 purge_to() {
     if [[ $# -eq 0 ]]; then
         echo "Please specify a locker to purge emails to" >&2
@@ -115,6 +129,18 @@ purge_to() {
     done
 }
 
+purge_to_re() {
+    if [[ $# -eq 0 ]]; then
+        echo "Please specify a regex to purge emails to" >&2
+        exit 1
+    fi
+    for re in "$@"; do
+        echo "$re"
+        mailq | tail -n +2 | grep -v '^ *(' | awk "BEGIN { RS = \"\" } (\$8 ~ \"$re\" && \$9 == \"\") { print \$1 }" | tr -d '*!' | postsuper -d -
+        echo
+    done
+}
+
 op=${1:-}
 
 # We want to go ahead and show the usage message if there are no args, so
@@ -127,7 +153,9 @@ case "$op" in
     show-rand) show_rand "$@";;
     email) tmpl_email "$@";;
     purge-from) purge_from "$@";;
+    purge-from-re) purge_from_re "$@";;
     purge-to) purge_to "$@";;
+    purge-to-re) purge_to_re "$@";;
     *)
 	usage
         ;;

From ae28dd032c81b24d99a1852299b211742ee564e7 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 25 Feb 2018 19:54:32 -0500
Subject: [PATCH 002/111] Remove net.ifnames=0

We use NAME= in ifcfg-* to rename the interfaces anyway.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/default/grub | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/default/grub b/server/fedora/config/etc/default/grub
index 394dcc40..18fbbdcf 100644
--- a/server/fedora/config/etc/default/grub
+++ b/server/fedora/config/etc/default/grub
@@ -3,4 +3,4 @@ GRUB_DISTRIBUTOR="Fedora"
 GRUB_DEFAULT=saved
 GRUB_TERMINAL="serial console"
 GRUB_SERIAL_COMMAND="serial"
-GRUB_CMDLINE_LINUX="rd.md=0 rd.lvm=0 rd.dm=0 KEYTABLE=us rd.luks=0 SYSFONT=True LANG=en_US.UTF-8 net.ifnames=0 crashkernel=128M"
+GRUB_CMDLINE_LINUX="rd.md=0 rd.lvm=0 rd.dm=0 KEYTABLE=us rd.luks=0 SYSFONT=True LANG=en_US.UTF-8 crashkernel=128M"

From eedce78d900b0edcfc5f3073fd03bc07112477f5 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 25 Feb 2018 19:55:25 -0500
Subject: [PATCH 003/111] Bind new addresses on SIPB-486

Signed-off-by: root <root@pancake-bunny.mit.edu>
---
 .../fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:5   | 5 +++++
 .../fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:6   | 5 +++++
 .../fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:7   | 5 +++++
 .../fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:8   | 5 +++++
 4 files changed, 20 insertions(+)
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:5
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:6
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:7
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:8

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:5 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:5
new file mode 100644
index 00000000..5f9c7302
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:5
@@ -0,0 +1,5 @@
+DEVICE=lo:5
+IPADDR=18.4.86.46
+NETMASK=255.255.255.255
+NETWORK=18.4.86.0
+ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:6 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:6
new file mode 100644
index 00000000..06f75d2e
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:6
@@ -0,0 +1,5 @@
+DEVICE=lo:6
+IPADDR=18.4.86.50
+NETMASK=255.255.255.255
+NETWORK=18.4.86.0
+ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:7 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:7
new file mode 100644
index 00000000..bcf5795a
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:7
@@ -0,0 +1,5 @@
+DEVICE=lo:7
+IPADDR=18.4.86.43
+NETMASK=255.255.255.255
+NETWORK=18.4.86.0
+ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:8 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:8
new file mode 100644
index 00000000..83ae62a6
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:8
@@ -0,0 +1,5 @@
+DEVICE=lo:8
+IPADDR=18.4.86.29
+NETMASK=255.255.255.255
+NETWORK=18.4.86.0
+ONBOOT=yes

From 742c0d2cfa47f4bc07106e8dd7a6a0eef58d1837 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 25 Feb 2018 21:56:50 -0500
Subject: [PATCH 004/111] Remove manually created default routes

We can specify these with GATEWAY= (not GATEWAY0=) and METRIC= in the
ifcfg-* files.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 | 1 -
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 | 1 -
 2 files changed, 2 deletions(-)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
index 5fa63419..11adbec1 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
@@ -1,2 +1 @@
-default via 18.181.0.1 metric 1
 default table 181 via 18.181.0.1
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
index d82804b5..38f5abd0 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -1,2 +1 @@
-default via 18.4.86.1 metric 2
 default table 486 via 18.4.86.1

From 176ef383266a9935cdf2786a50de6f9ddf7a0386 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 26 Feb 2018 02:08:17 -0500
Subject: [PATCH 005/111] Add missing routes to tables 181, 486

Without this, packets for the local networks made an unnecessary trip
through the gateway.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 | 1 +
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
index 11adbec1..4f147ccb 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
@@ -1 +1,2 @@
+18.181.0.0/16 table 181 dev vlan181
 default table 181 via 18.181.0.1
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
index 38f5abd0..452cab0a 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -1 +1,2 @@
+18.4.86.0/24 table 486 dev vlan486
 default table 486 via 18.4.86.1

From af5c1bae7e122748ca2e2093a17cd2a4f697c2c5 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 26 Feb 2018 02:51:15 -0500
Subject: [PATCH 006/111] Also add backend routes to tables 181, 486

Connections from realservers to each other get routed over the backend
(vlan461).  Without this, the replies, destined for 172.21.0.0/16,
were getting blasted off into 18.181.0.1, never to be seen again.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 | 1 +
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
index 4f147ccb..808ae094 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
@@ -1,2 +1,3 @@
 18.181.0.0/16 table 181 dev vlan181
+172.21.0.0/16 table 181 dev vlan461
 default table 181 via 18.181.0.1
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
index 452cab0a..7be1166d 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -1,2 +1,3 @@
 18.4.86.0/24 table 486 dev vlan486
+172.21.0.0/16 table 181 dev vlan461
 default table 486 via 18.4.86.1

From 13892008afd0a999639e945692159596ba94d048 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 26 Feb 2018 03:04:01 -0500
Subject: [PATCH 007/111] =?UTF-8?q?=E2=80=A6=20minus=20a=20dumb=20copy=20a?=
 =?UTF-8?q?nd=20paste=20mistake?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../fedora/config/etc/sysconfig/network-scripts/route-vlan486   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
index 7be1166d..73d67b91 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -1,3 +1,3 @@
 18.4.86.0/24 table 486 dev vlan486
-172.21.0.0/16 table 181 dev vlan461
+172.21.0.0/16 table 486 dev vlan461
 default table 486 via 18.4.86.1

From c028215981a465fed1298d56ab25c932b4883fde Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 2 Mar 2018 23:46:45 -0500
Subject: [PATCH 008/111] Move routes to the right files

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../sysconfig/network-scripts/route-vlan181   |  3 +-
 .../sysconfig/network-scripts/route-vlan461   | 36 ++++++++++---------
 .../sysconfig/network-scripts/route-vlan486   |  3 +-
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
index 808ae094..fe43a835 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
@@ -1,3 +1,2 @@
 18.181.0.0/16 table 181 dev vlan181
-172.21.0.0/16 table 181 dev vlan461
-default table 181 via 18.181.0.1
+default table 181 via 18.181.0.1 dev vlan181
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index 8e1b55af..26bc785f 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -1,17 +1,19 @@
-18.181.0.47 via 172.21.0.47
-18.181.0.55 via 172.21.0.55
-18.181.0.56 via 172.21.0.56
-18.181.0.52 via 172.21.0.52
-18.181.0.57 via 172.21.0.57
-18.181.0.53 via 172.21.0.53
-18.181.0.167 via 172.21.0.167
-18.181.0.228 via 172.21.0.228
-18.181.0.236 via 172.21.0.236
-18.181.0.237 via 172.21.0.237
-18.181.0.234 via 172.21.0.234
-18.181.0.235 via 172.21.0.235
-18.181.0.135 via 172.21.0.135
-18.181.0.141 via 172.21.0.141
-18.181.0.199 via 172.21.0.199
-18.181.0.203 via 172.21.0.203
-18.181.0.204 via 172.21.0.204
\ No newline at end of file
+172.21.0.0/16 table 181 dev vlan461
+172.21.0.0/16 table 486 dev vlan461
+18.181.0.47 via 172.21.0.47 dev vlan461
+18.181.0.55 via 172.21.0.55 dev vlan461
+18.181.0.56 via 172.21.0.56 dev vlan461
+18.181.0.52 via 172.21.0.52 dev vlan461
+18.181.0.57 via 172.21.0.57 dev vlan461
+18.181.0.53 via 172.21.0.53 dev vlan461
+18.181.0.167 via 172.21.0.167 dev vlan461
+18.181.0.228 via 172.21.0.228 dev vlan461
+18.181.0.236 via 172.21.0.236 dev vlan461
+18.181.0.237 via 172.21.0.237 dev vlan461
+18.181.0.234 via 172.21.0.234 dev vlan461
+18.181.0.235 via 172.21.0.235 dev vlan461
+18.181.0.135 via 172.21.0.135 dev vlan461
+18.181.0.141 via 172.21.0.141 dev vlan461
+18.181.0.199 via 172.21.0.199 dev vlan461
+18.181.0.203 via 172.21.0.203 dev vlan461
+18.181.0.204 via 172.21.0.204 dev vlan461
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
index 73d67b91..b3458de7 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -1,3 +1,2 @@
 18.4.86.0/24 table 486 dev vlan486
-172.21.0.0/16 table 486 dev vlan461
-default table 486 via 18.4.86.1
+default table 486 via 18.4.86.1 dev vlan486

From 4e43d05a00742135b24395addc305c7650a5fb65 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 7 Mar 2018 01:35:30 -0500
Subject: [PATCH 009/111] Add missing addresses to /etc/openafs/NetRestrict

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/openafs/NetRestrict | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/fedora/config/etc/openafs/NetRestrict b/server/fedora/config/etc/openafs/NetRestrict
index 308ae359..0d13750f 100644
--- a/server/fedora/config/etc/openafs/NetRestrict
+++ b/server/fedora/config/etc/openafs/NetRestrict
@@ -2,6 +2,7 @@
 18.181.0.50
 18.181.0.49
 18.181.0.43
+18.181.0.29
 172.21.0.57
 172.21.0.53
 172.21.0.167
@@ -10,3 +11,7 @@
 172.21.0.237
 172.21.0.234
 172.21.0.235
+172.21.0.135
+172.21.0.141
+172.21.0.203
+172.21.0.204

From f837b288c33260317db6048f09490ec5f396c5be Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 7 Mar 2018 01:36:27 -0500
Subject: [PATCH 010/111] Add missing backend route to foreign-key

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../fedora/config/etc/sysconfig/network-scripts/route-vlan461  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index 26bc785f..7f5d427b 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -4,6 +4,8 @@
 18.181.0.55 via 172.21.0.55 dev vlan461
 18.181.0.56 via 172.21.0.56 dev vlan461
 18.181.0.52 via 172.21.0.52 dev vlan461
+18.181.0.199 via 172.21.0.199 dev vlan461
+18.181.0.200 via 172.21.0.200 dev vlan461
 18.181.0.57 via 172.21.0.57 dev vlan461
 18.181.0.53 via 172.21.0.53 dev vlan461
 18.181.0.167 via 172.21.0.167 dev vlan461
@@ -14,6 +16,5 @@
 18.181.0.235 via 172.21.0.235 dev vlan461
 18.181.0.135 via 172.21.0.135 dev vlan461
 18.181.0.141 via 172.21.0.141 dev vlan461
-18.181.0.199 via 172.21.0.199 dev vlan461
 18.181.0.203 via 172.21.0.203 dev vlan461
 18.181.0.204 via 172.21.0.204 dev vlan461

From c8449d1e1d3eed1cee00b90e3c8b8f547c17dda0 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 7 Mar 2018 01:34:26 -0500
Subject: [PATCH 011/111] Forget about sx-blade-4 and not-backward (as
 realservers)

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/hosts                                | 4 +---
 .../fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf   | 2 +-
 .../fedora/config/etc/sysconfig/network-scripts/route-vlan461 | 1 -
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index ad732f2d..51ead2dd 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -11,7 +11,7 @@
 
 18.181.0.57	better-mousetrap.mit.edu better-mousetrap scripts1.mit.edu scripts1
 18.181.0.53	old-faithful.mit.edu old-faithful scripts2.mit.edu scripts2
-18.181.0.167	bees-knees.mit.edu bees-knees sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3
+18.181.0.167	bees-knees.mit.edu bees-knees scripts3.mit.edu scripts3
 18.181.0.228	cats-whiskers.mit.edu cats-whiskers scripts4.mit.edu scripts4
 18.181.0.236	whole-enchilada.mit.edu whole-enchilada scripts5.mit.edu scripts5
 18.181.0.237	pancake-bunny.mit.edu pancake-bunny scripts6.mit.edu scripts6
@@ -21,7 +21,6 @@
 18.181.0.141	golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10
 18.181.0.203	miracle-cure.mit.edu miracle-cure scripts11.mit.edu scripts11
 18.181.0.204	lucky-star.mit.edu lucky-star scripts12.mit.edu scripts12
-18.181.0.55	not-backward.mit.edu not-backward
 
 172.21.0.57	better-mousetrap.mit.edu
 172.21.0.53	old-faithful.mit.edu
@@ -35,4 +34,3 @@
 172.21.0.141	golden-egg.mit.edu
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
-172.21.0.55	not-backward.mit.edu
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
index 94884ac7..86f1cbdd 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
@@ -5,7 +5,7 @@ ServerAlias \
     scripts-test.mit.edu scripts-test 18.181.0.229 \
     better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 \
     old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 \
-    bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 \
+    bees-knees.mit.edu bees-knees b-k.mit.edu b-k scripts3.mit.edu scripts3 18.181.0.167 \
     cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 \
     whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 \
     pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 \
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index 7f5d427b..b91964ad 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -1,7 +1,6 @@
 172.21.0.0/16 table 181 dev vlan461
 172.21.0.0/16 table 486 dev vlan461
 18.181.0.47 via 172.21.0.47 dev vlan461
-18.181.0.55 via 172.21.0.55 dev vlan461
 18.181.0.56 via 172.21.0.56 dev vlan461
 18.181.0.52 via 172.21.0.52 dev vlan461
 18.181.0.199 via 172.21.0.199 dev vlan461

From 027f38017e917ea2f18fcc13c021ee0ae02e2eb5 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 7 Mar 2018 01:37:24 -0500
Subject: [PATCH 012/111] Transitional configuration for new IP addresses on
 SIPB-486

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/hosts                | 31 +++++++++++++++++++
 .../etc/httpd/conf.d/scripts-vhost-names.conf | 15 +++++++++
 .../fedora/config/etc/httpd/conf/httpd.conf   |  8 ++---
 .../etc/httpd/statistics_log_mitonly.sh       |  4 +--
 server/fedora/config/etc/openafs/NetRestrict  |  4 +++
 server/fedora/config/etc/postfix/main.cf      |  2 +-
 server/fedora/config/etc/postfix/virtual      |  1 +
 server/fedora/config/etc/ssh/ssh_known_hosts  | 24 +++++++-------
 .../sysconfig/network-scripts/route-vlan461   | 12 +++++++
 9 files changed, 82 insertions(+), 19 deletions(-)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index 51ead2dd..56329755 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -34,3 +34,34 @@
 172.21.0.141	golden-egg.mit.edu
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
+
+18.4.86.43	scripts-new.mit.edu scripts-new
+18.4.86.46	scripts-vhosts-new.mit.edu scripts-vhosts-new
+18.4.86.50	scripts-cert-new.mit.edu scripts-cert-new
+18.4.86.229	scripts-test-new.mit.edu scripts-test-new
+
+18.4.86.57	better-mousetrap-new.mit.edu better-mousetrap-new scripts1-new.mit.edu scripts1-new
+18.4.86.53	old-faithful-new.mit.edu old-faithful-new scripts2-new.mit.edu scripts2-new
+18.4.86.167	bees-knees-new.mit.edu bees-knees-new scripts3-new.mit.edu scripts3-new
+18.4.86.228	cats-whiskers-new.mit.edu cats-whiskers-new scripts4-new.mit.edu scripts4-new
+18.4.86.236	whole-enchilada-new.mit.edu whole-enchilada-new scripts5-new.mit.edu scripts5-new
+18.4.86.237	pancake-bunny-new.mit.edu pancake-bunny-new scripts6-new.mit.edu scripts6-new
+18.4.86.234	busy-beaver-new.mit.edu busy-beaver-new scripts7-new.mit.edu scripts7-new
+18.4.86.235	real-mccoy-new.mit.edu real-mccoy-new scripts8-new.mit.edu scripts8-new
+18.4.86.135	shining-armor-new.mit.edu shining-armor-new scripts9-new.mit.edu scripts9-new
+18.4.86.141	golden-egg-new.mit.edu golden-egg-new scripts10-new.mit.edu scripts10-new
+18.4.86.203	miracle-cure-new.mit.edu miracle-cure-new scripts11-new.mit.edu scripts11-new
+18.4.86.204	lucky-star-new.mit.edu lucky-star-new scripts12-new.mit.edu scripts12-new
+
+172.21.0.57	better-mousetrap-new.mit.edu
+172.21.0.53	old-faithful-new.mit.edu
+172.21.0.167	bees-knees-new.mit.edu
+172.21.0.228	cats-whiskers-new.mit.edu
+172.21.0.236	whole-enchilada-new.mit.edu
+172.21.0.237	pancake-bunny-new.mit.edu
+172.21.0.234	busy-beaver-new.mit.edu
+172.21.0.235	real-mccoy-new.mit.edu
+172.21.0.135	shining-armor-new.mit.edu
+172.21.0.141	golden-egg-new.mit.edu
+172.21.0.203	miracle-cure-new.mit.edu
+172.21.0.204	lucky-star-new.mit.edu
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
index 86f1cbdd..3d9e05ef 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
@@ -15,4 +15,19 @@ ServerAlias \
     golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.181.0.141 \
     miracle-cure.mit.edu miracle-cure m-c.mit.edu m-c scripts11.mit.edu scripts11 18.181.0.203 \
     lucky-star.mit.edu lucky-star l-s.mit.edu l-s scripts12.mit.edu scripts12 18.181.0.204 \
+    scripts-new.mit.edu scripts-new 18.4.86.43 \
+    scripts-vhosts-new.mit.edu scripts-vhosts-new 18.4.86.46 \
+    scripts-test-new.mit.edu scripts-test-new 18.4.86.229 \
+    better-mousetrap-new.mit.edu better-mousetrap-new 18.4.86.57 \
+    old-faithful-new.mit.edu old-faithful-new 18.4.86.53 \
+    bees-knees-new.mit.edu bees-knees-new 18.4.86.167 \
+    cats-whiskers-new.mit.edu cats-whiskers-new 18.4.86.228 \
+    whole-enchilada-new.mit.edu whole-enchilada-new 18.4.86.236 \
+    pancake-bunny-new.mit.edu pancake-bunny-new 18.4.86.237 \
+    busy-beaver-new.mit.edu busy-beaver-new 18.4.86.234 \
+    real-mccoy-new.mit.edu real-mccoy-new 18.4.86.235 \
+    shining-armor-new.mit.edu shining-armor-new 18.4.86.135 \
+    golden-egg-new.mit.edu golden-egg-new 18.4.86.141 \
+    miracle-cure-new.mit.edu miracle-cure-new 18.4.86.203 \
+    lucky-star-new.mit.edu lucky-star-new 18.4.86.204 \
     localhost 127.0.0.1 ::1
diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index 00ecd641..e5ce222c 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -273,7 +273,7 @@ ProxyRequests Off
     ErrorDocument 404 "No favicon.ico.
 </Location>
 
-<VirtualHost 18.181.0.50:80>
+<VirtualHost 18.181.0.50:80 18.4.86.50:80>
     ServerName scripts-cert.mit.edu
     ServerAlias scripts-cert
     Include conf.d/scripts-vhost.conf
@@ -320,7 +320,7 @@ ProxyRequests Off
     SSLHonorCipherOrder on
     SSLCompression off
 
-    <VirtualHost 18.181.0.50:443 18.181.0.50:444>
+    <VirtualHost 18.181.0.50:443 18.181.0.50:444 18.4.86.50:443 18.4.86.50:444>
         ServerName scripts-cert.mit.edu
         ServerAlias scripts-cert
         Include conf.d/scripts-vhost.conf
@@ -329,14 +329,14 @@ ProxyRequests Off
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
         Include conf.d/vhosts-common-ssl-cert.conf
     </VirtualHost>
-    <VirtualHost 18.181.0.43:443>
+    <VirtualHost 18.181.0.43:443 18.4.86.43:443>
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
     </VirtualHost>
-    <VirtualHost 18.181.0.43:444>
+    <VirtualHost 18.181.0.43:444 18.4.86.43:444>
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
diff --git a/server/fedora/config/etc/httpd/statistics_log_mitonly.sh b/server/fedora/config/etc/httpd/statistics_log_mitonly.sh
index 1f9a5e6a..8a03ce56 100755
--- a/server/fedora/config/etc/httpd/statistics_log_mitonly.sh
+++ b/server/fedora/config/etc/httpd/statistics_log_mitonly.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 perl -ne 'BEGIN { $| = 1 }
 next unless /^18\./;
-next if /^18\.181\./;
+next if /^18\.181\.|^18\.4\.86\./;
 chomp; split;
 if ($_[1] eq "scripts.mit.edu" && $_[2] =~ m|/(~[^/]+)/|) {
 print "$1\n";
 } else {
 print "$_[1]\n";
 }' >> /var/log/httpd/statistics_log
-#awk '/^18\./ && ! /^18.181/ { print $2; fflush() }' >> /var/log/httpd/statistics_log
+#awk '/^18\./ && ! /^18\.181\.|^18\.4\.86\./ { print $2; fflush() }' >> /var/log/httpd/statistics_log
diff --git a/server/fedora/config/etc/openafs/NetRestrict b/server/fedora/config/etc/openafs/NetRestrict
index 0d13750f..557f6824 100644
--- a/server/fedora/config/etc/openafs/NetRestrict
+++ b/server/fedora/config/etc/openafs/NetRestrict
@@ -3,6 +3,10 @@
 18.181.0.49
 18.181.0.43
 18.181.0.29
+18.4.86.46
+18.4.86.50
+18.4.86.43
+18.4.86.29
 172.21.0.57
 172.21.0.53
 172.21.0.167
diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index 92aee6be..7d2f6845 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -16,7 +16,7 @@ mailbox_command_maps = ldap:/etc/postfix/mailbox-command-maps-ldap.cf
 mailbox_size_limit = 0
 message_size_limit = 41943040
 recipient_delimiter = +
-inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu
+inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu, scripts-new.mit.edu, scripts-vhosts-new.mit.edu
 readme_directory = /usr/share/doc/postfix/README_FILES
 sample_directory = /usr/share/doc/postfix/samples
 sendmail_path = /usr/sbin/sendmail
diff --git a/server/fedora/config/etc/postfix/virtual b/server/fedora/config/etc/postfix/virtual
index 9f427519..0252e4e8 100644
--- a/server/fedora/config/etc/postfix/virtual
+++ b/server/fedora/config/etc/postfix/virtual
@@ -4,5 +4,6 @@ webmaster@webzephyr.mit.edu jdaniel@mit.edu
 @webzephyr.mit.edu webzephyr
 # Domains also match here
 scripts-vhosts.mit.edu true
+scripts-vhosts-new.mit.edu true
 szs.mit.edu true
 webzephyr.mit.edu true
diff --git a/server/fedora/config/etc/ssh/ssh_known_hosts b/server/fedora/config/etc/ssh/ssh_known_hosts
index 15b9738a..7c6a004f 100644
--- a/server/fedora/config/etc/ssh/ssh_known_hosts
+++ b/server/fedora/config/etc/ssh/ssh_known_hosts
@@ -1,12 +1,12 @@
-real-mccoy.mit.edu,real-mccoy,r-m.mit.edu,r-m,scripts8.mit.edu,scripts8,18.181.0.235,172.21.0.235 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-busy-beaver.mit.edu,busy-beaver,b-b.mit.edu,b-b,scripts7.mit.edu,scripts7,18.181.0.234,172.21.0.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDzAEXlTb1hcGBgfuteR9xdB/jZCe+lf+GOBWz4UthUpJKal+x20MVZr3R7u+BkbX4NNa5PC2QUpAZwTOI8Izw=
-pancake-bunny.mit.edu,pancake-bunny,p-b.mit.edu,p-b,scripts6.mit.edu,scripts6,18.181.0.237,172.21.0.237 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-cats-whiskers.mit.edu,cats-whiskers,c-w.mit.edu,c-w,scripts4.mit.edu,scripts4,18.181.0.228,172.21.0.228 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-bees-knees.mit.edu,bees-knees,b-k.mit.edu,b-k,scripts3.mit.edu,scripts3,18.181.0.167,172.21.0.167 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-better-mousetrap.mit.edu,better-mousetrap,b-m.mit.edu,b-m,scripts1.mit.edu,scripts1,18.181.0.57,172.21.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-old-faithful.mit.edu,old-faithful,o-f.mit.edu,o-f,scripts2.mit.edu,scripts2,18.181.0.53,172.21.0.53 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-whole-enchilada.mit.edu,whole-enchilada,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.181.0.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-shining-armor.mit.edu,shining-armor,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.181.0.135,172.21.0.135 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-golden-egg.mit.edu,golden-egg,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.181.0.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-miracle-cure.mit.edu,miracle-cure,m-c.mit.edu,m-c,scripts11.mit.edu,scripts11,18.181.0.203,172.21.0.203 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-lucky-star.mit.edu,lucky-star,l-s.mit.edu,l-s,scripts12.mit.edu,scripts12,18.181.0.204,172.21.0.204 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+real-mccoy.mit.edu,real-mccoy,real-mccoy-new.mit.edu,real-mccoy-new,r-m.mit.edu,r-m,scripts8.mit.edu,scripts8,18.181.0.235,18.4.86.235,172.21.0.235 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+busy-beaver.mit.edu,busy-beaver,busy-beaver-new.mit.edu,busy-beaver-new,b-b.mit.edu,b-b,scripts7.mit.edu,scripts7,18.181.0.234,18.4.86.234,172.21.0.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDzAEXlTb1hcGBgfuteR9xdB/jZCe+lf+GOBWz4UthUpJKal+x20MVZr3R7u+BkbX4NNa5PC2QUpAZwTOI8Izw=
+pancake-bunny.mit.edu,pancake-bunny,pancake-bunny-new.mit.edu,pancake-bunny-new,p-b.mit.edu,p-b,scripts6.mit.edu,scripts6,18.181.0.237,18.4.86.237,172.21.0.237 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+cats-whiskers.mit.edu,cats-whiskers,cats-whiskers-new.mit.edu,cats-whiskers-new,c-w.mit.edu,c-w,scripts4.mit.edu,scripts4,18.181.0.228,18.4.86.228,172.21.0.228 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+bees-knees.mit.edu,bees-knees,bees-knees-new.mit.edu,bees-knees-new,b-k.mit.edu,b-k,scripts3.mit.edu,scripts3,18.181.0.167,18.4.86.167,172.21.0.167 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+better-mousetrap.mit.edu,better-mousetrap,better-mousetrap-new.mit.edu,better-mousetrap-new,b-m.mit.edu,b-m,scripts1.mit.edu,scripts1,18.181.0.57,18.4.86.57,172.21.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+old-faithful.mit.edu,old-faithful,old-faithful-new.mit.edu,old-faithful-new,o-f.mit.edu,o-f,scripts2.mit.edu,scripts2,18.181.0.53,18.4.86.53,172.21.0.53 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+whole-enchilada.mit.edu,whole-enchilada,whole-enchilada-new.mit.edu,whole-enchilada-new,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.181.0.236,18.4.86.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+shining-armor.mit.edu,shining-armor,shining-armor-new.mit.edu,shining-armor-new,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.181.0.135,18.4.86.135,172.21.0.135 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+golden-egg.mit.edu,golden-egg,golden-egg-new.mit.edu,golden-egg-new,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.181.0.141,18.4.86.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+miracle-cure.mit.edu,miracle-cure,miracle-cure-new.mit.edu,miracle-cure-new,m-c.mit.edu,m-c,scripts11.mit.edu,scripts11,18.181.0.203,18.4.86.203,172.21.0.203 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+lucky-star.mit.edu,lucky-star,lucky-star-new.mit.edu,lucky-star-new,l-s.mit.edu,l-s,scripts12.mit.edu,scripts12,18.181.0.204,18.4.86.204,172.21.0.204 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index b91964ad..b0116cf3 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -17,3 +17,15 @@
 18.181.0.141 via 172.21.0.141 dev vlan461
 18.181.0.203 via 172.21.0.203 dev vlan461
 18.181.0.204 via 172.21.0.204 dev vlan461
+18.4.86.57 via 172.21.0.57 dev vlan461
+18.4.86.53 via 172.21.0.53 dev vlan461
+18.4.86.167 via 172.21.0.167 dev vlan461
+18.4.86.228 via 172.21.0.228 dev vlan461
+18.4.86.236 via 172.21.0.236 dev vlan461
+18.4.86.237 via 172.21.0.237 dev vlan461
+18.4.86.234 via 172.21.0.234 dev vlan461
+18.4.86.235 via 172.21.0.235 dev vlan461
+18.4.86.135 via 172.21.0.135 dev vlan461
+18.4.86.141 via 172.21.0.141 dev vlan461
+18.4.86.203 via 172.21.0.203 dev vlan461
+18.4.86.204 via 172.21.0.204 dev vlan461

From 29afb3ba14da139045bdb3dfc530a8400f109ebe Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Sat, 14 Apr 2018 06:02:13 -0400
Subject: [PATCH 013/111] Log connection attempts to the Eitest sinkhole

---
 server/fedora/config/etc/sysconfig/iptables | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/sysconfig/iptables b/server/fedora/config/etc/sysconfig/iptables
index 5e3d7e99..deeb6d27 100644
--- a/server/fedora/config/etc/sysconfig/iptables
+++ b/server/fedora/config/etc/sysconfig/iptables
@@ -14,4 +14,5 @@
 # 18.9.28.100=outgoing.mit.edu
 -A log-smtp -d 18.9.28.100 -j RETURN
 -A log-smtp -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -d 192.42.116.41 -j LOG --log-prefix "Eitest sinkhole " --log-uid
 COMMIT

From 54fdeb5a2af09b8ef6fe6fdf72ddfe7a52802b34 Mon Sep 17 00:00:00 2001
From: Alexander Chernyakhovsky <achernya@mit.edu>
Date: Wed, 18 Apr 2018 23:12:25 -0400
Subject: [PATCH 014/111] Only append .mit.edu to hostnames without a ".".

---
 server/fedora/config/etc/pki/tls/gencsr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/pki/tls/gencsr b/server/fedora/config/etc/pki/tls/gencsr
index 6e21ffc2..4a295e5e 100755
--- a/server/fedora/config/etc/pki/tls/gencsr
+++ b/server/fedora/config/etc/pki/tls/gencsr
@@ -71,7 +71,7 @@ if __name__=="__main__":
         exit(1)
 
     hostname = sys.argv[1].lower()
-    if not hostname.endswith(".mit.edu"):
+    if not hostname.endswith(".mit.edu") and '.' not in hostname:
         hostname += ".mit.edu"
 
     print generate_csr(hostname, [hostname]),  # with subjectAltName

From 2b1e3b2893809a818f5f1ecd55969630771ff20f Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 19 Apr 2018 12:18:09 -0400
Subject: [PATCH 015/111] Log requests to matsnu as well

---
 server/fedora/config/etc/sysconfig/iptables | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/sysconfig/iptables b/server/fedora/config/etc/sysconfig/iptables
index deeb6d27..b40ecd39 100644
--- a/server/fedora/config/etc/sysconfig/iptables
+++ b/server/fedora/config/etc/sysconfig/iptables
@@ -15,4 +15,5 @@
 -A log-smtp -d 18.9.28.100 -j RETURN
 -A log-smtp -j REJECT --reject-with icmp-admin-prohibited
 -A OUTPUT -d 192.42.116.41 -j LOG --log-prefix "Eitest sinkhole " --log-uid
+-A OUTPUT -d 216.218.185.162 -j LOG --log-prefix "matsnu sinkhole " --log-uid
 COMMIT

From 38c6efddfd81d3fbe39b3980bc1af87e96eed818 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Tue, 24 Apr 2018 02:39:52 -0400
Subject: [PATCH 016/111] Update hosts and routes for future new sql addresses

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/hosts                                | 2 ++
 .../fedora/config/etc/sysconfig/network-scripts/route-vlan461 | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index 56329755..45aec582 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -35,6 +35,8 @@
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
 
+18.4.60.52	sql-new.mit.edu sql-new
+
 18.4.86.43	scripts-new.mit.edu scripts-new
 18.4.86.46	scripts-vhosts-new.mit.edu scripts-vhosts-new
 18.4.86.50	scripts-cert-new.mit.edu scripts-cert-new
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index b0116cf3..095b3a18 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -1,6 +1,5 @@
 172.21.0.0/16 table 181 dev vlan461
 172.21.0.0/16 table 486 dev vlan461
-18.181.0.47 via 172.21.0.47 dev vlan461
 18.181.0.56 via 172.21.0.56 dev vlan461
 18.181.0.52 via 172.21.0.52 dev vlan461
 18.181.0.199 via 172.21.0.199 dev vlan461
@@ -17,6 +16,9 @@
 18.181.0.141 via 172.21.0.141 dev vlan461
 18.181.0.203 via 172.21.0.203 dev vlan461
 18.181.0.204 via 172.21.0.204 dev vlan461
+18.4.60.52 via 172.21.0.52 dev vlan461
+18.4.60.199 via 172.21.0.199 dev vlan461
+18.4.60.200 via 172.21.0.200 dev vlan461
 18.4.86.57 via 172.21.0.57 dev vlan461
 18.4.86.53 via 172.21.0.53 dev vlan461
 18.4.86.167 via 172.21.0.167 dev vlan461

From e5504988325b2b191a7fa9ac41a9494284ab4b20 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 25 Apr 2018 01:53:43 -0400
Subject: [PATCH 017/111] Update SIPB-NOC addresses

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 host/debian/scripts-vm-host/debian/changelog                | 6 ++++++
 .../debian/transform_munin-node.conf.scripts                | 3 ++-
 ldap/el/config/etc/nagios/nrpe.cfg                          | 2 +-
 lvs/debian/config/etc/munin/munin-node.conf                 | 3 ++-
 lvs/debian/config/etc/nagios/nrpe.cfg                       | 2 +-
 server/fedora/config/etc/munin/munin-node.conf              | 2 +-
 server/fedora/config/etc/nagios/nrpe.cfg                    | 2 +-
 7 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/host/debian/scripts-vm-host/debian/changelog b/host/debian/scripts-vm-host/debian/changelog
index 3362751f..c64b87c2 100644
--- a/host/debian/scripts-vm-host/debian/changelog
+++ b/host/debian/scripts-vm-host/debian/changelog
@@ -1,3 +1,9 @@
+scripts-vm-host (0.9) UNRELEASED; urgency=medium
+
+  * Update SIPB-NOC addresses.
+
+ -- Anders Kaseorg <andersk@mit.edu>  Wed, 25 Apr 2018 01:52:41 -0400
+
 scripts-vm-host (0.8) wheezy; urgency=low
 
   * Take into account config-package-dev now needs .transform files
diff --git a/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts b/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts
index 404c91ce..26e7ced6 100644
--- a/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts
+++ b/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts
@@ -3,7 +3,8 @@
 cat
 cat <<EOF
 allow ^127\.0\.0\.1$
-allow ^18\.187\.1\.128$
 allow ^18\.181\.0\.65$
+allow ^18\.4\.60\.65$
 allow ^18\.181\.0\.51$
+allow ^18\.4\.60\.51$
 EOF
diff --git a/ldap/el/config/etc/nagios/nrpe.cfg b/ldap/el/config/etc/nagios/nrpe.cfg
index 819e7daa..96a0f5d3 100644
--- a/ldap/el/config/etc/nagios/nrpe.cfg
+++ b/ldap/el/config/etc/nagios/nrpe.cfg
@@ -76,7 +76,7 @@ nrpe_group=nrpe
 #
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-allowed_hosts=18.181.0.61,18.181.0.65,18.181.0.51
+allowed_hosts=18.181.0.61,18.4.60.61,18.181.0.65,18.4.60.65,18.181.0.51,18.4.60.51
  
 
 
diff --git a/lvs/debian/config/etc/munin/munin-node.conf b/lvs/debian/config/etc/munin/munin-node.conf
index 9e8733d4..597c14f8 100644
--- a/lvs/debian/config/etc/munin/munin-node.conf
+++ b/lvs/debian/config/etc/munin/munin-node.conf
@@ -36,6 +36,7 @@ ignore_file \.pod$
 # the allow line as many times as you'd like
 
 allow ^127\.0\.0\.1$
-allow ^18\.187\.1\.128$
 allow ^18\.181\.0\.65$
+allow ^18\.4\.60\.65$
 allow ^18\.181\.0\.51$
+allow ^18\.4\.60\.51$
diff --git a/lvs/debian/config/etc/nagios/nrpe.cfg b/lvs/debian/config/etc/nagios/nrpe.cfg
index 9c7a3768..923a5837 100644
--- a/lvs/debian/config/etc/nagios/nrpe.cfg
+++ b/lvs/debian/config/etc/nagios/nrpe.cfg
@@ -56,7 +56,7 @@ server_port=5666
 #
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-allowed_hosts=18.187.1.128,18.181.0.65
+allowed_hosts=18.181.0.65,18.4.60.65
 
 
 
diff --git a/server/fedora/config/etc/munin/munin-node.conf b/server/fedora/config/etc/munin/munin-node.conf
index ba29c40f..d64e762d 100644
--- a/server/fedora/config/etc/munin/munin-node.conf
+++ b/server/fedora/config/etc/munin/munin-node.conf
@@ -33,8 +33,8 @@ ignore_file \.pod$
 # the allow line as many times as you'd like
 
 allow ^127\.0\.0\.1$
-allow ^18\.187\.1\.128$
 allow ^18\.181\.0\.65$
+allow ^18\.4\.60\.65$
 
 # Which address to bind to;
 host *
diff --git a/server/fedora/config/etc/nagios/nrpe.cfg b/server/fedora/config/etc/nagios/nrpe.cfg
index 3e2ede68..85584681 100644
--- a/server/fedora/config/etc/nagios/nrpe.cfg
+++ b/server/fedora/config/etc/nagios/nrpe.cfg
@@ -76,7 +76,7 @@ nrpe_group=nrpe
 #
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-allowed_hosts=18.181.0.61,18.181.0.65,18.181.0.51
+allowed_hosts=18.181.0.61,18.4.60.61,18.181.0.65,18.4.60.65,18.181.0.51,18.4.60.51
  
 
 

From a57e12df0f1beabbd8ff2fde23d63f38d16633e2 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sat, 28 Apr 2018 23:08:25 -0400
Subject: [PATCH 018/111] =?UTF-8?q?Increase=20sshd=20MaxStartups=20by=205?=
 =?UTF-8?q?=C3=97?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/ssh/sshd_config | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/ssh/sshd_config b/server/fedora/config/etc/ssh/sshd_config
index daa53e2c..7a2adfe1 100644
--- a/server/fedora/config/etc/ssh/sshd_config
+++ b/server/fedora/config/etc/ssh/sshd_config
@@ -15,6 +15,7 @@ X11Forwarding no
 Banner /etc/issue.net
 Subsystem sftp /usr/libexec/openssh/sftp-server
 LogLevel VERBOSE
+MaxStartups 50:30:500
 
 # See trac #23
 HostbasedAuthentication yes

From 5eef8cd461dfd0efd98fd54e220825dd9baeab67 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 4 May 2018 04:29:56 -0400
Subject: [PATCH 019/111] Update CellServDB with new sipb cell addresses

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/usr/vice/etc/CellServDB.local | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/fedora/config/usr/vice/etc/CellServDB.local b/server/fedora/config/usr/vice/etc/CellServDB.local
index 45dd76e8..0bf0dfe6 100644
--- a/server/fedora/config/usr/vice/etc/CellServDB.local
+++ b/server/fedora/config/usr/vice/etc/CellServDB.local
@@ -7,9 +7,9 @@
 18.9.48.15                      #moby.mit.edu
 18.9.48.16                      #springer.mit.edu
 >sipb.mit.edu           #MIT/SIPB cell
-18.181.0.19                     #reynelda.mit.edu
-18.181.0.22                     #rosebud.mit.edu
-18.181.0.23                     #ronald-ann.mit.edu
+18.4.60.19                      #reynelda.mit.edu
+18.4.60.22                      #rosebud.mit.edu
+18.4.60.23                      #ronald-ann.mit.edu
 >grand.central.org      #GCO Public CellServDB 14 Mar 2017
 18.9.48.14                      #grand.mit.edu
 128.2.13.219                    #grand-old-opry.central.org

From 830dc6f51b42c11462ad5d1cbe83e89722a75d02 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 4 May 2018 04:32:30 -0400
Subject: [PATCH 020/111] Remove old SIPB-NOC addresses

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ldap/el/config/etc/nagios/nrpe.cfg       | 2 +-
 lvs/debian/config/etc/nagios/nrpe.cfg    | 2 +-
 server/fedora/config/etc/nagios/nrpe.cfg | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ldap/el/config/etc/nagios/nrpe.cfg b/ldap/el/config/etc/nagios/nrpe.cfg
index 96a0f5d3..29994858 100644
--- a/ldap/el/config/etc/nagios/nrpe.cfg
+++ b/ldap/el/config/etc/nagios/nrpe.cfg
@@ -76,7 +76,7 @@ nrpe_group=nrpe
 #
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-allowed_hosts=18.181.0.61,18.4.60.61,18.181.0.65,18.4.60.65,18.181.0.51,18.4.60.51
+allowed_hosts=18.4.60.61,18.4.60.65,18.4.60.51
  
 
 
diff --git a/lvs/debian/config/etc/nagios/nrpe.cfg b/lvs/debian/config/etc/nagios/nrpe.cfg
index 923a5837..8432af25 100644
--- a/lvs/debian/config/etc/nagios/nrpe.cfg
+++ b/lvs/debian/config/etc/nagios/nrpe.cfg
@@ -56,7 +56,7 @@ server_port=5666
 #
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-allowed_hosts=18.181.0.65,18.4.60.65
+allowed_hosts=18.4.60.65
 
 
 
diff --git a/server/fedora/config/etc/nagios/nrpe.cfg b/server/fedora/config/etc/nagios/nrpe.cfg
index 85584681..31edbc11 100644
--- a/server/fedora/config/etc/nagios/nrpe.cfg
+++ b/server/fedora/config/etc/nagios/nrpe.cfg
@@ -76,7 +76,7 @@ nrpe_group=nrpe
 #
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-allowed_hosts=18.181.0.61,18.4.60.61,18.181.0.65,18.4.60.65,18.181.0.51,18.4.60.51
+allowed_hosts=18.4.60.61,18.4.60.65,18.4.60.51
  
 
 

From 7e8dd358bb82609a0539f12af290e5420b50170c Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 4 May 2018 04:33:45 -0400
Subject: [PATCH 021/111] Remove more old SIPB-NOC addresses

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../scripts-vm-host/debian/transform_munin-node.conf.scripts    | 2 --
 lvs/debian/config/etc/munin/munin-node.conf                     | 2 --
 server/fedora/config/etc/munin/munin-node.conf                  | 1 -
 3 files changed, 5 deletions(-)

diff --git a/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts b/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts
index 26e7ced6..934ad942 100644
--- a/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts
+++ b/host/debian/scripts-vm-host/debian/transform_munin-node.conf.scripts
@@ -3,8 +3,6 @@
 cat
 cat <<EOF
 allow ^127\.0\.0\.1$
-allow ^18\.181\.0\.65$
 allow ^18\.4\.60\.65$
-allow ^18\.181\.0\.51$
 allow ^18\.4\.60\.51$
 EOF
diff --git a/lvs/debian/config/etc/munin/munin-node.conf b/lvs/debian/config/etc/munin/munin-node.conf
index 597c14f8..04971d2a 100644
--- a/lvs/debian/config/etc/munin/munin-node.conf
+++ b/lvs/debian/config/etc/munin/munin-node.conf
@@ -36,7 +36,5 @@ ignore_file \.pod$
 # the allow line as many times as you'd like
 
 allow ^127\.0\.0\.1$
-allow ^18\.181\.0\.65$
 allow ^18\.4\.60\.65$
-allow ^18\.181\.0\.51$
 allow ^18\.4\.60\.51$
diff --git a/server/fedora/config/etc/munin/munin-node.conf b/server/fedora/config/etc/munin/munin-node.conf
index d64e762d..7d025cac 100644
--- a/server/fedora/config/etc/munin/munin-node.conf
+++ b/server/fedora/config/etc/munin/munin-node.conf
@@ -33,7 +33,6 @@ ignore_file \.pod$
 # the allow line as many times as you'd like
 
 allow ^127\.0\.0\.1$
-allow ^18\.181\.0\.65$
 allow ^18\.4\.60\.65$
 
 # Which address to bind to;

From add84d2af617b086ef2126a13c1c777a9ce796bf Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 14 May 2018 14:50:30 -0400
Subject: [PATCH 022/111] Remove remainder of obsolete lvs directory

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 lvs/debian/config/etc/iproute2/rt_tables | 12 ---------
 lvs/doc/install-howto                    | 31 ------------------------
 2 files changed, 43 deletions(-)
 delete mode 100644 lvs/debian/config/etc/iproute2/rt_tables
 delete mode 100644 lvs/doc/install-howto

diff --git a/lvs/debian/config/etc/iproute2/rt_tables b/lvs/debian/config/etc/iproute2/rt_tables
deleted file mode 100644
index 0d240a6f..00000000
--- a/lvs/debian/config/etc/iproute2/rt_tables
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# reserved values
-#
-255	local
-254	main
-253	default
-0	unspec
-#
-# local
-#
-#1	inr.ruhep
-10	sipb
diff --git a/lvs/doc/install-howto b/lvs/doc/install-howto
deleted file mode 100644
index 7d1fe5b2..00000000
--- a/lvs/doc/install-howto
+++ /dev/null
@@ -1,31 +0,0 @@
-- TO TEMPORARILY DISABLE HEARTBEAT: on an existing node, run
-  crm_attribute -n is_managed_default -v false
-- confirm that the change occurred with crm_attribute -n is_managed_default -G
-- Install Debian 4.0 from a minimal Debian install CD
-- aptitude install openssh-server krb5-user krb5-clients
-- dpkg-reconfigure krb5-config
-- Set GSSAPIAuthentication yes in /etc/ssh/sshd_config
-- Add keytab and .k5login
-- Edit lvs/debian/config/etc/ha.d/ha.cf in SVN to add "node foo", where foo is the new machine's hostname as reported by uname -n
-- Synchronize /etc out of SVN by running
-svn co https://scripts.mit.edu:1111/lvs/config/etc /etc
-and moving files/directories out of the way as it checks out.
-- aptitude update; aptitude install heartbeat ldirectord lighttpd-mod-magnet; # should install version >= 2.1.2
-- aptitude install munin-node
-- Copy /etc/ha.d/authkeys from an existing LVS node
-- svn up on each existing LVS node and then run /etc/init.d/heartbeat reload
-- If the node will run LVS, run "dpkg-reconfigure ipvsadm" and configure it to run "both" daemons on the correct network interface
-- Run /etc/init.d/heartbeat start on the new node
-- No services will be allocated to this node. To allocate scripts_LVS to it, run
-cibadmin -M -X '
-       <rsc_location id="rsc_location_scripts_LVS_all" rsc="scripts_LVS">
-         <rule id="prefered_rsc_location_scripts_LVS_all" score="-INFINITY" boolean_op="and">
-           <expression attribute="#uname" id="733286ca-cde9-4941-bab0-59af8bd6b55a" operation="ne" value="rack-forward"/>
-           <expression attribute="#uname" id="55373ba0-9e5e-43de-adf6-ac77bfe5bac6" operation="ne" value="not-backward"/>
-	   <expression attribute="#uname" id="UNIQUE_ID" operation="ne" value="new-node"/>
-         </rule>
-       </rsc_location>
-'
-- TO REENABLE HEARTBEAT, run crm_attribute -n is_managed_default -v true
-- Watch /var/log/messages and /var/log/syslog to make sure heartbeat is working
-- Add machine to noc/munin/munin.conf (syn:/etc/munin/munin.conf)

From 7ac0defdbfaa7acc5193aa9e93baa9a121f94003 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 14 May 2018 14:52:19 -0400
Subject: [PATCH 023/111] Update README for Ansible migration

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 README | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/README b/README
index 67da69c3..0d2ec318 100644
--- a/README
+++ b/README
@@ -1,12 +1,10 @@
+ansible:
+  Ansible configuration for LVS directors and syslog servers (and
+  hopefully everything else, in the future)
+
 host:
   files needed to set up a scripts.mit.edu hypervisor (aka VM host)
 
-locker:
-  files associated with the scripts Athena locker
-
-lvs:
-  files needed to set up a scripts.mit.edu director (aka load balancer)
-
 server:
   files needed to run a scripts.mit.edu server (aka realserver)
 

From 0c6c3ee04aeb4f67bdfbb3fac92abd2b475ecfa2 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 14 May 2018 16:46:59 -0400
Subject: [PATCH 024/111] =?UTF-8?q?ansible:=20Swap=20the=20directors?=
 =?UTF-8?q?=E2=80=99=20default=20gateway=20to=20VLAN=20486?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/scripts-directors.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index a6425d66..b5d1a638 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -6,13 +6,8 @@
       hwaddr: "{{ vlan181_hwaddr }}"
       cidr: "{{ vlan181_address }}/16"
       gateway: 18.181.0.1
-      dns_nameservers:
-      - 18.70.0.160
-      - 18.72.0.3
-      - 18.71.0.151
-      dns_search: mit.edu
       options:
-      - metric 1
+      - metric 2
       - up ip route add 18.181.0.0/16 table 181 dev vlan181
       - up ip route add default table 181 via 18.181.0.1 dev vlan181
       - up ip rule add from 18.181.0.0/16 table 181
@@ -21,8 +16,13 @@
       hwaddr: "{{ vlan486_hwaddr }}"
       cidr: "{{ vlan486_address }}/24"
       gateway: 18.4.86.1
+      dns_nameservers:
+      - 18.70.0.160
+      - 18.72.0.3
+      - 18.71.0.151
+      dns_search: mit.edu
       options:
-      - metric 2
+      - metric 1
       - up ip route add 18.4.86.0/24 table 486 dev vlan486
       - up ip route add default table 486 via 18.4.86.1 dev vlan486
       - up ip rule add from 18.4.86.0/24 table 486

From 464af026bfb41a3450ee5e5c7ae673c7281a2c57 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 25 May 2018 16:06:45 -0700
Subject: [PATCH 025/111] Add a server information page to
 /__scripts/server.shtml

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../config/etc/httpd/scripts-special/hostname |  1 +
 .../etc/httpd/scripts-special/server.shtml    | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 120000 server/fedora/config/etc/httpd/scripts-special/hostname
 create mode 100644 server/fedora/config/etc/httpd/scripts-special/server.shtml

diff --git a/server/fedora/config/etc/httpd/scripts-special/hostname b/server/fedora/config/etc/httpd/scripts-special/hostname
new file mode 120000
index 00000000..48980ad5
--- /dev/null
+++ b/server/fedora/config/etc/httpd/scripts-special/hostname
@@ -0,0 +1 @@
+/etc/hostname
\ No newline at end of file
diff --git a/server/fedora/config/etc/httpd/scripts-special/server.shtml b/server/fedora/config/etc/httpd/scripts-special/server.shtml
new file mode 100644
index 00000000..3d1bba98
--- /dev/null
+++ b/server/fedora/config/etc/httpd/scripts-special/server.shtml
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <title>scripts.mit.edu connection information</title>
+    <style>
+      html { background: #2050A0; }
+      body { margin: 1em auto; border: 1px solid black; background: #FFF; max-width: 60em; padding: 1em; font: 80% 'Lucida Grande', 'Lucida Sans Unicode', Verdana, sans-serif; }
+      summary { cursor: pointer; }
+      pre { white-space: pre-wrap; }
+    </style>
+  </head>
+  <body>
+    <p>Your connection to <!--#echo var="REQUEST_SCHEME" -->://<!--#echo var="HTTP_HOST" --> on <!--#echo var="SERVER_ADDR" -->:<!--#echo var="SERVER_PORT" --> is currently served by <strong><!--#include file="hostname" --></strong> (as of <!--#echo var="DATE_GMT" -->).</p>
+    <details>
+      <summary>Server variables</summary>
+      <pre>
+<!--#printenv --></pre>
+    </details>
+  </body>
+</html>

From b357c7bd99408f678bfe192e23db386c1d7c5f04 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 27 May 2018 05:54:26 -0400
Subject: [PATCH 026/111] Put up an annoying interstitial warning page for
 clients on 18.181.0.46

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../etc/httpd/conf.d/181-interstitial.conf    |  5 +++
 .../etc/httpd/conf.d/scripts-special.conf     | 11 ++++++
 .../fedora/config/etc/httpd/conf/httpd.conf   | 33 ++++++++++++++--
 .../config/etc/httpd/export-scripts-certs     |  7 +++-
 .../scripts-special/181-interstitial.shtml    | 39 +++++++++++++++++++
 5 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100644 server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
 create mode 100644 server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml

diff --git a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
new file mode 100644
index 00000000..06d71d85
--- /dev/null
+++ b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
@@ -0,0 +1,5 @@
+<If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{HTTP_ACCEPT} =~ m#text/html# && %{REQUEST_URI} !~ m#^/__scripts/#">
+    Header always set Vary "Cookie,Accept"
+    RewriteEngine On
+    RewriteRule ^ /__scripts/181-interstitial%{REQUEST_URI} [R,L]
+</If>
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
index d3d985c2..803501d6 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
@@ -55,3 +55,14 @@ ErrorDocument 403 /__scripts/forbidden.shtml
 
 # Generated from http://kb.mit.edu/confluence/x/F4DCAg, 2017-06-27
 SetEnvIf REMOTE_ADDR ^(10|18\.(\d\d?|1([0-2]\d|3[1-57-9]|4[0-369]|5[024-9]|6[135-9]|7[0-46-8]|8[013679]|9[02389])|2(29|3[089]|4[0-578]|5[0-245]))|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET
+
+<Location /__scripts/dismiss-181-interstitial>
+    Header always set Set-Cookie "__scripts-dismiss-181-interstitial=1; Path=/; Max-Age=43200"
+    Redirect 303 /__scripts/dismiss-181-interstitial/ /
+</Location>
+
+<Location /__scripts/181-interstitial>
+    Redirect 503 /__scripts/181-interstitial
+    SetEnvIf REQUEST_URI ^/__scripts/181-interstitial(.*)$ ORIGINAL_URI=$1
+    ErrorDocument 503 /__scripts/181-interstitial.shtml
+</Location>
diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index e5ce222c..54e2fb9f 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -282,11 +282,19 @@ ProxyRequests Off
 
 # LDAP vhost, w00t w00t
 <VirtualHost *:80>
+    ServerName localhost
     Include conf.d/vhost_ldap.conf
     Include conf.d/vhosts-common.conf
 </VirtualHost>
+# LDAP vhost, w00t w00t
+<VirtualHost 18.181.0.46:80>
+    ServerName localhost
+    Include conf.d/vhost_ldap.conf
+    Include conf.d/vhosts-common.conf
+    Include conf.d/181-interstitial.conf
+</VirtualHost>
 
-<VirtualHost *:80>
+<VirtualHost *:80 18.181.0.46:80>
     Include conf.d/scripts-vhost-names.conf
     Include conf.d/scripts-vhost.conf
     Include conf.d/vhosts-common.conf
@@ -353,6 +361,15 @@ ProxyRequests Off
         Include conf.d/vhosts-common-ssl.conf
     </VirtualHost>
     # LDAP vhost, w00t w00t
+    <VirtualHost 18.181.0.46:443>
+        ServerName localhost
+        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
+        Include conf.d/vhost_ldap.conf
+        Include conf.d/vhosts-common-ssl.conf
+        Include conf.d/181-interstitial.conf
+    </VirtualHost>
+    # LDAP vhost, w00t w00t
     <VirtualHost *:444>
         ServerName localhost
         SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
@@ -361,14 +378,24 @@ ProxyRequests Off
         Include conf.d/vhosts-common-ssl.conf
         Include conf.d/vhosts-common-ssl-cert.conf
     </VirtualHost>
-    <VirtualHost *:443>
+    # LDAP vhost, w00t w00t
+    <VirtualHost 18.181.0.46:444>
+        ServerName localhost
+        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
+        Include conf.d/vhost_ldap.conf
+        Include conf.d/vhosts-common-ssl.conf
+        Include conf.d/vhosts-common-ssl-cert.conf
+        Include conf.d/181-interstitial.conf
+    </VirtualHost>
+    <VirtualHost *:443 18.181.0.46:443>
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
     </VirtualHost>
-    <VirtualHost *:444>
+    <VirtualHost *:444 18.181.0.46:444>
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
         Include conf.d/scripts-vhost-names.conf
diff --git a/server/fedora/config/etc/httpd/export-scripts-certs b/server/fedora/config/etc/httpd/export-scripts-certs
index af577348..808d9629 100755
--- a/server/fedora/config/etc/httpd/export-scripts-certs
+++ b/server/fedora/config/etc/httpd/export-scripts-certs
@@ -4,6 +4,7 @@ import base64
 import errno
 import fcntl
 import hashlib
+import itertools
 import ldap
 import os
 import subprocess
@@ -87,8 +88,8 @@ def conf(vhost):
             cert_file.write(certs_pem)
         os.rename(cert_path + '.new', cert_path)
 
-    for port in 443, 444:
-        yield '<VirtualHost *:{}>\n'.format(port)
+    for ip, port in itertools.product(['*', '18.181.0.46'], [443, 444]):
+        yield '<VirtualHost {}:{}>\n'.format(ip, port)
         yield '\tServerName {}\n'.format(name)
         if aliases:
             yield '\tServerAlias {}\n'.format(' '.join(aliases))
@@ -98,6 +99,8 @@ def conf(vhost):
             yield '\tInclude conf.d/vhosts-common-ssl-cert.conf\n'
         yield '\tSSLCertificateFile {}\n'.format(cert_path)
         yield '\tSSLCertificateKeyFile {}\n'.format(key_path)
+        if ip == '18.181.0.46':
+            yield '\tInclude conf.d/181-interstitial.conf\n'
         yield '</VirtualHost>\n'
 
 with open(os.path.join(CERTS_DIR, '.lock'), 'w') as lock_file:
diff --git a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
new file mode 100644
index 00000000..db826f52
--- /dev/null
+++ b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <title>scripts.mit.edu connection information</title>
+    <style>
+      html { background: #2050A0; }
+      body { margin: 1em auto; border: 1px solid black; background: #FFF; max-width: 54em; padding: 1em 3em; font: 80%/150% 'Lucida Grande', 'Lucida Sans Unicode', Verdana, sans-serif; }
+      summary { cursor: pointer; }
+      pre { white-space: pre-wrap; }
+      .red { color: #d33; }
+    </style>
+  </head>
+  <body>
+    <h1 class="red">DNS update required for <!--#echo var="SERVER_NAME" --></h1>
+
+    <p><em>This is a message from the scripts.mit.edu team to the owner of <!--#echo var="SERVER_NAME" -->.  If you are not the owner, please pass this message along to them.  (They should have received a copy by email.)</em></p>
+
+    <hr />
+
+    <p><!--#echo var="SERVER_NAME" --> is currently connected to the Scripts server via a DNS A record for 18.181.0.46.  As a result of IS&T selling a large portion of MIT’s IPv4 address space to Amazon, we have been forced to migrate the Scripts server to a new address.  To keep <!--#echo var="SERVER_NAME" --> working, you must update your DNS records to follow this migration.</p>
+
+    <p>Specifically: <strong>you need to update this A record from the old address ‘18.181.0.46’ to the new address ‘18.4.86.46’.</strong></p>
+
+    <p>Alternatively, you may be able to replace the A record with a CNAME record for ‘scripts-vhosts.mit.edu.’, keeping in mind the <a href="https://scripts.mit.edu/faq/14">caveats noted in our FAQ</a>.</p>
+
+    <p>These changes must be made with your domain registrar or external DNS provider.  There is no need to respond to this notice or otherwise contact the Scripts team.</p>
+
+    <p>(The Scripts team does not control your DNS and cannot make the updates for you.  While we may be able to provide advice on a best-effort volunteer basis, keep in mind that we are sending similar notices regarding nearly 300 hostnames, so responses, if any, may be delayed.)</p>
+
+    <p>Both the old and new addresses are functional at present, but you must change to the new address by <strong>June 12</strong>: at that point, the old address 18.181.0.46 will stop pointing to Scripts and might be repurposed by some arbitrary Amazon cloud customer.</p>
+
+    <p>We apologize for any inconvenience.</p>
+
+    <hr />
+
+    <p><a href="/__scripts/dismiss-181-interstitial<!--#echo var="REDIRECT_ORIGINAL_URI" -->">I understand; continue to <!--#echo var="REQUEST_SCHEME" -->://<!--#echo var="HTTP_HOST" --><!--#echo var="REDIRECT_ORIGINAL_URI" --></a></p>
+  </body>
+</html>

From 0ccaf15a6f27fa40ddc8f83d26ddb61eea83abd9 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 27 May 2018 06:32:51 -0400
Subject: [PATCH 027/111] 181-interstitial: Fix title

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../config/etc/httpd/scripts-special/181-interstitial.shtml     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
index db826f52..4803ce50 100644
--- a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
+++ b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
@@ -2,7 +2,7 @@
 <html>
   <head>
     <meta charset="UTF-8" />
-    <title>scripts.mit.edu connection information</title>
+    <title>DNS update required for <!--#echo var="SERVER_NAME" --></title>
     <style>
       html { background: #2050A0; }
       body { margin: 1em auto; border: 1px solid black; background: #FFF; max-width: 54em; padding: 1em 3em; font: 80%/150% 'Lucida Grande', 'Lucida Sans Unicode', Verdana, sans-serif; }

From 21db335cdc78146fd1e31dd07ae23b953108ef76 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 27 May 2018 07:27:51 -0400
Subject: [PATCH 028/111] mod_vhost_ldap: Do not reconfigure ServerName
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Apparently this has been failing for some 8 years on every record with
a wildcard as scriptsVhostName, and we never noticed that they were
all 500ing.  We don’t need this because we have UseCanonicalName Off.

[mod_vhost_ldap.c] translate: virtual host not found, trying wildcard *.gssapi.org
AH00526: Syntax error on line 0 of VhostLDAPConf:
Invalid ServerName "*.gssapi.org" use ServerAlias to set multiple server names.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/common/oursrc/httpdmods/mod_vhost_ldap.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/server/common/oursrc/httpdmods/mod_vhost_ldap.c b/server/common/oursrc/httpdmods/mod_vhost_ldap.c
index 32c85a71..7fabfab3 100644
--- a/server/common/oursrc/httpdmods/mod_vhost_ldap.c
+++ b/server/common/oursrc/httpdmods/mod_vhost_ldap.c
@@ -661,11 +661,6 @@ static int mod_vhost_ldap_translate_name(request_rec *r)
 	return HTTP_INTERNAL_SERVER_ERROR;
     }
 
-    if ((code = reconfigure_directive(
-             r->pool, server, "ServerName",
-             apr_pstrcat(r->pool, "'", escape(r->pool, reqc->name), "'", (const char *)NULL))) != 0)
-	return code;
-
     char *docroot =
 	strcmp(reqc->directory, ".") == 0 ?
 	apr_pstrcat(r->pool, reqc->home, "/web_scripts", (const char *)NULL) :

From 5a3d505f607e2a2f53e09b1ef304939117d53ad5 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 27 May 2018 19:39:19 -0400
Subject: [PATCH 029/111] =?UTF-8?q?181-interstitial:=20Redirect=20away=20i?=
 =?UTF-8?q?f=20we=20aren=E2=80=99t=20on=2018.181.0.46?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In case someone manually goes back to the interstitial after the
hostname is updated.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/httpd/conf.d/181-interstitial.conf | 6 ++++++
 server/fedora/config/etc/httpd/conf.d/scripts-special.conf  | 6 ++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
index 06d71d85..d31db5d1 100644
--- a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
+++ b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
@@ -1,3 +1,9 @@
+<Location /__scripts/181-interstitial/>
+    Redirect 503 /__scripts/181-interstitial/
+    SetEnvIf REQUEST_URI ^/__scripts/181-interstitial(.*)$ ORIGINAL_URI=$1
+    ErrorDocument 503 /__scripts/181-interstitial.shtml
+</Location>
+
 <If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{HTTP_ACCEPT} =~ m#text/html# && %{REQUEST_URI} !~ m#^/__scripts/#">
     Header always set Vary "Cookie,Accept"
     RewriteEngine On
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
index 803501d6..e4d15b58 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
@@ -61,8 +61,6 @@ SetEnvIf REMOTE_ADDR ^(10|18\.(\d\d?|1([0-2]\d|3[1-57-9]|4[0-369]|5[024-9]|6[135
     Redirect 303 /__scripts/dismiss-181-interstitial/ /
 </Location>
 
-<Location /__scripts/181-interstitial>
-    Redirect 503 /__scripts/181-interstitial
-    SetEnvIf REQUEST_URI ^/__scripts/181-interstitial(.*)$ ORIGINAL_URI=$1
-    ErrorDocument 503 /__scripts/181-interstitial.shtml
+<Location /__scripts/181-interstitial/>
+    Redirect 303 /__scripts/181-interstitial/ /
 </Location>

From af686e010aecb6bff6e48c68f6d67f06a63e440c Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 28 May 2018 02:29:46 -0400
Subject: [PATCH 030/111] 181-interstitial: Fix line-height

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../config/etc/httpd/scripts-special/181-interstitial.shtml     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
index 4803ce50..0e41f758 100644
--- a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
+++ b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
@@ -5,7 +5,7 @@
     <title>DNS update required for <!--#echo var="SERVER_NAME" --></title>
     <style>
       html { background: #2050A0; }
-      body { margin: 1em auto; border: 1px solid black; background: #FFF; max-width: 54em; padding: 1em 3em; font: 80%/150% 'Lucida Grande', 'Lucida Sans Unicode', Verdana, sans-serif; }
+      body { margin: 1em auto; border: 1px solid black; background: #FFF; max-width: 54em; padding: 1em 3em; font: 80%/1.5 'Lucida Grande', 'Lucida Sans Unicode', Verdana, sans-serif; }
       summary { cursor: pointer; }
       pre { white-space: pre-wrap; }
       .red { color: #d33; }

From 2e016fbfe0d39887fc0f2405bbca00c6165d6405 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 28 May 2018 23:35:21 -0400
Subject: [PATCH 031/111] =?UTF-8?q?181-interstitial:=20Whitelist=20geofft?=
 =?UTF-8?q?=E2=80=99s=20hostnames?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

By geofft’s request [help.mit.edu #4564982].

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/httpd/conf.d/181-interstitial.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
index d31db5d1..f8f87b01 100644
--- a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
+++ b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
@@ -4,7 +4,7 @@
     ErrorDocument 503 /__scripts/181-interstitial.shtml
 </Location>
 
-<If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{HTTP_ACCEPT} =~ m#text/html# && %{REQUEST_URI} !~ m#^/__scripts/#">
+<If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{HTTP_ACCEPT} =~ m#text/html# && %{REQUEST_URI} !~ m#^/__scripts/# && %{SERVER_NAME} !~ /(?:^|\.)isyournewbicycle\.csail(?:\.mit\.edu)?$|(?:^|\.)ldpreload\.com$/">
     Header always set Vary "Cookie,Accept"
     RewriteEngine On
     RewriteRule ^ /__scripts/181-interstitial%{REQUEST_URI} [R,L]

From 4bb75f40c6787c3f630bcdda80cb04a22d60d28e Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 30 May 2018 03:20:27 -0400
Subject: [PATCH 032/111] Update configuration for VIP hostname swaps

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/hosts                | 20 +++++++++----------
 .../etc/httpd/conf.d/scripts-vhost-names.conf | 12 +++++------
 server/fedora/config/etc/postfix/main.cf      |  2 +-
 server/fedora/config/etc/postfix/virtual      |  2 +-
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index 45aec582..6ad8b435 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -3,11 +3,11 @@
 127.0.0.1	localhost.localdomain localhost
 ::1		localhost.localdomain localhost
 
-18.181.0.43	scripts.mit.edu scripts
-18.181.0.46	scripts-vhosts.mit.edu scripts-vhosts
-18.181.0.50	scripts-cert.mit.edu scripts-cert
-18.181.0.52	sql.mit.edu sql
-18.181.0.229	scripts-test.mit.edu scripts-test
+18.181.0.43	scripts-old.mit.edu scripts-old
+18.181.0.46	scripts-vhosts-old.mit.edu scripts-vhosts-old
+18.181.0.50	scripts-cert-old.mit.edu scripts-cert-old
+18.181.0.52	sql-old.mit.edu sql-old
+18.181.0.229	scripts-test-old.mit.edu scripts-test-old
 
 18.181.0.57	better-mousetrap.mit.edu better-mousetrap scripts1.mit.edu scripts1
 18.181.0.53	old-faithful.mit.edu old-faithful scripts2.mit.edu scripts2
@@ -35,12 +35,12 @@
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
 
-18.4.60.52	sql-new.mit.edu sql-new
+18.4.60.52	sql.mit.edu sql
 
-18.4.86.43	scripts-new.mit.edu scripts-new
-18.4.86.46	scripts-vhosts-new.mit.edu scripts-vhosts-new
-18.4.86.50	scripts-cert-new.mit.edu scripts-cert-new
-18.4.86.229	scripts-test-new.mit.edu scripts-test-new
+18.4.86.43	scripts.mit.edu scripts
+18.4.86.46	scripts-vhosts.mit.edu scripts-vhosts
+18.4.86.50	scripts-cert.mit.edu scripts-cert
+18.4.86.229	scripts-test.mit.edu scripts-test
 
 18.4.86.57	better-mousetrap-new.mit.edu better-mousetrap-new scripts1-new.mit.edu scripts1-new
 18.4.86.53	old-faithful-new.mit.edu old-faithful-new scripts2-new.mit.edu scripts2-new
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
index 3d9e05ef..3f5fad32 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
@@ -1,8 +1,8 @@
 ServerName scripts.mit.edu
 ServerAlias \
-    scripts 18.181.0.43 \
-    scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 \
-    scripts-test.mit.edu scripts-test 18.181.0.229 \
+    scripts-old.mit.edu scripts-old 18.181.0.43 \
+    scripts-vhosts-old.mit.edu scripts-vhosts-old 18.181.0.46 \
+    scripts-test-old.mit.edu scripts-test-old 18.181.0.229 \
     better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 \
     old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 \
     bees-knees.mit.edu bees-knees b-k.mit.edu b-k scripts3.mit.edu scripts3 18.181.0.167 \
@@ -15,9 +15,9 @@ ServerAlias \
     golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.181.0.141 \
     miracle-cure.mit.edu miracle-cure m-c.mit.edu m-c scripts11.mit.edu scripts11 18.181.0.203 \
     lucky-star.mit.edu lucky-star l-s.mit.edu l-s scripts12.mit.edu scripts12 18.181.0.204 \
-    scripts-new.mit.edu scripts-new 18.4.86.43 \
-    scripts-vhosts-new.mit.edu scripts-vhosts-new 18.4.86.46 \
-    scripts-test-new.mit.edu scripts-test-new 18.4.86.229 \
+    scripts 18.4.86.43 \
+    scripts-vhosts.mit.edu scripts-vhosts 18.4.86.46 \
+    scripts-test.mit.edu scripts-test 18.4.86.229 \
     better-mousetrap-new.mit.edu better-mousetrap-new 18.4.86.57 \
     old-faithful-new.mit.edu old-faithful-new 18.4.86.53 \
     bees-knees-new.mit.edu bees-knees-new 18.4.86.167 \
diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index 7d2f6845..3a0eb88c 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -16,7 +16,7 @@ mailbox_command_maps = ldap:/etc/postfix/mailbox-command-maps-ldap.cf
 mailbox_size_limit = 0
 message_size_limit = 41943040
 recipient_delimiter = +
-inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu, scripts-new.mit.edu, scripts-vhosts-new.mit.edu
+inet_interfaces = $myhostname, scripts-old.mit.edu, scripts-vhosts-old.mit.edu, scripts.mit.edu, scripts-vhosts.mit.edu
 readme_directory = /usr/share/doc/postfix/README_FILES
 sample_directory = /usr/share/doc/postfix/samples
 sendmail_path = /usr/sbin/sendmail
diff --git a/server/fedora/config/etc/postfix/virtual b/server/fedora/config/etc/postfix/virtual
index 0252e4e8..5c8cb34b 100644
--- a/server/fedora/config/etc/postfix/virtual
+++ b/server/fedora/config/etc/postfix/virtual
@@ -3,7 +3,7 @@ webmaster@webzephyr.mit.edu jdaniel@mit.edu
 @szs.mit.edu webzephyr
 @webzephyr.mit.edu webzephyr
 # Domains also match here
+scripts-vhosts-old.mit.edu true
 scripts-vhosts.mit.edu true
-scripts-vhosts-new.mit.edu true
 szs.mit.edu true
 webzephyr.mit.edu true

From 7c7c2f6ccfd4e692fc583da85bd6a416f593bebd Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 6 Jun 2018 02:34:19 -0400
Subject: [PATCH 033/111] Filter outgoing mail with spamass-milter

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/postfix/main.cf          |  1 +
 server/fedora/config/etc/sysconfig/spamass-milter | 13 +++++++++++++
 server/fedora/config/etc/sysconfig/spamassassin   |  3 +++
 3 files changed, 17 insertions(+)
 create mode 100644 server/fedora/config/etc/sysconfig/spamass-milter
 create mode 100644 server/fedora/config/etc/sysconfig/spamassassin

diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index 3a0eb88c..5aac4e81 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -35,6 +35,7 @@ data_directory = /var/lib/postfix
 authorized_flush_users = fail
 authorized_mailq_users = /etc/postfix/mailq_users
 authorized_submit_users = !/etc/postfix/blocked_users, static:all
+non_smtpd_milters = unix:/run/spamass-milter/postfix/sock
 # "all" is the default, but if we do not specify it, Fedora's packaging
 # will add the wrong value here.
 inet_protocols = all
diff --git a/server/fedora/config/etc/sysconfig/spamass-milter b/server/fedora/config/etc/sysconfig/spamass-milter
new file mode 100644
index 00000000..a35fe384
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/spamass-milter
@@ -0,0 +1,13 @@
+### Override for your different local config if necessary
+#SOCKET=/run/spamass-milter/spamass-milter.sock
+
+### You may add configuration parameters here, see spamass-milter(1)
+###
+### Note that the -x option for expanding aliases and virtusertable entries
+### only works if spamass-milter is run as root; you will need to use
+### spamass-milter-root.service instead of spamass-milter.service if you
+### wish to do this but otherwise it's best to run as the unprivileged user
+### sa-milt by using the normal spamass-milter.service
+#EXTRA_FLAGS="-m -r 15"
+
+EXTRA_FLAGS="-m -r -1 -- --socket=/run/spamd.socket"
diff --git a/server/fedora/config/etc/sysconfig/spamassassin b/server/fedora/config/etc/sysconfig/spamassassin
new file mode 100644
index 00000000..df366ac4
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/spamassassin
@@ -0,0 +1,3 @@
+# Options to spamd
+#SPAMDOPTIONS="-c -m5 -H"
+SPAMDOPTIONS="--username=sa-milt --groupname=sa-milt --nouser-config --socketpath=/run/spamd.socket --socketowner=sa-milt --socketgroup=sa-milt --socketmode=0600"

From ffa360522b1254e441e0a330f8c616d526928750 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 6 Jun 2018 23:16:46 -0400
Subject: [PATCH 034/111] Increase urgency of 181-interstitial

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../scripts-special/181-interstitial.shtml    | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
index 0e41f758..9553b5c5 100644
--- a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
+++ b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
@@ -14,11 +14,13 @@
   <body>
     <h1 class="red">DNS update required for <!--#echo var="SERVER_NAME" --></h1>
 
-    <p><em>This is a message from the scripts.mit.edu team to the owner of <!--#echo var="SERVER_NAME" -->.  If you are not the owner, please pass this message along to them.  (They should have received a copy by email.)</em></p>
+    <h2 id="time"></h2>
+
+    <p><em>This is an urgent message from the scripts.mit.edu team to the owner of <!--#echo var="SERVER_NAME" -->.  If you are not the owner, please pass this message along to them.  (They should have received several copies by email.)</em></p>
 
     <hr />
 
-    <p><!--#echo var="SERVER_NAME" --> is currently connected to the Scripts server via a DNS A record for 18.181.0.46.  As a result of IS&T selling a large portion of MIT’s IPv4 address space to Amazon, we have been forced to migrate the Scripts server to a new address.  To keep <!--#echo var="SERVER_NAME" --> working, you must update your DNS records to follow this migration.</p>
+    <p><!--#echo var="SERVER_NAME" --> is currently connected to the Scripts server via a DNS A record for 18.181.0.46.  As a result of IS&amp;T selling a large portion of MIT’s IPv4 address space to Amazon, we have been forced to migrate the Scripts server to a new address.  To keep <!--#echo var="SERVER_NAME" --> working, you must update your DNS records to follow this migration.</p>
 
     <p>Specifically: <strong>you need to update this A record from the old address ‘18.181.0.46’ to the new address ‘18.4.86.46’.</strong></p>
 
@@ -35,5 +37,27 @@
     <hr />
 
     <p><a href="/__scripts/dismiss-181-interstitial<!--#echo var="REDIRECT_ORIGINAL_URI" -->">I understand; continue to <!--#echo var="REQUEST_SCHEME" -->://<!--#echo var="HTTP_HOST" --><!--#echo var="REDIRECT_ORIGINAL_URI" --></a></p>
+
+    <script>
+      "use strict";
+      document.addEventListener("DOMContentLoaded", function() {
+        var timeElt = document.getElementById("time");
+        (function update() {
+          var left = 1528776000000 - Date.now();
+          var show = Math.ceil(left / 1000);
+          if (show > 0) {
+            timeElt.textContent =
+              "Time remaining: " +
+              Math.floor(show / 86400) + " days " +
+              ("0" + Math.floor((show % 86400) / 3600)).slice(-2) + ":" +
+              ("0" + Math.floor((show % 3600) / 60)).slice(-2) + ":" +
+              ("0" + show % 60).slice(-2);
+            setTimeout(update, left - 1000 * (show - 1));
+          } else {
+            timeElt.textContent = "";
+          }
+        })();
+      });
+    </script>
   </body>
 </html>

From 8c9f497afb8b175f59610837b904d52c22b5e5f0 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 04:04:26 -0400
Subject: [PATCH 035/111] ldirectord.cf: Migrate to 18.4.86.0/24 realservers,
 step 1

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/files/ldirectord.cf | 108 ++++++++++++++++++++++++------------
 1 file changed, 72 insertions(+), 36 deletions(-)

diff --git a/ansible/files/ldirectord.cf b/ansible/files/ldirectord.cf
index 9a511bf9..a6eabd2f 100644
--- a/ansible/files/ldirectord.cf
+++ b/ansible/files/ldirectord.cf
@@ -6,18 +6,30 @@ quiescent=yes
 
 # iptables rules caused SMTP to use FWM 3
 virtual=3
-        #real=18.181.0.53:25  gate 4096 # old-faithful
-        #real=18.181.0.57:25  gate 4096 # better-mousetrap
-        real=18.181.0.167:25 gate 4096 # bees-knees
-	real=18.181.0.228:25 gate 1024 # cats-whiskers
-	real=18.181.0.234:25 gate 4096 # busy-beaver
-	#real=18.181.0.235:25 gate 4096 # real-mccoy
-	real=18.181.0.237:25 gate 4096 # pancake-bunny
-	#real=18.181.0.236:25 gate 1024 # whole-enchilada
-	real=18.181.0.135:25 gate 4096 # shining-armor
-	#real=18.181.0.141:25 gate 4096 # golden-egg
-	#real=18.181.0.203:25 gate 4096 # miracle-cure
-	#real=18.181.0.204:25 gate 4096 # lucky-star
+	#real=18.181.0.53:25  gate 0 # old-faithful
+	#real=18.181.0.57:25  gate 0 # better-mousetrap
+	real=18.181.0.167:25 gate 0 # bees-knees
+	real=18.181.0.228:25 gate 0 # cats-whiskers
+	real=18.181.0.234:25 gate 0 # busy-beaver
+	#real=18.181.0.235:25 gate 0 # real-mccoy
+	real=18.181.0.237:25 gate 0 # pancake-bunny
+	#real=18.181.0.236:25 gate 0 # whole-enchilada
+	real=18.181.0.135:25 gate 0 # shining-armor
+	#real=18.181.0.141:25 gate 0 # golden-egg
+	#real=18.181.0.203:25 gate 0 # miracle-cure
+	#real=18.181.0.204:25 gate 0 # lucky-star
+	#real=18.4.86.53:25  gate 4096 # old-faithful
+	#real=18.4.86.57:25  gate 4096 # better-mousetrap
+	real=18.4.86.167:25 gate 4096 # bees-knees
+	real=18.4.86.228:25 gate 1024 # cats-whiskers
+	real=18.4.86.234:25 gate 4096 # busy-beaver
+	#real=18.4.86.235:25 gate 4096 # real-mccoy
+	real=18.4.86.237:25 gate 4096 # pancake-bunny
+	#real=18.4.86.236:25 gate 1024 # whole-enchilada
+	real=18.4.86.135:25 gate 4096 # shining-armor
+	#real=18.4.86.141:25 gate 4096 # golden-egg
+	#real=18.4.86.203:25 gate 4096 # miracle-cure
+	#real=18.4.86.204:25 gate 4096 # lucky-star
 	service=http
 	request="heartbeat/smtp"
 	virtualhost="scripts.mit.edu"
@@ -32,18 +44,30 @@ virtual=3
 
 # Apache (80, 443, and 444) uses FWM 2
 virtual=2
-	#real=18.181.0.53  gate 4096 # old-faithful
-	#real=18.181.0.57  gate 4096 # better-mousetrap
-	real=18.181.0.167 gate 4096 # bees-knees
-	real=18.181.0.228 gate 1024 # cats-whiskers
-	real=18.181.0.234 gate 4096 # busy-beaver
-	#real=18.181.0.235 gate 4096 # real-mccoy
-	real=18.181.0.237 gate 4096 # pancake-bunny
-	#real=18.181.0.236 gate 1024 # whole-enchilada
-	real=18.181.0.135 gate 4096 # shining-armor
-	#real=18.181.0.141 gate 4096 # golden-egg 
-	#real=18.181.0.203 gate 4096 # miracle-cure
-	#real=18.181.0.204 gate 4096 # lucky-star
+	#real=18.181.0.53  gate 0 # old-faithful
+	#real=18.181.0.57  gate 0 # better-mousetrap
+	real=18.181.0.167 gate 0 # bees-knees
+	real=18.181.0.228 gate 0 # cats-whiskers
+	real=18.181.0.234 gate 0 # busy-beaver
+	#real=18.181.0.235 gate 0 # real-mccoy
+	real=18.181.0.237 gate 0 # pancake-bunny
+	#real=18.181.0.236 gate 0 # whole-enchilada
+	real=18.181.0.135 gate 0 # shining-armor
+	#real=18.181.0.141 gate 0 # golden-egg
+	#real=18.181.0.203 gate 0 # miracle-cure
+	#real=18.181.0.204 gate 0 # lucky-star
+	#real=18.4.86.53  gate 4096 # old-faithful
+	#real=18.4.86.57  gate 4096 # better-mousetrap
+	real=18.4.86.167 gate 4096 # bees-knees
+	real=18.4.86.228 gate 1024 # cats-whiskers
+	real=18.4.86.234 gate 4096 # busy-beaver
+	#real=18.4.86.235 gate 4096 # real-mccoy
+	real=18.4.86.237 gate 4096 # pancake-bunny
+	#real=18.4.86.236 gate 1024 # whole-enchilada
+	real=18.4.86.135 gate 4096 # shining-armor
+	#real=18.4.86.141 gate 4096 # golden-egg
+	#real=18.4.86.203 gate 4096 # miracle-cure
+	#real=18.4.86.204 gate 4096 # lucky-star
 	fallback=127.0.0.1 gate
 	service=http
 	request="heartbeat/http"
@@ -57,18 +81,30 @@ virtual=2
 
 # Everything else uses FWM 1 and gets sent only to the primary
 virtual=1
-        #real=18.181.0.53  gate "heartbeat/services", "1"  # old-faithful
-        #real=18.181.0.57  gate "heartbeat/services", "2"  # better-mousetrap
-        real=18.181.0.167 gate "heartbeat/services", "3"  # bees-knees
-	real=18.181.0.228 gate "heartbeat/services", "4"  # cats-whiskers
-	real=18.181.0.234 gate "heartbeat/services", "5"  # busy-beaver
-	#real=18.181.0.235 gate "heartbeat/services", "6"  # real-mccoy
-	real=18.181.0.237 gate "heartbeat/services", "7"  # pancake-bunny
-	#real=18.181.0.236 gate "heartbeat/services", "8"  # whole-enchilada
-	real=18.181.0.135 gate "heartbeat/services", "9"  # shining-armor
-	#real=18.181.0.141 gate "heartbeat/services", "10" # golden-egg
-	#real=18.181.0.203 gate "heartbeat/services", "11" # miracle-cure
-	#real=18.181.0.204 gate "heartbeat/services", "12" # lucky-star
+	#real=18.181.0.53  gate 0 # old-faithful
+	#real=18.181.0.57  gate 0 # better-mousetrap
+	real=18.181.0.167 gate 0 # bees-knees
+	real=18.181.0.228 gate 0 # cats-whiskers
+	real=18.181.0.234 gate 0 # busy-beaver
+	#real=18.181.0.235 gate 0 # real-mccoy
+	real=18.181.0.237 gate 0 # pancake-bunny
+	#real=18.181.0.236 gate 0 # whole-enchilada
+	real=18.181.0.135 gate 0 # shining-armor
+	#real=18.181.0.141 gate 0 # golden-egg
+	#real=18.181.0.203 gate 0 # miracle-cure
+	#real=18.181.0.204 gate 0 # lucky-star
+	#real=18.4.86.53  gate "heartbeat/services", "1"  # old-faithful
+	#real=18.4.86.57  gate "heartbeat/services", "2"  # better-mousetrap
+	real=18.4.86.167 gate "heartbeat/services", "3"  # bees-knees
+	real=18.4.86.228 gate "heartbeat/services", "4"  # cats-whiskers
+	real=18.4.86.234 gate "heartbeat/services", "5"  # busy-beaver
+	#real=18.4.86.235 gate "heartbeat/services", "6"  # real-mccoy
+	real=18.4.86.237 gate "heartbeat/services", "7"  # pancake-bunny
+	#real=18.4.86.236 gate "heartbeat/services", "8"  # whole-enchilada
+	real=18.4.86.135 gate "heartbeat/services", "9"  # shining-armor
+	#real=18.4.86.141 gate "heartbeat/services", "10" # golden-egg
+	#real=18.4.86.203 gate "heartbeat/services", "11" # miracle-cure
+	#real=18.4.86.204 gate "heartbeat/services", "12" # lucky-star
 	service=http
         scheduler=wrr
         protocol=fwm

From 8f26f10b06261630b12f3bf741800a6c4a076308 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 04:11:18 -0400
Subject: [PATCH 036/111] ldirectord.cf: Migrate to 18.4.86.0/24 realservers,
 step 2

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/files/ldirectord.cf | 36 ------------------------------------
 1 file changed, 36 deletions(-)

diff --git a/ansible/files/ldirectord.cf b/ansible/files/ldirectord.cf
index a6eabd2f..10a150d6 100644
--- a/ansible/files/ldirectord.cf
+++ b/ansible/files/ldirectord.cf
@@ -6,18 +6,6 @@ quiescent=yes
 
 # iptables rules caused SMTP to use FWM 3
 virtual=3
-	#real=18.181.0.53:25  gate 0 # old-faithful
-	#real=18.181.0.57:25  gate 0 # better-mousetrap
-	real=18.181.0.167:25 gate 0 # bees-knees
-	real=18.181.0.228:25 gate 0 # cats-whiskers
-	real=18.181.0.234:25 gate 0 # busy-beaver
-	#real=18.181.0.235:25 gate 0 # real-mccoy
-	real=18.181.0.237:25 gate 0 # pancake-bunny
-	#real=18.181.0.236:25 gate 0 # whole-enchilada
-	real=18.181.0.135:25 gate 0 # shining-armor
-	#real=18.181.0.141:25 gate 0 # golden-egg
-	#real=18.181.0.203:25 gate 0 # miracle-cure
-	#real=18.181.0.204:25 gate 0 # lucky-star
 	#real=18.4.86.53:25  gate 4096 # old-faithful
 	#real=18.4.86.57:25  gate 4096 # better-mousetrap
 	real=18.4.86.167:25 gate 4096 # bees-knees
@@ -44,18 +32,6 @@ virtual=3
 
 # Apache (80, 443, and 444) uses FWM 2
 virtual=2
-	#real=18.181.0.53  gate 0 # old-faithful
-	#real=18.181.0.57  gate 0 # better-mousetrap
-	real=18.181.0.167 gate 0 # bees-knees
-	real=18.181.0.228 gate 0 # cats-whiskers
-	real=18.181.0.234 gate 0 # busy-beaver
-	#real=18.181.0.235 gate 0 # real-mccoy
-	real=18.181.0.237 gate 0 # pancake-bunny
-	#real=18.181.0.236 gate 0 # whole-enchilada
-	real=18.181.0.135 gate 0 # shining-armor
-	#real=18.181.0.141 gate 0 # golden-egg
-	#real=18.181.0.203 gate 0 # miracle-cure
-	#real=18.181.0.204 gate 0 # lucky-star
 	#real=18.4.86.53  gate 4096 # old-faithful
 	#real=18.4.86.57  gate 4096 # better-mousetrap
 	real=18.4.86.167 gate 4096 # bees-knees
@@ -81,18 +57,6 @@ virtual=2
 
 # Everything else uses FWM 1 and gets sent only to the primary
 virtual=1
-	#real=18.181.0.53  gate 0 # old-faithful
-	#real=18.181.0.57  gate 0 # better-mousetrap
-	real=18.181.0.167 gate 0 # bees-knees
-	real=18.181.0.228 gate 0 # cats-whiskers
-	real=18.181.0.234 gate 0 # busy-beaver
-	#real=18.181.0.235 gate 0 # real-mccoy
-	real=18.181.0.237 gate 0 # pancake-bunny
-	#real=18.181.0.236 gate 0 # whole-enchilada
-	real=18.181.0.135 gate 0 # shining-armor
-	#real=18.181.0.141 gate 0 # golden-egg
-	#real=18.181.0.203 gate 0 # miracle-cure
-	#real=18.181.0.204 gate 0 # lucky-star
 	#real=18.4.86.53  gate "heartbeat/services", "1"  # old-faithful
 	#real=18.4.86.57  gate "heartbeat/services", "2"  # better-mousetrap
 	real=18.4.86.167 gate "heartbeat/services", "3"  # bees-knees

From b5ec5f54fe86826b841d340f6f136bf4bbe894d7 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 07:43:34 -0400
Subject: [PATCH 037/111] shosts.equiv: Add transitional hostnames

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/ssh/shosts.equiv | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/server/fedora/config/etc/ssh/shosts.equiv b/server/fedora/config/etc/ssh/shosts.equiv
index f522f435..c25ac176 100644
--- a/server/fedora/config/etc/ssh/shosts.equiv
+++ b/server/fedora/config/etc/ssh/shosts.equiv
@@ -10,6 +10,18 @@ whole-enchilada.mit.edu
 golden-egg.mit.edu
 miracle-cure.mit.edu
 lucky-star.mit.edu
+better-mousetrap-new.mit.edu
+old-faithful-new.mit.edu
+bees-knees-new.mit.edu
+cats-whiskers-new.mit.edu
+pancake-bunny-new.mit.edu
+busy-beaver-new.mit.edu
+real-mccoy-new.mit.edu
+shining-armor-new.mit.edu
+whole-enchilada-new.mit.edu
+golden-egg-new.mit.edu
+miracle-cure-new.mit.edu
+lucky-star-new.mit.edu
 172.21.0.53
 172.21.0.57
 172.21.0.167

From 3432d81ad257b29e592608e407764f6e219cc5ae Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 20:45:34 -0400
Subject: [PATCH 038/111] 181-interstitial: Remove Accept: text/html filter and
 geofft whitelist

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/httpd/conf.d/181-interstitial.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
index f8f87b01..aea34b58 100644
--- a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
+++ b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
@@ -4,8 +4,8 @@
     ErrorDocument 503 /__scripts/181-interstitial.shtml
 </Location>
 
-<If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{HTTP_ACCEPT} =~ m#text/html# && %{REQUEST_URI} !~ m#^/__scripts/# && %{SERVER_NAME} !~ /(?:^|\.)isyournewbicycle\.csail(?:\.mit\.edu)?$|(?:^|\.)ldpreload\.com$/">
-    Header always set Vary "Cookie,Accept"
+<If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{REQUEST_URI} !~ m#^/__scripts/#">
+    Header always set Vary "Cookie"
     RewriteEngine On
     RewriteRule ^ /__scripts/181-interstitial%{REQUEST_URI} [R,L]
 </If>

From 01f29afca09a4c8d58fc4b66e24e0978f4563488 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 22:41:59 -0400
Subject: [PATCH 039/111] ansible: Update one host at a time

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/scripts-directors-cib.yml | 1 +
 ansible/scripts-directors.yml     | 1 +
 ansible/scripts-syslog.yml        | 1 +
 3 files changed, 3 insertions(+)

diff --git a/ansible/scripts-directors-cib.yml b/ansible/scripts-directors-cib.yml
index 62527bbd..9bd38783 100644
--- a/ansible/scripts-directors-cib.yml
+++ b/ansible/scripts-directors-cib.yml
@@ -1,4 +1,5 @@
 - hosts: scripts-directors[0]
+  serial: 1
 
   vars:
   - dynamic_property_names:
diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index b5d1a638..1cf3a8fe 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -1,4 +1,5 @@
 - hosts: scripts-directors
+  serial: 1
   vars:
     network_allow_service_restart: false
     network_ether_interfaces:
diff --git a/ansible/scripts-syslog.yml b/ansible/scripts-syslog.yml
index 39475f36..90d3b0c6 100644
--- a/ansible/scripts-syslog.yml
+++ b/ansible/scripts-syslog.yml
@@ -1,4 +1,5 @@
 - hosts: scripts-syslogs
+  serial: 1
   tasks:
   - name: Configure Kerberos
     debconf: name=krb5-config question=krb5-config/default_realm vtype=string value=ATHENA.MIT.EDU

From 793d0839c8ea043934d42c2c2aca3f5f1993215b Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 22:27:26 -0400
Subject: [PATCH 040/111] Remove special support for webzephyr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This account has been disabled for two years.  It can be revived if
its maintainers regain interest, but for now it’s more convenient not
to have to worry about it.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/inventory.yml                                      | 4 ----
 ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 | 4 ----
 server/fedora/config/etc/openafs/NetRestrict               | 1 -
 server/fedora/config/etc/postfix/virtual                   | 7 -------
 .../fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:2 | 5 -----
 5 files changed, 21 deletions(-)
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:2

diff --git a/ansible/inventory.yml b/ansible/inventory.yml
index 588de87a..e6aa6686 100644
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -62,10 +62,6 @@ all:
       ip: 18.4.86.29
       cidr_netmask: 24
       nic: vlan486
-    - host: webzephyr.mit.edu
-      ip: 18.181.0.49
-      cidr_netmask: 16
-      nic: vlan181
 
     rsyslogs:
     - 18.4.86.15  # log-flume
diff --git a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
index dff37643..36018bbc 100644
--- a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
+++ b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
@@ -31,10 +31,6 @@
 # Send everything else to FWM 1 (primary)
 -A scripts -m mark --mark 0 -j MARK --set-mark 1
 
-# webzephyr.mit.edu is special because its SMTP needs to always go to the primary (FWM 1)
--A PREROUTING -m tcp -m multiport -p tcp -d 18.181.0.49 --dports 80,443,444 -j MARK --set-mark 2
--A PREROUTING -m mark --mark 0 -d 18.181.0.49 -j MARK --set-mark 1
-
 # scripts-primary.mit.edu goes to the primary (FWM 1) on all ports
 -A PREROUTING -d 18.181.0.182 -j MARK --set-mark 1
 -A PREROUTING -d 18.4.86.182 -j MARK --set-mark 1
diff --git a/server/fedora/config/etc/openafs/NetRestrict b/server/fedora/config/etc/openafs/NetRestrict
index 557f6824..bea76146 100644
--- a/server/fedora/config/etc/openafs/NetRestrict
+++ b/server/fedora/config/etc/openafs/NetRestrict
@@ -1,6 +1,5 @@
 18.181.0.46
 18.181.0.50
-18.181.0.49
 18.181.0.43
 18.181.0.29
 18.4.86.46
diff --git a/server/fedora/config/etc/postfix/virtual b/server/fedora/config/etc/postfix/virtual
index 5c8cb34b..2e3123bd 100644
--- a/server/fedora/config/etc/postfix/virtual
+++ b/server/fedora/config/etc/postfix/virtual
@@ -1,9 +1,2 @@
-webmaster@szs.mit.edu jdaniel@mit.edu
-webmaster@webzephyr.mit.edu jdaniel@mit.edu
-@szs.mit.edu webzephyr
-@webzephyr.mit.edu webzephyr
-# Domains also match here
 scripts-vhosts-old.mit.edu true
 scripts-vhosts.mit.edu true
-szs.mit.edu true
-webzephyr.mit.edu true
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:2 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:2
deleted file mode 100644
index beee4e38..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:2
+++ /dev/null
@@ -1,5 +0,0 @@
-DEVICE=lo:2
-IPADDR=18.181.0.49
-NETMASK=255.255.255.255
-NETWORK=18.181.0.0
-ONBOOT=yes

From ee42b1b4107f8c2af71d80cbb391e4c2039a45b6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 22:30:44 -0400
Subject: [PATCH 041/111] postfix: Move static virtual table from hash: to
 texthash:

This way, edits just require us to do the obvious thing (service
postfix reload), not a weird thing (postmap /etc/postfix/virtual).

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/postfix/main.cf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index 5aac4e81..fb2c6f9b 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -29,8 +29,8 @@ newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq
 queue_directory = /var/spool/postfix
 mail_owner = postfix
-virtual_alias_domains = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
-virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
+virtual_alias_domains = texthash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
+virtual_alias_maps = texthash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
 data_directory = /var/lib/postfix
 authorized_flush_users = fail
 authorized_mailq_users = /etc/postfix/mailq_users

From 19a7bb0d67bf440b5410dfd56b9fb045bdf44836 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 7 Jun 2018 23:58:30 -0400
Subject: [PATCH 042/111] postfix: Extend automatic address tagging to
 non-*.scripts.mit.edu hosts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We previously delivered tag@locker.scripts.mit.edu ↦
locker+tag@scripts.mit.edu.  Extend this to tag@any-domain ↦
locker+tag@scripts.mit.edu, not because this is a particularly
important feature, but mostly because this reduces the amount of
special-case configuration.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/postfix/main.cf      |  4 +--
 server/fedora/config/etc/postfix/virtual      |  2 --
 .../etc/postfix/virtual-alias-maps-ldap.cf    | 26 +++++++++----------
 server/fedora/config/etc/postfix/virtual_re   |  4 ---
 4 files changed, 15 insertions(+), 21 deletions(-)
 delete mode 100644 server/fedora/config/etc/postfix/virtual_re

diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index fb2c6f9b..38fae8bf 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -29,8 +29,8 @@ newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq
 queue_directory = /var/spool/postfix
 mail_owner = postfix
-virtual_alias_domains = texthash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
-virtual_alias_maps = texthash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
+virtual_alias_domains = !scripts.mit.edu, !scripts, !$myhostname, !scripts-test.mit.edu, !scripts-test, !localhost, scripts-vhosts.mit.edu, scripts-vhosts-old.mit.edu, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
+virtual_alias_maps = ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
 data_directory = /var/lib/postfix
 authorized_flush_users = fail
 authorized_mailq_users = /etc/postfix/mailq_users
diff --git a/server/fedora/config/etc/postfix/virtual b/server/fedora/config/etc/postfix/virtual
index 2e3123bd..e69de29b 100644
--- a/server/fedora/config/etc/postfix/virtual
+++ b/server/fedora/config/etc/postfix/virtual
@@ -1,2 +0,0 @@
-scripts-vhosts-old.mit.edu true
-scripts-vhosts.mit.edu true
diff --git a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf b/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
index 25034d2f..56c5973d 100644
--- a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
+++ b/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
@@ -1,22 +1,22 @@
-# Find any vhost with a name or alias matching the domain of the e-mail
-# address.  We're queried with an entire e-mail address, but are only
-# interested in checking whether the domain portion corresponds to a
-# vhost; we'll simply deliver any mail for the vhost to its owner, regardless
-# of the lefthand side of the address.  %d extracts only the domain.
-# We don't match the scripts.mit.edu vhost here because we don't want
-# to first resolve an arbitrary address to a scripts account, and then
-# end up sending their mail to the owners of the scripts.mit.edu vhost.
-# Once we've found the scriptsVhost object corresponding to the domain
-# the e-mail is for, we recursively search the suffix for the vhost's
-# scriptsVhostAccount, and take the uid from that object.  This uid is
-# the name of the locker that owns the vhost.  Protocol version 3 is
+# Find any vhost with a name or alias matching the domain of the
+# e-mail address.  We're queried with an entire e-mail address, but
+# are only interested in checking whether the domain portion
+# corresponds to a vhost; we'll simply deliver any mail for the vhost
+# to its owner, appending the original lefthand side of the address as
+# an extension.  %d extracts only the domain.  We don't match the
+# scripts.mit.edu vhost here because we don't want to first resolve an
+# arbitrary address to a scripts account, and then end up sending
+# their mail to the owners of the scripts.mit.edu vhost.  The uid
+# attribute, generated by the CoS template
+# cn=vhostOwnerCoS,ou=VirtualHosts,dc=scripts,dc=mit,dc=edu, is the
+# name of the locker that owns the vhost.  Protocol version 3 is
 # necessary to use ldapi.
 
 server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
 query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu)))
 result_attribute = uid
-special_result_attribute = scriptsVhostAccount
+result_format = %s+%U
 bind = no
 version = 3
 
diff --git a/server/fedora/config/etc/postfix/virtual_re b/server/fedora/config/etc/postfix/virtual_re
deleted file mode 100644
index 4c4a9beb..00000000
--- a/server/fedora/config/etc/postfix/virtual_re
+++ /dev/null
@@ -1,4 +0,0 @@
-/^(.*)@scripts\.mit\.edu$/ $1@scripts.mit.edu
-/^(abuse|hostmaster|noc|postmaster|security)@[^@]*\.scripts\.mit\.edu$/ $1@scripts.mit.edu
-/^(.*)@([^@]*)\.scripts\.mit\.edu$/ $2+$1
-/^([^@]*)\.scripts\.mit\.edu$/ true

From e0b213fd811f111a5aef574b245d03c4a19cead0 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 11 Jun 2018 08:45:23 -0400
Subject: [PATCH 043/111] Out with the -new, in with the -old

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/hosts                | 90 +++++++++----------
 .../etc/httpd/conf.d/scripts-vhost-names.conf | 48 +++++-----
 server/fedora/config/etc/ssh/shosts.equiv     | 12 +++
 3 files changed, 81 insertions(+), 69 deletions(-)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index 6ad8b435..b5cd3dba 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -9,18 +9,51 @@
 18.181.0.52	sql-old.mit.edu sql-old
 18.181.0.229	scripts-test-old.mit.edu scripts-test-old
 
-18.181.0.57	better-mousetrap.mit.edu better-mousetrap scripts1.mit.edu scripts1
-18.181.0.53	old-faithful.mit.edu old-faithful scripts2.mit.edu scripts2
-18.181.0.167	bees-knees.mit.edu bees-knees scripts3.mit.edu scripts3
-18.181.0.228	cats-whiskers.mit.edu cats-whiskers scripts4.mit.edu scripts4
-18.181.0.236	whole-enchilada.mit.edu whole-enchilada scripts5.mit.edu scripts5
-18.181.0.237	pancake-bunny.mit.edu pancake-bunny scripts6.mit.edu scripts6
-18.181.0.234	busy-beaver.mit.edu busy-beaver scripts7.mit.edu scripts7
-18.181.0.235	real-mccoy.mit.edu real-mccoy scripts8.mit.edu scripts8
-18.181.0.135	shining-armor.mit.edu shining-armor scripts9.mit.edu scripts9
-18.181.0.141	golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10
-18.181.0.203	miracle-cure.mit.edu miracle-cure scripts11.mit.edu scripts11
-18.181.0.204	lucky-star.mit.edu lucky-star scripts12.mit.edu scripts12
+18.181.0.57	better-mousetrap-old.mit.edu better-mousetrap-old
+18.181.0.53	old-faithful-old.mit.edu old-faithful-old
+18.181.0.167	bees-knees-old.mit.edu bees-knees-old
+18.181.0.228	cats-whiskers-old.mit.edu cats-whiskers-old
+18.181.0.236	whole-enchilada-old.mit.edu whole-enchilada-old
+18.181.0.237	pancake-bunny-old.mit.edu pancake-bunny-old
+18.181.0.234	busy-beaver-old.mit.edu busy-beaver-old
+18.181.0.235	real-mccoy-old.mit.edu real-mccoy-old
+18.181.0.135	shining-armor-old.mit.edu shining-armor-old
+18.181.0.141	golden-egg-old.mit.edu golden-egg-old
+18.181.0.203	miracle-cure-old.mit.edu miracle-cure-old
+18.181.0.204	lucky-star-old.mit.edu lucky-star-old
+
+172.21.0.57	better-mousetrap-old.mit.edu
+172.21.0.53	old-faithful-old.mit.edu
+172.21.0.167	bees-knees-old.mit.edu
+172.21.0.228	cats-whiskers-old.mit.edu
+172.21.0.236	whole-enchilada-old.mit.edu
+172.21.0.237	pancake-bunny-old.mit.edu
+172.21.0.234	busy-beaver-old.mit.edu
+172.21.0.235	real-mccoy-old.mit.edu
+172.21.0.135	shining-armor-old.mit.edu
+172.21.0.141	golden-egg-old.mit.edu
+172.21.0.203	miracle-cure-old.mit.edu
+172.21.0.204	lucky-star-old.mit.edu
+
+18.4.60.52	sql.mit.edu sql
+
+18.4.86.43	scripts.mit.edu scripts
+18.4.86.46	scripts-vhosts.mit.edu scripts-vhosts
+18.4.86.50	scripts-cert.mit.edu scripts-cert
+18.4.86.229	scripts-test.mit.edu scripts-test
+
+18.4.86.57	better-mousetrap.mit.edu better-mousetrap scripts1.mit.edu scripts1
+18.4.86.53	old-faithful.mit.edu old-faithful scripts2.mit.edu scripts2
+18.4.86.167	bees-knees.mit.edu bees-knees scripts3.mit.edu scripts3
+18.4.86.228	cats-whiskers.mit.edu cats-whiskers scripts4.mit.edu scripts4
+18.4.86.236	whole-enchilada.mit.edu whole-enchilada scripts5.mit.edu scripts5
+18.4.86.237	pancake-bunny.mit.edu pancake-bunny scripts6.mit.edu scripts6
+18.4.86.234	busy-beaver.mit.edu busy-beaver scripts7.mit.edu scripts7
+18.4.86.235	real-mccoy.mit.edu real-mccoy scripts8.mit.edu scripts8
+18.4.86.135	shining-armor.mit.edu shining-armor scripts9.mit.edu scripts9
+18.4.86.141	golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10
+18.4.86.203	miracle-cure.mit.edu miracle-cure scripts11.mit.edu scripts11
+18.4.86.204	lucky-star.mit.edu lucky-star scripts12.mit.edu scripts12
 
 172.21.0.57	better-mousetrap.mit.edu
 172.21.0.53	old-faithful.mit.edu
@@ -34,36 +67,3 @@
 172.21.0.141	golden-egg.mit.edu
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
-
-18.4.60.52	sql.mit.edu sql
-
-18.4.86.43	scripts.mit.edu scripts
-18.4.86.46	scripts-vhosts.mit.edu scripts-vhosts
-18.4.86.50	scripts-cert.mit.edu scripts-cert
-18.4.86.229	scripts-test.mit.edu scripts-test
-
-18.4.86.57	better-mousetrap-new.mit.edu better-mousetrap-new scripts1-new.mit.edu scripts1-new
-18.4.86.53	old-faithful-new.mit.edu old-faithful-new scripts2-new.mit.edu scripts2-new
-18.4.86.167	bees-knees-new.mit.edu bees-knees-new scripts3-new.mit.edu scripts3-new
-18.4.86.228	cats-whiskers-new.mit.edu cats-whiskers-new scripts4-new.mit.edu scripts4-new
-18.4.86.236	whole-enchilada-new.mit.edu whole-enchilada-new scripts5-new.mit.edu scripts5-new
-18.4.86.237	pancake-bunny-new.mit.edu pancake-bunny-new scripts6-new.mit.edu scripts6-new
-18.4.86.234	busy-beaver-new.mit.edu busy-beaver-new scripts7-new.mit.edu scripts7-new
-18.4.86.235	real-mccoy-new.mit.edu real-mccoy-new scripts8-new.mit.edu scripts8-new
-18.4.86.135	shining-armor-new.mit.edu shining-armor-new scripts9-new.mit.edu scripts9-new
-18.4.86.141	golden-egg-new.mit.edu golden-egg-new scripts10-new.mit.edu scripts10-new
-18.4.86.203	miracle-cure-new.mit.edu miracle-cure-new scripts11-new.mit.edu scripts11-new
-18.4.86.204	lucky-star-new.mit.edu lucky-star-new scripts12-new.mit.edu scripts12-new
-
-172.21.0.57	better-mousetrap-new.mit.edu
-172.21.0.53	old-faithful-new.mit.edu
-172.21.0.167	bees-knees-new.mit.edu
-172.21.0.228	cats-whiskers-new.mit.edu
-172.21.0.236	whole-enchilada-new.mit.edu
-172.21.0.237	pancake-bunny-new.mit.edu
-172.21.0.234	busy-beaver-new.mit.edu
-172.21.0.235	real-mccoy-new.mit.edu
-172.21.0.135	shining-armor-new.mit.edu
-172.21.0.141	golden-egg-new.mit.edu
-172.21.0.203	miracle-cure-new.mit.edu
-172.21.0.204	lucky-star-new.mit.edu
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
index 3f5fad32..da491e2d 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
@@ -3,31 +3,31 @@ ServerAlias \
     scripts-old.mit.edu scripts-old 18.181.0.43 \
     scripts-vhosts-old.mit.edu scripts-vhosts-old 18.181.0.46 \
     scripts-test-old.mit.edu scripts-test-old 18.181.0.229 \
-    better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 \
-    old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 \
-    bees-knees.mit.edu bees-knees b-k.mit.edu b-k scripts3.mit.edu scripts3 18.181.0.167 \
-    cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 \
-    whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 \
-    pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 \
-    busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 \
-    real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 \
-    shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 \
-    golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.181.0.141 \
-    miracle-cure.mit.edu miracle-cure m-c.mit.edu m-c scripts11.mit.edu scripts11 18.181.0.203 \
-    lucky-star.mit.edu lucky-star l-s.mit.edu l-s scripts12.mit.edu scripts12 18.181.0.204 \
+    better-mousetrap-old.mit.edu better-mousetrap-old 18.181.0.57 \
+    old-faithful-old.mit.edu old-faithful-old 18.181.0.53 \
+    bees-knees-old.mit.edu bees-knees-old 18.181.0.167 \
+    cats-whiskers-old.mit.edu cats-whiskers-old 18.181.0.228 \
+    whole-enchilada-old.mit.edu whole-enchilada-old 18.181.0.236 \
+    pancake-bunny-old.mit.edu pancake-bunny-old 18.181.0.237 \
+    busy-beaver-old.mit.edu busy-beaver-old 18.181.0.234 \
+    real-mccoy-old.mit.edu real-mccoy-old 18.181.0.235 \
+    shining-armor-old.mit.edu shining-armor-old 18.181.0.135 \
+    golden-egg-old.mit.edu golden-egg-old 18.181.0.141 \
+    miracle-cure-old.mit.edu miracle-cure-old 18.181.0.203 \
+    lucky-star-old.mit.edu lucky-star-old 18.181.0.204 \
     scripts 18.4.86.43 \
     scripts-vhosts.mit.edu scripts-vhosts 18.4.86.46 \
     scripts-test.mit.edu scripts-test 18.4.86.229 \
-    better-mousetrap-new.mit.edu better-mousetrap-new 18.4.86.57 \
-    old-faithful-new.mit.edu old-faithful-new 18.4.86.53 \
-    bees-knees-new.mit.edu bees-knees-new 18.4.86.167 \
-    cats-whiskers-new.mit.edu cats-whiskers-new 18.4.86.228 \
-    whole-enchilada-new.mit.edu whole-enchilada-new 18.4.86.236 \
-    pancake-bunny-new.mit.edu pancake-bunny-new 18.4.86.237 \
-    busy-beaver-new.mit.edu busy-beaver-new 18.4.86.234 \
-    real-mccoy-new.mit.edu real-mccoy-new 18.4.86.235 \
-    shining-armor-new.mit.edu shining-armor-new 18.4.86.135 \
-    golden-egg-new.mit.edu golden-egg-new 18.4.86.141 \
-    miracle-cure-new.mit.edu miracle-cure-new 18.4.86.203 \
-    lucky-star-new.mit.edu lucky-star-new 18.4.86.204 \
+    better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.4.86.57 \
+    old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.4.86.53 \
+    bees-knees.mit.edu bees-knees b-k.mit.edu b-k scripts3.mit.edu scripts3 18.4.86.167 \
+    cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.4.86.228 \
+    whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.4.86.236 \
+    pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.4.86.237 \
+    busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.4.86.234 \
+    real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.4.86.235 \
+    shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.4.86.135 \
+    golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.4.86.141 \
+    miracle-cure.mit.edu miracle-cure m-c.mit.edu m-c scripts11.mit.edu scripts11 18.4.86.203 \
+    lucky-star.mit.edu lucky-star l-s.mit.edu l-s scripts12.mit.edu scripts12 18.4.86.204 \
     localhost 127.0.0.1 ::1
diff --git a/server/fedora/config/etc/ssh/shosts.equiv b/server/fedora/config/etc/ssh/shosts.equiv
index c25ac176..62612cc9 100644
--- a/server/fedora/config/etc/ssh/shosts.equiv
+++ b/server/fedora/config/etc/ssh/shosts.equiv
@@ -10,6 +10,18 @@ whole-enchilada.mit.edu
 golden-egg.mit.edu
 miracle-cure.mit.edu
 lucky-star.mit.edu
+better-mousetrap-old.mit.edu
+old-faithful-old.mit.edu
+bees-knees-old.mit.edu
+cats-whiskers-old.mit.edu
+pancake-bunny-old.mit.edu
+busy-beaver-old.mit.edu
+real-mccoy-old.mit.edu
+shining-armor-old.mit.edu
+whole-enchilada-old.mit.edu
+golden-egg-old.mit.edu
+miracle-cure-old.mit.edu
+lucky-star-old.mit.edu
 better-mousetrap-new.mit.edu
 old-faithful-new.mit.edu
 bees-knees-new.mit.edu

From 72a3afba17afc466c42d7d7a22df42d6cd09fbf6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 11 Jun 2018 08:54:20 -0400
Subject: [PATCH 044/111] Hack up /etc/hosts to get Postfix to listen on all
 IPs

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/hosts | 64 +++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index b5cd3dba..cf785545 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -3,38 +3,6 @@
 127.0.0.1	localhost.localdomain localhost
 ::1		localhost.localdomain localhost
 
-18.181.0.43	scripts-old.mit.edu scripts-old
-18.181.0.46	scripts-vhosts-old.mit.edu scripts-vhosts-old
-18.181.0.50	scripts-cert-old.mit.edu scripts-cert-old
-18.181.0.52	sql-old.mit.edu sql-old
-18.181.0.229	scripts-test-old.mit.edu scripts-test-old
-
-18.181.0.57	better-mousetrap-old.mit.edu better-mousetrap-old
-18.181.0.53	old-faithful-old.mit.edu old-faithful-old
-18.181.0.167	bees-knees-old.mit.edu bees-knees-old
-18.181.0.228	cats-whiskers-old.mit.edu cats-whiskers-old
-18.181.0.236	whole-enchilada-old.mit.edu whole-enchilada-old
-18.181.0.237	pancake-bunny-old.mit.edu pancake-bunny-old
-18.181.0.234	busy-beaver-old.mit.edu busy-beaver-old
-18.181.0.235	real-mccoy-old.mit.edu real-mccoy-old
-18.181.0.135	shining-armor-old.mit.edu shining-armor-old
-18.181.0.141	golden-egg-old.mit.edu golden-egg-old
-18.181.0.203	miracle-cure-old.mit.edu miracle-cure-old
-18.181.0.204	lucky-star-old.mit.edu lucky-star-old
-
-172.21.0.57	better-mousetrap-old.mit.edu
-172.21.0.53	old-faithful-old.mit.edu
-172.21.0.167	bees-knees-old.mit.edu
-172.21.0.228	cats-whiskers-old.mit.edu
-172.21.0.236	whole-enchilada-old.mit.edu
-172.21.0.237	pancake-bunny-old.mit.edu
-172.21.0.234	busy-beaver-old.mit.edu
-172.21.0.235	real-mccoy-old.mit.edu
-172.21.0.135	shining-armor-old.mit.edu
-172.21.0.141	golden-egg-old.mit.edu
-172.21.0.203	miracle-cure-old.mit.edu
-172.21.0.204	lucky-star-old.mit.edu
-
 18.4.60.52	sql.mit.edu sql
 
 18.4.86.43	scripts.mit.edu scripts
@@ -67,3 +35,35 @@
 172.21.0.141	golden-egg.mit.edu
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
+
+18.181.0.43	scripts-old.mit.edu scripts-old
+18.181.0.46	scripts-vhosts-old.mit.edu scripts-vhosts-old
+18.181.0.50	scripts-cert-old.mit.edu scripts-cert-old
+18.181.0.52	sql-old.mit.edu sql-old
+18.181.0.229	scripts-test-old.mit.edu scripts-test-old
+
+18.181.0.57	better-mousetrap-old.mit.edu better-mousetrap.mit.edu better-mousetrap-old
+18.181.0.53	old-faithful-old.mit.edu old-faithful.mit.edu old-faithful-old
+18.181.0.167	bees-knees-old.mit.edu bees-knees.mit.edu bees-knees-old
+18.181.0.228	cats-whiskers-old.mit.edu cats-whiskers.mit.edu cats-whiskers-old
+18.181.0.236	whole-enchilada-old.mit.edu whole-enchilada.mit.edu whole-enchilada-old
+18.181.0.237	pancake-bunny-old.mit.edu pancake-bunny.mit.edu pancake-bunny-old
+18.181.0.234	busy-beaver-old.mit.edu busy-beaver.mit.edu busy-beaver-old
+18.181.0.235	real-mccoy-old.mit.edu real-mccoy.mit.edu real-mccoy-old
+18.181.0.135	shining-armor-old.mit.edu shining-armor.mit.edu shining-armor-old
+18.181.0.141	golden-egg-old.mit.edu golden-egg.mit.edu golden-egg-old
+18.181.0.203	miracle-cure-old.mit.edu miracle-cure.mit.edu miracle-cure-old
+18.181.0.204	lucky-star-old.mit.edu lucky-star.mit.edu lucky-star-old
+
+172.21.0.57	better-mousetrap-old.mit.edu
+172.21.0.53	old-faithful-old.mit.edu
+172.21.0.167	bees-knees-old.mit.edu
+172.21.0.228	cats-whiskers-old.mit.edu
+172.21.0.236	whole-enchilada-old.mit.edu
+172.21.0.237	pancake-bunny-old.mit.edu
+172.21.0.234	busy-beaver-old.mit.edu
+172.21.0.235	real-mccoy-old.mit.edu
+172.21.0.135	shining-armor-old.mit.edu
+172.21.0.141	golden-egg-old.mit.edu
+172.21.0.203	miracle-cure-old.mit.edu
+172.21.0.204	lucky-star-old.mit.edu

From 65262f7b4ed9f300a470c431c7270369ad24e55d Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Tue, 12 Jun 2018 00:55:15 -0400
Subject: [PATCH 045/111] Goodbye, 18.181.0.0/16

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/inventory.yml                         | 26 --------
 .../files/scripts-iptables.rules.v4           |  6 --
 ansible/scripts-directors.yml                 | 10 ---
 server/fedora/config/etc/hosts                | 32 ----------
 .../etc/httpd/conf.d/181-interstitial.conf    | 11 ----
 .../etc/httpd/conf.d/scripts-special.conf     |  9 ---
 .../etc/httpd/conf.d/scripts-vhost-names.conf | 15 -----
 .../fedora/config/etc/httpd/conf/httpd.conf   | 40 +++---------
 .../config/etc/httpd/export-scripts-certs     |  4 +-
 .../scripts-special/181-interstitial.shtml    | 63 -------------------
 server/fedora/config/etc/openafs/NetRestrict  |  4 --
 server/fedora/config/etc/ssh/ssh_known_hosts  | 24 +++----
 .../etc/sysconfig/network-scripts/ifcfg-lo:0  |  5 --
 .../etc/sysconfig/network-scripts/ifcfg-lo:1  |  5 --
 .../etc/sysconfig/network-scripts/ifcfg-lo:3  |  5 --
 .../etc/sysconfig/network-scripts/ifcfg-lo:4  |  5 --
 .../sysconfig/network-scripts/route-vlan181   |  2 -
 .../sysconfig/network-scripts/route-vlan461   | 17 -----
 .../sysconfig/network-scripts/rule-vlan181    |  1 -
 19 files changed, 20 insertions(+), 264 deletions(-)
 delete mode 100644 server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
 delete mode 100644 server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:0
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:1
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:3
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:4
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/rule-vlan181

diff --git a/ansible/inventory.yml b/ansible/inventory.yml
index e6aa6686..94d2a439 100644
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -18,34 +18,18 @@ all:
     - username: vasilvv
 
     vips:
-    - host: scripts-director.mit.edu
-      ip: 18.181.0.132
-      cidr_netmask: 16
-      nic: vlan181
     - host: scripts-director-new.mit.edu
       ip: 18.4.86.132
       cidr_netmask: 24
       nic: vlan486
-    - host: scripts.mit.edu
-      ip: 18.181.0.43
-      cidr_netmask: 16
-      nic: vlan181
     - host: scripts-new.mit.edu
       ip: 18.4.86.43
       cidr_netmask: 24
       nic: vlan486
-    - host: scripts-cert.mit.edu
-      ip: 18.181.0.50
-      cidr_netmask: 16
-      nic: vlan181
     - host: scripts-cert-new.mit.edu
       ip: 18.4.86.50
       cidr_netmask: 24
       nic: vlan486
-    - host: scripts-vhosts.mit.edu
-      ip: 18.181.0.46
-      cidr_netmask: 16
-      nic: vlan181
     - host: scripts-vhosts-new.mit.edu
       ip: 18.4.86.46
       cidr_netmask: 24
@@ -54,10 +38,6 @@ all:
       ip: 18.4.86.229
       cidr_netmask: 24
       nic: vlan486
-    - host: sipb.mit.edu
-      ip: 18.181.0.29
-      cidr_netmask: 16
-      nic: vlan181
     - host: sipb-new.mit.edu
       ip: 18.4.86.29
       cidr_netmask: 24
@@ -71,18 +51,12 @@ all:
     scripts-directors:
       hosts:
         george-lucas.mit.edu:
-          vlan181_address: 18.181.0.220
-          vlan181_hwaddr: 00:50:56:87:9b:7d
           vlan486_address: 18.4.86.220
           vlan486_hwaddr: 00:50:56:87:03:c5
         joss-whedon.mit.edu:
-          vlan181_address: 18.181.0.226
-          vlan181_hwaddr: 00:50:56:87:2c:8e
           vlan486_address: 18.4.86.226
           vlan486_hwaddr: 00:50:56:87:c2:23
         christopher-nolan.mit.edu:
-          vlan181_address: 18.181.0.111
-          vlan181_hwaddr: 00:50:56:87:07:a0
           vlan486_address: 18.4.86.111
           vlan486_hwaddr: 00:50:56:87:d4:4e
 
diff --git a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
index 36018bbc..9abb3756 100644
--- a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
+++ b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
@@ -13,13 +13,10 @@
 :scripts - [0:0]
 
 # scripts-vhosts.mit.edu
--A PREROUTING -d 18.181.0.46 -j scripts
 -A PREROUTING -d 18.4.86.46 -j scripts
 # scripts.mit.edu
--A PREROUTING -d 18.181.0.43 -j scripts
 -A PREROUTING -d 18.4.86.43 -j scripts
 # scripts-cert.mit.edu
--A PREROUTING -d 18.181.0.50 -j scripts
 -A PREROUTING -d 18.4.86.50 -j scripts
 
 # Send Apache-bound traffic to FWM 2 (load-balanced)
@@ -32,16 +29,13 @@
 -A scripts -m mark --mark 0 -j MARK --set-mark 1
 
 # scripts-primary.mit.edu goes to the primary (FWM 1) on all ports
--A PREROUTING -d 18.181.0.182 -j MARK --set-mark 1
 -A PREROUTING -d 18.4.86.182 -j MARK --set-mark 1
 
 # sipb.mit.edu acts like regular scripts for the web ports, everything else goes to i-hate-penguins.xvm.mit.edu (FWM 4)
--A PREROUTING -m tcp -m multiport -p tcp -d 18.181.0.29 --dports 80,443,444 -j MARK --set-mark 2
 -A PREROUTING -m tcp -m multiport -p tcp -d 18.4.86.29 --dports 80,443,444 -j MARK --set-mark 2
 # Also send port 25 there too because the IP is shared with rtfm.mit.edu (fix this after renaming the machine)
 #-A PREROUTING -m tcp -m multiport -p tcp -d 18.181.0.29 --dports 20,21,25 -j MARK --set-mark 4
 # All else to i-hate-penguins
--A PREROUTING -m mark --mark 0 -d 18.181.0.29 -j MARK --set-mark 4
 -A PREROUTING -m mark --mark 0 -d 18.4.86.29 -j MARK --set-mark 4
 
 COMMIT
diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index 1cf3a8fe..032351f2 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -3,16 +3,6 @@
   vars:
     network_allow_service_restart: false
     network_ether_interfaces:
-    - device: vlan181
-      hwaddr: "{{ vlan181_hwaddr }}"
-      cidr: "{{ vlan181_address }}/16"
-      gateway: 18.181.0.1
-      options:
-      - metric 2
-      - up ip route add 18.181.0.0/16 table 181 dev vlan181
-      - up ip route add default table 181 via 18.181.0.1 dev vlan181
-      - up ip rule add from 18.181.0.0/16 table 181
-      - down ip rule del table 181
     - device: vlan486
       hwaddr: "{{ vlan486_hwaddr }}"
       cidr: "{{ vlan486_address }}/24"
diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index cf785545..5695fdb0 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -35,35 +35,3 @@
 172.21.0.141	golden-egg.mit.edu
 172.21.0.203	miracle-cure.mit.edu
 172.21.0.204	lucky-star.mit.edu
-
-18.181.0.43	scripts-old.mit.edu scripts-old
-18.181.0.46	scripts-vhosts-old.mit.edu scripts-vhosts-old
-18.181.0.50	scripts-cert-old.mit.edu scripts-cert-old
-18.181.0.52	sql-old.mit.edu sql-old
-18.181.0.229	scripts-test-old.mit.edu scripts-test-old
-
-18.181.0.57	better-mousetrap-old.mit.edu better-mousetrap.mit.edu better-mousetrap-old
-18.181.0.53	old-faithful-old.mit.edu old-faithful.mit.edu old-faithful-old
-18.181.0.167	bees-knees-old.mit.edu bees-knees.mit.edu bees-knees-old
-18.181.0.228	cats-whiskers-old.mit.edu cats-whiskers.mit.edu cats-whiskers-old
-18.181.0.236	whole-enchilada-old.mit.edu whole-enchilada.mit.edu whole-enchilada-old
-18.181.0.237	pancake-bunny-old.mit.edu pancake-bunny.mit.edu pancake-bunny-old
-18.181.0.234	busy-beaver-old.mit.edu busy-beaver.mit.edu busy-beaver-old
-18.181.0.235	real-mccoy-old.mit.edu real-mccoy.mit.edu real-mccoy-old
-18.181.0.135	shining-armor-old.mit.edu shining-armor.mit.edu shining-armor-old
-18.181.0.141	golden-egg-old.mit.edu golden-egg.mit.edu golden-egg-old
-18.181.0.203	miracle-cure-old.mit.edu miracle-cure.mit.edu miracle-cure-old
-18.181.0.204	lucky-star-old.mit.edu lucky-star.mit.edu lucky-star-old
-
-172.21.0.57	better-mousetrap-old.mit.edu
-172.21.0.53	old-faithful-old.mit.edu
-172.21.0.167	bees-knees-old.mit.edu
-172.21.0.228	cats-whiskers-old.mit.edu
-172.21.0.236	whole-enchilada-old.mit.edu
-172.21.0.237	pancake-bunny-old.mit.edu
-172.21.0.234	busy-beaver-old.mit.edu
-172.21.0.235	real-mccoy-old.mit.edu
-172.21.0.135	shining-armor-old.mit.edu
-172.21.0.141	golden-egg-old.mit.edu
-172.21.0.203	miracle-cure-old.mit.edu
-172.21.0.204	lucky-star-old.mit.edu
diff --git a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf b/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
deleted file mode 100644
index aea34b58..00000000
--- a/server/fedora/config/etc/httpd/conf.d/181-interstitial.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-<Location /__scripts/181-interstitial/>
-    Redirect 503 /__scripts/181-interstitial/
-    SetEnvIf REQUEST_URI ^/__scripts/181-interstitial(.*)$ ORIGINAL_URI=$1
-    ErrorDocument 503 /__scripts/181-interstitial.shtml
-</Location>
-
-<If "%{HTTP_COOKIE} !~ /__scripts-dismiss-181-interstitial=1/ && %{REQUEST_URI} !~ m#^/__scripts/#">
-    Header always set Vary "Cookie"
-    RewriteEngine On
-    RewriteRule ^ /__scripts/181-interstitial%{REQUEST_URI} [R,L]
-</If>
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
index e4d15b58..d3d985c2 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
@@ -55,12 +55,3 @@ ErrorDocument 403 /__scripts/forbidden.shtml
 
 # Generated from http://kb.mit.edu/confluence/x/F4DCAg, 2017-06-27
 SetEnvIf REMOTE_ADDR ^(10|18\.(\d\d?|1([0-2]\d|3[1-57-9]|4[0-369]|5[024-9]|6[135-9]|7[0-46-8]|8[013679]|9[02389])|2(29|3[089]|4[0-578]|5[0-245]))|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET
-
-<Location /__scripts/dismiss-181-interstitial>
-    Header always set Set-Cookie "__scripts-dismiss-181-interstitial=1; Path=/; Max-Age=43200"
-    Redirect 303 /__scripts/dismiss-181-interstitial/ /
-</Location>
-
-<Location /__scripts/181-interstitial/>
-    Redirect 303 /__scripts/181-interstitial/ /
-</Location>
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
index da491e2d..772be79a 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
@@ -1,20 +1,5 @@
 ServerName scripts.mit.edu
 ServerAlias \
-    scripts-old.mit.edu scripts-old 18.181.0.43 \
-    scripts-vhosts-old.mit.edu scripts-vhosts-old 18.181.0.46 \
-    scripts-test-old.mit.edu scripts-test-old 18.181.0.229 \
-    better-mousetrap-old.mit.edu better-mousetrap-old 18.181.0.57 \
-    old-faithful-old.mit.edu old-faithful-old 18.181.0.53 \
-    bees-knees-old.mit.edu bees-knees-old 18.181.0.167 \
-    cats-whiskers-old.mit.edu cats-whiskers-old 18.181.0.228 \
-    whole-enchilada-old.mit.edu whole-enchilada-old 18.181.0.236 \
-    pancake-bunny-old.mit.edu pancake-bunny-old 18.181.0.237 \
-    busy-beaver-old.mit.edu busy-beaver-old 18.181.0.234 \
-    real-mccoy-old.mit.edu real-mccoy-old 18.181.0.235 \
-    shining-armor-old.mit.edu shining-armor-old 18.181.0.135 \
-    golden-egg-old.mit.edu golden-egg-old 18.181.0.141 \
-    miracle-cure-old.mit.edu miracle-cure-old 18.181.0.203 \
-    lucky-star-old.mit.edu lucky-star-old 18.181.0.204 \
     scripts 18.4.86.43 \
     scripts-vhosts.mit.edu scripts-vhosts 18.4.86.46 \
     scripts-test.mit.edu scripts-test 18.4.86.229 \
diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index 54e2fb9f..bd0f358f 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -273,7 +273,7 @@ ProxyRequests Off
     ErrorDocument 404 "No favicon.ico.
 </Location>
 
-<VirtualHost 18.181.0.50:80 18.4.86.50:80>
+<VirtualHost 18.4.86.50:80>
     ServerName scripts-cert.mit.edu
     ServerAlias scripts-cert
     Include conf.d/scripts-vhost.conf
@@ -286,15 +286,8 @@ ProxyRequests Off
     Include conf.d/vhost_ldap.conf
     Include conf.d/vhosts-common.conf
 </VirtualHost>
-# LDAP vhost, w00t w00t
-<VirtualHost 18.181.0.46:80>
-    ServerName localhost
-    Include conf.d/vhost_ldap.conf
-    Include conf.d/vhosts-common.conf
-    Include conf.d/181-interstitial.conf
-</VirtualHost>
 
-<VirtualHost *:80 18.181.0.46:80>
+<VirtualHost *:80>
     Include conf.d/scripts-vhost-names.conf
     Include conf.d/scripts-vhost.conf
     Include conf.d/vhosts-common.conf
@@ -328,7 +321,7 @@ ProxyRequests Off
     SSLHonorCipherOrder on
     SSLCompression off
 
-    <VirtualHost 18.181.0.50:443 18.181.0.50:444 18.4.86.50:443 18.4.86.50:444>
+    <VirtualHost 18.4.86.50:443 18.4.86.50:444>
         ServerName scripts-cert.mit.edu
         ServerAlias scripts-cert
         Include conf.d/scripts-vhost.conf
@@ -337,14 +330,14 @@ ProxyRequests Off
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
         Include conf.d/vhosts-common-ssl-cert.conf
     </VirtualHost>
-    <VirtualHost 18.181.0.43:443 18.4.86.43:443>
+    <VirtualHost 18.4.86.43:443>
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
     </VirtualHost>
-    <VirtualHost 18.181.0.43:444 18.4.86.43:444>
+    <VirtualHost 18.4.86.43:444>
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
@@ -361,15 +354,6 @@ ProxyRequests Off
         Include conf.d/vhosts-common-ssl.conf
     </VirtualHost>
     # LDAP vhost, w00t w00t
-    <VirtualHost 18.181.0.46:443>
-        ServerName localhost
-        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
-        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
-        Include conf.d/vhost_ldap.conf
-        Include conf.d/vhosts-common-ssl.conf
-        Include conf.d/181-interstitial.conf
-    </VirtualHost>
-    # LDAP vhost, w00t w00t
     <VirtualHost *:444>
         ServerName localhost
         SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
@@ -378,24 +362,14 @@ ProxyRequests Off
         Include conf.d/vhosts-common-ssl.conf
         Include conf.d/vhosts-common-ssl-cert.conf
     </VirtualHost>
-    # LDAP vhost, w00t w00t
-    <VirtualHost 18.181.0.46:444>
-        ServerName localhost
-        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
-        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
-        Include conf.d/vhost_ldap.conf
-        Include conf.d/vhosts-common-ssl.conf
-        Include conf.d/vhosts-common-ssl-cert.conf
-        Include conf.d/181-interstitial.conf
-    </VirtualHost>
-    <VirtualHost *:443 18.181.0.46:443>
+    <VirtualHost *:443>
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
     </VirtualHost>
-    <VirtualHost *:444 18.181.0.46:444>
+    <VirtualHost *:444>
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
         Include conf.d/scripts-vhost-names.conf
diff --git a/server/fedora/config/etc/httpd/export-scripts-certs b/server/fedora/config/etc/httpd/export-scripts-certs
index 808d9629..4002928e 100755
--- a/server/fedora/config/etc/httpd/export-scripts-certs
+++ b/server/fedora/config/etc/httpd/export-scripts-certs
@@ -88,7 +88,7 @@ def conf(vhost):
             cert_file.write(certs_pem)
         os.rename(cert_path + '.new', cert_path)
 
-    for ip, port in itertools.product(['*', '18.181.0.46'], [443, 444]):
+    for ip, port in itertools.product(['*'], [443, 444]):
         yield '<VirtualHost {}:{}>\n'.format(ip, port)
         yield '\tServerName {}\n'.format(name)
         if aliases:
@@ -99,8 +99,6 @@ def conf(vhost):
             yield '\tInclude conf.d/vhosts-common-ssl-cert.conf\n'
         yield '\tSSLCertificateFile {}\n'.format(cert_path)
         yield '\tSSLCertificateKeyFile {}\n'.format(key_path)
-        if ip == '18.181.0.46':
-            yield '\tInclude conf.d/181-interstitial.conf\n'
         yield '</VirtualHost>\n'
 
 with open(os.path.join(CERTS_DIR, '.lock'), 'w') as lock_file:
diff --git a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml b/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
deleted file mode 100644
index 9553b5c5..00000000
--- a/server/fedora/config/etc/httpd/scripts-special/181-interstitial.shtml
+++ /dev/null
@@ -1,63 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <meta charset="UTF-8" />
-    <title>DNS update required for <!--#echo var="SERVER_NAME" --></title>
-    <style>
-      html { background: #2050A0; }
-      body { margin: 1em auto; border: 1px solid black; background: #FFF; max-width: 54em; padding: 1em 3em; font: 80%/1.5 'Lucida Grande', 'Lucida Sans Unicode', Verdana, sans-serif; }
-      summary { cursor: pointer; }
-      pre { white-space: pre-wrap; }
-      .red { color: #d33; }
-    </style>
-  </head>
-  <body>
-    <h1 class="red">DNS update required for <!--#echo var="SERVER_NAME" --></h1>
-
-    <h2 id="time"></h2>
-
-    <p><em>This is an urgent message from the scripts.mit.edu team to the owner of <!--#echo var="SERVER_NAME" -->.  If you are not the owner, please pass this message along to them.  (They should have received several copies by email.)</em></p>
-
-    <hr />
-
-    <p><!--#echo var="SERVER_NAME" --> is currently connected to the Scripts server via a DNS A record for 18.181.0.46.  As a result of IS&amp;T selling a large portion of MIT’s IPv4 address space to Amazon, we have been forced to migrate the Scripts server to a new address.  To keep <!--#echo var="SERVER_NAME" --> working, you must update your DNS records to follow this migration.</p>
-
-    <p>Specifically: <strong>you need to update this A record from the old address ‘18.181.0.46’ to the new address ‘18.4.86.46’.</strong></p>
-
-    <p>Alternatively, you may be able to replace the A record with a CNAME record for ‘scripts-vhosts.mit.edu.’, keeping in mind the <a href="https://scripts.mit.edu/faq/14">caveats noted in our FAQ</a>.</p>
-
-    <p>These changes must be made with your domain registrar or external DNS provider.  There is no need to respond to this notice or otherwise contact the Scripts team.</p>
-
-    <p>(The Scripts team does not control your DNS and cannot make the updates for you.  While we may be able to provide advice on a best-effort volunteer basis, keep in mind that we are sending similar notices regarding nearly 300 hostnames, so responses, if any, may be delayed.)</p>
-
-    <p>Both the old and new addresses are functional at present, but you must change to the new address by <strong>June 12</strong>: at that point, the old address 18.181.0.46 will stop pointing to Scripts and might be repurposed by some arbitrary Amazon cloud customer.</p>
-
-    <p>We apologize for any inconvenience.</p>
-
-    <hr />
-
-    <p><a href="/__scripts/dismiss-181-interstitial<!--#echo var="REDIRECT_ORIGINAL_URI" -->">I understand; continue to <!--#echo var="REQUEST_SCHEME" -->://<!--#echo var="HTTP_HOST" --><!--#echo var="REDIRECT_ORIGINAL_URI" --></a></p>
-
-    <script>
-      "use strict";
-      document.addEventListener("DOMContentLoaded", function() {
-        var timeElt = document.getElementById("time");
-        (function update() {
-          var left = 1528776000000 - Date.now();
-          var show = Math.ceil(left / 1000);
-          if (show > 0) {
-            timeElt.textContent =
-              "Time remaining: " +
-              Math.floor(show / 86400) + " days " +
-              ("0" + Math.floor((show % 86400) / 3600)).slice(-2) + ":" +
-              ("0" + Math.floor((show % 3600) / 60)).slice(-2) + ":" +
-              ("0" + show % 60).slice(-2);
-            setTimeout(update, left - 1000 * (show - 1));
-          } else {
-            timeElt.textContent = "";
-          }
-        })();
-      });
-    </script>
-  </body>
-</html>
diff --git a/server/fedora/config/etc/openafs/NetRestrict b/server/fedora/config/etc/openafs/NetRestrict
index bea76146..01e6104d 100644
--- a/server/fedora/config/etc/openafs/NetRestrict
+++ b/server/fedora/config/etc/openafs/NetRestrict
@@ -1,7 +1,3 @@
-18.181.0.46
-18.181.0.50
-18.181.0.43
-18.181.0.29
 18.4.86.46
 18.4.86.50
 18.4.86.43
diff --git a/server/fedora/config/etc/ssh/ssh_known_hosts b/server/fedora/config/etc/ssh/ssh_known_hosts
index 7c6a004f..1f5e8e17 100644
--- a/server/fedora/config/etc/ssh/ssh_known_hosts
+++ b/server/fedora/config/etc/ssh/ssh_known_hosts
@@ -1,12 +1,12 @@
-real-mccoy.mit.edu,real-mccoy,real-mccoy-new.mit.edu,real-mccoy-new,r-m.mit.edu,r-m,scripts8.mit.edu,scripts8,18.181.0.235,18.4.86.235,172.21.0.235 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-busy-beaver.mit.edu,busy-beaver,busy-beaver-new.mit.edu,busy-beaver-new,b-b.mit.edu,b-b,scripts7.mit.edu,scripts7,18.181.0.234,18.4.86.234,172.21.0.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDzAEXlTb1hcGBgfuteR9xdB/jZCe+lf+GOBWz4UthUpJKal+x20MVZr3R7u+BkbX4NNa5PC2QUpAZwTOI8Izw=
-pancake-bunny.mit.edu,pancake-bunny,pancake-bunny-new.mit.edu,pancake-bunny-new,p-b.mit.edu,p-b,scripts6.mit.edu,scripts6,18.181.0.237,18.4.86.237,172.21.0.237 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-cats-whiskers.mit.edu,cats-whiskers,cats-whiskers-new.mit.edu,cats-whiskers-new,c-w.mit.edu,c-w,scripts4.mit.edu,scripts4,18.181.0.228,18.4.86.228,172.21.0.228 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-bees-knees.mit.edu,bees-knees,bees-knees-new.mit.edu,bees-knees-new,b-k.mit.edu,b-k,scripts3.mit.edu,scripts3,18.181.0.167,18.4.86.167,172.21.0.167 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-better-mousetrap.mit.edu,better-mousetrap,better-mousetrap-new.mit.edu,better-mousetrap-new,b-m.mit.edu,b-m,scripts1.mit.edu,scripts1,18.181.0.57,18.4.86.57,172.21.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-old-faithful.mit.edu,old-faithful,old-faithful-new.mit.edu,old-faithful-new,o-f.mit.edu,o-f,scripts2.mit.edu,scripts2,18.181.0.53,18.4.86.53,172.21.0.53 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-whole-enchilada.mit.edu,whole-enchilada,whole-enchilada-new.mit.edu,whole-enchilada-new,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.181.0.236,18.4.86.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-shining-armor.mit.edu,shining-armor,shining-armor-new.mit.edu,shining-armor-new,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.181.0.135,18.4.86.135,172.21.0.135 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
-golden-egg.mit.edu,golden-egg,golden-egg-new.mit.edu,golden-egg-new,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.181.0.141,18.4.86.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-miracle-cure.mit.edu,miracle-cure,miracle-cure-new.mit.edu,miracle-cure-new,m-c.mit.edu,m-c,scripts11.mit.edu,scripts11,18.181.0.203,18.4.86.203,172.21.0.203 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
-lucky-star.mit.edu,lucky-star,lucky-star-new.mit.edu,lucky-star-new,l-s.mit.edu,l-s,scripts12.mit.edu,scripts12,18.181.0.204,18.4.86.204,172.21.0.204 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+real-mccoy.mit.edu,real-mccoy,r-m.mit.edu,r-m,scripts8.mit.edu,scripts8,18.4.86.235,172.21.0.235 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+busy-beaver.mit.edu,busy-beaver,b-b.mit.edu,b-b,scripts7.mit.edu,scripts7,18.4.86.234,172.21.0.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDzAEXlTb1hcGBgfuteR9xdB/jZCe+lf+GOBWz4UthUpJKal+x20MVZr3R7u+BkbX4NNa5PC2QUpAZwTOI8Izw=
+pancake-bunny.mit.edu,pancake-bunny,p-b.mit.edu,p-b,scripts6.mit.edu,scripts6,18.4.86.237,172.21.0.237 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+cats-whiskers.mit.edu,cats-whiskers,c-w.mit.edu,c-w,scripts4.mit.edu,scripts4,18.4.86.228,172.21.0.228 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+bees-knees.mit.edu,bees-knees,b-k.mit.edu,b-k,scripts3.mit.edu,scripts3,18.4.86.167,172.21.0.167 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+better-mousetrap.mit.edu,better-mousetrap,b-m.mit.edu,b-m,scripts1.mit.edu,scripts1,18.4.86.57,172.21.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+old-faithful.mit.edu,old-faithful,o-f.mit.edu,o-f,scripts2.mit.edu,scripts2,18.4.86.53,172.21.0.53 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+whole-enchilada.mit.edu,whole-enchilada,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.4.86.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+shining-armor.mit.edu,shining-armor,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.4.86.135,172.21.0.135 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWBC+fWZjJf4YzjAr/uc8kZOewcjJ8b/YampOTw/Tut73drvDfUzg9Xevgvb4Q2hi9VuW0IZQnT+pGwD1zj7pQ=
+golden-egg.mit.edu,golden-egg,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.4.86.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+miracle-cure.mit.edu,miracle-cure,m-c.mit.edu,m-c,scripts11.mit.edu,scripts11,18.4.86.203,172.21.0.203 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+lucky-star.mit.edu,lucky-star,l-s.mit.edu,l-s,scripts12.mit.edu,scripts12,18.4.86.204,172.21.0.204 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:0 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:0
deleted file mode 100644
index df8c23ae..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:0
+++ /dev/null
@@ -1,5 +0,0 @@
-DEVICE=lo:0
-IPADDR=18.181.0.46
-NETMASK=255.255.255.255
-NETWORK=18.181.0.0
-ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:1 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:1
deleted file mode 100644
index 577f9fa8..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:1
+++ /dev/null
@@ -1,5 +0,0 @@
-DEVICE=lo:1
-IPADDR=18.181.0.50
-NETMASK=255.255.255.255
-NETWORK=18.181.0.0
-ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:3 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:3
deleted file mode 100644
index 940b9119..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:3
+++ /dev/null
@@ -1,5 +0,0 @@
-DEVICE=lo:3
-IPADDR=18.181.0.43
-NETMASK=255.255.255.255
-NETWORK=18.181.0.0
-ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:4 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:4
deleted file mode 100644
index b792628e..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:4
+++ /dev/null
@@ -1,5 +0,0 @@
-DEVICE=lo:4
-IPADDR=18.181.0.29
-NETMASK=255.255.255.255
-NETWORK=18.181.0.0
-ONBOOT=yes
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
deleted file mode 100644
index fe43a835..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan181
+++ /dev/null
@@ -1,2 +0,0 @@
-18.181.0.0/16 table 181 dev vlan181
-default table 181 via 18.181.0.1 dev vlan181
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index 095b3a18..2c7c24ac 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -1,21 +1,4 @@
-172.21.0.0/16 table 181 dev vlan461
 172.21.0.0/16 table 486 dev vlan461
-18.181.0.56 via 172.21.0.56 dev vlan461
-18.181.0.52 via 172.21.0.52 dev vlan461
-18.181.0.199 via 172.21.0.199 dev vlan461
-18.181.0.200 via 172.21.0.200 dev vlan461
-18.181.0.57 via 172.21.0.57 dev vlan461
-18.181.0.53 via 172.21.0.53 dev vlan461
-18.181.0.167 via 172.21.0.167 dev vlan461
-18.181.0.228 via 172.21.0.228 dev vlan461
-18.181.0.236 via 172.21.0.236 dev vlan461
-18.181.0.237 via 172.21.0.237 dev vlan461
-18.181.0.234 via 172.21.0.234 dev vlan461
-18.181.0.235 via 172.21.0.235 dev vlan461
-18.181.0.135 via 172.21.0.135 dev vlan461
-18.181.0.141 via 172.21.0.141 dev vlan461
-18.181.0.203 via 172.21.0.203 dev vlan461
-18.181.0.204 via 172.21.0.204 dev vlan461
 18.4.60.52 via 172.21.0.52 dev vlan461
 18.4.60.199 via 172.21.0.199 dev vlan461
 18.4.60.200 via 172.21.0.200 dev vlan461
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan181 b/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan181
deleted file mode 100644
index 8d3ff405..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan181
+++ /dev/null
@@ -1 +0,0 @@
-from 18.181.0.0/16 lookup 181

From f36ac814022faa57959daa383d27dc965615fa57 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Tue, 12 Jun 2018 01:05:24 -0400
Subject: [PATCH 046/111] Out with the -old

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/postfix/main.cf  |  4 ++--
 server/fedora/config/etc/ssh/shosts.equiv | 24 -----------------------
 2 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index 38fae8bf..c3b2366b 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -16,7 +16,7 @@ mailbox_command_maps = ldap:/etc/postfix/mailbox-command-maps-ldap.cf
 mailbox_size_limit = 0
 message_size_limit = 41943040
 recipient_delimiter = +
-inet_interfaces = $myhostname, scripts-old.mit.edu, scripts-vhosts-old.mit.edu, scripts.mit.edu, scripts-vhosts.mit.edu
+inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu
 readme_directory = /usr/share/doc/postfix/README_FILES
 sample_directory = /usr/share/doc/postfix/samples
 sendmail_path = /usr/sbin/sendmail
@@ -29,7 +29,7 @@ newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq
 queue_directory = /var/spool/postfix
 mail_owner = postfix
-virtual_alias_domains = !scripts.mit.edu, !scripts, !$myhostname, !scripts-test.mit.edu, !scripts-test, !localhost, scripts-vhosts.mit.edu, scripts-vhosts-old.mit.edu, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
+virtual_alias_domains = !scripts.mit.edu, !scripts, !$myhostname, !scripts-test.mit.edu, !scripts-test, !localhost, scripts-vhosts.mit.edu, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
 virtual_alias_maps = ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
 data_directory = /var/lib/postfix
 authorized_flush_users = fail
diff --git a/server/fedora/config/etc/ssh/shosts.equiv b/server/fedora/config/etc/ssh/shosts.equiv
index 62612cc9..f522f435 100644
--- a/server/fedora/config/etc/ssh/shosts.equiv
+++ b/server/fedora/config/etc/ssh/shosts.equiv
@@ -10,30 +10,6 @@ whole-enchilada.mit.edu
 golden-egg.mit.edu
 miracle-cure.mit.edu
 lucky-star.mit.edu
-better-mousetrap-old.mit.edu
-old-faithful-old.mit.edu
-bees-knees-old.mit.edu
-cats-whiskers-old.mit.edu
-pancake-bunny-old.mit.edu
-busy-beaver-old.mit.edu
-real-mccoy-old.mit.edu
-shining-armor-old.mit.edu
-whole-enchilada-old.mit.edu
-golden-egg-old.mit.edu
-miracle-cure-old.mit.edu
-lucky-star-old.mit.edu
-better-mousetrap-new.mit.edu
-old-faithful-new.mit.edu
-bees-knees-new.mit.edu
-cats-whiskers-new.mit.edu
-pancake-bunny-new.mit.edu
-busy-beaver-new.mit.edu
-real-mccoy-new.mit.edu
-shining-armor-new.mit.edu
-whole-enchilada-new.mit.edu
-golden-egg-new.mit.edu
-miracle-cure-new.mit.edu
-lucky-star-new.mit.edu
 172.21.0.53
 172.21.0.57
 172.21.0.167

From f89a557fb7b56707250799ec32c4a60865638fc6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Tue, 12 Jun 2018 01:56:59 -0400
Subject: [PATCH 047/111] Remove policy routes for dual homing

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/scripts-directors.yml                               | 6 ------
 .../config/etc/sysconfig/network-scripts/route-vlan461      | 2 +-
 .../config/etc/sysconfig/network-scripts/route-vlan486      | 2 --
 .../config/etc/sysconfig/network-scripts/rule-vlan486       | 1 -
 4 files changed, 1 insertion(+), 10 deletions(-)
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
 delete mode 100644 server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486

diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index 032351f2..3f94d28e 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -12,12 +12,6 @@
       - 18.72.0.3
       - 18.71.0.151
       dns_search: mit.edu
-      options:
-      - metric 1
-      - up ip route add 18.4.86.0/24 table 486 dev vlan486
-      - up ip route add default table 486 via 18.4.86.1 dev vlan486
-      - up ip rule add from 18.4.86.0/24 table 486
-      - down ip rule del table 486
     pacemaker_corosync_ring_interface: vlan486
     pacemaker_corosync_group: scripts-directors
   pre_tasks:
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index 2c7c24ac..29409eb2 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -1,4 +1,4 @@
-172.21.0.0/16 table 486 dev vlan461
+172.21.0.0/16 dev vlan461
 18.4.60.52 via 172.21.0.52 dev vlan461
 18.4.60.199 via 172.21.0.199 dev vlan461
 18.4.60.200 via 172.21.0.200 dev vlan461
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
deleted file mode 100644
index b3458de7..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ /dev/null
@@ -1,2 +0,0 @@
-18.4.86.0/24 table 486 dev vlan486
-default table 486 via 18.4.86.1 dev vlan486
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
deleted file mode 100644
index 3a9f707b..00000000
--- a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
+++ /dev/null
@@ -1 +0,0 @@
-from 18.4.86.0/24 lookup 486

From 93df5b825759acc9ffde692ffef1657656ca72e4 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Tue, 12 Jun 2018 02:10:30 -0400
Subject: [PATCH 048/111] Remove redundant route

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
index 29409eb2..6dcbd9ee 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan461
@@ -1,4 +1,3 @@
-172.21.0.0/16 dev vlan461
 18.4.60.52 via 172.21.0.52 dev vlan461
 18.4.60.199 via 172.21.0.199 dev vlan461
 18.4.60.200 via 172.21.0.200 dev vlan461

From 2746a6ae675744844abbdaac7112167aba0aa73f Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 14 Jun 2018 14:54:07 -0400
Subject: [PATCH 049/111] ansible: Quiet down even more over SSH scans

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/files/scripts-syslog.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible/files/scripts-syslog.conf b/ansible/files/scripts-syslog.conf
index 2855b625..8d9fc0bd 100644
--- a/ansible/files/scripts-syslog.conf
+++ b/ansible/files/scripts-syslog.conf
@@ -19,6 +19,8 @@ if \
         $msg startswith ' PAM service(sshd) ignoring max retries; ' \
         or \
         $msg startswith ' error: maximum authentication attempts exceeded for ' \
+        or \
+        $msg startswith ' error: Received disconnect from ' \
     )) \
 then |/run/zephyr-syslog-private;RSYSLOG_SyslogProtocol23Format
 

From 1fedae69162a6630bb5931ac098d756d4d646cd3 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 21 Jun 2018 15:11:29 -0400
Subject: [PATCH 050/111] ansible: Extract k5login role

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/roles/k5login/handlers/main.yml |  2 ++
 ansible/roles/k5login/tasks/main.yml    | 19 +++++++++++++++++++
 ansible/scripts-directors.yml           | 22 +---------------------
 ansible/scripts-syslog.yml              | 23 ++---------------------
 4 files changed, 24 insertions(+), 42 deletions(-)
 create mode 100644 ansible/roles/k5login/handlers/main.yml
 create mode 100644 ansible/roles/k5login/tasks/main.yml

diff --git a/ansible/roles/k5login/handlers/main.yml b/ansible/roles/k5login/handlers/main.yml
new file mode 100644
index 00000000..a5df68bb
--- /dev/null
+++ b/ansible/roles/k5login/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: reload ssh
+  service: name=ssh state=reloaded
diff --git a/ansible/roles/k5login/tasks/main.yml b/ansible/roles/k5login/tasks/main.yml
new file mode 100644
index 00000000..c88cc340
--- /dev/null
+++ b/ansible/roles/k5login/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: Enable GSSAPIAuthentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '(?i)^#?\s*GSSAPIAuthentication\s'
+    line: GSSAPIAuthentication yes
+  notify: reload ssh
+- name: Disable PasswordAuthentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '(?i)^#?\s*PasswordAuthentication\s'
+    line: PasswordAuthentication no
+  notify: reload ssh
+- name: Update k5login
+  copy:
+    dest: /root/.k5login
+    content: |
+      {% for maintainer in maintainers %}
+      {{ maintainer.username }}/root@ATHENA.MIT.EDU
+      {% endfor %}
diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index 3f94d28e..c26c1ed4 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -48,23 +48,12 @@
       - reconfigure munin-node
       - setup
   roles:
+  - k5login
   - ldirectord-status
   - lvs-iptables
   - lvs-lighttpd
   - munin-node
   tasks:
-  - name: Enable GSSAPIAuthentication
-    lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: '(?i)^#?\s*GSSAPIAuthentication\s'
-      line: GSSAPIAuthentication yes
-    notify: reload ssh
-  - name: Disable PasswordAuthentication
-    lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: '(?i)^#?\s*PasswordAuthentication\s'
-      line: PasswordAuthentication no
-    notify: reload ssh
   - name: Configure rsyslog
     copy:
       dest: /etc/rsyslog.d/scripts-syslog-client.conf
@@ -111,13 +100,6 @@
       dest: /etc/nagios/nrpe_local.cfg
       src: files/nrpe_local.cfg
     notify: restart nrpe
-  - name: Update k5login
-    copy:
-      dest: /root/.k5login
-      content: |
-        {% for maintainer in maintainers %}
-        {{ maintainer.username }}/root@ATHENA.MIT.EDU
-        {% endfor %}
   - name: Update /etc/aliases
     lineinfile:
       path: /etc/aliases
@@ -179,8 +161,6 @@
       dest: /etc/ha.d/ldirectord.cf
       src: files/ldirectord.cf
   handlers:
-  - name: reload ssh
-    service: name=ssh state=reloaded
   - name: restart rsyslog
     service: name=rsyslog state=restarted
   - name: newaliases
diff --git a/ansible/scripts-syslog.yml b/ansible/scripts-syslog.yml
index 90d3b0c6..0fa804cd 100644
--- a/ansible/scripts-syslog.yml
+++ b/ansible/scripts-syslog.yml
@@ -1,5 +1,7 @@
 - hosts: scripts-syslogs
   serial: 1
+  roles:
+  - k5login
   tasks:
   - name: Configure Kerberos
     debconf: name=krb5-config question=krb5-config/default_realm vtype=string value=ATHENA.MIT.EDU
@@ -17,25 +19,6 @@
     - libzephyr4-krb5
     - zephyr-clients
     - aptitude
-  - name: Update k5login
-    copy:
-      dest: /root/.k5login
-      content: |
-        {% for maintainer in maintainers %}
-        {{ maintainer.username }}/root@ATHENA.MIT.EDU
-        {% endfor %}
-  - name: Enable GSSAPIAuthentication
-    lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: '(?i)^#?\s*GSSAPIAuthentication\s'
-      line: GSSAPIAuthentication yes
-    notify: reload ssh
-  - name: Disable PasswordAuthentication
-    lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: '(?i)^#?\s*PasswordAuthentication\s'
-      line: PasswordAuthentication no
-    notify: reload ssh
   - name: Update /etc/aliases
     lineinfile:
       path: /etc/aliases
@@ -104,8 +87,6 @@
     notify: restart rsyslog
 
   handlers:
-  - name: reload ssh
-    service: name=ssh state=reloaded
   - name: newaliases
     command: newaliases
   - name: reload systemd

From 944e39ee8b31468ffec4d079288139fdad706dad Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 21 Jun 2018 15:18:17 -0400
Subject: [PATCH 051/111] ansible: Extract syslog-client role

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/roles/syslog-client/handlers/main.yml |  2 ++
 ansible/roles/syslog-client/tasks/main.yml    | 17 +++++++++++++++++
 ansible/scripts-directors.yml                 | 19 +------------------
 3 files changed, 20 insertions(+), 18 deletions(-)
 create mode 100644 ansible/roles/syslog-client/handlers/main.yml
 create mode 100644 ansible/roles/syslog-client/tasks/main.yml

diff --git a/ansible/roles/syslog-client/handlers/main.yml b/ansible/roles/syslog-client/handlers/main.yml
new file mode 100644
index 00000000..ec7373e3
--- /dev/null
+++ b/ansible/roles/syslog-client/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart rsyslog
+  service: name=rsyslog state=restarted
diff --git a/ansible/roles/syslog-client/tasks/main.yml b/ansible/roles/syslog-client/tasks/main.yml
new file mode 100644
index 00000000..ce5b6814
--- /dev/null
+++ b/ansible/roles/syslog-client/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Install rsyslog-relp
+  apt: name=rsyslog-relp state=present
+- name: Configure rsyslog
+  copy:
+    dest: /etc/rsyslog.d/scripts-syslog-client.conf
+    content: |
+      $ModLoad omrelp
+      {% for rsyslog in rsyslogs %}
+      {% if loop.first %}
+      *.info :omrelp:{{ rsyslog }}:2514
+      $ActionExecOnlyWhenPreviousIsSuspended on
+      {% else %}
+      & :omrelp:{{ rsyslog }}:2514
+      {% endif %}
+      {% endfor %}
+      $ActionExecOnlyWhenPreviousIsSuspended off
+  notify: restart rsyslog
diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index c26c1ed4..594cc328 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -22,7 +22,6 @@
     with_items:
     - open-vm-tools
     - open-vm-tools-dkms
-    - rsyslog-relp
     - exim4-daemon-light
     - resolvconf
     - mlocate
@@ -49,26 +48,12 @@
       - setup
   roles:
   - k5login
+  - syslog-client
   - ldirectord-status
   - lvs-iptables
   - lvs-lighttpd
   - munin-node
   tasks:
-  - name: Configure rsyslog
-    copy:
-      dest: /etc/rsyslog.d/scripts-syslog-client.conf
-      content: |
-        $ModLoad omrelp
-        {% for rsyslog in rsyslogs %}
-        {% if loop.first %}
-        *.info :omrelp:{{ rsyslog }}:2514
-        $ActionExecOnlyWhenPreviousIsSuspended on
-        {% else %}
-        & :omrelp:{{ rsyslog }}:2514
-        {% endif %}
-        {% endfor %}
-        $ActionExecOnlyWhenPreviousIsSuspended off
-    notify: restart rsyslog
   - name: Install munin cps plugin
     copy:
       dest: /etc/munin/plugins/cps_1_0
@@ -161,8 +146,6 @@
       dest: /etc/ha.d/ldirectord.cf
       src: files/ldirectord.cf
   handlers:
-  - name: restart rsyslog
-    service: name=rsyslog state=restarted
   - name: newaliases
     command: newaliases
   - name: load modules

From a5a0c1daec446df0004d02805fc5604e35c14dc6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 21 Jun 2018 15:24:23 -0400
Subject: [PATCH 052/111] ansible: Extract root-aliases role

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/roles/root-aliases/handlers/main.yml |  2 ++
 ansible/roles/root-aliases/tasks/main.yml    |  9 +++++++++
 ansible/scripts-directors.yml                | 12 +-----------
 ansible/scripts-syslog.yml                   | 12 +-----------
 4 files changed, 13 insertions(+), 22 deletions(-)
 create mode 100644 ansible/roles/root-aliases/handlers/main.yml
 create mode 100644 ansible/roles/root-aliases/tasks/main.yml

diff --git a/ansible/roles/root-aliases/handlers/main.yml b/ansible/roles/root-aliases/handlers/main.yml
new file mode 100644
index 00000000..6223c95a
--- /dev/null
+++ b/ansible/roles/root-aliases/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: newaliases
+  command: newaliases
diff --git a/ansible/roles/root-aliases/tasks/main.yml b/ansible/roles/root-aliases/tasks/main.yml
new file mode 100644
index 00000000..3021def1
--- /dev/null
+++ b/ansible/roles/root-aliases/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Update /etc/aliases
+  lineinfile:
+    path: /etc/aliases
+    regexp: '^root:'
+    line: |
+      root: {% for maintainer in maintainers|rejectattr('root_mail', 'none') -%}
+      {{ maintainer.root_mail|default(maintainer.username + '@mit.edu') }}{{ '' if loop.last else ', ' }}
+      {%- endfor %}
+  notify: newaliases
diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index 594cc328..cc3adf6c 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -49,6 +49,7 @@
   roles:
   - k5login
   - syslog-client
+  - root-aliases
   - ldirectord-status
   - lvs-iptables
   - lvs-lighttpd
@@ -85,15 +86,6 @@
       dest: /etc/nagios/nrpe_local.cfg
       src: files/nrpe_local.cfg
     notify: restart nrpe
-  - name: Update /etc/aliases
-    lineinfile:
-      path: /etc/aliases
-      regexp: '^root:'
-      line: |
-        root: {% for maintainer in maintainers|rejectattr('root_mail', 'none') -%}
-        {{ maintainer.root_mail|default(maintainer.username + '@mit.edu') }}{{ '' if loop.last else ', ' }}
-        {%- endfor %}
-    notify: newaliases
   - name: Load IPVS modules
     copy:
       dest: /etc/modules-load.d/lvs.conf
@@ -146,8 +138,6 @@
       dest: /etc/ha.d/ldirectord.cf
       src: files/ldirectord.cf
   handlers:
-  - name: newaliases
-    command: newaliases
   - name: load modules
     service: name=systemd-modules-load state=restarted
   - name: reload sysctl
diff --git a/ansible/scripts-syslog.yml b/ansible/scripts-syslog.yml
index 0fa804cd..f5bdb33e 100644
--- a/ansible/scripts-syslog.yml
+++ b/ansible/scripts-syslog.yml
@@ -2,6 +2,7 @@
   serial: 1
   roles:
   - k5login
+  - root-aliases
   tasks:
   - name: Configure Kerberos
     debconf: name=krb5-config question=krb5-config/default_realm vtype=string value=ATHENA.MIT.EDU
@@ -19,15 +20,6 @@
     - libzephyr4-krb5
     - zephyr-clients
     - aptitude
-  - name: Update /etc/aliases
-    lineinfile:
-      path: /etc/aliases
-      regexp: '^root:'
-      line: |
-        root: {% for maintainer in maintainers|rejectattr('root_mail', 'none') -%}
-        {{ maintainer.root_mail|default(maintainer.username + '@mit.edu') }}{{ '' if loop.last else ', ' }}
-        {%- endfor %}
-    notify: newaliases
   - name: Start zhm
     service: name=zhm state=started
   - name: Install zephyr-syslog
@@ -87,8 +79,6 @@
     notify: restart rsyslog
 
   handlers:
-  - name: newaliases
-    command: newaliases
   - name: reload systemd
     systemd: daemon_reload=yes
   - name: restart zephyr-syslog@public.service

From ac365237daafcb5a5e7618fd795e17d0c58b12b2 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 21 Jun 2018 15:26:45 -0400
Subject: [PATCH 053/111] ansible: .gitignore *.retry

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/.gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 ansible/.gitignore

diff --git a/ansible/.gitignore b/ansible/.gitignore
new file mode 100644
index 00000000..a8b42eb6
--- /dev/null
+++ b/ansible/.gitignore
@@ -0,0 +1 @@
+*.retry

From 03595fae530622b2f48c28a9babe5e707d3c4d2a Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sat, 30 Jun 2018 16:32:24 -0400
Subject: [PATCH 054/111] And then there were /9

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../etc/httpd/conf.d/scripts-special.conf     |   4 +-
 server/fedora/config/etc/named.mit.zones      | 404 +-----------------
 2 files changed, 3 insertions(+), 405 deletions(-)

diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
index d3d985c2..048d5481 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
@@ -53,5 +53,5 @@ ErrorDocument 403 /__scripts/forbidden.shtml
     ErrorDocument 403 /__scripts/disabled.html
 </Directory>
 
-# Generated from http://kb.mit.edu/confluence/x/F4DCAg, 2017-06-27
-SetEnvIf REMOTE_ADDR ^(10|18\.(\d\d?|1([0-2]\d|3[1-57-9]|4[0-369]|5[024-9]|6[135-9]|7[0-46-8]|8[013679]|9[02389])|2(29|3[089]|4[0-578]|5[0-245]))|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET
+# Generated from http://kb.mit.edu/confluence/x/F4DCAg, 2018-06-27
+SetEnvIf REMOTE_ADDR ^(10|18\.(\d\d?|1([01]\d|2[0-7]))|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET
diff --git a/server/fedora/config/etc/named.mit.zones b/server/fedora/config/etc/named.mit.zones
index 4d13cc9f..6b54a430 100644
--- a/server/fedora/config/etc/named.mit.zones
+++ b/server/fedora/config/etc/named.mit.zones
@@ -17,7 +17,7 @@ zone "10.in-addr.arpa" IN {
 };
 
 // List of *.18.in-addr.arpa zones generated from
-// http://kb.mit.edu/confluence/x/F4DCAg (2017-06-27)
+// http://kb.mit.edu/confluence/x/F4DCAg (2018-06-27)
 
 zone "0.18.in-addr.arpa" IN {
 	type stub;
@@ -786,405 +786,3 @@ zone "127.18.in-addr.arpa" IN {
 	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
 	file "slaves/127.18.in-addr.arpa.stub";
 };
-
-zone "128.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/128.18.in-addr.arpa.stub";
-};
-
-zone "129.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/129.18.in-addr.arpa.stub";
-};
-
-zone "131.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/131.18.in-addr.arpa.stub";
-};
-
-zone "132.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/132.18.in-addr.arpa.stub";
-};
-
-zone "133.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/133.18.in-addr.arpa.stub";
-};
-
-zone "134.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/134.18.in-addr.arpa.stub";
-};
-
-zone "135.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/135.18.in-addr.arpa.stub";
-};
-
-zone "137.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/137.18.in-addr.arpa.stub";
-};
-
-zone "138.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/138.18.in-addr.arpa.stub";
-};
-
-zone "139.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/139.18.in-addr.arpa.stub";
-};
-
-zone "140.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/140.18.in-addr.arpa.stub";
-};
-
-zone "141.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/141.18.in-addr.arpa.stub";
-};
-
-zone "142.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/142.18.in-addr.arpa.stub";
-};
-
-zone "143.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/143.18.in-addr.arpa.stub";
-};
-
-zone "146.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/146.18.in-addr.arpa.stub";
-};
-
-zone "149.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/149.18.in-addr.arpa.stub";
-};
-
-zone "150.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/150.18.in-addr.arpa.stub";
-};
-
-zone "152.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/152.18.in-addr.arpa.stub";
-};
-
-zone "154.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/154.18.in-addr.arpa.stub";
-};
-
-zone "155.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/155.18.in-addr.arpa.stub";
-};
-
-zone "156.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/156.18.in-addr.arpa.stub";
-};
-
-zone "157.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/157.18.in-addr.arpa.stub";
-};
-
-zone "158.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/158.18.in-addr.arpa.stub";
-};
-
-zone "159.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/159.18.in-addr.arpa.stub";
-};
-
-zone "161.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/161.18.in-addr.arpa.stub";
-};
-
-zone "163.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/163.18.in-addr.arpa.stub";
-};
-
-zone "165.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/165.18.in-addr.arpa.stub";
-};
-
-zone "166.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/166.18.in-addr.arpa.stub";
-};
-
-zone "167.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/167.18.in-addr.arpa.stub";
-};
-
-zone "168.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/168.18.in-addr.arpa.stub";
-};
-
-zone "169.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/169.18.in-addr.arpa.stub";
-};
-
-zone "170.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/170.18.in-addr.arpa.stub";
-};
-
-zone "171.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/171.18.in-addr.arpa.stub";
-};
-
-zone "172.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/172.18.in-addr.arpa.stub";
-};
-
-zone "173.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/173.18.in-addr.arpa.stub";
-};
-
-zone "174.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/174.18.in-addr.arpa.stub";
-};
-
-zone "176.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/176.18.in-addr.arpa.stub";
-};
-
-zone "177.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/177.18.in-addr.arpa.stub";
-};
-
-zone "178.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/178.18.in-addr.arpa.stub";
-};
-
-zone "180.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/180.18.in-addr.arpa.stub";
-};
-
-zone "181.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/181.18.in-addr.arpa.stub";
-};
-
-zone "183.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/183.18.in-addr.arpa.stub";
-};
-
-zone "186.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/186.18.in-addr.arpa.stub";
-};
-
-zone "187.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/187.18.in-addr.arpa.stub";
-};
-
-zone "189.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/189.18.in-addr.arpa.stub";
-};
-
-zone "190.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/190.18.in-addr.arpa.stub";
-};
-
-zone "192.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/192.18.in-addr.arpa.stub";
-};
-
-zone "193.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/193.18.in-addr.arpa.stub";
-};
-
-zone "198.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/198.18.in-addr.arpa.stub";
-};
-
-zone "199.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/199.18.in-addr.arpa.stub";
-};
-
-zone "229.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/229.18.in-addr.arpa.stub";
-};
-
-zone "230.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/230.18.in-addr.arpa.stub";
-};
-
-zone "238.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/238.18.in-addr.arpa.stub";
-};
-
-zone "239.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/239.18.in-addr.arpa.stub";
-};
-
-zone "240.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/240.18.in-addr.arpa.stub";
-};
-
-zone "241.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/241.18.in-addr.arpa.stub";
-};
-
-zone "242.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/242.18.in-addr.arpa.stub";
-};
-
-zone "243.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/243.18.in-addr.arpa.stub";
-};
-
-zone "244.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/244.18.in-addr.arpa.stub";
-};
-
-zone "245.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/245.18.in-addr.arpa.stub";
-};
-
-zone "247.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/247.18.in-addr.arpa.stub";
-};
-
-zone "248.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/248.18.in-addr.arpa.stub";
-};
-
-zone "250.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/250.18.in-addr.arpa.stub";
-};
-
-zone "251.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/251.18.in-addr.arpa.stub";
-};
-
-zone "252.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/252.18.in-addr.arpa.stub";
-};
-
-zone "254.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/254.18.in-addr.arpa.stub";
-};
-
-zone "255.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/255.18.in-addr.arpa.stub";
-};

From ef7489c7f4dba821fda5a2fe2f8fe268fe896b6c Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 19 Nov 2018 17:13:05 -0800
Subject: [PATCH 055/111] ansible: Add cela as maintainer

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/inventory.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/inventory.yml b/ansible/inventory.yml
index 94d2a439..d7b3ef32 100644
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -7,6 +7,7 @@ all:
     - username: andersk
     - username: btidor
       root_mail: btidor-scripts@mit.edu
+    - username: cela
     - username: cereslee
     - username: ezyang
     - username: geofft

From 32ccf3ddd6e47904ca64e0e192222e01c974dee2 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Mon, 19 Nov 2018 17:22:27 -0800
Subject: [PATCH 056/111] ansible: Unfork ansible.network_interface

Upstream merged our changes, and also fixed some deprecation warnings.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .gitmodules                     | 2 +-
 ansible/roles/network_interface | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitmodules b/.gitmodules
index f5677f5c..26e5463e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -3,7 +3,7 @@
 	url = https://github.com/jtyr/ansible-udev_rename_netiface.git
 [submodule "ansible/roles/network_interface"]
 	path = ansible/roles/network_interface
-	url = https://github.com/mit-scripts/ansible.network_interface.git
+	url = https://github.com/MartinVerges/ansible.network_interface.git
 [submodule "ansible/roles/pacemaker-corosync"]
 	path = ansible/roles/pacemaker-corosync
 	url = https://github.com/mit-scripts/ansible-pacemaker-corosync.git
diff --git a/ansible/roles/network_interface b/ansible/roles/network_interface
index 734cc64d..abc5f4e0 160000
--- a/ansible/roles/network_interface
+++ b/ansible/roles/network_interface
@@ -1 +1 @@
-Subproject commit 734cc64d9e96e32ecbbaef68e6868e956c6e3d9f
+Subproject commit abc5f4e04d9ef309f7ca5133f0e0bcc807e926f5

From c1381260179140d6fd8b75a0373f5612a985f1ea Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 30 Dec 2018 15:37:01 -0800
Subject: [PATCH 057/111] Direct root@scripts mail through procmail so it gets
 spam filtered

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/aliases                      | 2 +-
 server/fedora/config/etc/postfix/mailbox_command_maps | 1 +
 server/fedora/config/etc/postfix/main.cf              | 4 +++-
 server/fedora/config/etc/scripts/root-procmailrc      | 2 ++
 4 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 server/fedora/config/etc/postfix/mailbox_command_maps
 create mode 100644 server/fedora/config/etc/scripts/root-procmailrc

diff --git a/server/fedora/config/etc/aliases b/server/fedora/config/etc/aliases
index 14940037..40541d6c 100644
--- a/server/fedora/config/etc/aliases
+++ b/server/fedora/config/etc/aliases
@@ -88,7 +88,7 @@ hostmaster:	root
 decode:		root
 
 # Person who should get root's mail
-root:		andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu
+# root: (moved to /etc/scripts/root-procmailrc so this mail gets spam filtered)
 
 scripts:	root
 signup:		root
diff --git a/server/fedora/config/etc/postfix/mailbox_command_maps b/server/fedora/config/etc/postfix/mailbox_command_maps
new file mode 100644
index 00000000..8f1753b9
--- /dev/null
+++ b/server/fedora/config/etc/postfix/mailbox_command_maps
@@ -0,0 +1 @@
+root		/usr/bin/procmail /etc/scripts/root-procmailrc
diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index c3b2366b..e679cfd6 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -12,7 +12,9 @@ myorigin = scripts.mit.edu
 mydestination = scripts.mit.edu, scripts, $myhostname, scripts-test.mit.edu, scripts-test, localhost
 relayhost =
 mynetworks_style = host
-mailbox_command_maps = ldap:/etc/postfix/mailbox-command-maps-ldap.cf
+mailbox_command_maps =
+    texthash:/etc/postfix/mailbox_command_maps,
+    ldap:/etc/postfix/mailbox-command-maps-ldap.cf
 mailbox_size_limit = 0
 message_size_limit = 41943040
 recipient_delimiter = +
diff --git a/server/fedora/config/etc/scripts/root-procmailrc b/server/fedora/config/etc/scripts/root-procmailrc
new file mode 100644
index 00000000..334320cf
--- /dev/null
+++ b/server/fedora/config/etc/scripts/root-procmailrc
@@ -0,0 +1,2 @@
+:0
+! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu

From cc80862b39a399cb70602dc926ae41d915a3ccbf Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Tue, 8 Jan 2019 00:03:48 -0800
Subject: [PATCH 058/111] check_mail_dnsrbl: Stop querying njabl.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It’s not a thing anymore.

https://en.wikipedia.org/wiki/Not_Just_Another_Bogus_List

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 server/fedora/config/etc/nagios/check_mail_dnsrbl | 2 --
 1 file changed, 2 deletions(-)

diff --git a/server/fedora/config/etc/nagios/check_mail_dnsrbl b/server/fedora/config/etc/nagios/check_mail_dnsrbl
index 5c809880..b17ad9da 100755
--- a/server/fedora/config/etc/nagios/check_mail_dnsrbl
+++ b/server/fedora/config/etc/nagios/check_mail_dnsrbl
@@ -44,7 +44,6 @@ serverlist = [
     "0spam.fusionzero.com",
     "access.redhawk.org",
     "b.barracudacentral.org",
-    "bhnc.njabl.org",
     "bl.deadbeef.com",
     "bl.spamcannibal.org",
     "bl.spamcop.net",
@@ -65,7 +64,6 @@ serverlist = [
     "dnsbl.cyberlogic.net",
     "dnsbl.inps.de",
     "dnsbl.kempt.net",
-    "dnsbl.njabl.org",
     "dnsbl.solid.net",
     "dnsbl.sorbs.net",
     "drone.abuse.ch",

From fb8654fb94b61f8f324e6ca252b6271c0e84eafb Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Wed, 6 Feb 2019 23:16:05 -0800
Subject: [PATCH 059/111] Drop scripts.mit.edu branding from
 /__scripts/needcerts error page

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 .../httpd/scripts-special/unauthorized.html   | 109 ++----------------
 1 file changed, 12 insertions(+), 97 deletions(-)

diff --git a/server/fedora/config/etc/httpd/scripts-special/unauthorized.html b/server/fedora/config/etc/httpd/scripts-special/unauthorized.html
index 87ccf372..ab7651ee 100644
--- a/server/fedora/config/etc/httpd/scripts-special/unauthorized.html
+++ b/server/fedora/config/etc/httpd/scripts-special/unauthorized.html
@@ -1,97 +1,12 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
-        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-<head>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<link rel="stylesheet" href="//scripts.mit.edu/style.css" type="text/css" />
-<link rel="stylesheet" href="//scripts.mit.edu/server.css" type="text/css" />
-<title>scripts.mit.edu: 401 Authorization Required</title>
-</head>
-<body>
-<div id="farouter">
-    <div id="outer">
-            <div id="masthead">
-
-                <h1 id="header"><a rel="home" href="http://scripts.mit.edu/">scripts.mit.edu</a></h1>
-                <h2 id="tagline">MIT SIPB Script Services for Athena</h2>
-            </div>
-            <div id="hmenu">
-                <div id="hnav">
-                    <ul id="navlist">
-                        <li><a href="http://scripts.mit.edu/">home</a></li>
-
-    <li><a href="http://scripts.mit.edu/start/">quick-start</a></li>
-                        <li><a href="http://scripts.mit.edu/web/">web scripts</a></li>
-                        <li><a href="http://scripts.mit.edu/mysql/">mysql databases</a></li>
-                        <li><a href="http://scripts.mit.edu/mail/">mail scripts</a></li>
-                        <li><a href="http://scripts.mit.edu/cron/">cron</a></li>
-                        <li><a href="http://scripts.mit.edu/news/">blog</a></li>
-    <li><a href="http://scripts.mit.edu/faq/">faq</a></li>
-
-                    </ul>
-                </div>
-            </div>
-        <div id="rap">
-            <div id="main">
-                <div id="content">
-
-<h3 class="storytitle"><a>Authorization Required</a></h3>
-    <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
-<div class="feedback">
-</div>
-<div align="center"><img src="//scripts.mit.edu/images/1.gif" style="height:1px;width:400px" class="divider" alt="" /></div>
-
-
-
-<p>
-
-
-</p>
-
-
-
-                </div>
-                <div id="menu">
-
-                    <div id="nav">
-
-
-
-
-
-
-
-                        <h2>Contact</h2>
-                        <ul><li><a href="mailto:scripts@mit.edu">scripts@mit.edu</a></li>
-                        </ul>
-
-Feel free to contact us with any questions, comments, or suggestions.
-                        <h2>Search</h2>
-                        <ul>
-                            <li><form action="//scripts.mit.edu/" method="get"><p>Search<br /><input type="text" name="q" value="" size="15" /></p></form></li>
-                        </ul>
-                        <h2>Feeds</h2>
-                        <ul>
-                            <li><a href="http://scripts.mit.edu/rss/?section=special" title="RSS Feed">RSS</a></li> <li><a href="http://scripts.mit.edu/atom/?section=special" title="Atom Feed">Atom</a></li>
-
-                        </ul>
-
-<a class="nobutt" href="//scripts.mit.edu/faq/45/"><img src="//scripts.mit.edu/media/powered_by-trans.gif" alt="Powered by scripts" /></a>
-
-                    </div>
-                </div>
-		    <div id="clearer">&nbsp;</div>
-            </div>
-        </div>
-        <div id="foot">&nbsp;</div>
-
-<!--
-        <div id="footer">
-            <p class="credit">Originally "Blue Horizon" by <a href="http://kaushalsheth.com">Kaushal Sheth</a>. Mangled for scripts.mit.edu by <a href="/~presbrey/">Joe Presbrey</a><br />
-            </p>
-        </div>
--->
-    </div>
-</div>
-</body>
-</html>
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>401 Unauthorized</title>
+</head><body>
+<h1>Unauthorized</h1>
+<p>This server could not verify that you
+are authorized to access the document
+requested.  Either you supplied the wrong
+credentials (e.g., bad password), or your
+browser doesn't understand how to supply
+the credentials required.</p>
+</body></html>

From 2069bc00e03a44b515235618044ca452b8e16a05 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 9 Aug 2019 01:24:46 -0700
Subject: [PATCH 060/111] =?UTF-8?q?Renumberin=E2=80=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 ansible/scripts-directors.yml                 |   6 +-
 .../etc/httpd/conf.d/scripts-special.conf     |   4 +-
 server/fedora/config/etc/named.mit.zones      | 440 ++++--------------
 3 files changed, 93 insertions(+), 357 deletions(-)

diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml
index cc3adf6c..337c60b1 100644
--- a/ansible/scripts-directors.yml
+++ b/ansible/scripts-directors.yml
@@ -8,9 +8,9 @@
       cidr: "{{ vlan486_address }}/24"
       gateway: 18.4.86.1
       dns_nameservers:
-      - 18.70.0.160
-      - 18.72.0.3
-      - 18.71.0.151
+      - 18.0.70.160
+      - 18.0.72.3
+      - 18.0.71.151
       dns_search: mit.edu
     pacemaker_corosync_ring_interface: vlan486
     pacemaker_corosync_group: scripts-directors
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
index 048d5481..b5872ecc 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
@@ -53,5 +53,5 @@ ErrorDocument 403 /__scripts/forbidden.shtml
     ErrorDocument 403 /__scripts/disabled.html
 </Directory>
 
-# Generated from http://kb.mit.edu/confluence/x/F4DCAg, 2018-06-27
-SetEnvIf REMOTE_ADDR ^(10|18\.(\d\d?|1([01]\d|2[0-7]))|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET
+# Generated from https://whois.arin.net/rest/org/MIT-2/nets, 2019-08-09
+SetEnvIf REMOTE_ADDR ^(10|18\.(0\d?|1(0[012]?|1[0345]?|2[3457]?|[3-9])?|2\d?|3[0-48]?|4[02579]?|5[013-68]?|6[0-39]?|7[0124-9]?|8[0-35789]?|9[035]?)|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET
diff --git a/server/fedora/config/etc/named.mit.zones b/server/fedora/config/etc/named.mit.zones
index 6b54a430..0b27a202 100644
--- a/server/fedora/config/etc/named.mit.zones
+++ b/server/fedora/config/etc/named.mit.zones
@@ -1,788 +1,524 @@
 zone "mit.edu" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/mit.edu.stub";
 };
 
 zone "0.4.3.0.6.2.ip6.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/0.4.3.0.6.2.ip6.arpa.stub";
 };
 
 zone "10.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/10.in-addr.arpa.stub";
 };
 
 // List of *.18.in-addr.arpa zones generated from
-// http://kb.mit.edu/confluence/x/F4DCAg (2018-06-27)
+// https://whois.arin.net/rest/org/MIT-2/nets (2019-08-09)
 
 zone "0.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/0.18.in-addr.arpa.stub";
 };
 
 zone "1.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/1.18.in-addr.arpa.stub";
 };
 
 zone "2.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/2.18.in-addr.arpa.stub";
 };
 
 zone "3.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/3.18.in-addr.arpa.stub";
 };
 
 zone "4.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/4.18.in-addr.arpa.stub";
 };
 
 zone "5.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/5.18.in-addr.arpa.stub";
 };
 
 zone "6.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/6.18.in-addr.arpa.stub";
 };
 
 zone "7.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/7.18.in-addr.arpa.stub";
 };
 
 zone "8.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/8.18.in-addr.arpa.stub";
 };
 
 zone "9.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/9.18.in-addr.arpa.stub";
 };
 
 zone "10.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/10.18.in-addr.arpa.stub";
 };
 
 zone "11.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/11.18.in-addr.arpa.stub";
 };
 
 zone "12.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/12.18.in-addr.arpa.stub";
 };
 
 zone "13.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/13.18.in-addr.arpa.stub";
 };
 
 zone "14.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/14.18.in-addr.arpa.stub";
 };
 
 zone "15.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/15.18.in-addr.arpa.stub";
 };
 
 zone "16.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/16.18.in-addr.arpa.stub";
 };
 
 zone "17.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/17.18.in-addr.arpa.stub";
 };
 
 zone "18.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/18.18.in-addr.arpa.stub";
 };
 
 zone "19.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/19.18.in-addr.arpa.stub";
 };
 
 zone "20.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/20.18.in-addr.arpa.stub";
 };
 
 zone "21.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/21.18.in-addr.arpa.stub";
 };
 
 zone "22.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/22.18.in-addr.arpa.stub";
 };
 
 zone "23.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/23.18.in-addr.arpa.stub";
 };
 
 zone "24.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/24.18.in-addr.arpa.stub";
 };
 
 zone "25.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/25.18.in-addr.arpa.stub";
 };
 
 zone "26.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/26.18.in-addr.arpa.stub";
 };
 
 zone "27.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/27.18.in-addr.arpa.stub";
 };
 
 zone "28.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/28.18.in-addr.arpa.stub";
 };
 
 zone "29.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/29.18.in-addr.arpa.stub";
 };
 
 zone "30.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/30.18.in-addr.arpa.stub";
 };
 
 zone "31.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/31.18.in-addr.arpa.stub";
 };
 
 zone "32.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/32.18.in-addr.arpa.stub";
 };
 
 zone "33.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/33.18.in-addr.arpa.stub";
 };
 
 zone "34.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/34.18.in-addr.arpa.stub";
 };
 
-zone "35.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/35.18.in-addr.arpa.stub";
-};
-
-zone "36.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/36.18.in-addr.arpa.stub";
-};
-
-zone "37.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/37.18.in-addr.arpa.stub";
-};
-
 zone "38.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/38.18.in-addr.arpa.stub";
 };
 
-zone "39.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/39.18.in-addr.arpa.stub";
-};
-
 zone "40.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/40.18.in-addr.arpa.stub";
 };
 
-zone "41.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/41.18.in-addr.arpa.stub";
-};
-
 zone "42.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/42.18.in-addr.arpa.stub";
 };
 
-zone "43.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/43.18.in-addr.arpa.stub";
-};
-
-zone "44.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/44.18.in-addr.arpa.stub";
-};
-
 zone "45.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/45.18.in-addr.arpa.stub";
 };
 
-zone "46.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/46.18.in-addr.arpa.stub";
-};
-
 zone "47.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/47.18.in-addr.arpa.stub";
 };
 
-zone "48.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/48.18.in-addr.arpa.stub";
-};
-
 zone "49.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/49.18.in-addr.arpa.stub";
 };
 
 zone "50.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/50.18.in-addr.arpa.stub";
 };
 
 zone "51.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/51.18.in-addr.arpa.stub";
 };
 
-zone "52.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/52.18.in-addr.arpa.stub";
-};
-
 zone "53.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/53.18.in-addr.arpa.stub";
 };
 
 zone "54.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/54.18.in-addr.arpa.stub";
 };
 
 zone "55.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/55.18.in-addr.arpa.stub";
 };
 
 zone "56.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/56.18.in-addr.arpa.stub";
 };
 
-zone "57.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/57.18.in-addr.arpa.stub";
-};
-
 zone "58.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/58.18.in-addr.arpa.stub";
 };
 
-zone "59.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/59.18.in-addr.arpa.stub";
-};
-
 zone "60.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/60.18.in-addr.arpa.stub";
 };
 
 zone "61.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/61.18.in-addr.arpa.stub";
 };
 
 zone "62.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/62.18.in-addr.arpa.stub";
 };
 
 zone "63.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/63.18.in-addr.arpa.stub";
 };
 
-zone "64.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/64.18.in-addr.arpa.stub";
-};
-
-zone "65.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/65.18.in-addr.arpa.stub";
-};
-
-zone "66.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/66.18.in-addr.arpa.stub";
-};
-
-zone "67.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/67.18.in-addr.arpa.stub";
-};
-
-zone "68.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/68.18.in-addr.arpa.stub";
-};
-
 zone "69.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/69.18.in-addr.arpa.stub";
 };
 
 zone "70.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/70.18.in-addr.arpa.stub";
 };
 
 zone "71.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/71.18.in-addr.arpa.stub";
 };
 
 zone "72.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/72.18.in-addr.arpa.stub";
 };
 
-zone "73.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/73.18.in-addr.arpa.stub";
-};
-
 zone "74.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/74.18.in-addr.arpa.stub";
 };
 
 zone "75.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/75.18.in-addr.arpa.stub";
 };
 
 zone "76.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/76.18.in-addr.arpa.stub";
 };
 
 zone "77.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/77.18.in-addr.arpa.stub";
 };
 
 zone "78.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/78.18.in-addr.arpa.stub";
 };
 
 zone "79.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/79.18.in-addr.arpa.stub";
 };
 
 zone "80.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/80.18.in-addr.arpa.stub";
 };
 
 zone "81.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/81.18.in-addr.arpa.stub";
 };
 
 zone "82.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/82.18.in-addr.arpa.stub";
 };
 
 zone "83.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/83.18.in-addr.arpa.stub";
 };
 
-zone "84.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/84.18.in-addr.arpa.stub";
-};
-
 zone "85.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/85.18.in-addr.arpa.stub";
 };
 
-zone "86.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/86.18.in-addr.arpa.stub";
-};
-
 zone "87.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/87.18.in-addr.arpa.stub";
 };
 
 zone "88.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/88.18.in-addr.arpa.stub";
 };
 
 zone "89.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/89.18.in-addr.arpa.stub";
 };
 
 zone "90.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/90.18.in-addr.arpa.stub";
 };
 
-zone "91.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/91.18.in-addr.arpa.stub";
-};
-
-zone "92.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/92.18.in-addr.arpa.stub";
-};
-
 zone "93.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/93.18.in-addr.arpa.stub";
 };
 
-zone "94.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/94.18.in-addr.arpa.stub";
-};
-
 zone "95.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/95.18.in-addr.arpa.stub";
 };
 
-zone "96.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/96.18.in-addr.arpa.stub";
-};
-
-zone "97.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/97.18.in-addr.arpa.stub";
-};
-
-zone "98.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/98.18.in-addr.arpa.stub";
-};
-
-zone "99.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/99.18.in-addr.arpa.stub";
-};
-
 zone "100.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/100.18.in-addr.arpa.stub";
 };
 
 zone "101.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/101.18.in-addr.arpa.stub";
 };
 
 zone "102.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/102.18.in-addr.arpa.stub";
 };
 
-zone "103.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/103.18.in-addr.arpa.stub";
-};
-
-zone "104.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/104.18.in-addr.arpa.stub";
-};
-
-zone "105.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/105.18.in-addr.arpa.stub";
-};
-
-zone "106.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/106.18.in-addr.arpa.stub";
-};
-
-zone "107.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/107.18.in-addr.arpa.stub";
-};
-
-zone "108.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/108.18.in-addr.arpa.stub";
-};
-
-zone "109.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/109.18.in-addr.arpa.stub";
-};
-
 zone "110.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/110.18.in-addr.arpa.stub";
 };
 
-zone "111.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/111.18.in-addr.arpa.stub";
-};
-
-zone "112.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/112.18.in-addr.arpa.stub";
-};
-
 zone "113.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/113.18.in-addr.arpa.stub";
 };
 
 zone "114.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/114.18.in-addr.arpa.stub";
 };
 
 zone "115.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/115.18.in-addr.arpa.stub";
 };
 
-zone "116.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/116.18.in-addr.arpa.stub";
-};
-
-zone "117.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/117.18.in-addr.arpa.stub";
-};
-
-zone "118.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/118.18.in-addr.arpa.stub";
-};
-
-zone "119.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/119.18.in-addr.arpa.stub";
-};
-
-zone "120.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/120.18.in-addr.arpa.stub";
-};
-
-zone "121.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/121.18.in-addr.arpa.stub";
-};
-
-zone "122.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/122.18.in-addr.arpa.stub";
-};
-
 zone "123.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/123.18.in-addr.arpa.stub";
 };
 
 zone "124.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/124.18.in-addr.arpa.stub";
 };
 
 zone "125.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/125.18.in-addr.arpa.stub";
 };
 
-zone "126.18.in-addr.arpa" IN {
-	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
-	file "slaves/126.18.in-addr.arpa.stub";
-};
-
 zone "127.18.in-addr.arpa" IN {
 	type stub;
-	masters { 18.70.0.160; 18.71.0.151; 18.72.0.3; };
+	masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
 	file "slaves/127.18.in-addr.arpa.stub";
 };

From 854f63948ddd5df8066a6be6a9dacc6f4cc43a99 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 5 Sep 2019 03:38:16 -0400
Subject: [PATCH 061/111] Allow comments on scriptsAccount entries

---
 .../config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 88e4e398..5ea5ea6f 100644
--- a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -27,4 +27,4 @@ attributeTypes: ( 1.2.840.113554.4.2.1.5 NAME 'scriptsVhostCertificate' DESC 'Ce
 attributeTypes: ( 1.2.840.113554.4.2.1.6 NAME 'scriptsVhostCertificateKeyFile' DESC 'Filename of certificate private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.7 NAME 'scriptsMailboxCommand' DESC 'Command to use when delivering mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile ) X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )

From 4b1d1120091ab87c7ca3cebf9be114a712d282a0 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 5 Sep 2019 03:55:02 -0400
Subject: [PATCH 062/111] Teach realservers about ntUserComment

---
 .../config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 88e4e398..5ea5ea6f 100644
--- a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -27,4 +27,4 @@ attributeTypes: ( 1.2.840.113554.4.2.1.5 NAME 'scriptsVhostCertificate' DESC 'Ce
 attributeTypes: ( 1.2.840.113554.4.2.1.6 NAME 'scriptsVhostCertificateKeyFile' DESC 'Filename of certificate private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.7 NAME 'scriptsMailboxCommand' DESC 'Command to use when delivering mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile ) X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )

From 9326201a3f9b406e8f27a5f6d08a58a8f7fbdf6a Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 5 Sep 2019 04:35:28 -0400
Subject: [PATCH 063/111] Track ability to submit mail in LDAP

---
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif       | 3 ++-
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif       | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 5ea5ea6f..1c8639fe 100644
--- a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -26,5 +26,6 @@ attributeTypes: ( 1.2.840.113554.4.2.1.4 NAME 'scriptsVhostAccount' DESC 'User a
 attributeTypes: ( 1.2.840.113554.4.2.1.5 NAME 'scriptsVhostCertificate' DESC 'Certificate chain, as a space-separated list of base64 encoded DER' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.6 NAME 'scriptsVhostCertificateKeyFile' DESC 'Filename of certificate private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.7 NAME 'scriptsMailboxCommand' DESC 'Command to use when delivering mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Block outgoing mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile ) X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )
diff --git a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 5ea5ea6f..1c8639fe 100644
--- a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -26,5 +26,6 @@ attributeTypes: ( 1.2.840.113554.4.2.1.4 NAME 'scriptsVhostAccount' DESC 'User a
 attributeTypes: ( 1.2.840.113554.4.2.1.5 NAME 'scriptsVhostCertificate' DESC 'Certificate chain, as a space-separated list of base64 encoded DER' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.6 NAME 'scriptsVhostCertificateKeyFile' DESC 'Filename of certificate private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.7 NAME 'scriptsMailboxCommand' DESC 'Command to use when delivering mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Block outgoing mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile ) X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )

From 6656bad7720cf809bdf61594fb03338e6d7265f5 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Thu, 21 Nov 2019 02:42:34 -0500
Subject: [PATCH 064/111] Cel should actually get mail...

---
 server/fedora/config/etc/scripts/root-procmailrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/scripts/root-procmailrc b/server/fedora/config/etc/scripts/root-procmailrc
index 334320cf..1a0984bf 100644
--- a/server/fedora/config/etc/scripts/root-procmailrc
+++ b/server/fedora/config/etc/scripts/root-procmailrc
@@ -1,2 +1,2 @@
 :0
-! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu
+! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu cela@mit.edu

From 5729fba107936ea50a3fcfcf5d9604265d379a55 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Thu, 21 Nov 2019 03:00:37 -0500
Subject: [PATCH 065/111] Now with correct formatting...

---
 server/fedora/config/etc/scripts/root-procmailrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/scripts/root-procmailrc b/server/fedora/config/etc/scripts/root-procmailrc
index 1a0984bf..3a986cd0 100644
--- a/server/fedora/config/etc/scripts/root-procmailrc
+++ b/server/fedora/config/etc/scripts/root-procmailrc
@@ -1,2 +1,2 @@
 :0
-! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu cela@mit.edu
+! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu, cela@mit.edu

From e7776082d1a40acc66c1b33f3053fad4905ff5b9 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Wed, 27 Nov 2019 19:43:14 -0500
Subject: [PATCH 066/111] Block another spamming user

---
 server/fedora/config/etc/postfix/blocked_users | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/postfix/blocked_users b/server/fedora/config/etc/postfix/blocked_users
index 62b3d0c5..1474b53c 100644
--- a/server/fedora/config/etc/postfix/blocked_users
+++ b/server/fedora/config/etc/postfix/blocked_users
@@ -26,3 +26,4 @@ game
 lebanon
 crpg
 scioly
+wheats

From cf299766f8a7c1dd028b1c479aaf8125473198f0 Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <rittenberg.miriam@gmail.com>
Date: Thu, 9 Jan 2020 23:13:56 -0500
Subject: [PATCH 067/111] Add new schema attributes for checking which load
 balancer pool a vhost is in

---
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif     | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 1c8639fe..4ae1f0e8 100644
--- a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -27,5 +27,8 @@ attributeTypes: ( 1.2.840.113554.4.2.1.5 NAME 'scriptsVhostCertificate' DESC 'Ce
 attributeTypes: ( 1.2.840.113554.4.2.1.6 NAME 'scriptsVhostCertificateKeyFile' DESC 'Filename of certificate private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.7 NAME 'scriptsMailboxCommand' DESC 'Command to use when delivering mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Block outgoing mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile ) X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.9 NAME 'scriptsVhostPoolIPv4' DESC 'IP for load balancer pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.10 NAME 'scriptsVhostPoolDNSRecordType' DESC 'DNS record type for scriptsVhostPoolIPv4' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.11 NAME 'scriptsVhostPoolTTL' DESC 'TTL for DNS record' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile $ scriptsVhostPoolIPv4 $ scriptsVhostPoolDNSRecordType $ scriptsVhostPoolTTL ) X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )

From 75e99697e9adda3619ed4644f5371c4615bd777b Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <rittenberg.miriam@gmail.com>
Date: Fri, 10 Jan 2020 01:40:53 -0500
Subject: [PATCH 068/111] Sync realserver schema with ldap server schema

---
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif     | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 1c8639fe..4ae1f0e8 100644
--- a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -27,5 +27,8 @@ attributeTypes: ( 1.2.840.113554.4.2.1.5 NAME 'scriptsVhostCertificate' DESC 'Ce
 attributeTypes: ( 1.2.840.113554.4.2.1.6 NAME 'scriptsVhostCertificateKeyFile' DESC 'Filename of certificate private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.7 NAME 'scriptsMailboxCommand' DESC 'Command to use when delivering mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Block outgoing mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile ) X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.9 NAME 'scriptsVhostPoolIPv4' DESC 'IP for load balancer pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.10 NAME 'scriptsVhostPoolDNSRecordType' DESC 'DNS record type for scriptsVhostPoolIPv4' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.11 NAME 'scriptsVhostPoolTTL' DESC 'TTL for DNS record' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile $ scriptsVhostPoolIPv4 $ scriptsVhostPoolDNSRecordType $ scriptsVhostPoolTTL ) X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )

From cac9b5434439840eb1dc246b0f3d80676a546615 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Fri, 10 Jan 2020 01:54:26 -0500
Subject: [PATCH 069/111] Disable strict acceptor checks

---
 ldap/el/config/etc/krb5.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ldap/el/config/etc/krb5.conf b/ldap/el/config/etc/krb5.conf
index 1449b6bd..e0636dc0 100644
--- a/ldap/el/config/etc/krb5.conf
+++ b/ldap/el/config/etc/krb5.conf
@@ -1,9 +1,13 @@
+# Other applications require this directory to perform krb5 configuration.
+includedir /etc/krb5.conf.d/
+
 [libdefaults]
 	allow_weak_crypto = false
 	default_realm = ATHENA.MIT.EDU
 # The following krb5.conf variables are only for MIT Kerberos.
 	krb4_config = /etc/krb.conf
 	krb4_realms = /etc/krb.realms
+	ignore_acceptor_hostname = true
 	kdc_timesync = 1
 	ccache_type = 4
 	forwardable = true

From 592a09be73c8c5ef3f367ce6559d59e9daa6c196 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Fri, 10 Jan 2020 01:55:38 -0500
Subject: [PATCH 070/111] New nrpe config (unknown origin)

---
 ldap/el/config/etc/nagios/nrpe.cfg | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ldap/el/config/etc/nagios/nrpe.cfg b/ldap/el/config/etc/nagios/nrpe.cfg
index 29994858..c6f45810 100644
--- a/ldap/el/config/etc/nagios/nrpe.cfg
+++ b/ldap/el/config/etc/nagios/nrpe.cfg
@@ -122,7 +122,7 @@ dont_blame_nrpe=0
 # syslog facility.
 # Values: 0=debugging off, 1=debugging on
 
-debug=0
+debug=1
 
 
 
@@ -209,14 +209,10 @@ connection_timeout=300
 # config file is set to '1'.  This poses a potential security risk, so
 # make sure you read the SECURITY file before doing this.
 
-command[check_users]=/usr/lib64/nagios/plugins/check_users -w 25 -c 50
 command[check_load]=/usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50
 command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt -i ^/sys
 command[check_procs_cpu]=/usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50
-command[check_procs_crond]=/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond
-command[check_procs_nscd]=/usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd
 command[check_procs_postfix]=/usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix
 command[check_postfix_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 500 -c 1000 -M postfix
-command[check_cron_working]=/etc/nagios/check_cron_working
 command[check_ldap_mmr]=/etc/nagios/check_ldap_mmr
 command[check_kern_taint]=/etc/nagios/check_kern_taint

From d2f8a094e704c3adbadd98af02350ccab067c190 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Fri, 10 Jan 2020 01:56:02 -0500
Subject: [PATCH 071/111] New upstream dirsrv config

---
 ldap/el/config/etc/sysconfig/dirsrv | 58 ++++++++++++++---------------
 1 file changed, 28 insertions(+), 30 deletions(-)

diff --git a/ldap/el/config/etc/sysconfig/dirsrv b/ldap/el/config/etc/sysconfig/dirsrv
index 86983636..c25bab96 100644
--- a/ldap/el/config/etc/sysconfig/dirsrv
+++ b/ldap/el/config/etc/sysconfig/dirsrv
@@ -7,38 +7,36 @@
 
 # This file is in systemd EnvironmentFile format - see man systemd.exec
 
-# In order to make more file descriptors available
-# to the directory server, first make sure the system
-# hard limits are raised, then use ulimit - uncomment
-# out the following line and change the value to the
-# desired value
-# ulimit -n 8192
-# note - if using systemd, ulimit won't work -  you must edit
-# the systemd unit file for directory server to add the 
-# LimitNOFILE option - see man systemd.exec for more info
-
-# A per instance keytab does not make much sense for servers.
-# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there
-# is nothing that can make a client understand how to get a per-instance ticket.
-# Therefore by default a keytab should be considered a per server option.
-
-# Also this file is sourced for all instances, so again all
-# instances would ultimately get the same keytab.
+# In order to make more file descriptors available to the directory server,
+# first make sure the system hard limits are raised, then use ulimit -
+# uncomment out the following line and change the value to the desired value
+#ulimit -n 8192
+# note - if using systemd, ulimit won't work -  you must edit the systemd unit
+# file for directory server to add the LimitNOFILE option - see "man
+# systemd.exec" for more info
 
+# A per instance keytab does not make much sense for servers.  Kerberos clients
+# use the machine FQDN to obtain a ticket like ldap/FQDN, there is nothing that
+# can make a client understand how to get a per-instance ticket.  Therefore by
+# default a keytab should be considered a per server option.
+#
+# Also this file is sourced for all instances, so again all instances would
+# ultimately get the same keytab.
+#
 # Finally a keytab is normally named either krb5.keytab or <service>.keytab
+#
+# In order to use SASL/GSSAPI (Kerberos) the directory server needs to know
+# where to find its keytab file - uncomment the following line and set the
+# path and filename appropriately.
+# If using systemd, omit the "; export VARNAME" at the end.
+#KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
 
-# In order to use SASL/GSSAPI (Kerberos) the directory
-# server needs to know where to find its keytab
-# file - uncomment the following line and set
-# the path and filename appropriately
-# if using systemd, omit the "; export VARNAME" at the end
-# KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
-
-# how many seconds to wait for the startpid file to show
-# up before we assume there is a problem and fail to start
-# if using systemd, omit the "; export VARNAME" at the end
+# How many seconds to wait for the startpid file to show up before we assume
+# there is a problem and fail to start.
+# If using systemd, omit the "; export STARTPID_TIME" at the end.
 #STARTPID_TIME=10 ; export STARTPID_TIME
-# how many seconds to wait for the pid file to show
-# up before we assume there is a problem and fail to start
-# if using systemd, omit the "; export VARNAME" at the end
+
+# How many seconds to wait for the pid file to show up before we assume there
+# is a problem and fail to start.
+# If using systemd, omit the "; export PID_TIME" at the end.
 #PID_TIME=600 ; export PID_TIME

From 94d39770c036e20c0322971b861e416b3121e1f4 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Tue, 14 Jan 2020 03:02:47 -0500
Subject: [PATCH 072/111] Bind new LVS distro-specific address on loopback
 interface

---
 .../fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:9   | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:9

diff --git a/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:9 b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:9
new file mode 100644
index 00000000..9e384b25
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/ifcfg-lo:9
@@ -0,0 +1,5 @@
+DEVICE=lo:9
+IPADDR=18.4.86.22
+NETMASK=255.255.255.255
+NETWORK=18.4.86.0
+ONBOOT=yes

From 94d3c00958c6a5872ea19618ba6091fc7a1bd653 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Tue, 14 Jan 2020 03:06:16 -0500
Subject: [PATCH 073/111] NetRestrict the new F20 LVS pool IP

---
 server/fedora/config/etc/openafs/NetRestrict | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/openafs/NetRestrict b/server/fedora/config/etc/openafs/NetRestrict
index 01e6104d..dd464417 100644
--- a/server/fedora/config/etc/openafs/NetRestrict
+++ b/server/fedora/config/etc/openafs/NetRestrict
@@ -2,6 +2,7 @@
 18.4.86.50
 18.4.86.43
 18.4.86.29
+18.4.86.22
 172.21.0.57
 172.21.0.53
 172.21.0.167

From c464c45bfef319876905fc8471bd0ac9a1a4a8b3 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Tue, 14 Jan 2020 03:19:54 -0500
Subject: [PATCH 074/111] Add new distro-specific LVS pool addresses/names to
 the scripts vhost

---
 server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
index 772be79a..9114fab5 100644
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
@@ -2,6 +2,8 @@ ServerName scripts.mit.edu
 ServerAlias \
     scripts 18.4.86.43 \
     scripts-vhosts.mit.edu scripts-vhosts 18.4.86.46 \
+    scripts-f20.mit.edu scripts-f20 18.4.86.22 \
+    scripts-f30.mit.edu scripts-f30 18.4.86.30 \
     scripts-test.mit.edu scripts-test 18.4.86.229 \
     better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.4.86.57 \
     old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.4.86.53 \

From 24c8a550e03423c7b679a80de9b448063cc9c923 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Thu, 16 Jan 2020 22:51:21 -0500
Subject: [PATCH 075/111] Inundate Miriam with e-mail

---
 server/fedora/config/etc/scripts/root-procmailrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/scripts/root-procmailrc b/server/fedora/config/etc/scripts/root-procmailrc
index 3a986cd0..7881c120 100644
--- a/server/fedora/config/etc/scripts/root-procmailrc
+++ b/server/fedora/config/etc/scripts/root-procmailrc
@@ -1,2 +1,2 @@
 :0
-! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu, cela@mit.edu
+! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu, cela@mit.edu, mrittenb@mit.edu

From 2fdaaf696d52ab8eaf9a5af67436961d5fa368c7 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Fri, 17 Jan 2020 02:28:31 -0500
Subject: [PATCH 076/111] Scripts has (vos) moved!  Come visit us at our new
 location...

---
 server/fedora/config/etc/nagios/check_afs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/nagios/check_afs b/server/fedora/config/etc/nagios/check_afs
index dd6c8828..eb3cea73 100755
--- a/server/fedora/config/etc/nagios/check_afs
+++ b/server/fedora/config/etc/nagios/check_afs
@@ -16,7 +16,7 @@ STATUS=$?
 $ECHO "$CHECKS"
 
 if [ $STATUS -gt 0 ]; then
-    if $ECHO "$CHECKS" | grep -i STYX >/dev/null; then
+    if $ECHO "$CHECKS" | grep -i ARTEMIS >/dev/null; then
 	exit $STATE_CRITICAL;
     else
 	exit $STATE_WARNING;

From 6edd2b4b19327a2865e604665c2298f506d9ac9d Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Sat, 1 Feb 2020 02:56:45 -0500
Subject: [PATCH 077/111] Configure the F20 realservers to respond to the new
 proxy infrastructure

For the moment, this only works for traffic coming from the test
proxies, because the production ones don't exist yet.
---
 server/fedora/config/etc/modules-load.d/iptables.conf          | 2 ++
 server/fedora/config/etc/sysconfig/iptables                    | 3 +++
 .../fedora/config/etc/sysconfig/network-scripts/route-vlan486  | 3 +++
 .../fedora/config/etc/sysconfig/network-scripts/rule-vlan486   | 3 +++
 server/fedora/config/etc/sysctl.conf                           | 1 +
 5 files changed, 12 insertions(+)
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
 create mode 100644 server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486

diff --git a/server/fedora/config/etc/modules-load.d/iptables.conf b/server/fedora/config/etc/modules-load.d/iptables.conf
index 76183f1c..b8c5696f 100644
--- a/server/fedora/config/etc/modules-load.d/iptables.conf
+++ b/server/fedora/config/etc/modules-load.d/iptables.conf
@@ -5,3 +5,5 @@ ip6_tables
 ip6table_filter
 ip6t_REJECT
 nf_log_ipv6
+ipt_MARK
+ipt_dscp
diff --git a/server/fedora/config/etc/sysconfig/iptables b/server/fedora/config/etc/sysconfig/iptables
index b40ecd39..c93221c0 100644
--- a/server/fedora/config/etc/sysconfig/iptables
+++ b/server/fedora/config/etc/sysconfig/iptables
@@ -4,6 +4,9 @@
 :OUTPUT ACCEPT [0:0]
 :log-smtp - [0:0]
 -A INPUT -p udp -m udp --dport 161 ! -s 18.0.0.0/8 -j REJECT
+-A INPUT -m dscp --dscp 11 -j MARK --set-mark 11
+-A INPUT -m dscp --dscp 12 -j MARK --set-mark 12
+-A INPUT -m dscp --dscp 13 -j MARK --set-mark 13
 -A OUTPUT -p tcp -m tcp --dport 25 --syn -j log-smtp
 -A log-smtp -m owner --uid-owner postfix -j RETURN
 -A log-smtp -m owner --uid-owner nrpe -o lo -d 127.0.0.1 -j RETURN
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
new file mode 100644
index 00000000..c53b1845
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -0,0 +1,3 @@
+default via 18.4.86.187 dev vlan486 table 11
+default via 18.4.86.192 dev vlan486 table 12
+default via 18.4.86.194 dev vlan486 table 13
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
new file mode 100644
index 00000000..cb13a7e5
--- /dev/null
+++ b/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
@@ -0,0 +1,3 @@
+fwmark 11 lookup 11
+fwmark 12 lookup 12
+fwmark 13 lookup 13
diff --git a/server/fedora/config/etc/sysctl.conf b/server/fedora/config/etc/sysctl.conf
index c8d601c7..01a3dc49 100644
--- a/server/fedora/config/etc/sysctl.conf
+++ b/server/fedora/config/etc/sysctl.conf
@@ -1,6 +1,7 @@
 net.ipv4.ip_forward = 1
 net.ipv4.conf.all.rp_filter = 2
 net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.tcp_fwmark_accept = 1
 kernel.panic = 5
 kernel.panic_on_oops = 1
 kernel.sysrq = 1

From a733d63945de822fd27709952ee225035f9c5abc Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Sat, 1 Feb 2020 03:33:57 -0500
Subject: [PATCH 078/111] Bind postfix on the scripts-f20 VIP

---
 server/fedora/config/etc/postfix/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/postfix/main.cf b/server/fedora/config/etc/postfix/main.cf
index e679cfd6..1b6fdea5 100644
--- a/server/fedora/config/etc/postfix/main.cf
+++ b/server/fedora/config/etc/postfix/main.cf
@@ -18,7 +18,7 @@ mailbox_command_maps =
 mailbox_size_limit = 0
 message_size_limit = 41943040
 recipient_delimiter = +
-inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu
+inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu, scripts-f20.mit.edu
 readme_directory = /usr/share/doc/postfix/README_FILES
 sample_directory = /usr/share/doc/postfix/samples
 sendmail_path = /usr/sbin/sendmail

From c18b79c3bd0d8a598b4f4143d766c47f71875747 Mon Sep 17 00:00:00 2001
From: rihn <mushu0mushi@gmail.com>
Date: Thu, 6 Feb 2020 23:10:35 -0500
Subject: [PATCH 079/111] Added scriptsVhostPoolUserSelectable and
 scriptsVhostPoolHumanReadable attributes and scriptsVhostPool object to
 schema.

---
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif       | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 4ae1f0e8..a3be723f 100644
--- a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -30,5 +30,8 @@ attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Blo
 attributeTypes: ( 1.2.840.113554.4.2.1.9 NAME 'scriptsVhostPoolIPv4' DESC 'IP for load balancer pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.10 NAME 'scriptsVhostPoolDNSRecordType' DESC 'DNS record type for scriptsVhostPoolIPv4' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.11 NAME 'scriptsVhostPoolTTL' DESC 'TTL for DNS record' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.12 NAME 'scriptsVhostPoolHumanReadable' DESC 'Describes VhostPool in layperson's terms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.13 NAME 'scriptsVhostPoolUserSelectable' DESC 'Determines if user may select this pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile $ scriptsVhostPoolIPv4 $ scriptsVhostPoolDNSRecordType $ scriptsVhostPoolTTL ) X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.3 NAME 'scriptsVhostPool' DESC 'Configuration for Scripts Vhost Pool' SUP top AUXILIARY MUST ( scriptsVhostPoolIPv4 $ scriptsVhostPoolHumanReadable $ scriptsVhostPoolUserSelectable ) X-ORIGIN 'scripts.mit.edu' )

From 231a47eab810e2cfb648b63a08480d1c83c5942f Mon Sep 17 00:00:00 2001
From: rihn <mushu0mushi@gmail.com>
Date: Mon, 10 Feb 2020 22:11:43 -0500
Subject: [PATCH 080/111] Deleted attribute HumanReadable and replaced it with
 already existing attributes cn and description in the object class instead.

---
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif     | 5 ++---
 .../etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif     | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index a3be723f..318b7ea0 100644
--- a/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/ldap/el/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -30,8 +30,7 @@ attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Blo
 attributeTypes: ( 1.2.840.113554.4.2.1.9 NAME 'scriptsVhostPoolIPv4' DESC 'IP for load balancer pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.10 NAME 'scriptsVhostPoolDNSRecordType' DESC 'DNS record type for scriptsVhostPoolIPv4' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.11 NAME 'scriptsVhostPoolTTL' DESC 'TTL for DNS record' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
-attributeTypes: ( 1.2.840.113554.4.2.1.12 NAME 'scriptsVhostPoolHumanReadable' DESC 'Describes VhostPool in layperson's terms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
-attributeTypes: ( 1.2.840.113554.4.2.1.13 NAME 'scriptsVhostPoolUserSelectable' DESC 'Determines if user may select this pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.12 NAME 'scriptsVhostPoolUserSelectable' DESC 'Determines if user may select this pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile $ scriptsVhostPoolIPv4 $ scriptsVhostPoolDNSRecordType $ scriptsVhostPoolTTL ) X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )
-objectClasses: ( 1.2.840.113554.4.2.2.3 NAME 'scriptsVhostPool' DESC 'Configuration for Scripts Vhost Pool' SUP top AUXILIARY MUST ( scriptsVhostPoolIPv4 $ scriptsVhostPoolHumanReadable $ scriptsVhostPoolUserSelectable ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.3 NAME 'scriptsVhostPool' DESC 'Configuration for Scripts Vhost Pool' SUP top AUXILIARY MUST ( scriptsVhostPoolIPv4 $ cn $ description $ scriptsVhostPoolUserSelectable ) X-ORIGIN 'scripts.mit.edu' )
diff --git a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
index 4ae1f0e8..318b7ea0 100644
--- a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
+++ b/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif
@@ -30,5 +30,7 @@ attributeTypes: ( 1.2.840.113554.4.2.1.8 NAME 'scriptsBlockMailSubmit' DESC 'Blo
 attributeTypes: ( 1.2.840.113554.4.2.1.9 NAME 'scriptsVhostPoolIPv4' DESC 'IP for load balancer pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.10 NAME 'scriptsVhostPoolDNSRecordType' DESC 'DNS record type for scriptsVhostPoolIPv4' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 attributeTypes: ( 1.2.840.113554.4.2.1.11 NAME 'scriptsVhostPoolTTL' DESC 'TTL for DNS record' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
+attributeTypes: ( 1.2.840.113554.4.2.1.12 NAME 'scriptsVhostPoolUserSelectable' DESC 'Determines if user may select this pool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.1 NAME 'scriptsVhost' DESC 'Configuration for a Scripts virtual host' SUP top AUXILIARY MUST ( scriptsVhostName $ scriptsVhostDirectory $ scriptsVhostAccount ) MAY ( scriptsVhostAlias $ scriptsVhostCertificate $ scriptsVhostCertificateKeyFile $ scriptsVhostPoolIPv4 $ scriptsVhostPoolDNSRecordType $ scriptsVhostPoolTTL ) X-ORIGIN 'scripts.mit.edu' )
 objectClasses: ( 1.2.840.113554.4.2.2.2 NAME 'scriptsAccount' DESC 'Configuration for a Scripts account' SUP posixAccount AUXILIARY MAY ( scriptsMailboxCommand $ scriptsBlockMailSubmit $ ntUserComment ) X-ORIGIN 'scripts.mit.edu' )
+objectClasses: ( 1.2.840.113554.4.2.2.3 NAME 'scriptsVhostPool' DESC 'Configuration for Scripts Vhost Pool' SUP top AUXILIARY MUST ( scriptsVhostPoolIPv4 $ cn $ description $ scriptsVhostPoolUserSelectable ) X-ORIGIN 'scripts.mit.edu' )

From 0dfb7620e05fd067ac205060bf2bfe4c319f1242 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Tue, 25 Feb 2020 23:33:07 -0500
Subject: [PATCH 081/111] Configure the F20 realservers to respond to the new
 production proxy servers

---
 server/fedora/config/etc/sysconfig/iptables                    | 3 +++
 .../fedora/config/etc/sysconfig/network-scripts/route-vlan486  | 3 +++
 .../fedora/config/etc/sysconfig/network-scripts/rule-vlan486   | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/server/fedora/config/etc/sysconfig/iptables b/server/fedora/config/etc/sysconfig/iptables
index c93221c0..5267d44d 100644
--- a/server/fedora/config/etc/sysconfig/iptables
+++ b/server/fedora/config/etc/sysconfig/iptables
@@ -4,6 +4,9 @@
 :OUTPUT ACCEPT [0:0]
 :log-smtp - [0:0]
 -A INPUT -p udp -m udp --dport 161 ! -s 18.0.0.0/8 -j REJECT
+-A INPUT -m dscp --dscp 1 -j MARK --set-mark 1
+-A INPUT -m dscp --dscp 2 -j MARK --set-mark 2
+-A INPUT -m dscp --dscp 3 -j MARK --set-mark 3
 -A INPUT -m dscp --dscp 11 -j MARK --set-mark 11
 -A INPUT -m dscp --dscp 12 -j MARK --set-mark 12
 -A INPUT -m dscp --dscp 13 -j MARK --set-mark 13
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
index c53b1845..c29e8739 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486
@@ -1,3 +1,6 @@
+default via 18.4.86.23 dev vlan486 table 1
+default via 18.4.86.24 dev vlan486 table 2
+default via 18.4.86.25 dev vlan486 table 3
 default via 18.4.86.187 dev vlan486 table 11
 default via 18.4.86.192 dev vlan486 table 12
 default via 18.4.86.194 dev vlan486 table 13
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486 b/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
index cb13a7e5..bc27b353 100644
--- a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
+++ b/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486
@@ -1,3 +1,6 @@
+fwmark 1 lookup 1
+fwmark 2 lookup 2
+fwmark 3 lookup 3
 fwmark 11 lookup 11
 fwmark 12 lookup 12
 fwmark 13 lookup 13

From 930c8607abf1ce08e9d049024f505aa54aa99a2f Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Wed, 4 Mar 2020 00:41:36 -0500
Subject: [PATCH 082/111] Serve scripts-cert.mit.edu with SNI-based and
 name-based virtual hosting.

When traffic is going through the proxies, IP-based virtual hosting is
no longer an option.
---
 .../fedora/config/etc/httpd/conf/httpd.conf   | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index bd0f358f..d79755ca 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -273,13 +273,6 @@ ProxyRequests Off
     ErrorDocument 404 "No favicon.ico.
 </Location>
 
-<VirtualHost 18.4.86.50:80>
-    ServerName scripts-cert.mit.edu
-    ServerAlias scripts-cert
-    Include conf.d/scripts-vhost.conf
-    Include conf.d/vhosts-common.conf
-</VirtualHost>
-
 # LDAP vhost, w00t w00t
 <VirtualHost *:80>
     ServerName localhost
@@ -293,6 +286,14 @@ ProxyRequests Off
     Include conf.d/vhosts-common.conf
 </VirtualHost>
 
+# scripts-cert.mit.edu; must be listed below the default vhost
+<VirtualHost 18.4.86.50:80 *:80>
+    ServerName scripts-cert.mit.edu
+    ServerAlias scripts-cert
+    Include conf.d/scripts-vhost.conf
+    Include conf.d/vhosts-common.conf
+</VirtualHost>
+
 <IfModule ssl_module>
     Listen 443
     Listen 444
@@ -321,15 +322,6 @@ ProxyRequests Off
     SSLHonorCipherOrder on
     SSLCompression off
 
-    <VirtualHost 18.4.86.50:443 18.4.86.50:444>
-        ServerName scripts-cert.mit.edu
-        ServerAlias scripts-cert
-        Include conf.d/scripts-vhost.conf
-        Include conf.d/vhosts-common-ssl.conf
-        SSLCertificateFile /etc/pki/tls/certs/scripts-cert.pem
-        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
-        Include conf.d/vhosts-common-ssl-cert.conf
-    </VirtualHost>
     <VirtualHost 18.4.86.43:443>
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
@@ -377,6 +369,16 @@ ProxyRequests Off
         Include conf.d/vhosts-common-ssl.conf
         Include conf.d/vhosts-common-ssl-cert.conf
     </VirtualHost>
+    # scripts-cert.mit.edu; must be listed below the default vhost
+    <VirtualHost 18.4.86.50:443 18.4.86.50:444 *:443 *:444>
+        ServerName scripts-cert.mit.edu
+        ServerAlias scripts-cert
+        Include conf.d/scripts-vhost.conf
+        Include conf.d/vhosts-common-ssl.conf
+        SSLCertificateFile /etc/pki/tls/certs/scripts-cert.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
+        Include conf.d/vhosts-common-ssl-cert.conf
+    </VirtualHost>
     Include /var/lib/scripts-certs/vhosts.conf
 </IfModule>
 

From cb2bb62ec19a7293460466b585037fb30dd2d720 Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <mrittenb@mit.edu>
Date: Fri, 6 Mar 2020 00:50:31 -0500
Subject: [PATCH 083/111] Block user's spam wordpress comment emails

---
 server/fedora/config/etc/postfix/blocked_users | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/fedora/config/etc/postfix/blocked_users b/server/fedora/config/etc/postfix/blocked_users
index 1474b53c..9ca997a2 100644
--- a/server/fedora/config/etc/postfix/blocked_users
+++ b/server/fedora/config/etc/postfix/blocked_users
@@ -27,3 +27,5 @@ lebanon
 crpg
 scioly
 wheats
+4.330
+open

From 876aa7c0832bd19658a0e68a5e9ac9284ee92965 Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <mrittenb@mit.edu>
Date: Sat, 7 Mar 2020 11:28:01 -0500
Subject: [PATCH 084/111] More spam

---
 server/fedora/config/etc/postfix/blocked_users | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/postfix/blocked_users b/server/fedora/config/etc/postfix/blocked_users
index 9ca997a2..cd703ed5 100644
--- a/server/fedora/config/etc/postfix/blocked_users
+++ b/server/fedora/config/etc/postfix/blocked_users
@@ -29,3 +29,4 @@ scioly
 wheats
 4.330
 open
+11.s942

From dd28bbf4ff1073b9d8d29a3f5669abec5973d00d Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <mrittenb@mit.edu>
Date: Tue, 10 Mar 2020 01:21:21 -0400
Subject: [PATCH 085/111] Sort expired certificates by how recently they
 expired

---
 server/fedora/config/etc/pki/tls/certs/check.pl | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/check.pl b/server/fedora/config/etc/pki/tls/certs/check.pl
index 363b06a7..29dc57b8 100755
--- a/server/fedora/config/etc/pki/tls/certs/check.pl
+++ b/server/fedora/config/etc/pki/tls/certs/check.pl
@@ -18,6 +18,7 @@
 
 use constant WARNING => 60*60*24*14; # Warn if a cert is expiring within 14 days
 
+my @expired;
 foreach my $cert (glob("*.pem"), glob("/var/lib/scripts-certs/*.pem")) {
   open(CERT, "<", $cert);
   my $ins = do {local $/; <CERT>};
@@ -40,10 +41,16 @@
     my $time = str2time($exp);
 
     if ($verbose || ($time - $now) <= WARNING) {
-      printf "Certificate expiring in %.2f days: %s for ", (($time - $now) / (60.0*60*24)), $cert;
-      open(IN, '|-', qw(openssl x509 -subject -noout));
-      print IN $in;
-      close(IN);
+      push @expired, [$time - $now, $cert, $in];
     }
   }
 }
+
+@expired = reverse sort {$a->[0] <=> $b->[0]} @expired;
+foreach my $expired_cert (@expired) {
+  my ($age, $cert, $in) = @$expired_cert;
+  printf "Certificate expiring in %.2f days: %s for ", ($age / (60.0*60*24)), $cert;
+  open(IN, '|-', qw(openssl x509 -subject -noout));
+  print IN $in;
+  close(IN);
+}

From b06360d3e3d3dd60deff29a5323786cd43912610 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Sun, 22 Mar 2020 04:49:50 -0400
Subject: [PATCH 086/111] Teach mbash to route SSH connections to the user's
 default pool

---
 server/common/oursrc/accountadm/mbash.in | 99 +++++++++++++++++++++++-
 1 file changed, 97 insertions(+), 2 deletions(-)

diff --git a/server/common/oursrc/accountadm/mbash.in b/server/common/oursrc/accountadm/mbash.in
index 8ba0fe98..5f252bb9 100644
--- a/server/common/oursrc/accountadm/mbash.in
+++ b/server/common/oursrc/accountadm/mbash.in
@@ -1,3 +1,98 @@
-#!/bin/sh
+#!/usr/bin/env python
 
-exec @bash_path@ --rcfile /usr/local/etc/mbashrc "$@"
+from __future__ import (absolute_import, division, print_function)
+
+import os
+import sys
+import getpass
+import subprocess
+import ldap
+import ldap.filter
+
+def get_pool(username):
+    ldap_uri = ldap.get_option(ldap.OPT_URI)
+
+    ll = ldap.initialize(ldap_uri)
+
+    users = ll.search_s(
+        'dc=scripts,dc=mit,dc=edu',
+        ldap.SCOPE_SUBTREE,
+        ldap.filter.filter_format('(&(objectClass=posixAccount)(uid=%s))', [username]),
+        [],
+    )
+    if not users:
+        return None, None
+    user_dn = users[0][0]
+
+    pool_ips = set()
+    vhost_pools = {}
+    for dn, attrs in ll.search_s(
+        'dc=scripts,dc=mit,dc=edu',
+        ldap.SCOPE_SUBTREE,
+        ldap.filter.filter_format('(&(objectClass=scriptsVhost)(scriptsVhostAccount=%s))', [user_dn]),
+        ['scriptsVhostName', 'scriptsVhostPoolIPv4'],
+    ):
+        vhost_pools[attrs['scriptsVhostName'][0]] = attrs['scriptsVhostPoolIPv4'][0]
+        pool_ips.add(attrs['scriptsVhostPoolIPv4'][0])
+
+    pool_names = {}
+    for dn, attrs in ll.search_s(
+            'dc=scripts,dc=mit,dc=edu',
+            ldap.SCOPE_SUBTREE,
+            '(&(objectClass=scriptsVhostPool)(|'+''.join(ldap.filter.filter_format('(scriptsVhostPoolIPv4=%s)', [ip]) for ip in pool_ips)+'))',
+            ['cn', 'scriptsVhostPoolIPv4'],
+    ):
+        pool_names[attrs['scriptsVhostPoolIPv4'][0]] = attrs['cn'][0]
+
+    main_pool = vhost_pools.get(username + '.scripts.mit.edu')
+    other_pools = None
+    if len(pool_ips) > 1:
+        other_pools = sorted((pool_names.get(pool, pool), vhost) for vhost, pool in vhost_pools.items())
+    return main_pool, other_pools
+
+def should_forward():
+    ssh_connection = os.environ.get('SSH_CONNECTION')
+    if not ssh_connection:
+        return False
+    _, _, laddr, _ = ssh_connection.split(' ')
+    try:
+        with open('/etc/scripts/mbash-vips') as f:
+            if laddr in [l.strip() for l in f]:
+                return True
+    except IOError:
+        return False
+    return False
+
+def has_pool(ip):
+    return len(subprocess.check_output(['/sbin/ip', 'addr', 'show', 'to', ip])) > 0
+
+def maybe_forward():
+    if not should_forward():
+        return
+    command = None
+    if len(sys.argv) == 3 and sys.argv[1] == '-c':
+        command = sys.argv[2]
+    elif len(sys.argv) != 1:
+        print("Unexpected shell invocation; not forwarding.", file=sys.stderr)
+        return
+    user = getpass.getuser()
+    main_pool, other_pools = get_pool(user)
+    forward = main_pool and not has_pool(main_pool)
+    if forward:
+        # TODO: Check if we're already on the right server.
+        print("Forwarding to the server for %s.scripts.mit.edu." % (user,), file=sys.stderr)
+    if other_pools:
+        print("Your account has virtual hosts on multiple server pools; to connect to a server for a particular host, connect to a specific server:", file=sys.stderr)
+        print(file=sys.stderr)
+        for name, vhost in other_pools:
+            print("%s - ssh %s" % (vhost, name), file=sys.stderr)
+        print(file=sys.stderr)
+    if forward:
+        args = ['ssh', main_pool, '--']
+        if command is not None:
+            args.append(command)
+        os.execv('/usr/bin/ssh', args)
+
+maybe_forward()
+
+os.execv("@bash_path@", ["bash", "--rcfile", "/usr/local/etc/mbashrc"] + sys.argv[1:])

From 2ecf5fc6a311da97134fdd743f9e9e7ade79cef0 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Sun, 22 Mar 2020 17:21:38 -0400
Subject: [PATCH 087/111] Lint and review comments

---
 server/common/oursrc/accountadm/mbash.in | 55 +++++++++++++++++-------
 1 file changed, 40 insertions(+), 15 deletions(-)

diff --git a/server/common/oursrc/accountadm/mbash.in b/server/common/oursrc/accountadm/mbash.in
index 5f252bb9..f68d9f7c 100644
--- a/server/common/oursrc/accountadm/mbash.in
+++ b/server/common/oursrc/accountadm/mbash.in
@@ -2,20 +2,28 @@
 
 from __future__ import (absolute_import, division, print_function)
 
-import os
-import sys
 import getpass
+import os
 import subprocess
+import sys
+
 import ldap
 import ldap.filter
 
+BASE_DN = 'dc=scripts,dc=mit,dc=edu'
+
 def get_pool(username):
+    """
+    Check what pool(s) a locker is on.
+
+    Returns: (default vhost pool IP, [(pool name, vhost name)] if multiple pools)
+    """
     ldap_uri = ldap.get_option(ldap.OPT_URI)
 
     ll = ldap.initialize(ldap_uri)
 
     users = ll.search_s(
-        'dc=scripts,dc=mit,dc=edu',
+        BASE_DN,
         ldap.SCOPE_SUBTREE,
         ldap.filter.filter_format('(&(objectClass=posixAccount)(uid=%s))', [username]),
         [],
@@ -26,20 +34,25 @@ def get_pool(username):
 
     pool_ips = set()
     vhost_pools = {}
-    for dn, attrs in ll.search_s(
-        'dc=scripts,dc=mit,dc=edu',
-        ldap.SCOPE_SUBTREE,
-        ldap.filter.filter_format('(&(objectClass=scriptsVhost)(scriptsVhostAccount=%s))', [user_dn]),
-        ['scriptsVhostName', 'scriptsVhostPoolIPv4'],
+    for _, attrs in ll.search_s(
+            BASE_DN,
+            ldap.SCOPE_SUBTREE,
+            ldap.filter.filter_format(
+                '(&(objectClass=scriptsVhost)(scriptsVhostAccount=%s))',
+                [user_dn]),
+            ['scriptsVhostName', 'scriptsVhostPoolIPv4'],
     ):
         vhost_pools[attrs['scriptsVhostName'][0]] = attrs['scriptsVhostPoolIPv4'][0]
         pool_ips.add(attrs['scriptsVhostPoolIPv4'][0])
 
     pool_names = {}
     for dn, attrs in ll.search_s(
-            'dc=scripts,dc=mit,dc=edu',
+            BASE_DN,
             ldap.SCOPE_SUBTREE,
-            '(&(objectClass=scriptsVhostPool)(|'+''.join(ldap.filter.filter_format('(scriptsVhostPoolIPv4=%s)', [ip]) for ip in pool_ips)+'))',
+            '(&(objectClass=scriptsVhostPool)(|'+''.join(
+                ldap.filter.filter_format('(scriptsVhostPoolIPv4=%s)', [ip])
+                for ip in pool_ips
+            )+'))',
             ['cn', 'scriptsVhostPoolIPv4'],
     ):
         pool_names[attrs['scriptsVhostPoolIPv4'][0]] = attrs['cn'][0]
@@ -47,10 +60,14 @@ def get_pool(username):
     main_pool = vhost_pools.get(username + '.scripts.mit.edu')
     other_pools = None
     if len(pool_ips) > 1:
-        other_pools = sorted((pool_names.get(pool, pool), vhost) for vhost, pool in vhost_pools.items())
+        other_pools = sorted(
+            (pool_names.get(pool, pool), vhost)
+            for vhost, pool in vhost_pools.items()
+        )
     return main_pool, other_pools
 
 def should_forward():
+    """Check if we were invoked by ssh on a vip that requires forwarding."""
     ssh_connection = os.environ.get('SSH_CONNECTION')
     if not ssh_connection:
         return False
@@ -64,9 +81,15 @@ def should_forward():
     return False
 
 def has_pool(ip):
+    """Check if the current machine is binding a vip."""
     return len(subprocess.check_output(['/sbin/ip', 'addr', 'show', 'to', ip])) > 0
 
 def maybe_forward():
+    """
+    Forward the invocation if appropriate.
+
+    exec's when forwarding, so returning means we should run locally.
+    """
     if not should_forward():
         return
     command = None
@@ -79,10 +102,11 @@ def maybe_forward():
     main_pool, other_pools = get_pool(user)
     forward = main_pool and not has_pool(main_pool)
     if forward:
-        # TODO: Check if we're already on the right server.
         print("Forwarding to the server for %s.scripts.mit.edu." % (user,), file=sys.stderr)
     if other_pools:
-        print("Your account has virtual hosts on multiple server pools; to connect to a server for a particular host, connect to a specific server:", file=sys.stderr)
+        print("Your account has virtual hosts on multiple server pools; "
+              "to connect to a server for a particular host, "
+              "connect to a specific server:", file=sys.stderr)
         print(file=sys.stderr)
         for name, vhost in other_pools:
             print("%s - ssh %s" % (vhost, name), file=sys.stderr)
@@ -93,6 +117,7 @@ def maybe_forward():
             args.append(command)
         os.execv('/usr/bin/ssh', args)
 
-maybe_forward()
+if __name__ == '__main__':
+    maybe_forward()
 
-os.execv("@bash_path@", ["bash", "--rcfile", "/usr/local/etc/mbashrc"] + sys.argv[1:])
+    os.execv("@bash_path@", ["bash", "--rcfile", "/usr/local/etc/mbashrc"] + sys.argv[1:])

From f5b239d90a4439a873d1f9e16fbfec7c74c93630 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Tue, 24 Mar 2020 18:46:25 -0400
Subject: [PATCH 088/111] Save 150ms startup time by only importing ldap when
 necessary

---
 server/common/oursrc/accountadm/mbash.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/common/oursrc/accountadm/mbash.in b/server/common/oursrc/accountadm/mbash.in
index f68d9f7c..18db083b 100644
--- a/server/common/oursrc/accountadm/mbash.in
+++ b/server/common/oursrc/accountadm/mbash.in
@@ -7,9 +7,6 @@ import os
 import subprocess
 import sys
 
-import ldap
-import ldap.filter
-
 BASE_DN = 'dc=scripts,dc=mit,dc=edu'
 
 def get_pool(username):
@@ -18,6 +15,9 @@ def get_pool(username):
 
     Returns: (default vhost pool IP, [(pool name, vhost name)] if multiple pools)
     """
+    import ldap
+    import ldap.filter
+
     ldap_uri = ldap.get_option(ldap.OPT_URI)
 
     ll = ldap.initialize(ldap_uri)

From 3f35188ff63640c1b8ba3a9a190299e98e55653b Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 26 Mar 2020 14:21:00 -0400
Subject: [PATCH 089/111] Prevent ssh from touching ~/.ssh.

This drastically improves the speed of hostbased ssh because ~/.ssh is
typically not readable/writable by scripts accounts.
---
 server/common/oursrc/accountadm/mbash.in | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/common/oursrc/accountadm/mbash.in b/server/common/oursrc/accountadm/mbash.in
index 18db083b..fa1d273c 100644
--- a/server/common/oursrc/accountadm/mbash.in
+++ b/server/common/oursrc/accountadm/mbash.in
@@ -112,7 +112,14 @@ def maybe_forward():
             print("%s - ssh %s" % (vhost, name), file=sys.stderr)
         print(file=sys.stderr)
     if forward:
-        args = ['ssh', main_pool, '--']
+        args = [
+            'ssh',
+            '-F', '/etc/ssh/ssh_config',
+            '-o', 'IdentityFile=none',
+            '-o', 'UserKnownHostsFile=none',
+            main_pool,
+            '--',
+        ]
         if command is not None:
             args.append(command)
         os.execv('/usr/bin/ssh', args)

From d67e1e195af589e31ce7f773b306397dab7010f3 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 26 Mar 2020 14:28:48 -0400
Subject: [PATCH 090/111] Configure mbash to forward ssh to the user's pool

---
 server/fedora/config/etc/scripts/mbash-vips  | 4 ++++
 server/fedora/config/etc/ssh/shosts.equiv    | 1 +
 server/fedora/config/etc/ssh/ssh_known_hosts | 1 +
 3 files changed, 6 insertions(+)
 create mode 100644 server/fedora/config/etc/scripts/mbash-vips

diff --git a/server/fedora/config/etc/scripts/mbash-vips b/server/fedora/config/etc/scripts/mbash-vips
new file mode 100644
index 00000000..e16c726d
--- /dev/null
+++ b/server/fedora/config/etc/scripts/mbash-vips
@@ -0,0 +1,4 @@
+18.4.86.43
+18.4.86.50
+18.4.86.46
+18.4.86.29
diff --git a/server/fedora/config/etc/ssh/shosts.equiv b/server/fedora/config/etc/ssh/shosts.equiv
index f522f435..c8d53c98 100644
--- a/server/fedora/config/etc/ssh/shosts.equiv
+++ b/server/fedora/config/etc/ssh/shosts.equiv
@@ -10,6 +10,7 @@ whole-enchilada.mit.edu
 golden-egg.mit.edu
 miracle-cure.mit.edu
 lucky-star.mit.edu
+scripts-f30.mit.edu
 172.21.0.53
 172.21.0.57
 172.21.0.167
diff --git a/server/fedora/config/etc/ssh/ssh_known_hosts b/server/fedora/config/etc/ssh/ssh_known_hosts
index 1f5e8e17..c598ee10 100644
--- a/server/fedora/config/etc/ssh/ssh_known_hosts
+++ b/server/fedora/config/etc/ssh/ssh_known_hosts
@@ -10,3 +10,4 @@ shining-armor.mit.edu,shining-armor,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18
 golden-egg.mit.edu,golden-egg,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.4.86.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
 miracle-cure.mit.edu,miracle-cure,m-c.mit.edu,m-c,scripts11.mit.edu,scripts11,18.4.86.203,172.21.0.203 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
 lucky-star.mit.edu,lucky-star,l-s.mit.edu,l-s,scripts12.mit.edu,scripts12,18.4.86.204,172.21.0.204 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+scripts-f30.mit.edu,scripts-f30,18.4.86.30,172.21.0.30 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==

From a4e0820abecd5f2614b4165df73a6147ceea5b71 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 26 Mar 2020 16:16:54 -0400
Subject: [PATCH 091/111] Block port forwarding on VIPs

---
 server/fedora/config/etc/ssh/sshd_config | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/fedora/config/etc/ssh/sshd_config b/server/fedora/config/etc/ssh/sshd_config
index 7a2adfe1..19221641 100644
--- a/server/fedora/config/etc/ssh/sshd_config
+++ b/server/fedora/config/etc/ssh/sshd_config
@@ -22,3 +22,8 @@ HostbasedAuthentication yes
 IgnoreRhosts yes
 IgnoreUserKnownHosts yes
 DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu root@golden-egg.mit.edu root@miracle-cure.mit.edu root@lucky-star.mit.edu
+
+# Must come last because F20 sshd doesn't support "Match All"
+Match LocalAddress 18.4.86.43,18.4.86.50,18.4.86.46,18.4.86.29
+AllowAgentForwarding no
+AllowTcpForwarding no

From 71a28074263b822a56814288a34de8bb55eeb843 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Thu, 26 Mar 2020 18:18:00 -0400
Subject: [PATCH 092/111] Forward with a TTY if called with a TTY

---
 server/common/oursrc/accountadm/mbash.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/common/oursrc/accountadm/mbash.in b/server/common/oursrc/accountadm/mbash.in
index fa1d273c..4b8a3468 100644
--- a/server/common/oursrc/accountadm/mbash.in
+++ b/server/common/oursrc/accountadm/mbash.in
@@ -118,9 +118,11 @@ def maybe_forward():
             '-o', 'IdentityFile=none',
             '-o', 'UserKnownHostsFile=none',
             main_pool,
-            '--',
         ]
+        if os.isatty(sys.stdin.fileno()):
+            args.append('-t')
         if command is not None:
+            args.append('--')
             args.append(command)
         os.execv('/usr/bin/ssh', args)
 

From 73aa28c215d516a4961d3f2055b37fdf5c191d45 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Sat, 4 Apr 2020 04:39:31 -0400
Subject: [PATCH 093/111] Block some more SSH spew

---
 server/fedora/config/etc/syslog-ng/d_zroot.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/syslog-ng/d_zroot.pl b/server/fedora/config/etc/syslog-ng/d_zroot.pl
index dec99985..4285e7e6 100755
--- a/server/fedora/config/etc/syslog-ng/d_zroot.pl
+++ b/server/fedora/config/etc/syslog-ng/d_zroot.pl
@@ -114,9 +114,10 @@ ($)
 	} elsif ($message =~ m|^Invalid user|) {
 	} elsif ($message =~ m|^input_userauth_request: invalid user|) {
 	} elsif ($message =~ m|^Received disconnect from|) {
+	} elsif ($message =~ m|^Did not receive identification string from|) {
 	} elsif ($message =~ m|^Postponed keyboard-interactive|) {
 	} elsif ($message =~ m|^Failed keyboard-interactive/pam|) {
-	} elsif ($message =~ m|^fatal: Read from socket failed: Connection reset by peer$|) {
+	} elsif ($message =~ m|^fatal: Read from socket failed: Connection reset by peer|) {
 	} elsif ($message =~ m|^reverse mapping checking getaddrinfo|) {
 	} elsif ($message =~ m|^pam_succeed_if\(sshd\:auth\)\:|) {
 	} elsif ($message =~ m|^error: PAM: Authentication failure|) {

From 2075630e7bcece17347dba5a7a6a5bc19f775ad4 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Mon, 4 May 2020 22:31:13 -0400
Subject: [PATCH 094/111] Increase FastCGI request size limit to 400MiB

---
 server/fedora/config/etc/httpd/conf/httpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index d79755ca..4b5cf10b 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -390,7 +390,7 @@ AddHandler fcgid-script fcgi
 SocketPath /var/run/mod_fcgid
 SharememPath /var/run/mod_fcgid/fcgid_shm
 IPCCommTimeout 300
-FcgidMaxRequestLen 209715200
+FcgidMaxRequestLen 419430400
 FcgidIdleTimeout 600
 FcgidMaxProcessesPerClass 10
 FcgidMinProcessesPerClass 0

From 82b629da3ac4006134c0afa478fa016cbd6d597f Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <mrittenb@mit.edu>
Date: Tue, 2 Jun 2020 13:50:31 -0400
Subject: [PATCH 095/111] Update USERTrust certificates

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 60 +++++++++----------
 .../config/etc/pki/tls/certs/scripts.pem      | 60 +++++++++----------
 .../config/etc/pki/tls/certs/star.scripts.pem | 60 +++++++++----------
 3 files changed, 90 insertions(+), 90 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index 619cf235..53937c57 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -66,34 +66,34 @@ oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
 OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
-ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
-eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
-gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
-ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
-VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
-UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
-tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
-jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
-8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
-AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
-Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
-N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
-qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
-HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
-+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
-HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
-A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
-HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
-dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
-dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
-lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
-RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
-YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
-Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
-Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
-0fKtirOMxyHNwu8=
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
 -----END CERTIFICATE-----
diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index 1daeb107..a09c55ab 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -66,34 +66,34 @@ oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
 OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
-ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
-eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
-gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
-ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
-VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
-UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
-tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
-jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
-8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
-AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
-Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
-N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
-qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
-HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
-+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
-HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
-A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
-HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
-dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
-dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
-lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
-RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
-YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
-Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
-Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
-0fKtirOMxyHNwu8=
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
 -----END CERTIFICATE-----
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index 9544a7e6..33e5a0b3 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -66,34 +66,34 @@ oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
 OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
-ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
-eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
-gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
-ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
-VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
-UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
-tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
-jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
-8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
-AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
-Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
-N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
-qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
-HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
-+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
-HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
-A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
-HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
-dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
-dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
-lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
-RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
-YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
-Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
-Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
-0fKtirOMxyHNwu8=
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
 -----END CERTIFICATE-----

From c1e9dd54b236533084bbcc8ceb2b7712d7779046 Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <mrittenb@mit.edu>
Date: Tue, 22 Sep 2020 21:19:36 -0400
Subject: [PATCH 096/111] Update *.scripts.mit.edu and scripts.mit.edu
 certificates

---
 .../config/etc/pki/tls/certs/scripts.pem      | 154 +++++++++++-------
 .../config/etc/pki/tls/certs/star.scripts.pem | 154 +++++++++++-------
 2 files changed, 184 insertions(+), 124 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index a09c55ab..c8d27671 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,35 +1,59 @@
 -----BEGIN CERTIFICATE-----
-MIIFozCCBIugAwIBAgIQSX1zBsEKwqwAwpl2eUXc7TANBgkqhkiG9w0BAQsFADB2
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
-MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNzEwMDUwMDAwMDBaFw0yMDEwMDQy
-MzU5NTlaMIHdMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDIxMzkxFjAUBgNVBAgT
-DU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEdMBsGA1UECRMUNzcg
-TWFzc2FjaHVzZXR0cyBBdmUxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0
-dXRlIG9mIFRlY2hub2xvZ3kxKTAnBgNVBAsMIEluZm9ybWF0aW9uIFN5c3RlbXMg
-JiBUZWNobm9sb2d5MRgwFgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UW
-GwnqJiIIWbGY4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9
-yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/
-bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlU
-dmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9a
-H9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggHD
-MIIBvzAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU
-+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
-MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYM
-KwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9u
-Lm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1Ud
-HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1v
-blJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0
-dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0
-MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBoGA1UdEQQT
-MBGCD3NjcmlwdHMubWl0LmVkdTANBgkqhkiG9w0BAQsFAAOCAQEAZsb1PNl/QrYU
-P/E6LmGpViz+t41wat8sJJIczKQwqx5vxWJJ3Z7BhDw0C7pXmNcz4EUefyRoCGxC
-gl+FztD4L9GjsTU4EMHtak655hzW8I5dBVVuXrbOZlit+6WHGotd8etSbYeGHUM9
-pHw/bVqfwsog/QQTwViayKlDx0xWsomTwDJkurFvKDwi9fMiSSqJt4XktY40j2gD
-nJx350NZF6EbpIakhXxX1hjGYZ5Mz14PNwWeHxIsdDtnL06dEkLKOfvozpR9Vvsw
-qt6mwW/F4M5+1evm4vJN/btgxUoh/6oSgWDNorWDgA22e6wIbSkIqekkX6ouDQGL
-yHVj/3Ztfw==
+MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
+MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
+GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
+YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
+MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
+BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
+GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
+BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
+3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
+YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
+rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
+ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
+oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
+MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
+QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
+b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
+AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
+GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
+Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
+G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
+l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
+smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
@@ -66,34 +90,40 @@ oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
 OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
-MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
-VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
-AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
-MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
-MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
-ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
-s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
-vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
-Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
-IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
-tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
-xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
-icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
-D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
-WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
-5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
-KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
-EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
-ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
-BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
-L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
-BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
-A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
-rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
-/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
-CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
-zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
-vGp4z7h/jnZymQyd/teRCBaho1+V
------END CERTIFICATE-----
+MIIGqzCCBZOgAwIBAgIQX8TzyVPIynd0BlWHRib4LTANBgkqhkiG9w0BAQsFADB2
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
+MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMDA5MjIwMDAwMDBaFw0yMTA5MjIy
+MzU5NTlaMIHdMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDIxMzkxFjAUBgNVBAgT
+DU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEdMBsGA1UECRMUNzcg
+TWFzc2FjaHVzZXR0cyBBdmUxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0
+dXRlIG9mIFRlY2hub2xvZ3kxKTAnBgNVBAsMIEluZm9ybWF0aW9uIFN5c3RlbXMg
+JiBUZWNobm9sb2d5MRgwFgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UW
+GwnqJiIIWbGY4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9
+yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/
+bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlU
+dmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9a
+H9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggLL
+MIICxzAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU
++6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
+MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYM
+KwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9u
+Lm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1Ud
+HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1v
+blJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0
+dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0
+MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBoGA1UdEQQT
+MBGCD3NjcmlwdHMubWl0LmVkdTCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AH0+
+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABdLZK9wIAAAQDAEgwRgIh
+AKMk8teUE5lXEXR8Wssm40C7LHZ2t1PZceH7HHS+5pazAiEAyZcZx7IKtany9XGp
+X5BpNIqit1pW+E9pocfpZ+JvckcAdQCUILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h
+204vWE2iwgAAAXS2SvcqAAAEAwBGMEQCICImDybUXMg7ZakcO1zyDQPxd8O+isIn
+e5O8QQztwDBrAiB4gA9aikHNq4rBt5/kqwxl/L7zbba9odpcAeSfEpn7fjANBgkq
+hkiG9w0BAQsFAAOCAQEAhHNC2PfYhCFTwXEDj4hdREb6jBPuNTFaUfgI5uqDBKuD
+QsWg2Fl1/NTKaENihH65UVJDDmcGiKCsOnwFKWPUZ67QVrq2EdKNEyGUye6ER3OJ
+2kLCCkJ3rMM1+OV1NanvZArWHNKNhFc2c5EadZTVCRSLwrqWIeD/Z5lXRqFgQUvI
+bU9k7781FP5iH40MlafV/A3UfLX4RUx8Ifg+X16DtPTYijnorHwSi8VAjwFLfJ6d
+laFCmdoEJCXwf2+elFs12L94FLlWrxv3fo+EiB7dsZNYZowFsYIAXFbLg73ha7Z7
+Snc6XQHR/53e3DEHsZiuANCXzaQREWZwamaEiFlnow==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index 33e5a0b3..df449bfe 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,35 +1,59 @@
 -----BEGIN CERTIFICATE-----
-MIIFpzCCBI+gAwIBAgIQMx1Pzz2yUuH8l8h7iIwGHDANBgkqhkiG9w0BAQsFADB2
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
-MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNzEwMDUwMDAwMDBaFw0yMDEwMDQy
-MzU5NTlaMIHfMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDIxMzkxFjAUBgNVBAgT
-DU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEdMBsGA1UECRMUNzcg
-TWFzc2FjaHVzZXR0cyBBdmUxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0
-dXRlIG9mIFRlY2hub2xvZ3kxKTAnBgNVBAsMIEluZm9ybWF0aW9uIFN5c3RlbXMg
-JiBUZWNobm9sb2d5MRowGAYDVQQDDBEqLnNjcmlwdHMubWl0LmVkdTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzj
-dRYbCeomIghZsZjijbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq
-0n3LDc0z/X1x4uZL2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFA
-VX9sRoEhfj3utqE0ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcld
-GVR2Y1QuLjsJ+9hnyyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkk
-b1of1NrQyyMzvpswUdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOC
-AcUwggHBMB8GA1UdIwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQW
-BBT7qCY04gyGSzdDzOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
-BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBS
-BgwrBgEEAa4jAQQDAQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21t
-b24ub3JnL2NlcnQvcmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYD
-VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29t
-bW9uUlNBU2VydmVyQ0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYy
-aHR0cDovL2NydC51c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHAYDVR0R
-BBUwE4IRKi5zY3JpcHRzLm1pdC5lZHUwDQYJKoZIhvcNAQELBQADggEBAIzQbUx7
-K6ZZ1MHmvEw3aX9UYh+Rp+vM5TxJFj4z8XnhrL27RhAlDcFpF9vEWxUN+MrRNrtM
-AGCtZSlJMioCkNihIjrfPCUGSDTHB29865uYVL9g59IjKOIukeHkBnzxjns7Qvwo
-PAzC1Zpyky3IJv9x5yuK0+wMx2FoQ9UiVeSZozAwGTyii5NpTJIs3qx9aIZXL9X1
-8sJdC1YCOG8wLJ1aix7YmbD2ppgXIv7qu9HPP6YYdux4HI+fY/tCcEq8gozc/S2x
-QMfDuK23bnA8pjc/rb7sFjZmkL4uKt0z7xfVFN7Cpb8hX8v2dtFgmxK2URZd77ot
-V4hJIMR/thFsq7E=
+MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
+MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
+GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
+YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
+MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
+BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
+GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
+BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
+3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
+YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
+rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
+ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
+oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
+MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
+QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
+b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
+AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
+GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
+Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
+G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
+l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
+smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
@@ -66,34 +90,40 @@ oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
 OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
-MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
-VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
-AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
-MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
-MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
-ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
-s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
-vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
-Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
-IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
-tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
-xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
-icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
-D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
-WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
-5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
-KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
-EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
-ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
-BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
-L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
-BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
-A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
-rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
-/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
-CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
-zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
-vGp4z7h/jnZymQyd/teRCBaho1+V
------END CERTIFICATE-----
+MIIGsDCCBZigAwIBAgIQH42Lq3XSuDl3qXyd7YA0mjANBgkqhkiG9w0BAQsFADB2
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
+MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMDA5MjIwMDAwMDBaFw0yMTA5MjIy
+MzU5NTlaMIHfMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDIxMzkxFjAUBgNVBAgT
+DU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEdMBsGA1UECRMUNzcg
+TWFzc2FjaHVzZXR0cyBBdmUxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0
+dXRlIG9mIFRlY2hub2xvZ3kxKTAnBgNVBAsMIEluZm9ybWF0aW9uIFN5c3RlbXMg
+JiBUZWNobm9sb2d5MRowGAYDVQQDDBEqLnNjcmlwdHMubWl0LmVkdTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzj
+dRYbCeomIghZsZjijbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq
+0n3LDc0z/X1x4uZL2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFA
+VX9sRoEhfj3utqE0ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcld
+GVR2Y1QuLjsJ+9hnyyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkk
+b1of1NrQyyMzvpswUdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOC
+As4wggLKMB8GA1UdIwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQW
+BBT7qCY04gyGSzdDzOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
+BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBS
+BgwrBgEEAa4jAQQDAQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21t
+b24ub3JnL2NlcnQvcmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYD
+VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29t
+bW9uUlNBU2VydmVyQ0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYy
+aHR0cDovL2NydC51c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5j
+cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHAYDVR0R
+BBUwE4IRKi5zY3JpcHRzLm1pdC5lZHUwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEA
+dwB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXS2SvcIAAAEAwBI
+MEYCIQDLjM4EShaa2gcJ2LA68fITFbcvaIlbQ1nUoRNDA1cdhgIhAPEPmp0+ExS7
+NL8Pkmf699iP+dFIUhDbdH3mcIPk9t4KAHYAlCC8Ho7VjWyIcx+CiyIsDdHaTV5s
+T5Q9YdtOL1hNosIAAAF0tkr3lAAABAMARzBFAiAWmGBjS7DW+tK30Liy8xMJRYug
+8GaOSYGTc0amkEhQAgIhAOIE0kMdOO2vmz+vIA4AnACyGDjQbwoF98TOiaRF+uLt
+MA0GCSqGSIb3DQEBCwUAA4IBAQBXeGjFp85r7Tf+kxv1/bsaGEIsCdRblCQOGZ3+
++0Wi8ozsTdR2FzSDi0hXS2p2cWa1VXKzvzKrNGgcGMAzhhQC94S8cOh4B0ABcqVi
+pEI+hUramGZmE4O5e3bBa1MzVoxOLsyNJi1sj2j3WCrxOuHsdsmwWjhZ46D6EZma
+x64ZMqSSCoittXdy103tJaLRVlKsDItDDSQOSIIzcuirtUY195RPf5oO7+sVknTz
+ZZeR7ur4ng07ooJOAS6gMUPltn5RXabwSYfMgvwOG2S3P77l2UU4zAqn7QAN1Rvu
+kOt4ITwYpq/+Iwgxolzwfj/h51A4QT15m9V6AvbFiQ763tkf
+-----END CERTIFICATE-----
\ No newline at end of file

From c4f18eccce145f0b4dae4487d38875927580cfa5 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Tue, 22 Sep 2020 22:25:30 -0400
Subject: [PATCH 097/111] Fix ordering of certificates in the chain

---
 .../config/etc/pki/tls/certs/scripts.pem      | 159 ++++++++----------
 .../config/etc/pki/tls/certs/star.scripts.pem | 159 ++++++++----------
 2 files changed, 134 insertions(+), 184 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index c8d27671..a27e6b8e 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,95 +1,4 @@
 -----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
-MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
-VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
-AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
-MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
-MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
-ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
-s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
-vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
-Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
-IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
-tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
-xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
-icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
-D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
-WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
-5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
-KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
-EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
-ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
-BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
-L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
-BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
-A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
-rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
-/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
-CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
-zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
-vGp4z7h/jnZymQyd/teRCBaho1+V
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
-MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
-CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
-DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
-QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
-xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
-HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
-iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
-qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
-eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
-fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
-MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
-EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
-hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
-dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
-dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
-hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
-11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
-+Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
-5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
-hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
-RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
-Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
-eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
-nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
-oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
-OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIGqzCCBZOgAwIBAgIQX8TzyVPIynd0BlWHRib4LTANBgkqhkiG9w0BAQsFADB2
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
 MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
@@ -126,4 +35,70 @@ QsWg2Fl1/NTKaENihH65UVJDDmcGiKCsOnwFKWPUZ67QVrq2EdKNEyGUye6ER3OJ
 bU9k7781FP5iH40MlafV/A3UfLX4RUx8Ifg+X16DtPTYijnorHwSi8VAjwFLfJ6d
 laFCmdoEJCXwf2+elFs12L94FLlWrxv3fo+EiB7dsZNYZowFsYIAXFbLg73ha7Z7
 Snc6XQHR/53e3DEHsZiuANCXzaQREWZwamaEiFlnow==
------END CERTIFICATE-----
\ No newline at end of file
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
+MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
+DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
+xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
+HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
+iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
+qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
+eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
+fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
+MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
+hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
+dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
+dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
+cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
+hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
+11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
++Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
+5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
+hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
+RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
+Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
+eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
+nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
+oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
+OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
+-----END CERTIFICATE-----
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index df449bfe..9a5acaf2 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,95 +1,4 @@
 -----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
-MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
-VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
-AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
-MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
-MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
-ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
-s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
-vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
-Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
-IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
-tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
-xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
-icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
-D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
-WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
-5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
-KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
-EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
-ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
-BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
-L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
-BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
-A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
-rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
-/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
-CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
-zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
-vGp4z7h/jnZymQyd/teRCBaho1+V
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
-MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
-CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
-DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
-QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
-xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
-HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
-iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
-qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
-eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
-fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
-MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
-EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
-hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
-dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
-dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
-hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
-11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
-+Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
-5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
-hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
-RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
-Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
-eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
-nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
-oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
-OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIGsDCCBZigAwIBAgIQH42Lq3XSuDl3qXyd7YA0mjANBgkqhkiG9w0BAQsFADB2
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
 MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
@@ -126,4 +35,70 @@ pEI+hUramGZmE4O5e3bBa1MzVoxOLsyNJi1sj2j3WCrxOuHsdsmwWjhZ46D6EZma
 x64ZMqSSCoittXdy103tJaLRVlKsDItDDSQOSIIzcuirtUY195RPf5oO7+sVknTz
 ZZeR7ur4ng07ooJOAS6gMUPltn5RXabwSYfMgvwOG2S3P77l2UU4zAqn7QAN1Rvu
 kOt4ITwYpq/+Iwgxolzwfj/h51A4QT15m9V6AvbFiQ763tkf
------END CERTIFICATE-----
\ No newline at end of file
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
+MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
+DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
+xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
+HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
+iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
+qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
+eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
+fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
+MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
+hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
+dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
+dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
+cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
+hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
+11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
++Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
+5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
+hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
+RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
+Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
+eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
+nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
+oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
+OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
+-----END CERTIFICATE-----

From 39dafaa2bf871d1c9ec03d5484d8cf968dd846be Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Fri, 25 Sep 2020 22:13:49 -0400
Subject: [PATCH 098/111] Add 18.4.86.50 as an alias for scripts-cert so that
 SNI works with the IP address (since the proxies broke IP-based virtual
 hosting)

---
 server/fedora/config/etc/httpd/conf/httpd.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index 4b5cf10b..6cc5e42e 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -290,6 +290,7 @@ ProxyRequests Off
 <VirtualHost 18.4.86.50:80 *:80>
     ServerName scripts-cert.mit.edu
     ServerAlias scripts-cert
+    ServerAlias 18.4.86.50
     Include conf.d/scripts-vhost.conf
     Include conf.d/vhosts-common.conf
 </VirtualHost>
@@ -373,6 +374,7 @@ ProxyRequests Off
     <VirtualHost 18.4.86.50:443 18.4.86.50:444 *:443 *:444>
         ServerName scripts-cert.mit.edu
         ServerAlias scripts-cert
+        ServerAlias 18.4.86.50
         Include conf.d/scripts-vhost.conf
         Include conf.d/vhosts-common-ssl.conf
         SSLCertificateFile /etc/pki/tls/certs/scripts-cert.pem

From 40aaee344bce6a96603ece7fc26f58c4f4b7f954 Mon Sep 17 00:00:00 2001
From: Miriam Rittenberg <mrittenb@mit.edu>
Date: Wed, 30 Sep 2020 00:03:49 -0400
Subject: [PATCH 099/111] Update scripts-cert cert

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 25 +++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index 53937c57..e12f8a99 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIFrjCCBJagAwIBAgIRAJXnIJdmkRa2S6lxzTTbNucwDQYJKoZIhvcNAQELBQAw
+MIIGuDCCBaCgAwIBAgIRAJeSWrjH0PnrtPKKY4YhHKYwDQYJKoZIhvcNAQELBQAw
 djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
 EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
-FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMTcxMDA2MDAwMDAwWhcNMjAxMDA1
+FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjAwOTI4MDAwMDAwWhcNMjEwOTI4
 MjM1OTU5WjCB4jELMAkGA1UEBhMCVVMxDjAMBgNVBBETBTAyMTM5MRYwFAYDVQQI
 Ew1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxHTAbBgNVBAkTFDc3
 IE1hc3NhY2h1c2V0dHMgQXZlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
@@ -14,7 +14,7 @@ VkLs6tJ9yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jw
 t6DxQFV/bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV0
 5kHJXRlUdmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7
 kdLZJG9aH9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMB
-AAGjggHIMIIBxDAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNV
+AAGjggLSMIICzjAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNV
 HQ4EFgQU+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
 EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARg
 MF4wUgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3Lmlu
@@ -23,13 +23,18 @@ MEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9J
 bkNvbW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUH
 MAKGMmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNB
 XzIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMB8G
-A1UdEQQYMBaCFHNjcmlwdHMtY2VydC5taXQuZWR1MA0GCSqGSIb3DQEBCwUAA4IB
-AQBWmcsNXk6HkzmdziAilLJpnsMUwSJ+gysG61e9COVraXZahcqfLbkpa8TXz0ew
-sjCWaGxbl42Xow2bttQeAoAQajFdk157SU17ykmSy+/QEj8O9BGQG5yebtXXm+T/
-ZPMaYlXs9sWzvXu8d8cjZAyU/YA0fghHhF26x+/yWrFKfm/HLogfI4TERk4614cI
-TJjiNr7TvwRXaHDR6lkGpiueU08SvViRSsGwjp1W/m2ycAbgx1ptofGgtpDbzAsw
-P9J1BqWNvNnBbWUD27RuGuntZdyMzdj58d6aTBvzaDH3rHRq9IiTygQQSmEk4E2Y
-IUYcBNzw295YzcXyzoSMHbUI
+A1UdEQQYMBaCFHNjcmlwdHMtY2VydC5taXQuZWR1MIIBBgYKKwYBBAHWeQIEAgSB
+9wSB9ADyAHcAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF01gXv
+7AAABAMASDBGAiEAiTC/rcIa+Uxzk48X/Tut8G5eoDdWyYPD05KB0IYJvmgCIQDa
+EYDeNpj7OeIOxHhrHVXga/NkC2M/tvSHbtZUk68D0AB3AJQgvB6O1Y1siHMfgosi
+LA3R2k1ebE+UPWHbTi9YTaLCAAABdNYF8BQAAAQDAEgwRgIhAKS4zbTbGtzXaMwC
+AIEosNpN0xs8tw3kPgv2qr8auAmeAiEA8521AXUfzGhR7nSh1YX+YRNRmwms5E2J
+p/xw0sSKM3owDQYJKoZIhvcNAQELBQADggEBAAcNMF17shjx1kkjC4In2KFSeG3I
+tyAsalCprAkLC9Gb12naPgDcslS2gti0Q5y61WCQ9arqcH12Mo42sNaX8VkM5aZm
+AO6uA4uBz772jEjHouTa1upI6fgcdlTIm7XgkndSOTUZKTuI4G1gshXLyIuQmYaC
+B5oR1voi0y7Bd0IZB/uU+D5KG5iL+Bs727Ge36sjCzGR14INoBkx+SyM7x1b4ocM
+8XpdqmYaIynKgVz2wdeBLqeGiC9ZbLi7HYEZoNx7VrIXOzW+sb2u88Yjwz/Fxm81
+YXxNLmRXLbtpBmmuJ1p0yIIXrtqXl9ZzV8mnWMxP1lMxe9uf66xWp6cJMws=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB

From b7db527430259146f2401f2e3b5518bc04020f05 Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Mon, 3 May 2021 05:44:17 -0400
Subject: [PATCH 100/111] Add scripts-f20 to /etc/hosts to withstand transient
 DNS failures

---
 server/fedora/config/etc/hosts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
index 5695fdb0..6d1d16d6 100644
--- a/server/fedora/config/etc/hosts
+++ b/server/fedora/config/etc/hosts
@@ -9,6 +9,7 @@
 18.4.86.46	scripts-vhosts.mit.edu scripts-vhosts
 18.4.86.50	scripts-cert.mit.edu scripts-cert
 18.4.86.229	scripts-test.mit.edu scripts-test
+18.4.86.22	scripts-f20.mit.edu scripts-f20
 
 18.4.86.57	better-mousetrap.mit.edu better-mousetrap scripts1.mit.edu scripts1
 18.4.86.53	old-faithful.mit.edu old-faithful scripts2.mit.edu scripts2

From 16d7b4d49f07fcc7f8fa55720ccca9f36531341c Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Wed, 1 Sep 2021 16:34:03 -0400
Subject: [PATCH 101/111] Fix Logwatch parsing of kernel logs

---
 .../etc/logwatch/conf/services/kernel.conf    | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 server/fedora/config/etc/logwatch/conf/services/kernel.conf

diff --git a/server/fedora/config/etc/logwatch/conf/services/kernel.conf b/server/fedora/config/etc/logwatch/conf/services/kernel.conf
new file mode 100644
index 00000000..67028cc9
--- /dev/null
+++ b/server/fedora/config/etc/logwatch/conf/services/kernel.conf
@@ -0,0 +1,44 @@
+###########################################################################
+# $Id: kernel.conf 149 2013-06-18 22:18:12Z mtremaine $
+###########################################################################
+
+# You can put comments anywhere you want to.  They are effective for the
+# rest of the line.
+
+# this is in the format of <name> = <value>.  Whitespace at the beginning
+# and end of the lines is removed.  Whitespace before and after the = sign
+# is removed.  Everything is case *insensitive*.
+
+# Yes = True  = On  = 1
+# No  = False = Off = 0
+
+Title = "Kernel"
+
+# Which logfile group...
+LogFile = messages
+
+# Only give lines pertaining to the kernel service...
+*OnlyService = (kernel|SUNW,[-\w]+?)
+*RemoveHeaders
+
+# Remove kernel timestamp
+*RemoveHeaders = "^(: )?\[ *\d+\.\d+\]:? "
+
+# Ignore segfaults and general protection faults in the listed programs
+# The value is a regular expression that the executable name is matched
+# against.  Separate multiple executables with |
+# $ignore_faults = npviewer.bin
+
+# Ignore Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server
+# messages which often occur when kerberos tickets expire
+# $ignore_rpcsec_expired = Yes
+
+########################################################
+# This was written and is maintained by:
+#    Kirk Bauer <kirk@kaybee.org>
+#
+# Please send all comments, suggestions, bug reports,
+#    etc, to kirk@kaybee.org.
+########################################################
+
+# vi: shiftwidth=3 tabstop=3 et

From edef52ced45a12530fe90d1a09af6da23708e71c Mon Sep 17 00:00:00 2001
From: Quentin Smith <quentin@mit.edu>
Date: Mon, 13 Sep 2021 17:18:09 -0400
Subject: [PATCH 102/111] Update SSL certificates for 2022

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 42 ++++++-----
 .../config/etc/pki/tls/certs/scripts.pem      | 74 ++++++++++---------
 .../config/etc/pki/tls/certs/star.scripts.pem | 70 +++++++++---------
 3 files changed, 96 insertions(+), 90 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index e12f8a99..f60913b1 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -1,11 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIGuDCCBaCgAwIBAgIRAJeSWrjH0PnrtPKKY4YhHKYwDQYJKoZIhvcNAQELBQAw
-djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
-EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
-FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjAwOTI4MDAwMDAwWhcNMjEwOTI4
-MjM1OTU5WjCB4jELMAkGA1UEBhMCVVMxDjAMBgNVBBETBTAyMTM5MRYwFAYDVQQI
-Ew1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxHTAbBgNVBAkTFDc3
-IE1hc3NhY2h1c2V0dHMgQXZlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
+MIIHADCCBeigAwIBAgIQC3WXPXO9n3fijWDzhwZ8tDANBgkqhkiG9w0BAQsFADB2
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
+MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMTA5MTMwMDAwMDBaFw0yMjA5MTMy
+MzU5NTlaMIGzMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czES
+MBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
 dHV0ZSBvZiBUZWNobm9sb2d5MSkwJwYDVQQLDCBJbmZvcm1hdGlvbiBTeXN0ZW1z
 ICYgVGVjaG5vbG9neTEdMBsGA1UEAxMUc2NyaXB0cy1jZXJ0Lm1pdC5lZHUwggEi
 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcat
@@ -14,7 +13,7 @@ VkLs6tJ9yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jw
 t6DxQFV/bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV0
 5kHJXRlUdmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7
 kdLZJG9aH9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMB
-AAGjggLSMIICzjAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNV
+AAGjggNKMIIDRjAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNV
 HQ4EFgQU+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
 EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARg
 MF4wUgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3Lmlu
@@ -23,18 +22,21 @@ MEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9J
 bkNvbW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUH
 MAKGMmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNB
 XzIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMB8G
-A1UdEQQYMBaCFHNjcmlwdHMtY2VydC5taXQuZWR1MIIBBgYKKwYBBAHWeQIEAgSB
-9wSB9ADyAHcAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF01gXv
-7AAABAMASDBGAiEAiTC/rcIa+Uxzk48X/Tut8G5eoDdWyYPD05KB0IYJvmgCIQDa
-EYDeNpj7OeIOxHhrHVXga/NkC2M/tvSHbtZUk68D0AB3AJQgvB6O1Y1siHMfgosi
-LA3R2k1ebE+UPWHbTi9YTaLCAAABdNYF8BQAAAQDAEgwRgIhAKS4zbTbGtzXaMwC
-AIEosNpN0xs8tw3kPgv2qr8auAmeAiEA8521AXUfzGhR7nSh1YX+YRNRmwms5E2J
-p/xw0sSKM3owDQYJKoZIhvcNAQELBQADggEBAAcNMF17shjx1kkjC4In2KFSeG3I
-tyAsalCprAkLC9Gb12naPgDcslS2gti0Q5y61WCQ9arqcH12Mo42sNaX8VkM5aZm
-AO6uA4uBz772jEjHouTa1upI6fgcdlTIm7XgkndSOTUZKTuI4G1gshXLyIuQmYaC
-B5oR1voi0y7Bd0IZB/uU+D5KG5iL+Bs727Ge36sjCzGR14INoBkx+SyM7x1b4ocM
-8XpdqmYaIynKgVz2wdeBLqeGiC9ZbLi7HYEZoNx7VrIXOzW+sb2u88Yjwz/Fxm81
-YXxNLmRXLbtpBmmuJ1p0yIIXrtqXl9ZzV8mnWMxP1lMxe9uf66xWp6cJMws=
+A1UdEQQYMBaCFHNjcmlwdHMtY2VydC5taXQuZWR1MIIBfgYKKwYBBAHWeQIEAgSC
+AW4EggFqAWgAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXvg
+3nh8AAAEAwBIMEYCIQDwQ17jiQJ/p4VAcTQucOuQXUKaUBeNMse8Z+TWDry0vAIh
+AK8P36FvUzjQM1v0cbGsWHNCQW3juCR9O0Xms1JW4CJvAHYAQcjKsd8iRkoQxqE6
+CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF74N54RAAABAMARzBFAiEAuXYbyN0fq5TA
+x+n/jDZNyFM5XNvzb2p4ctWDgeP1vE8CIDQKVKrt09xWppPOU7q+/rEB9CHj2srC
+DrbDpMNQvAEKAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF7
+4N54EgAABAMARjBEAiBQwi4mnWp31boOfs1XYtf7nDL5ap45bV1ID0WXc/9tEwIg
+d0dCwMoIZnQhjqiFa7QYQDyUSm9WmMjsr7wnqi5x008wDQYJKoZIhvcNAQELBQAD
+ggEBACa3VZ15vFHa4QFBAsov8U7INN5iQ/+uCOm9XM8VnH+Z2jpLICBHHAMegmlX
+DqaGQb2rY3TEpVEJr1a5rOmI6BaB2/KHaAJgrTITnceRBiT9VLQceR1Y7JMqKgRI
+8jgbtNPv8Nfr/uJMM9i2uD+hI4wuFF2LBCJxOriA8wlO/V3MRYtVvbUo8wMgwLU0
+d6n380QIFwLnyCckhFgaxdd4nIVmL7gdO5REcS0bmE7mbwf852hpsUqi+Uw/r/UZ
+KgjGCxlLVDQPhhCd3IzN5nebsC1x0XjhTrzeuWJPF/LhagHURM/OlSQIDsvapaNb
+Wjg+j499Cef2z41fkZuMnyWab9I=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index a27e6b8e..ef317f2a 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,40 +1,42 @@
 -----BEGIN CERTIFICATE-----
-MIIGqzCCBZOgAwIBAgIQX8TzyVPIynd0BlWHRib4LTANBgkqhkiG9w0BAQsFADB2
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
-MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMDA5MjIwMDAwMDBaFw0yMTA5MjIy
-MzU5NTlaMIHdMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDIxMzkxFjAUBgNVBAgT
-DU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEdMBsGA1UECRMUNzcg
-TWFzc2FjaHVzZXR0cyBBdmUxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0
-dXRlIG9mIFRlY2hub2xvZ3kxKTAnBgNVBAsMIEluZm9ybWF0aW9uIFN5c3RlbXMg
-JiBUZWNobm9sb2d5MRgwFgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UW
-GwnqJiIIWbGY4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9
-yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/
-bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlU
-dmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9a
-H9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggLL
-MIICxzAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU
-+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
-MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYM
-KwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9u
-Lm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1Ud
-HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1v
-blJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0
-dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0
-MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBoGA1UdEQQT
-MBGCD3NjcmlwdHMubWl0LmVkdTCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AH0+
-8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABdLZK9wIAAAQDAEgwRgIh
-AKMk8teUE5lXEXR8Wssm40C7LHZ2t1PZceH7HHS+5pazAiEAyZcZx7IKtany9XGp
-X5BpNIqit1pW+E9pocfpZ+JvckcAdQCUILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h
-204vWE2iwgAAAXS2SvcqAAAEAwBGMEQCICImDybUXMg7ZakcO1zyDQPxd8O+isIn
-e5O8QQztwDBrAiB4gA9aikHNq4rBt5/kqwxl/L7zbba9odpcAeSfEpn7fjANBgkq
-hkiG9w0BAQsFAAOCAQEAhHNC2PfYhCFTwXEDj4hdREb6jBPuNTFaUfgI5uqDBKuD
-QsWg2Fl1/NTKaENihH65UVJDDmcGiKCsOnwFKWPUZ67QVrq2EdKNEyGUye6ER3OJ
-2kLCCkJ3rMM1+OV1NanvZArWHNKNhFc2c5EadZTVCRSLwrqWIeD/Z5lXRqFgQUvI
-bU9k7781FP5iH40MlafV/A3UfLX4RUx8Ifg+X16DtPTYijnorHwSi8VAjwFLfJ6d
-laFCmdoEJCXwf2+elFs12L94FLlWrxv3fo+EiB7dsZNYZowFsYIAXFbLg73ha7Z7
-Snc6XQHR/53e3DEHsZiuANCXzaQREWZwamaEiFlnow==
+MIIG9TCCBd2gAwIBAgIRANbgheZc8PYVB5TGEXPPtlYwDQYJKoZIhvcNAQELBQAw
+djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
+EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
+FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjEwOTEzMDAwMDAwWhcNMjIwOTEz
+MjM1OTU5WjCBrjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMx
+EjAQBgNVBAcTCUNhbWJyaWRnZTEuMCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0
+aXR1dGUgb2YgVGVjaG5vbG9neTEpMCcGA1UECwwgSW5mb3JtYXRpb24gU3lzdGVt
+cyAmIFRlY2hub2xvZ3kxGDAWBgNVBAMTD3NjcmlwdHMubWl0LmVkdTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzj
+dRYbCeomIghZsZjijbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq
+0n3LDc0z/X1x4uZL2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFA
+VX9sRoEhfj3utqE0ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcld
+GVR2Y1QuLjsJ+9hnyyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkk
+b1of1NrQyyMzvpswUdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOC
+A0MwggM/MB8GA1UdIwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQW
+BBT7qCY04gyGSzdDzOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
+BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBS
+BgwrBgEEAa4jAQQDAQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21t
+b24ub3JnL2NlcnQvcmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYD
+VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29t
+bW9uUlNBU2VydmVyQ0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYy
+aHR0cDovL2NydC51c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5j
+cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wGgYDVR0R
+BBMwEYIPc2NyaXB0cy5taXQuZWR1MIIBfAYKKwYBBAHWeQIEAgSCAWwEggFoAWYA
+dgBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXvg3l7UAAAEAwBH
+MEUCIDnZQUdVR2A6uvmrVQcW5y2uYoKagvzB+HJwpPZxguZbAiEA7EnaUer8bCQH
+3ph3D+AFoAXf4Ql7jlgRzTHle6fAPacAdQBByMqx3yJGShDGoToJQodeTjGLGwPr
+60vHaPCQYpYG9gAAAXvg3l6BAAAEAwBGMEQCIDL9pvdwHn6gNa7ojFkr+rrUM9Oo
+0NlGO9p1qRm9pOS/AiA3oIv3i5PrECJenveh+Yg+XCnjBddM2BSv815OJew3tAB1
+ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABe+DeXmIAAAQDAEYw
+RAIgIlEZq5PznNkyjnszpNBjNcjvIPW2prok0+uB4Amld7ICIFWy6Hi5KosMO7c3
+ffYMsnsJgauFxxrdMf8wemR8N8mcMA0GCSqGSIb3DQEBCwUAA4IBAQBk/yHKHUUo
+gjSlElAKq+uSXBFl88HevoE/ILs11i4KsvXlbYwE2sranY8dvZM7V7bgtVUApj9v
+XOzzfh3idFM3yKmKawWwpFmk09zEnp/L0xA1daokGJ7FpDfwnCBsE48eL7Msgky2
+MUaED4Zi7rykG01Bpg7iERQuY7qsUbh8X73eIdqEL5GKbPmB2xsf0uBVBfRqI/bV
+kvqMOlx5G8QY6uDgwTFQQIPzGtUCHf4+r/yEbuVU9yoGSryP4zsoGrxtThO8JY/z
+nF8YikheCSarKxw2/aItThWp6TqIsxpVdcDUcHZ3pwGzKZjcDPnyEtOjNIPdRYuP
+pq4GBy18YDMD
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index 9a5acaf2..9f9e3e44 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,40 +1,42 @@
 -----BEGIN CERTIFICATE-----
-MIIGsDCCBZigAwIBAgIQH42Lq3XSuDl3qXyd7YA0mjANBgkqhkiG9w0BAQsFADB2
+MIIG+TCCBeGgAwIBAgIQDW1xSCQBzMoZz/LOV7exVjANBgkqhkiG9w0BAQsFADB2
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
 MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMDA5MjIwMDAwMDBaFw0yMTA5MjIy
-MzU5NTlaMIHfMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDIxMzkxFjAUBgNVBAgT
-DU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEdMBsGA1UECRMUNzcg
-TWFzc2FjaHVzZXR0cyBBdmUxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0
-dXRlIG9mIFRlY2hub2xvZ3kxKTAnBgNVBAsMIEluZm9ybWF0aW9uIFN5c3RlbXMg
-JiBUZWNobm9sb2d5MRowGAYDVQQDDBEqLnNjcmlwdHMubWl0LmVkdTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzj
-dRYbCeomIghZsZjijbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq
-0n3LDc0z/X1x4uZL2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFA
-VX9sRoEhfj3utqE0ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcld
-GVR2Y1QuLjsJ+9hnyyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkk
-b1of1NrQyyMzvpswUdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOC
-As4wggLKMB8GA1UdIwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQW
-BBT7qCY04gyGSzdDzOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
-BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBS
-BgwrBgEEAa4jAQQDAQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21t
-b24ub3JnL2NlcnQvcmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYD
-VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29t
-bW9uUlNBU2VydmVyQ0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYy
-aHR0cDovL2NydC51c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHAYDVR0R
-BBUwE4IRKi5zY3JpcHRzLm1pdC5lZHUwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEA
-dwB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXS2SvcIAAAEAwBI
-MEYCIQDLjM4EShaa2gcJ2LA68fITFbcvaIlbQ1nUoRNDA1cdhgIhAPEPmp0+ExS7
-NL8Pkmf699iP+dFIUhDbdH3mcIPk9t4KAHYAlCC8Ho7VjWyIcx+CiyIsDdHaTV5s
-T5Q9YdtOL1hNosIAAAF0tkr3lAAABAMARzBFAiAWmGBjS7DW+tK30Liy8xMJRYug
-8GaOSYGTc0amkEhQAgIhAOIE0kMdOO2vmz+vIA4AnACyGDjQbwoF98TOiaRF+uLt
-MA0GCSqGSIb3DQEBCwUAA4IBAQBXeGjFp85r7Tf+kxv1/bsaGEIsCdRblCQOGZ3+
-+0Wi8ozsTdR2FzSDi0hXS2p2cWa1VXKzvzKrNGgcGMAzhhQC94S8cOh4B0ABcqVi
-pEI+hUramGZmE4O5e3bBa1MzVoxOLsyNJi1sj2j3WCrxOuHsdsmwWjhZ46D6EZma
-x64ZMqSSCoittXdy103tJaLRVlKsDItDDSQOSIIzcuirtUY195RPf5oO7+sVknTz
-ZZeR7ur4ng07ooJOAS6gMUPltn5RXabwSYfMgvwOG2S3P77l2UU4zAqn7QAN1Rvu
-kOt4ITwYpq/+Iwgxolzwfj/h51A4QT15m9V6AvbFiQ763tkf
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMTA5MTMwMDAwMDBaFw0yMjA5MTMy
+MzU5NTlaMIGwMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czES
+MBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
+dHV0ZSBvZiBUZWNobm9sb2d5MSkwJwYDVQQLDCBJbmZvcm1hdGlvbiBTeXN0ZW1z
+ICYgVGVjaG5vbG9neTEaMBgGA1UEAwwRKi5zY3JpcHRzLm1pdC5lZHUwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM
+43UWGwnqJiIIWbGY4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs
+6tJ9yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6Dx
+QFV/bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJ
+XRlUdmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZ
+JG9aH9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGj
+ggNGMIIDQjAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4E
+FgQU+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
+/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4w
+UgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29t
+bW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQG
+A1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNv
+bW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKG
+Mmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIu
+Y3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBwGA1Ud
+EQQVMBOCESouc2NyaXB0cy5taXQuZWR1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp
+AWcAdgBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXvg3oqgAAAE
+AwBHMEUCIFYVf3pUPj9lsS1174YR2Zdg5ZDUl+mdTx2ACXeVxx79AiEAl+RBN7a+
+cObqcIb2hKAAcARLKQoQU4UGx7pLDF3Af98AdgBByMqx3yJGShDGoToJQodeTjGL
+GwPr60vHaPCQYpYG9gAAAXvg3oq1AAAEAwBHMEUCIQDjUSwJyTvraqnytpqOre01
+TZkroXDu7sNi0JQnUagXRwIgNell454ps6vgVTOB0JHOWJ8pzddA6L7TUjPPpuoP
+I/IAdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAXvg3op9AAAE
+AwBGMEQCIFlleEw42z45RFPmADhgyWi0nDaRZnTmbbSj6zsEEeSvAiBIxcH4XRSn
+5+n8epsLqRDdKoDF3cU5Mr1B7OQY4KOI+jANBgkqhkiG9w0BAQsFAAOCAQEAglZR
+9boJ8yhOPMjmNqhxg0X4AJpm7tkID/3LniluzvdfoRZmzs2wgWr6U3JrtuGLu39E
+iYmaEKwFRixM4dV7Xt7fLAvD1QMvUQ5o69PzVXl9JhrOyu3fhpYhqWajv4BazqRO
+aZ1QCWemKaWXKXABguMkNlwYbHcsoj4dQ0TxudXAubIItYtHfzuva4c+9Q3um2nK
+WNYpz3Bm4qS43/gMRrjZjiWnFEzmxMTDqrfyxU84CwPiPDppr5eaC83AzOUNv4dR
+XmPstkQ+YKE4u1/w0QQOcFMsE3LJ8d3hlHbMO0MmOaJ7N5NKE3Tf0IWMsmGINNcT
+XB2avepJkELyym7a4g==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB

From 3c146cbd96574644339562983849ff88ccb76bc3 Mon Sep 17 00:00:00 2001
From: "Cel A. Skeggs" <cela@mit.edu>
Date: Fri, 21 Jan 2022 00:47:37 -0500
Subject: [PATCH 103/111] Turn off emails to me for at least the time being

---
 ansible/inventory.yml                            | 1 +
 server/fedora/config/etc/scripts/root-procmailrc | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ansible/inventory.yml b/ansible/inventory.yml
index d7b3ef32..355236a3 100644
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -8,6 +8,7 @@ all:
     - username: btidor
       root_mail: btidor-scripts@mit.edu
     - username: cela
+      root_mail: null
     - username: cereslee
     - username: ezyang
     - username: geofft
diff --git a/server/fedora/config/etc/scripts/root-procmailrc b/server/fedora/config/etc/scripts/root-procmailrc
index 7881c120..bc54d9da 100644
--- a/server/fedora/config/etc/scripts/root-procmailrc
+++ b/server/fedora/config/etc/scripts/root-procmailrc
@@ -1,2 +1,2 @@
 :0
-! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu, cela@mit.edu, mrittenb@mit.edu
+! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu, mrittenb@mit.edu

From 63d943e7bad862b7a2f73cf6811a0efdec96cdbe Mon Sep 17 00:00:00 2001
From: Alex Dehnert <adehnert@mit.edu>
Date: Sun, 11 Sep 2022 12:45:47 -0400
Subject: [PATCH 104/111] Add simple script to generate CSRs for infra certs

---
 .../etc/pki/tls/certs/req-scripts-infra-certs.sh     | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 server/fedora/config/etc/pki/tls/certs/req-scripts-infra-certs.sh

diff --git a/server/fedora/config/etc/pki/tls/certs/req-scripts-infra-certs.sh b/server/fedora/config/etc/pki/tls/certs/req-scripts-infra-certs.sh
new file mode 100644
index 00000000..e7a1f056
--- /dev/null
+++ b/server/fedora/config/etc/pki/tls/certs/req-scripts-infra-certs.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -euf
+set -x
+
+while read HOST FILE; do
+    yes "" | openssl req -key /etc/pki/tls/private/scripts-2048.key -new -sha256 -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[req_distinguished_name]\ncommonName_default=$HOST\n[SAN]\nsubjectAltName=DNS:$HOST\n")) -out $FILE.csr
+done <<EOF
+scripts.mit.edu          scripts
+scripts-cert.mit.edu     scripts-cert
+*.scripts.mit.edu        star.scripts
+EOF

From b6bd9c60e5a3fbbbadbbba8b05e2b2afe7048224 Mon Sep 17 00:00:00 2001
From: Alex Dehnert <adehnert@mit.edu>
Date: Sun, 11 Sep 2022 15:54:43 -0400
Subject: [PATCH 105/111] Update shared TLS certs for 2023

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 71 +++++++++----------
 .../config/etc/pki/tls/certs/scripts.pem      | 70 +++++++++---------
 .../config/etc/pki/tls/certs/star.scripts.pem | 70 +++++++++---------
 3 files changed, 103 insertions(+), 108 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index f60913b1..478b6d11 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -1,42 +1,41 @@
 -----BEGIN CERTIFICATE-----
-MIIHADCCBeigAwIBAgIQC3WXPXO9n3fijWDzhwZ8tDANBgkqhkiG9w0BAQsFADB2
+MIIGwjCCBaqgAwIBAgIQK785GRj8EvCTi3L0h+SAmjANBgkqhkiG9w0BAQsFADB2
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
 MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMTA5MTMwMDAwMDBaFw0yMjA5MTMy
-MzU5NTlaMIGzMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czES
-MBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
-dHV0ZSBvZiBUZWNobm9sb2d5MSkwJwYDVQQLDCBJbmZvcm1hdGlvbiBTeXN0ZW1z
-ICYgVGVjaG5vbG9neTEdMBsGA1UEAxMUc2NyaXB0cy1jZXJ0Lm1pdC5lZHUwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcat
-BSIM43UWGwnqJiIIWbGY4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+ura
-VkLs6tJ9yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jw
-t6DxQFV/bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV0
-5kHJXRlUdmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7
-kdLZJG9aH9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMB
-AAGjggNKMIIDRjAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNV
-HQ4EFgQU+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
-EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARg
-MF4wUgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3Lmlu
-Y29tbW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQIC
-MEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9J
-bkNvbW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUH
-MAKGMmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNB
-XzIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMB8G
-A1UdEQQYMBaCFHNjcmlwdHMtY2VydC5taXQuZWR1MIIBfgYKKwYBBAHWeQIEAgSC
-AW4EggFqAWgAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXvg
-3nh8AAAEAwBIMEYCIQDwQ17jiQJ/p4VAcTQucOuQXUKaUBeNMse8Z+TWDry0vAIh
-AK8P36FvUzjQM1v0cbGsWHNCQW3juCR9O0Xms1JW4CJvAHYAQcjKsd8iRkoQxqE6
-CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF74N54RAAABAMARzBFAiEAuXYbyN0fq5TA
-x+n/jDZNyFM5XNvzb2p4ctWDgeP1vE8CIDQKVKrt09xWppPOU7q+/rEB9CHj2srC
-DrbDpMNQvAEKAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF7
-4N54EgAABAMARjBEAiBQwi4mnWp31boOfs1XYtf7nDL5ap45bV1ID0WXc/9tEwIg
-d0dCwMoIZnQhjqiFa7QYQDyUSm9WmMjsr7wnqi5x008wDQYJKoZIhvcNAQELBQAD
-ggEBACa3VZ15vFHa4QFBAsov8U7INN5iQ/+uCOm9XM8VnH+Z2jpLICBHHAMegmlX
-DqaGQb2rY3TEpVEJr1a5rOmI6BaB2/KHaAJgrTITnceRBiT9VLQceR1Y7JMqKgRI
-8jgbtNPv8Nfr/uJMM9i2uD+hI4wuFF2LBCJxOriA8wlO/V3MRYtVvbUo8wMgwLU0
-d6n380QIFwLnyCckhFgaxdd4nIVmL7gdO5REcS0bmE7mbwf852hpsUqi+Uw/r/UZ
-KgjGCxlLVDQPhhCd3IzN5nebsC1x0XjhTrzeuWJPF/LhagHURM/OlSQIDsvapaNb
-Wjg+j499Cef2z41fkZuMnyWab9I=
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMjA5MDkwMDAwMDBaFw0yMzA5MDky
+MzU5NTlaMHQxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
+LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MR0w
+GwYDVQQDExRzY3JpcHRzLWNlcnQubWl0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzjdRYbCeomIghZsZji
+jbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq0n3LDc0z/X1x4uZL
+2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFAVX9sRoEhfj3utqE0
+ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcldGVR2Y1QuLjsJ+9hn
+yyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkkb1of1NrQyyMzvpsw
+UdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOCA0wwggNIMB8GA1Ud
+IwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBT7qCY04gyGSzdD
+zOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQD
+AQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQv
+cmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDeg
+NYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVy
+Q0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51
+c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUH
+MAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHwYDVR0RBBgwFoIUc2NyaXB0
+cy1jZXJ0Lm1pdC5lZHUwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AK33vvp8
+/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr3IKKAAABgyN2A74AAAQDAEgwRgIhAKkM
+ietn/Zpd+FtSWtYDW3NfURHQQ1hmJUmU30wiDi7rAiEAr2RKTMLwOTPAKfEG17Lf
+2kJFS84dqxCpTrXKWvWoeVUAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpX
+o1LrUgAAAYMjdgOUAAAEAwBHMEUCIQDU2IBW4zn0GBfcmwXfTrxhqm/MdUT8Rs2v
+od7zJe6dRQIgRg5QoJu3ibrsEuz6CTpZJUPpPjadI+zLJdywdQWM0XoAdwDoPtDa
+PvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYMjdgNVAAAEAwBIMEYCIQCX
+LdareBfqaijd/9Dd0GFK2cjz0bP6YanGO0Q2aPFOvQIhAJPfEL2UOrKEqRrMtFJQ
+REaB0W0apIOD9HtkKGa+Cz47MA0GCSqGSIb3DQEBCwUAA4IBAQAI/JMejuSt+Y0r
+yo9dyGlzIFaebycddt8ayvMGrQA9iqQ2DYjiURmS9NltOctMH0ONm6cLSlE7SgIB
+0UgaXKb0wB0MrfqO1hQQzh5mDupnOfv/A1LO2PpS87ZmokifdDI+BarcMWQtljUb
+cBtq7/slEot3KNT0I2/isP2k9Nkptc4sNb1KRunzcGPVrNV6WxqEfdXkO5fKBU5C
+Y/j2nftBn2MJAkhdRGeMGi5GUTcRdbEMPxA5wwVw0TaHJJs1WG1+YUInPVDQ/dvr
+HyJP2YubAsJUK6L7gr1OFAL6dRqq7dhBNNjXv/F4E9KF4U1nqUKaX6qci+WdnAHE
+CAdSblRO
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index ef317f2a..8ecc2265 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,42 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIG9TCCBd2gAwIBAgIRANbgheZc8PYVB5TGEXPPtlYwDQYJKoZIhvcNAQELBQAw
+MIIGujCCBaKgAwIBAgIRAK9AjHlAwPmzNLyuPEfTBsIwDQYJKoZIhvcNAQELBQAw
 djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
 EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
-FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjEwOTEzMDAwMDAwWhcNMjIwOTEz
-MjM1OTU5WjCBrjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMx
-EjAQBgNVBAcTCUNhbWJyaWRnZTEuMCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0
-aXR1dGUgb2YgVGVjaG5vbG9neTEpMCcGA1UECwwgSW5mb3JtYXRpb24gU3lzdGVt
-cyAmIFRlY2hub2xvZ3kxGDAWBgNVBAMTD3NjcmlwdHMubWl0LmVkdTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzj
-dRYbCeomIghZsZjijbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq
-0n3LDc0z/X1x4uZL2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFA
-VX9sRoEhfj3utqE0ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcld
-GVR2Y1QuLjsJ+9hnyyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkk
-b1of1NrQyyMzvpswUdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOC
-A0MwggM/MB8GA1UdIwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQW
-BBT7qCY04gyGSzdDzOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
-BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBS
-BgwrBgEEAa4jAQQDAQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21t
-b24ub3JnL2NlcnQvcmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYD
-VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29t
-bW9uUlNBU2VydmVyQ0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYy
-aHR0cDovL2NydC51c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wGgYDVR0R
-BBMwEYIPc2NyaXB0cy5taXQuZWR1MIIBfAYKKwYBBAHWeQIEAgSCAWwEggFoAWYA
-dgBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXvg3l7UAAAEAwBH
-MEUCIDnZQUdVR2A6uvmrVQcW5y2uYoKagvzB+HJwpPZxguZbAiEA7EnaUer8bCQH
-3ph3D+AFoAXf4Ql7jlgRzTHle6fAPacAdQBByMqx3yJGShDGoToJQodeTjGLGwPr
-60vHaPCQYpYG9gAAAXvg3l6BAAAEAwBGMEQCIDL9pvdwHn6gNa7ojFkr+rrUM9Oo
-0NlGO9p1qRm9pOS/AiA3oIv3i5PrECJenveh+Yg+XCnjBddM2BSv815OJew3tAB1
-ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABe+DeXmIAAAQDAEYw
-RAIgIlEZq5PznNkyjnszpNBjNcjvIPW2prok0+uB4Amld7ICIFWy6Hi5KosMO7c3
-ffYMsnsJgauFxxrdMf8wemR8N8mcMA0GCSqGSIb3DQEBCwUAA4IBAQBk/yHKHUUo
-gjSlElAKq+uSXBFl88HevoE/ILs11i4KsvXlbYwE2sranY8dvZM7V7bgtVUApj9v
-XOzzfh3idFM3yKmKawWwpFmk09zEnp/L0xA1daokGJ7FpDfwnCBsE48eL7Msgky2
-MUaED4Zi7rykG01Bpg7iERQuY7qsUbh8X73eIdqEL5GKbPmB2xsf0uBVBfRqI/bV
-kvqMOlx5G8QY6uDgwTFQQIPzGtUCHf4+r/yEbuVU9yoGSryP4zsoGrxtThO8JY/z
-nF8YikheCSarKxw2/aItThWp6TqIsxpVdcDUcHZ3pwGzKZjcDPnyEtOjNIPdRYuP
-pq4GBy18YDMD
+FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjIwOTA5MDAwMDAwWhcNMjMwOTA5
+MjM1OTU5WjBvMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEu
+MCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEY
+MBYGA1UEAxMPc2NyaXB0cy5taXQuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAxJo8HD63ei1mpkNGQVv3wXXGrQUiDON1FhsJ6iYiCFmxmOKNvFss
+PlQ48uIBJBNCqLh8EkmnmecSI5kDPlDGy/rq2lZC7OrSfcsNzTP9fXHi5kvYoOS6
+XuVuLf/yDglp7T/7qcrMPXX4KBDcaILnEH9Y8Leg8UBVf2xGgSF+Pe62oTR7BX8+
+g9TUUp6pdycdwr6JCwJaRKnokys2CksYyOlVdOZByV0ZVHZjVC4uOwn72GfLJEdn
+i7wYZ76tgWXW2c1l3j09wL47BfBtDq3W9STke5HS2SRvWh/U2tDLIzO+mzBR1mrk
+k+gs8XGC919jFXQzBqDNrmUmrtT6YrSAHwIDAQABo4IDSDCCA0QwHwYDVR0jBBgw
+FoAUHgWjd49sluJbh0umtIascQAM5zgwHQYDVR0OBBYEFPuoJjTiDIZLN0PM6/KN
+7akyBw1kMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjBnBgNVHSAEYDBeMFIGDCsGAQQBriMBBAMBATBC
+MEAGCCsGAQUFBwIBFjRodHRwczovL3d3dy5pbmNvbW1vbi5vcmcvY2VydC9yZXBv
+c2l0b3J5L2Nwc19zc2wucGRmMAgGBmeBDAECAjBEBgNVHR8EPTA7MDmgN6A1hjNo
+dHRwOi8vY3JsLmluY29tbW9uLXJzYS5vcmcvSW5Db21tb25SU0FTZXJ2ZXJDQS5j
+cmwwdQYIKwYBBQUHAQEEaTBnMD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LnVzZXJ0
+cnVzdC5jb20vSW5Db21tb25SU0FTZXJ2ZXJDQV8yLmNydDAlBggrBgEFBQcwAYYZ
+aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAaBgNVHREEEzARgg9zY3JpcHRzLm1p
+dC5lZHUwggGBBgorBgEEAdZ5AgQCBIIBcQSCAW0BawB3AK33vvp8/xDIi509nB4+
+GGq0Zyldz7EMJMqFhjTr3IKKAAABgyN30VAAAAQDAEgwRgIhAJrb6bQjw8Nit9GQ
+LplCIqcVT7oR6SdEalqNj+uOpRbhAiEA95LIm0jfgonrXAJm65LbSg7xD70tQxWq
+bUwp6tI5naUAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYMj
+d9EgAAAEAwBIMEYCIQD4IhTV6IqYHZyuQzHeLUkvPsjXAfEZOqk0kNknAVFYyAIh
+APRnyYlUjV+JexesXpBx40liCAAmpr1ekjdOUeC1C57WAHcA6D7Q2j71BjUy51co
+vIlryQPTy9ERa+zraeF3fW0GvW4AAAGDI3fQ7AAABAMASDBGAiEAxTx6cBqI56u+
+52mv2fg2aa+talWKAe/9FdKRoKovkz0CIQDYg0w512t17YtuxV9PuTdEZ3dLY05b
+v6BXC+LatU24tjANBgkqhkiG9w0BAQsFAAOCAQEAdVPcCED6j5bz09utxUUWNmxd
+4ccCjIDXCdIyBLs2Ip/g8RxB6uJbBVpwAM3NAP0cXf09S56OtxhbluFkWmu8mpCF
+J3UCCkbL3CQtKLDQwq6CaD6oH1I0C2YM2nT82vlB5tkW9gQat7Dh95qmjEyREYr0
+/LL2CHdXJbCBweMqyvKI7fcXMGtQ0yDICOEIt91J/dJfxtgcOQCYT/HUmR1+SqKP
+u7giLzXGnsMSg33sgE6cQx0HsYVYhOuQTsrlACRiAv0qTx076GVnEj/2MmdEnWqg
+5RSeYaFjhZqM4C8Y/N8HaxhSlQKPmwDMoFbILjsnm0scOmeKOh6oz0VxTSR/Xg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index 9f9e3e44..769e202a 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,42 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIG+TCCBeGgAwIBAgIQDW1xSCQBzMoZz/LOV7exVjANBgkqhkiG9w0BAQsFADB2
+MIIGvDCCBaSgAwIBAgIQQC7DoGhhSPo3TnlAUTZtDzANBgkqhkiG9w0BAQsFADB2
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
 MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMTA5MTMwMDAwMDBaFw0yMjA5MTMy
-MzU5NTlaMIGwMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czES
-MBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
-dHV0ZSBvZiBUZWNobm9sb2d5MSkwJwYDVQQLDCBJbmZvcm1hdGlvbiBTeXN0ZW1z
-ICYgVGVjaG5vbG9neTEaMBgGA1UEAwwRKi5zY3JpcHRzLm1pdC5lZHUwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM
-43UWGwnqJiIIWbGY4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs
-6tJ9yw3NM/19ceLmS9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6Dx
-QFV/bEaBIX497rahNHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJ
-XRlUdmNULi47CfvYZ8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZ
-JG9aH9Ta0MsjM76bMFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGj
-ggNGMIIDQjAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4E
-FgQU+6gmNOIMhks3Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4w
-UgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29t
-bW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQG
-A1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNv
-bW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKG
-Mmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIu
-Y3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBwGA1Ud
-EQQVMBOCESouc2NyaXB0cy5taXQuZWR1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp
-AWcAdgBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXvg3oqgAAAE
-AwBHMEUCIFYVf3pUPj9lsS1174YR2Zdg5ZDUl+mdTx2ACXeVxx79AiEAl+RBN7a+
-cObqcIb2hKAAcARLKQoQU4UGx7pLDF3Af98AdgBByMqx3yJGShDGoToJQodeTjGL
-GwPr60vHaPCQYpYG9gAAAXvg3oq1AAAEAwBHMEUCIQDjUSwJyTvraqnytpqOre01
-TZkroXDu7sNi0JQnUagXRwIgNell454ps6vgVTOB0JHOWJ8pzddA6L7TUjPPpuoP
-I/IAdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAXvg3op9AAAE
-AwBGMEQCIFlleEw42z45RFPmADhgyWi0nDaRZnTmbbSj6zsEEeSvAiBIxcH4XRSn
-5+n8epsLqRDdKoDF3cU5Mr1B7OQY4KOI+jANBgkqhkiG9w0BAQsFAAOCAQEAglZR
-9boJ8yhOPMjmNqhxg0X4AJpm7tkID/3LniluzvdfoRZmzs2wgWr6U3JrtuGLu39E
-iYmaEKwFRixM4dV7Xt7fLAvD1QMvUQ5o69PzVXl9JhrOyu3fhpYhqWajv4BazqRO
-aZ1QCWemKaWXKXABguMkNlwYbHcsoj4dQ0TxudXAubIItYtHfzuva4c+9Q3um2nK
-WNYpz3Bm4qS43/gMRrjZjiWnFEzmxMTDqrfyxU84CwPiPDppr5eaC83AzOUNv4dR
-XmPstkQ+YKE4u1/w0QQOcFMsE3LJ8d3hlHbMO0MmOaJ7N5NKE3Tf0IWMsmGINNcT
-XB2avepJkELyym7a4g==
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMjA5MDkwMDAwMDBaFw0yMzA5MDky
+MzU5NTlaMHExCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
+LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRow
+GAYDVQQDDBEqLnNjcmlwdHMubWl0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzjdRYbCeomIghZsZjijbxb
+LD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq0n3LDc0z/X1x4uZL2KDk
+ul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFAVX9sRoEhfj3utqE0ewV/
+PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcldGVR2Y1QuLjsJ+9hnyyRH
+Z4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkkb1of1NrQyyMzvpswUdZq
+5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOCA0kwggNFMB8GA1UdIwQY
+MBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBT7qCY04gyGSzdDzOvy
+je2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAU
+BggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQDAQEw
+QjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQvcmVw
+b3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDegNYYz
+aHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVyQ0Eu
+Y3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51c2Vy
+dHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUHMAGG
+GWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHAYDVR0RBBUwE4IRKi5zY3JpcHRz
+Lm1pdC5lZHUwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AK33vvp8/xDIi509
+nB4+GGq0Zyldz7EMJMqFhjTr3IKKAAABgyN34GMAAAQDAEgwRgIhALsAdIuHAtle
+5d1T8zlzCoev9tzcgpfmeRKJ3qYC/DwqAiEA8kUgebR/pAP8XTYjEA96jfjuYk13
+UeXPb6rUx4XrnMEAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAA
+AYMjd+B1AAAEAwBHMEUCIQC4AFf1Tj0UOJxa25Hij7FPYvfTWHD7q25HLWLNZVuu
+/AIgaOZGg0/UaVxzwQ8lro/ArblIp5jQh9npwnRE7IChe6oAdwDoPtDaPvUGNTLn
+Vyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYMjd+BFAAAEAwBIMEYCIQC75uUDoYmY
+K477gaXVpHDuuA0wkVhGB2cwWVW3zEJs9AIhAJ1QX+M+3s3YyGXObMmRljex8XMF
+6GKcs9jF+J2B8sNbMA0GCSqGSIb3DQEBCwUAA4IBAQBbV8miHfN1ZsG6gowjRFax
+C8ZGeYEiHJ6FgIS1NkrAWWuWLCnASVYjTLgD7Yz2llN0myrLTZpMBfIDOhWApZGe
+MW8+F0txQnilnCDaz+VM6Fk0sJR4v6mSn1dpU6hOdHv2P22Aoy/c7qR5Qto8dQEL
+N2ouFW562Pz6zI+3uJtgAkDZ8MpsJ6Hwz8u0GMdcpicIGyVrcV/kiuSaCwxX68gl
+sdPm8DlF3Hl10vWGSSBJawk+hz45DU1xq+kHmxrHuhRO3GwYey6AweajCvBdnLZb
+scGkeJoktXowDnsv1PlBOPyhJX/AXaz6hXuCMsySuLgqQHNrpw34FAZn+DFiPLd4
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB

From 0b875596a489d24971320eb73aea48f7231842a8 Mon Sep 17 00:00:00 2001
From: Arthur Migdal <amigdal@mit.edu>
Date: Thu, 31 Aug 2023 02:33:04 -0400
Subject: [PATCH 106/111] Update shared TLS certs for 2024.

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 74 +++++++++----------
 .../config/etc/pki/tls/certs/scripts.pem      | 72 +++++++++---------
 .../config/etc/pki/tls/certs/star.scripts.pem | 34 ++++-----
 3 files changed, 90 insertions(+), 90 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index 478b6d11..69eb12c9 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -1,41 +1,41 @@
 -----BEGIN CERTIFICATE-----
-MIIGwjCCBaqgAwIBAgIQK785GRj8EvCTi3L0h+SAmjANBgkqhkiG9w0BAQsFADB2
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
-MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMjA5MDkwMDAwMDBaFw0yMzA5MDky
-MzU5NTlaMHQxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
-LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MR0w
-GwYDVQQDExRzY3JpcHRzLWNlcnQubWl0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzjdRYbCeomIghZsZji
-jbxbLD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq0n3LDc0z/X1x4uZL
-2KDkul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFAVX9sRoEhfj3utqE0
-ewV/PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcldGVR2Y1QuLjsJ+9hn
-yyRHZ4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkkb1of1NrQyyMzvpsw
-UdZq5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOCA0wwggNIMB8GA1Ud
-IwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBT7qCY04gyGSzdD
-zOvyje2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
-FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQD
-AQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQv
-cmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDeg
-NYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVy
-Q0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51
-c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUH
-MAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHwYDVR0RBBgwFoIUc2NyaXB0
-cy1jZXJ0Lm1pdC5lZHUwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AK33vvp8
-/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr3IKKAAABgyN2A74AAAQDAEgwRgIhAKkM
-ietn/Zpd+FtSWtYDW3NfURHQQ1hmJUmU30wiDi7rAiEAr2RKTMLwOTPAKfEG17Lf
-2kJFS84dqxCpTrXKWvWoeVUAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpX
-o1LrUgAAAYMjdgOUAAAEAwBHMEUCIQDU2IBW4zn0GBfcmwXfTrxhqm/MdUT8Rs2v
-od7zJe6dRQIgRg5QoJu3ibrsEuz6CTpZJUPpPjadI+zLJdywdQWM0XoAdwDoPtDa
-PvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYMjdgNVAAAEAwBIMEYCIQCX
-LdareBfqaijd/9Dd0GFK2cjz0bP6YanGO0Q2aPFOvQIhAJPfEL2UOrKEqRrMtFJQ
-REaB0W0apIOD9HtkKGa+Cz47MA0GCSqGSIb3DQEBCwUAA4IBAQAI/JMejuSt+Y0r
-yo9dyGlzIFaebycddt8ayvMGrQA9iqQ2DYjiURmS9NltOctMH0ONm6cLSlE7SgIB
-0UgaXKb0wB0MrfqO1hQQzh5mDupnOfv/A1LO2PpS87ZmokifdDI+BarcMWQtljUb
-cBtq7/slEot3KNT0I2/isP2k9Nkptc4sNb1KRunzcGPVrNV6WxqEfdXkO5fKBU5C
-Y/j2nftBn2MJAkhdRGeMGi5GUTcRdbEMPxA5wwVw0TaHJJs1WG1+YUInPVDQ/dvr
-HyJP2YubAsJUK6L7gr1OFAL6dRqq7dhBNNjXv/F4E9KF4U1nqUKaX6qci+WdnAHE
-CAdSblRO
+MIIGwjCCBaqgAwIBAgIRAP8zSUWgl4ZQQ6nfrxcJ7UUwDQYJKoZIhvcNAQELBQAw
+djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
+EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
+FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjMwODMxMDAwMDAwWhcNMjQwODMw
+MjM1OTU5WjB0MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEu
+MCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEd
+MBsGA1UEAxMUc2NyaXB0cy1jZXJ0Lm1pdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UWGwnqJiIIWbGY
+4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9yw3NM/19ceLm
+S9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/bEaBIX497rah
+NHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlUdmNULi47CfvY
+Z8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9aH9Ta0MsjM76b
+MFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggNLMIIDRzAfBgNV
+HSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU+6gmNOIMhks3
+Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEE
+AwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0
+L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3
+oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZl
+ckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQu
+dXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUF
+BzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMB8GA1UdEQQYMBaCFHNjcmlw
+dHMtY2VydC5taXQuZWR1MIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgB2/4g/
+Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6dAAAAYpJXi+mAAAEAwBHMEUCIQCW
+hHQFkhsMw9Qvcsnq8eFrObnw1oVQ1RJRLihB8V4jagIgR39Pq3dTNaVwaowiQW7u
+pBvgDlaAPlwZrlnF/MP2lKEAdgDatr9rP7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0w
+SNf7qwAAAYpJXi/3AAAEAwBHMEUCIQC5DnQ6+HgbC+/Qqg0IoFLcDVzdVkMvScKN
+/L0BSKiaRwIgHh4ArTfbqhjvPo+HzCL7mALxDhblgoS5RLb71hQNgrMAdwDuzdBk
+1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYpJXi/NAAAEAwBIMEYCIQCx
+B/0e80nuYib6xQwflsPMNw4BKGZdmAErSWz2uVGLOQIhALapJf9lKkVJGlynyLn9
+tPOs22LVQcc13PK/0wgsu8F3MA0GCSqGSIb3DQEBCwUAA4IBAQBbLp6n2z6HQFRb
+76edJVkymC/XNAIglmweAmMbVtBbpxZdPk4N2uhp14Fm9LEobkmyHx/nlh4Dbvmv
+GlQexF+RfNs7Uu/Hci6lJHd9XphNmQ0Vms04fr2cri9sWuhMIBXK3ap/C/il0TKz
+0sCgrQX2L59POweeYdouiCdh8QJHM3vDtRcwfy9Jyf732ryFG/iKpDMw+6C1VvRv
+sWmcT/kotfAreCRSA0W7EQPnVK/BFG7q6rSFCPF114nnxA8kztnc3YC/INCW4/XF
+Qb/ttC5fzIq1FbzHlzDnGcYMMbsfUJz5OcH8udNEq4r3myveEL3AqhNxhvD8a5ON
+KiDDnRBK
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index 8ecc2265..cc30a6ba 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,40 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIGujCCBaKgAwIBAgIRAK9AjHlAwPmzNLyuPEfTBsIwDQYJKoZIhvcNAQELBQAw
-djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
-EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
-FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjIwOTA5MDAwMDAwWhcNMjMwOTA5
-MjM1OTU5WjBvMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEu
-MCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEY
-MBYGA1UEAxMPc2NyaXB0cy5taXQuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAxJo8HD63ei1mpkNGQVv3wXXGrQUiDON1FhsJ6iYiCFmxmOKNvFss
-PlQ48uIBJBNCqLh8EkmnmecSI5kDPlDGy/rq2lZC7OrSfcsNzTP9fXHi5kvYoOS6
-XuVuLf/yDglp7T/7qcrMPXX4KBDcaILnEH9Y8Leg8UBVf2xGgSF+Pe62oTR7BX8+
-g9TUUp6pdycdwr6JCwJaRKnokys2CksYyOlVdOZByV0ZVHZjVC4uOwn72GfLJEdn
-i7wYZ76tgWXW2c1l3j09wL47BfBtDq3W9STke5HS2SRvWh/U2tDLIzO+mzBR1mrk
-k+gs8XGC919jFXQzBqDNrmUmrtT6YrSAHwIDAQABo4IDSDCCA0QwHwYDVR0jBBgw
-FoAUHgWjd49sluJbh0umtIascQAM5zgwHQYDVR0OBBYEFPuoJjTiDIZLN0PM6/KN
-7akyBw1kMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
-CCsGAQUFBwMBBggrBgEFBQcDAjBnBgNVHSAEYDBeMFIGDCsGAQQBriMBBAMBATBC
-MEAGCCsGAQUFBwIBFjRodHRwczovL3d3dy5pbmNvbW1vbi5vcmcvY2VydC9yZXBv
-c2l0b3J5L2Nwc19zc2wucGRmMAgGBmeBDAECAjBEBgNVHR8EPTA7MDmgN6A1hjNo
-dHRwOi8vY3JsLmluY29tbW9uLXJzYS5vcmcvSW5Db21tb25SU0FTZXJ2ZXJDQS5j
-cmwwdQYIKwYBBQUHAQEEaTBnMD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LnVzZXJ0
-cnVzdC5jb20vSW5Db21tb25SU0FTZXJ2ZXJDQV8yLmNydDAlBggrBgEFBQcwAYYZ
-aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAaBgNVHREEEzARgg9zY3JpcHRzLm1p
-dC5lZHUwggGBBgorBgEEAdZ5AgQCBIIBcQSCAW0BawB3AK33vvp8/xDIi509nB4+
-GGq0Zyldz7EMJMqFhjTr3IKKAAABgyN30VAAAAQDAEgwRgIhAJrb6bQjw8Nit9GQ
-LplCIqcVT7oR6SdEalqNj+uOpRbhAiEA95LIm0jfgonrXAJm65LbSg7xD70tQxWq
-bUwp6tI5naUAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYMj
-d9EgAAAEAwBIMEYCIQD4IhTV6IqYHZyuQzHeLUkvPsjXAfEZOqk0kNknAVFYyAIh
-APRnyYlUjV+JexesXpBx40liCAAmpr1ekjdOUeC1C57WAHcA6D7Q2j71BjUy51co
-vIlryQPTy9ERa+zraeF3fW0GvW4AAAGDI3fQ7AAABAMASDBGAiEAxTx6cBqI56u+
-52mv2fg2aa+talWKAe/9FdKRoKovkz0CIQDYg0w512t17YtuxV9PuTdEZ3dLY05b
-v6BXC+LatU24tjANBgkqhkiG9w0BAQsFAAOCAQEAdVPcCED6j5bz09utxUUWNmxd
-4ccCjIDXCdIyBLs2Ip/g8RxB6uJbBVpwAM3NAP0cXf09S56OtxhbluFkWmu8mpCF
-J3UCCkbL3CQtKLDQwq6CaD6oH1I0C2YM2nT82vlB5tkW9gQat7Dh95qmjEyREYr0
-/LL2CHdXJbCBweMqyvKI7fcXMGtQ0yDICOEIt91J/dJfxtgcOQCYT/HUmR1+SqKP
-u7giLzXGnsMSg33sgE6cQx0HsYVYhOuQTsrlACRiAv0qTx076GVnEj/2MmdEnWqg
-5RSeYaFjhZqM4C8Y/N8HaxhSlQKPmwDMoFbILjsnm0scOmeKOh6oz0VxTSR/Xg==
+MIIGtTCCBZ2gAwIBAgIQAfQEWXn9LvciXluk6CL4QTANBgkqhkiG9w0BAQsFADB2
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
+MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMzA4MzEwMDAwMDBaFw0yNDA4MzAy
+MzU5NTlaMG8xCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
+LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRgw
+FgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UWGwnqJiIIWbGY4o28Wyw+
+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9yw3NM/19ceLmS9ig5Lpe
+5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/bEaBIX497rahNHsFfz6D
+1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlUdmNULi47CfvYZ8skR2eL
+vBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9aH9Ta0MsjM76bMFHWauST
+6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggNEMIIDQDAfBgNVHSMEGDAW
+gBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU+6gmNOIMhks3Q8zr8o3t
+qTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEEAwEBMEIw
+QAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0L3JlcG9z
+aXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3oDWGM2h0
+dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZlckNBLmNy
+bDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQudXNlcnRy
+dXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUFBzABhhlo
+dHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBoGA1UdEQQTMBGCD3NjcmlwdHMubWl0
+LmVkdTCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYAdv+IPwq2+5VRwmHM9Ye6
+NLSkzbsp3GhCCp/mZ0xaOnQAAAGKSV1v4QAABAMARzBFAiBSisJ3mWIoq99w3p7H
+0mLxBqJPckyQ+n8hTPPzW3QbpAIhAPVfVURTyVWdZzx7KM4qDQuOcChbWaXX5Vl7
+JezTQgm+AHYA2ra/az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGKSV1w
+VwAABAMARzBFAiEAzYecjUFdpwBLncMQouTh02oQnzhxBp2Zx6hgz36MHwMCIBLa
+TBTOfBdv0iww9kxFcocpX6lwo9eJ/O/NFtkqqfCNAHUA7s3QZNXbGs7FXLedtM0T
+ojKHRny87N7DUUhZRnEftZsAAAGKSV1wDgAABAMARjBEAiAl3uSAjrJ5w88mUFgc
+j/8mG69/aks+hqx95+s5jyRbMgIganE0eAK0lJLm/7H5GQbyH2MpI9ALK5U3hwWB
+exDiW1gwDQYJKoZIhvcNAQELBQADggEBAFVtY0J99cXVolNWSSi6QWoTFQ/ufyaF
+oalff+j+I6pTU4HAzb3GJq8xu0XPhnJXYuu2jsg+fx6Y5KrYVAyFkiRR+EdNIjyp
+KVrBw0LTwiRBQ5prxAe0vkp0Q6r7GjUX2wRW1jMO/fn4p/xCJMG/G2Zqj2c7sYao
+LOA3R+HvrHYfffZfhsBIQh6DnLDazjAmbEP4vNSdO0a9Y2oOMKCRdDelamgr3lHr
+uEQ8ysA8zEKPYV7zVzWoiRbrstTRkzbN+zl0s/GN4+F2MZYxQs6NJZJFLub5QX3G
+OLcZmpS4I5mL1LrM95Yhw4gVQ50tcZKEj8KMKtYc7cav41WFs/Nh2ik=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index 769e202a..dbc1b496 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIGvDCCBaSgAwIBAgIQQC7DoGhhSPo3TnlAUTZtDzANBgkqhkiG9w0BAQsFADB2
+MIIGuTCCBaGgAwIBAgIQd5g5aZGTfBBYfqr6AQJ3YDANBgkqhkiG9w0BAQsFADB2
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
 MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMjA5MDkwMDAwMDBaFw0yMzA5MDky
+SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMzA4MzAwMDAwMDBaFw0yNDA4Mjky
 MzU5NTlaMHExCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
 LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRow
 GAYDVQQDDBEqLnNjcmlwdHMubWl0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEP
@@ -11,7 +11,7 @@ LD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq0n3LDc0z/X1x4uZL2KDk
 ul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFAVX9sRoEhfj3utqE0ewV/
 PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcldGVR2Y1QuLjsJ+9hnyyRH
 Z4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkkb1of1NrQyyMzvpswUdZq
-5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOCA0kwggNFMB8GA1UdIwQY
+5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOCA0YwggNCMB8GA1UdIwQY
 MBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBT7qCY04gyGSzdDzOvy
 je2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAU
 BggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQDAQEw
@@ -21,20 +21,20 @@ aHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVyQ0Eu
 Y3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51c2Vy
 dHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUHMAGG
 GWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHAYDVR0RBBUwE4IRKi5zY3JpcHRz
-Lm1pdC5lZHUwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AK33vvp8/xDIi509
-nB4+GGq0Zyldz7EMJMqFhjTr3IKKAAABgyN34GMAAAQDAEgwRgIhALsAdIuHAtle
-5d1T8zlzCoev9tzcgpfmeRKJ3qYC/DwqAiEA8kUgebR/pAP8XTYjEA96jfjuYk13
-UeXPb6rUx4XrnMEAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAA
-AYMjd+B1AAAEAwBHMEUCIQC4AFf1Tj0UOJxa25Hij7FPYvfTWHD7q25HLWLNZVuu
-/AIgaOZGg0/UaVxzwQ8lro/ArblIp5jQh9npwnRE7IChe6oAdwDoPtDaPvUGNTLn
-Vyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYMjd+BFAAAEAwBIMEYCIQC75uUDoYmY
-K477gaXVpHDuuA0wkVhGB2cwWVW3zEJs9AIhAJ1QX+M+3s3YyGXObMmRljex8XMF
-6GKcs9jF+J2B8sNbMA0GCSqGSIb3DQEBCwUAA4IBAQBbV8miHfN1ZsG6gowjRFax
-C8ZGeYEiHJ6FgIS1NkrAWWuWLCnASVYjTLgD7Yz2llN0myrLTZpMBfIDOhWApZGe
-MW8+F0txQnilnCDaz+VM6Fk0sJR4v6mSn1dpU6hOdHv2P22Aoy/c7qR5Qto8dQEL
-N2ouFW562Pz6zI+3uJtgAkDZ8MpsJ6Hwz8u0GMdcpicIGyVrcV/kiuSaCwxX68gl
-sdPm8DlF3Hl10vWGSSBJawk+hz45DU1xq+kHmxrHuhRO3GwYey6AweajCvBdnLZb
-scGkeJoktXowDnsv1PlBOPyhJX/AXaz6hXuCMsySuLgqQHNrpw34FAZn+DFiPLd4
+Lm1pdC5lZHUwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2AHb/iD8KtvuVUcJh
+zPWHujS0pM27KdxoQgqf5mdMWjp0AAABikh1EzMAAAQDAEcwRQIgWeE9wwQY+516
+ntnr6ycyhSpSk66BTCiUw5FK8zymmKsCIQDzOiw9f0GfvF/ugjQ4zkwWXOtQ6gnP
+Riz6QRw5O271lgB1ANq2v2s/tbYin5vCu1xr6HCRcWy7UYSFNL2kPTBI1/urAAAB
+ikh1E3kAAAQDAEYwRAIgZZ05YiK0cEvaX6+NdxTtOk0kGMLuZBVeLZTbPnqr6MQC
+IBJgH7Sq70uofATuIyiBrAA1hd35zI7GLQhf9ia+68BSAHYA7s3QZNXbGs7FXLed
+tM0TojKHRny87N7DUUhZRnEftZsAAAGKSHUTsgAABAMARzBFAiEAmgDTq6SOyZXi
+YFrZ/ZH7un5zxA5k7MZb6KthHamCX48CICNhHN86vyEN7anKBJcOKhB5ffPzsHOE
+B3CBaqIAx1b4MA0GCSqGSIb3DQEBCwUAA4IBAQCUf+ZCldXjPggfbMMkRQ7dI9yW
+pa1K2poov1jEAcP6OXm2EAovktrnQUCw+dcocan1jxEk9T1vVnhgeMKQdLCUKbxl
+gHB088Fvb8OPmz7QTgdIq2xoy8oR/E2Sm7RkBFBehlP1ZnemLWqqjpM86sDARUpo
+xGSTVqD6dLL0fFlvsKCLGDJ5FwW2D5wfyyxMPsRRL76ruicXx3YqDuNv44+Kk6Em
+PURpTpGudbFOM4LnZd+AZ2NV2K86WycOT1gcIOBWbxMls1Xm1sdAVfUGRnwqRdET
+uEMPk3btbPkM+qlgCFAkQPyvh3oxAmU5erlK/SjZjG/S6jpPxHdfTv3JyPrS
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB

From e5cdd7a7f8466afa3f702fa4cfbe29d7bedfacbb Mon Sep 17 00:00:00 2001
From: Arthur Migdal <amigdal@mit.edu>
Date: Thu, 22 Aug 2024 00:54:08 -0400
Subject: [PATCH 107/111] Update shared TLS certs for Aug 2024 to Aug 2025.

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 140 +++++++++---------
 .../config/etc/pki/tls/certs/scripts.pem      | 139 ++++++++---------
 .../config/etc/pki/tls/certs/star.scripts.pem | 139 ++++++++---------
 3 files changed, 213 insertions(+), 205 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index 69eb12c9..5f00a86f 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -1,75 +1,77 @@
 -----BEGIN CERTIFICATE-----
-MIIGwjCCBaqgAwIBAgIRAP8zSUWgl4ZQQ6nfrxcJ7UUwDQYJKoZIhvcNAQELBQAw
-djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
-EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
-FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMjMwODMxMDAwMDAwWhcNMjQwODMw
-MjM1OTU5WjB0MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEu
-MCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEd
-MBsGA1UEAxMUc2NyaXB0cy1jZXJ0Lm1pdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UWGwnqJiIIWbGY
-4o28Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9yw3NM/19ceLm
-S9ig5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/bEaBIX497rah
-NHsFfz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlUdmNULi47CfvY
-Z8skR2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9aH9Ta0MsjM76b
-MFHWauST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggNLMIIDRzAfBgNV
-HSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU+6gmNOIMhks3
-Q8zr8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
-BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEE
-AwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0
-L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3
-oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZl
-ckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQu
-dXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUF
-BzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMB8GA1UdEQQYMBaCFHNjcmlw
-dHMtY2VydC5taXQuZWR1MIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgB2/4g/
-Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6dAAAAYpJXi+mAAAEAwBHMEUCIQCW
-hHQFkhsMw9Qvcsnq8eFrObnw1oVQ1RJRLihB8V4jagIgR39Pq3dTNaVwaowiQW7u
-pBvgDlaAPlwZrlnF/MP2lKEAdgDatr9rP7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0w
-SNf7qwAAAYpJXi/3AAAEAwBHMEUCIQC5DnQ6+HgbC+/Qqg0IoFLcDVzdVkMvScKN
-/L0BSKiaRwIgHh4ArTfbqhjvPo+HzCL7mALxDhblgoS5RLb71hQNgrMAdwDuzdBk
-1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYpJXi/NAAAEAwBIMEYCIQCx
-B/0e80nuYib6xQwflsPMNw4BKGZdmAErSWz2uVGLOQIhALapJf9lKkVJGlynyLn9
-tPOs22LVQcc13PK/0wgsu8F3MA0GCSqGSIb3DQEBCwUAA4IBAQBbLp6n2z6HQFRb
-76edJVkymC/XNAIglmweAmMbVtBbpxZdPk4N2uhp14Fm9LEobkmyHx/nlh4Dbvmv
-GlQexF+RfNs7Uu/Hci6lJHd9XphNmQ0Vms04fr2cri9sWuhMIBXK3ap/C/il0TKz
-0sCgrQX2L59POweeYdouiCdh8QJHM3vDtRcwfy9Jyf732ryFG/iKpDMw+6C1VvRv
-sWmcT/kotfAreCRSA0W7EQPnVK/BFG7q6rSFCPF114nnxA8kztnc3YC/INCW4/XF
-Qb/ttC5fzIq1FbzHlzDnGcYMMbsfUJz5OcH8udNEq4r3myveEL3AqhNxhvD8a5ON
-KiDDnRBK
+MIIG5jCCBU6gAwIBAgIQR6bbR5hDLCHI8kw6EGqhcjANBgkqhkiG9w0BAQwFADBE
+MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMSEwHwYDVQQDExhJbkNv
+bW1vbiBSU0EgU2VydmVyIENBIDIwHhcNMjQwODIwMDAwMDAwWhcNMjUwODIwMjM1
+OTU5WjB0MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEuMCwG
+A1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEdMBsG
+A1UEAxMUc2NyaXB0cy1jZXJ0Lm1pdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UWGwnqJiIIWbGY4o28
+Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9yw3NM/19ceLmS9ig
+5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/bEaBIX497rahNHsF
+fz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlUdmNULi47CfvYZ8sk
+R2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9aH9Ta0MsjM76bMFHW
+auST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggMiMIIDHjAfBgNVHSME
+GDAWgBTvTACSpvt2Ll6V4slfhxsZ1U3i2TAdBgNVHQ4EFgQU+6gmNOIMhks3Q8zr
+8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAmcw
+JTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIC
+MEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9jcmwuc2VjdGlnby5jb20vSW5Db21t
+b25SU0FTZXJ2ZXJDQTIuY3JsMHAGCCsGAQUFBwEBBGQwYjA7BggrBgEFBQcwAoYv
+aHR0cDovL2NydC5zZWN0aWdvLmNvbS9JbkNvbW1vblJTQVNlcnZlckNBMi5jcnQw
+IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMIIBfQYKKwYBBAHW
+eQIEAgSCAW0EggFpAWcAdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvI
+KgAAAZFwYF3YAAAEAwBHMEUCIChfT7yesNwlQZYgskyu2TNH1Y/krCG0I8dOyuqH
+g3R5AiEA1yJeUHF8N+r8focZIr+r+twHDDU/H3ivbbmlSCKAH9MAdQAN4fIwK9MN
+wUBiEgnqVS78R3R8sdfpMO8OQh60fk6qNAAAAZFwYF2QAAAEAwBGMEQCIGlhAjyZ
+yrUnPwx22RP1zebUjtlu63fTTTHTgi4I02lwAiB17tOp0higSVt8VBm2hcwn9PdH
+RryhDrsGYXgl3Z10PQB2ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvlhiY6
+AAABkXBgXW8AAAQDAEcwRQIhAIDn6B9sOY55h/rrS4bYf2gFKoIm2I04FFZgaTr0
+lYblAiBqCZESSedRVMaEe02ecRgjWjEVBWEvlVqyqqCEmQPtlDAfBgNVHREEGDAW
+ghRzY3JpcHRzLWNlcnQubWl0LmVkdTANBgkqhkiG9w0BAQwFAAOCAYEAUeIpVf7b
+UjmnczXDd78g87nys9LcjfiOuEA+isXI/yDGtn9kbVpXAGTr/N+zBvOm8817e2oK
+1QWsnTLub96cXhSNq64cYdP37yxU+DWIWlWPuPG4X5HGzYoV3LUEH1/2nMcVqE6N
+4pup7h+26k+eGH8v8r57ScUiBEqU2rDumhnqBmcntJEiG/ko9oG3RJGX9L2uMsZD
+y93G5DwnzhN12rT+ssP5ON+bA31mYWQUXaUEmJ3TXa+0F9SPQ73BzqyKsL1DreMa
+oReUgiH/MBMkLtxRuuY2uEQeqmdLCOZ0sw9bHTIUZAOVdujYULF+6BQrMW2ZGyjS
+OT23s5g9ZX3LiLlOnXGj/6Nv/v8oar/nRiCPL4K/zcU62/m6VUhgzs6lYROUqr5V
+OLKqdn18zakll86fvL88LQ29KuER6akE4zrHLceEvKQMwZXjiiUW6UnXhWDnZnFj
+veic0+xEfLbPA7jlACkuG7paV3yQj3tW5o7894ZTWwfZn/yJKvQH/ius
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
-MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
-CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
-DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
-QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
-xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
-HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
-iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
-qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
-eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
-fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
-MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
-EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
-hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
-dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
-dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
-hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
-11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
-+Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
-5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
-hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
-RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
-Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
-eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
-nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
-oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
-OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+MIIGSjCCBDKgAwIBAgIRAINbdhUgbS1uCX4LbkCf78AwDQYJKoZIhvcNAQEMBQAw
+gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
+ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
+VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIy
+MTExNjAwMDAwMFoXDTMyMTExNTIzNTk1OVowRDELMAkGA1UEBhMCVVMxEjAQBgNV
+BAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21tb24gUlNBIFNlcnZlciBDQSAy
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAifBcxDi60DRXr5dVoPQi
+Q/w+GBE62216UiEGMdbUt7eSiIaFj/iZ/xiFop0rWuH4BCFJ3kSvQF+aIhEsOnuX
+R6mViSpUx53HM5ApIzFIVbd4GqY6tgwaPzu/XRI/4Dmz+hoLW/i/zD19iXvS95qf
+NU8qP7/3/USf2/VNSUNmuMKlaRgwkouue0usidYK7V8W3ze+rTFvWR2JtWKNTInc
+NyWD3GhVy/7G09PwTAu7h0qqRyTkETLf+z7FWtc8c12f+SfvmKHKFVqKpNPtgMkr
+wqwaOgOOD4Q00AihVT+UzJ6MmhNPGg+/Xf0BavmXKCGDTv5uzQeOdD35o/Zw16V4
+C4J4toj1WLY7hkVhrzKG+UWJiSn8Hv3dUTj4dkneJBNQrUfcIfTHV3gCtKwXn1eX
+mrxhH+tWu9RVwsDegRG0s28OMdVeOwljZvYrUjRomutNO5GzynveVxJVCn3Cbn7a
+c4L+5vwPNgs04DdOAGzNYdG5t6ryyYPosSLH2B8qDNzxAgMBAAGjggFwMIIBbDAf
+BgNVHSMEGDAWgBRTeb9aqitKz1SA4dibwJ3ysgNmyzAdBgNVHQ4EFgQU70wAkqb7
+di5eleLJX4cbGdVN4tkwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCIGA1UdIAQbMBkwDQYL
+KwYBBAGyMQECAmcwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9j
+cmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9y
+aXR5LmNybDBxBggrBgEFBQcBAQRlMGMwOgYIKwYBBQUHMAKGLmh0dHA6Ly9jcnQu
+dXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBQUFDQS5jcnQwJQYIKwYBBQUHMAGG
+GWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggIBACaA
+DTTkHq4ivq8+puKE+ca3JbH32y+odcJqgqzDts5bgsapBswRYypjmXLel11Q2U6w
+rySldlIjBRDZ8Ah8NOs85A6MKJQLaU9qHzRyG6w2UQTzRwx2seY30Mks3ZdIe9rj
+s5rEYliIOh9Dwy8wUTJxXzmYf/A1Gkp4JJp0xIhCVR1gCSOX5JW6185kwid242bs
+Lm0vCQBAA/rQgxvLpItZhC9US/r33lgtX/cYFzB4jGOd+Xs2sEAUlGyu8grLohYh
+kgWN6hqyoFdOpmrl8yu7CSGV7gmVQf9viwVBDIKm+2zLDo/nhRkk8xA0Bb1BqPzy
+bPESSVh4y5rZ5bzB4Lo2YN061HV9+HDnnIDBffNIicACdv4JGyGfpbS6xsi3UCN1
+5ypaG43PJqQ0UnBQDuR60io1ApeSNkYhkaHQ9Tk/0C4A+EM3MW/KFuU53eHLVlX9
+ss1iG2AJfVktaZ2l/SbY7py8JUYMkL/jqZBRjNkD6srsmpJ6utUMmAlt7m1+cTX8
+6/VEBc5Dp9VfuD6hNbNKDSg7YxyEVaBqBEtN5dppj4xSiCrs6LxLHnNo3rG8VJRf
+NVQdgFbMb7dOIBokklzfmU69lS0kgyz2mZMJmW2G/hhEdddJWHh3FcLi2MaeYiOV
+RFrLHtJvXEdf2aEaZ0LOb2Xo3zO6BJvjXldv2woN
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index cc30a6ba..bc2e2c30 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,74 +1,77 @@
 -----BEGIN CERTIFICATE-----
-MIIGtTCCBZ2gAwIBAgIQAfQEWXn9LvciXluk6CL4QTANBgkqhkiG9w0BAQsFADB2
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
-MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMzA4MzEwMDAwMDBaFw0yNDA4MzAy
-MzU5NTlaMG8xCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
-LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRgw
-FgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDEmjwcPrd6LWamQ0ZBW/fBdcatBSIM43UWGwnqJiIIWbGY4o28Wyw+
-VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9yw3NM/19ceLmS9ig5Lpe
-5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/bEaBIX497rahNHsFfz6D
-1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlUdmNULi47CfvYZ8skR2eL
-vBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9aH9Ta0MsjM76bMFHWauST
-6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggNEMIIDQDAfBgNVHSMEGDAW
-gBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQU+6gmNOIMhks3Q8zr8o3t
-qTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
-KwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEEAwEBMEIw
-QAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0L3JlcG9z
-aXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3oDWGM2h0
-dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZlckNBLmNy
-bDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQudXNlcnRy
-dXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUFBzABhhlo
-dHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBoGA1UdEQQTMBGCD3NjcmlwdHMubWl0
-LmVkdTCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYAdv+IPwq2+5VRwmHM9Ye6
-NLSkzbsp3GhCCp/mZ0xaOnQAAAGKSV1v4QAABAMARzBFAiBSisJ3mWIoq99w3p7H
-0mLxBqJPckyQ+n8hTPPzW3QbpAIhAPVfVURTyVWdZzx7KM4qDQuOcChbWaXX5Vl7
-JezTQgm+AHYA2ra/az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGKSV1w
-VwAABAMARzBFAiEAzYecjUFdpwBLncMQouTh02oQnzhxBp2Zx6hgz36MHwMCIBLa
-TBTOfBdv0iww9kxFcocpX6lwo9eJ/O/NFtkqqfCNAHUA7s3QZNXbGs7FXLedtM0T
-ojKHRny87N7DUUhZRnEftZsAAAGKSV1wDgAABAMARjBEAiAl3uSAjrJ5w88mUFgc
-j/8mG69/aks+hqx95+s5jyRbMgIganE0eAK0lJLm/7H5GQbyH2MpI9ALK5U3hwWB
-exDiW1gwDQYJKoZIhvcNAQELBQADggEBAFVtY0J99cXVolNWSSi6QWoTFQ/ufyaF
-oalff+j+I6pTU4HAzb3GJq8xu0XPhnJXYuu2jsg+fx6Y5KrYVAyFkiRR+EdNIjyp
-KVrBw0LTwiRBQ5prxAe0vkp0Q6r7GjUX2wRW1jMO/fn4p/xCJMG/G2Zqj2c7sYao
-LOA3R+HvrHYfffZfhsBIQh6DnLDazjAmbEP4vNSdO0a9Y2oOMKCRdDelamgr3lHr
-uEQ8ysA8zEKPYV7zVzWoiRbrstTRkzbN+zl0s/GN4+F2MZYxQs6NJZJFLub5QX3G
-OLcZmpS4I5mL1LrM95Yhw4gVQ50tcZKEj8KMKtYc7cav41WFs/Nh2ik=
+MIIG3jCCBUagAwIBAgIQfYRHBz30Tc9DGHng8folrzANBgkqhkiG9w0BAQwFADBE
+MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMSEwHwYDVQQDExhJbkNv
+bW1vbiBSU0EgU2VydmVyIENBIDIwHhcNMjQwODIwMDAwMDAwWhcNMjUwODIwMjM1
+OTU5WjBvMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEuMCwG
+A1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEYMBYG
+A1UEAxMPc2NyaXB0cy5taXQuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAxJo8HD63ei1mpkNGQVv3wXXGrQUiDON1FhsJ6iYiCFmxmOKNvFssPlQ4
+8uIBJBNCqLh8EkmnmecSI5kDPlDGy/rq2lZC7OrSfcsNzTP9fXHi5kvYoOS6XuVu
+Lf/yDglp7T/7qcrMPXX4KBDcaILnEH9Y8Leg8UBVf2xGgSF+Pe62oTR7BX8+g9TU
+Up6pdycdwr6JCwJaRKnokys2CksYyOlVdOZByV0ZVHZjVC4uOwn72GfLJEdni7wY
+Z76tgWXW2c1l3j09wL47BfBtDq3W9STke5HS2SRvWh/U2tDLIzO+mzBR1mrkk+gs
+8XGC919jFXQzBqDNrmUmrtT6YrSAHwIDAQABo4IDHzCCAxswHwYDVR0jBBgwFoAU
+70wAkqb7di5eleLJX4cbGdVN4tkwHQYDVR0OBBYEFPuoJjTiDIZLN0PM6/KN7aky
+Bw1kMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJnMCUwIwYI
+KwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECAjBABgNV
+HR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3RpZ28uY29tL0luQ29tbW9uUlNB
+U2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIwOwYIKwYBBQUHMAKGL2h0dHA6
+Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25SU0FTZXJ2ZXJDQTIuY3J0MCMGCCsG
+AQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTCCAX8GCisGAQQB1nkCBAIE
+ggFvBIIBawFpAHcA3dzKNJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCoAAAGR
+cGC9MwAABAMASDBGAiEAkIPk5ll/QXVnIYPdn1WzfqQP67FPmcDgtIY48HYh6BsC
+IQDvektJb8gq7WuHAqUyDDgJorpMMeF1mNbAFgvXJTnTGQB2AA3h8jAr0w3BQGIS
+CepVLvxHdHyx1+kw7w5CHrR+Tqo0AAABkXBgvOkAAAQDAEcwRQIgMstKtyiIAF86
+sPt8mbOxJlKJ91BxeoR6TDeFMZmTC1ACIQCyGG6FdM7S5eZGeX07lx/jN/1FZcgQ
+a+A2sRlukqXDkgB2ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvlhiY6AAAB
+kXBgvM0AAAQDAEcwRQIhAJ3050SDwVZfxufHZDflpmos/GdAicen0UNSZWOZwlX3
+AiB2hJpOjt3/KD45FCZRClbf9KlTpn1yurpIEpKpnP3sHzAaBgNVHREEEzARgg9z
+Y3JpcHRzLm1pdC5lZHUwDQYJKoZIhvcNAQEMBQADggGBAGJMkKjL4Zt0F7Ltwi7e
+/wW4zX21lOIlXnN4odFH+FMGvkvKKwGkANwtHVEHS2mxull40ajr1i9qcnufu9I9
+jrYblaMpA1I7RWe8fUV+QfYassve/DyZdK4VLW5hpa6fyj5eqQsLE+K6bRcR3eoV
+TJnzn+zsgQbtXtissGB//Ecz1xV615wuaVLkLHiq4lgalutxcY5o8k6gtSBAhJoI
+VfeoIxXjGldOq2bLS4vk4Pq3y4cxoRzB7NNAjp4SJVbSg76pnjVV7xKj40XT9kY3
+X5YhRj4u6oUq71KxeXDzGExD3Ks8/Gq5u68FxvdfH3mIXcXSfNizxLygQ9R+SQTR
+KbLstk0bJduPLr+de44Y3fkiCyvj6fBiDzlcRLfpD+I7sU3if32r8pFjSEk3tqmb
+u3NNtryi/mrQAcQse/gxF4vfERKzPyEyyew/PSWNLWeIH9RIKT1T31lwEd4r1ky/
+cLnPtL9DZN/g4Id4/wTls5cdoUEs9SSEpLZJ/sbiFrfaLA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
-MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
-CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
-DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
-QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
-xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
-HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
-iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
-qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
-eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
-fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
-MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
-EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
-hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
-dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
-dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
-hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
-11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
-+Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
-5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
-hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
-RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
-Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
-eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
-nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
-oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
-OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+MIIGSjCCBDKgAwIBAgIRAINbdhUgbS1uCX4LbkCf78AwDQYJKoZIhvcNAQEMBQAw
+gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
+ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
+VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIy
+MTExNjAwMDAwMFoXDTMyMTExNTIzNTk1OVowRDELMAkGA1UEBhMCVVMxEjAQBgNV
+BAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21tb24gUlNBIFNlcnZlciBDQSAy
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAifBcxDi60DRXr5dVoPQi
+Q/w+GBE62216UiEGMdbUt7eSiIaFj/iZ/xiFop0rWuH4BCFJ3kSvQF+aIhEsOnuX
+R6mViSpUx53HM5ApIzFIVbd4GqY6tgwaPzu/XRI/4Dmz+hoLW/i/zD19iXvS95qf
+NU8qP7/3/USf2/VNSUNmuMKlaRgwkouue0usidYK7V8W3ze+rTFvWR2JtWKNTInc
+NyWD3GhVy/7G09PwTAu7h0qqRyTkETLf+z7FWtc8c12f+SfvmKHKFVqKpNPtgMkr
+wqwaOgOOD4Q00AihVT+UzJ6MmhNPGg+/Xf0BavmXKCGDTv5uzQeOdD35o/Zw16V4
+C4J4toj1WLY7hkVhrzKG+UWJiSn8Hv3dUTj4dkneJBNQrUfcIfTHV3gCtKwXn1eX
+mrxhH+tWu9RVwsDegRG0s28OMdVeOwljZvYrUjRomutNO5GzynveVxJVCn3Cbn7a
+c4L+5vwPNgs04DdOAGzNYdG5t6ryyYPosSLH2B8qDNzxAgMBAAGjggFwMIIBbDAf
+BgNVHSMEGDAWgBRTeb9aqitKz1SA4dibwJ3ysgNmyzAdBgNVHQ4EFgQU70wAkqb7
+di5eleLJX4cbGdVN4tkwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCIGA1UdIAQbMBkwDQYL
+KwYBBAGyMQECAmcwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9j
+cmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9y
+aXR5LmNybDBxBggrBgEFBQcBAQRlMGMwOgYIKwYBBQUHMAKGLmh0dHA6Ly9jcnQu
+dXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBQUFDQS5jcnQwJQYIKwYBBQUHMAGG
+GWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggIBACaA
+DTTkHq4ivq8+puKE+ca3JbH32y+odcJqgqzDts5bgsapBswRYypjmXLel11Q2U6w
+rySldlIjBRDZ8Ah8NOs85A6MKJQLaU9qHzRyG6w2UQTzRwx2seY30Mks3ZdIe9rj
+s5rEYliIOh9Dwy8wUTJxXzmYf/A1Gkp4JJp0xIhCVR1gCSOX5JW6185kwid242bs
+Lm0vCQBAA/rQgxvLpItZhC9US/r33lgtX/cYFzB4jGOd+Xs2sEAUlGyu8grLohYh
+kgWN6hqyoFdOpmrl8yu7CSGV7gmVQf9viwVBDIKm+2zLDo/nhRkk8xA0Bb1BqPzy
+bPESSVh4y5rZ5bzB4Lo2YN061HV9+HDnnIDBffNIicACdv4JGyGfpbS6xsi3UCN1
+5ypaG43PJqQ0UnBQDuR60io1ApeSNkYhkaHQ9Tk/0C4A+EM3MW/KFuU53eHLVlX9
+ss1iG2AJfVktaZ2l/SbY7py8JUYMkL/jqZBRjNkD6srsmpJ6utUMmAlt7m1+cTX8
+6/VEBc5Dp9VfuD6hNbNKDSg7YxyEVaBqBEtN5dppj4xSiCrs6LxLHnNo3rG8VJRf
+NVQdgFbMb7dOIBokklzfmU69lS0kgyz2mZMJmW2G/hhEdddJWHh3FcLi2MaeYiOV
+RFrLHtJvXEdf2aEaZ0LOb2Xo3zO6BJvjXldv2woN
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index dbc1b496..74e783c9 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,74 +1,77 @@
 -----BEGIN CERTIFICATE-----
-MIIGuTCCBaGgAwIBAgIQd5g5aZGTfBBYfqr6AQJ3YDANBgkqhkiG9w0BAQsFADB2
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
-MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
-SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMzA4MzAwMDAwMDBaFw0yNDA4Mjky
-MzU5NTlaMHExCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
-LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRow
-GAYDVQQDDBEqLnNjcmlwdHMubWl0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAMSaPBw+t3otZqZDRkFb98F1xq0FIgzjdRYbCeomIghZsZjijbxb
-LD5UOPLiASQTQqi4fBJJp5nnEiOZAz5Qxsv66tpWQuzq0n3LDc0z/X1x4uZL2KDk
-ul7lbi3/8g4Jae0/+6nKzD11+CgQ3GiC5xB/WPC3oPFAVX9sRoEhfj3utqE0ewV/
-PoPU1FKeqXcnHcK+iQsCWkSp6JMrNgpLGMjpVXTmQcldGVR2Y1QuLjsJ+9hnyyRH
-Z4u8GGe+rYFl1tnNZd49PcC+OwXwbQ6t1vUk5HuR0tkkb1of1NrQyyMzvpswUdZq
-5JPoLPFxgvdfYxV0Mwagza5lJq7U+mK0gB8CAwEAAaOCA0YwggNCMB8GA1UdIwQY
-MBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBT7qCY04gyGSzdDzOvy
-je2pMgcNZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAU
-BggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQDAQEw
-QjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQvcmVw
-b3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDegNYYz
-aHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVyQ0Eu
-Y3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51c2Vy
-dHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUHMAGG
-GWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHAYDVR0RBBUwE4IRKi5zY3JpcHRz
-Lm1pdC5lZHUwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2AHb/iD8KtvuVUcJh
-zPWHujS0pM27KdxoQgqf5mdMWjp0AAABikh1EzMAAAQDAEcwRQIgWeE9wwQY+516
-ntnr6ycyhSpSk66BTCiUw5FK8zymmKsCIQDzOiw9f0GfvF/ugjQ4zkwWXOtQ6gnP
-Riz6QRw5O271lgB1ANq2v2s/tbYin5vCu1xr6HCRcWy7UYSFNL2kPTBI1/urAAAB
-ikh1E3kAAAQDAEYwRAIgZZ05YiK0cEvaX6+NdxTtOk0kGMLuZBVeLZTbPnqr6MQC
-IBJgH7Sq70uofATuIyiBrAA1hd35zI7GLQhf9ia+68BSAHYA7s3QZNXbGs7FXLed
-tM0TojKHRny87N7DUUhZRnEftZsAAAGKSHUTsgAABAMARzBFAiEAmgDTq6SOyZXi
-YFrZ/ZH7un5zxA5k7MZb6KthHamCX48CICNhHN86vyEN7anKBJcOKhB5ffPzsHOE
-B3CBaqIAx1b4MA0GCSqGSIb3DQEBCwUAA4IBAQCUf+ZCldXjPggfbMMkRQ7dI9yW
-pa1K2poov1jEAcP6OXm2EAovktrnQUCw+dcocan1jxEk9T1vVnhgeMKQdLCUKbxl
-gHB088Fvb8OPmz7QTgdIq2xoy8oR/E2Sm7RkBFBehlP1ZnemLWqqjpM86sDARUpo
-xGSTVqD6dLL0fFlvsKCLGDJ5FwW2D5wfyyxMPsRRL76ruicXx3YqDuNv44+Kk6Em
-PURpTpGudbFOM4LnZd+AZ2NV2K86WycOT1gcIOBWbxMls1Xm1sdAVfUGRnwqRdET
-uEMPk3btbPkM+qlgCFAkQPyvh3oxAmU5erlK/SjZjG/S6jpPxHdfTv3JyPrS
+MIIG4TCCBUmgAwIBAgIRANvRpZk+1WDiVjLag3VzHoUwDQYJKoZIhvcNAQEMBQAw
+RDELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5D
+b21tb24gUlNBIFNlcnZlciBDQSAyMB4XDTI0MDgyMDAwMDAwMFoXDTI1MDgyMDIz
+NTk1OVowcTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAs
+BgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxGjAY
+BgNVBAMMESouc2NyaXB0cy5taXQuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAxJo8HD63ei1mpkNGQVv3wXXGrQUiDON1FhsJ6iYiCFmxmOKNvFss
+PlQ48uIBJBNCqLh8EkmnmecSI5kDPlDGy/rq2lZC7OrSfcsNzTP9fXHi5kvYoOS6
+XuVuLf/yDglp7T/7qcrMPXX4KBDcaILnEH9Y8Leg8UBVf2xGgSF+Pe62oTR7BX8+
+g9TUUp6pdycdwr6JCwJaRKnokys2CksYyOlVdOZByV0ZVHZjVC4uOwn72GfLJEdn
+i7wYZ76tgWXW2c1l3j09wL47BfBtDq3W9STke5HS2SRvWh/U2tDLIzO+mzBR1mrk
+k+gs8XGC919jFXQzBqDNrmUmrtT6YrSAHwIDAQABo4IDHzCCAxswHwYDVR0jBBgw
+FoAU70wAkqb7di5eleLJX4cbGdVN4tkwHQYDVR0OBBYEFPuoJjTiDIZLN0PM6/KN
+7akyBw1kMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJnMCUw
+IwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECAjBA
+BgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3RpZ28uY29tL0luQ29tbW9u
+UlNBU2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIwOwYIKwYBBQUHMAKGL2h0
+dHA6Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25SU0FTZXJ2ZXJDQTIuY3J0MCMG
+CCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAcBgNVHREEFTATghEq
+LnNjcmlwdHMubWl0LmVkdTCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUA3dzK
+NJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCoAAAGRcGEvHQAABAMARjBEAiBS
+3ZKnt3426NfvX4yAQSAfa5piGkOyDnreL59XaXhddQIgOukkj9g7EPVYY4WwSGs+
+fsHPEeG+TQDa889qtr4nt8wAdgAN4fIwK9MNwUBiEgnqVS78R3R8sdfpMO8OQh60
+fk6qNAAAAZFwYS73AAAEAwBHMEUCIQD+wS4rXz9iTaKpHmmrMv82JafDlH+K0YG4
+NUqwRr4uOQIgX0foMKjPedAfqe3WmmwBK9XtuKzM0XxX+yZHWwu04N0AdgAS8U40
+vVNyTIQGGcOPP3oT+Oe1YoeInG0wBYTr5YYmOgAAAZFwYS75AAAEAwBHMEUCIQC7
+kkYE2xmkJ8KUjsz55OORnIrxdNCseRkBXS7iQzHdYwIgV5dCg4FYS7HibfqUcUI/
+4uIeoAhh23a2rttdmYYjv3wwDQYJKoZIhvcNAQEMBQADggGBABl2bsaj6MlrxaIe
+KGiWFOECSkTsDMuUqosthziczF0XNplLCwEBz1MY6MjlQWppNnaZ7h//pDuuZIyE
++CQ/NrlgVsY4Z2lW6I4TnLc5DjnM9MF0/Mv5AfQYEQ9PofzX6jyjF11Du+8jHHjt
+XrVHAfKehi6Ujz9l+1GDiPKizIIgilgXaaIb+3ock9XOUZhWryLTrwAQBU7qGzBx
+FaA9P+e3T7Y/38M43Qe7E6/KlB1QEmdg3VTuD+L8DNZFIdwWfg4v/OYgsXqNM+1k
+IGEKsl2jnhN2O4Sb9Sp8xuMbiPqZAAgH2W7en/wyuytsHYMf5quBKf0qwXti1tcb
+LiItQJfIBwKpkoTwKlMZV4nQyfOh5OZXWlT86Df9H+HfNxay6J2zj2f5x77Wl5Ds
+z70SIEC2SBK9A/97MVMLCujX+qlXfo6LvltFPYezkRETuXmrfvuwKxdcu4b2+N3Y
+Q3DhHbptaDmEYoVf4m1i90qR9KtrdxPS7xoyD5tJu7MlL6Zy+g==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
-MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
-CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
-DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
-QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
-xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
-HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
-iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
-qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
-eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
-fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
-MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
-EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
-hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
-dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
-dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
-cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
-hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
-11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
-+Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
-5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
-hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
-RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
-Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
-eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
-nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
-oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
-OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+MIIGSjCCBDKgAwIBAgIRAINbdhUgbS1uCX4LbkCf78AwDQYJKoZIhvcNAQEMBQAw
+gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
+ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
+VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIy
+MTExNjAwMDAwMFoXDTMyMTExNTIzNTk1OVowRDELMAkGA1UEBhMCVVMxEjAQBgNV
+BAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21tb24gUlNBIFNlcnZlciBDQSAy
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAifBcxDi60DRXr5dVoPQi
+Q/w+GBE62216UiEGMdbUt7eSiIaFj/iZ/xiFop0rWuH4BCFJ3kSvQF+aIhEsOnuX
+R6mViSpUx53HM5ApIzFIVbd4GqY6tgwaPzu/XRI/4Dmz+hoLW/i/zD19iXvS95qf
+NU8qP7/3/USf2/VNSUNmuMKlaRgwkouue0usidYK7V8W3ze+rTFvWR2JtWKNTInc
+NyWD3GhVy/7G09PwTAu7h0qqRyTkETLf+z7FWtc8c12f+SfvmKHKFVqKpNPtgMkr
+wqwaOgOOD4Q00AihVT+UzJ6MmhNPGg+/Xf0BavmXKCGDTv5uzQeOdD35o/Zw16V4
+C4J4toj1WLY7hkVhrzKG+UWJiSn8Hv3dUTj4dkneJBNQrUfcIfTHV3gCtKwXn1eX
+mrxhH+tWu9RVwsDegRG0s28OMdVeOwljZvYrUjRomutNO5GzynveVxJVCn3Cbn7a
+c4L+5vwPNgs04DdOAGzNYdG5t6ryyYPosSLH2B8qDNzxAgMBAAGjggFwMIIBbDAf
+BgNVHSMEGDAWgBRTeb9aqitKz1SA4dibwJ3ysgNmyzAdBgNVHQ4EFgQU70wAkqb7
+di5eleLJX4cbGdVN4tkwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCIGA1UdIAQbMBkwDQYL
+KwYBBAGyMQECAmcwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9j
+cmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9y
+aXR5LmNybDBxBggrBgEFBQcBAQRlMGMwOgYIKwYBBQUHMAKGLmh0dHA6Ly9jcnQu
+dXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBQUFDQS5jcnQwJQYIKwYBBQUHMAGG
+GWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggIBACaA
+DTTkHq4ivq8+puKE+ca3JbH32y+odcJqgqzDts5bgsapBswRYypjmXLel11Q2U6w
+rySldlIjBRDZ8Ah8NOs85A6MKJQLaU9qHzRyG6w2UQTzRwx2seY30Mks3ZdIe9rj
+s5rEYliIOh9Dwy8wUTJxXzmYf/A1Gkp4JJp0xIhCVR1gCSOX5JW6185kwid242bs
+Lm0vCQBAA/rQgxvLpItZhC9US/r33lgtX/cYFzB4jGOd+Xs2sEAUlGyu8grLohYh
+kgWN6hqyoFdOpmrl8yu7CSGV7gmVQf9viwVBDIKm+2zLDo/nhRkk8xA0Bb1BqPzy
+bPESSVh4y5rZ5bzB4Lo2YN061HV9+HDnnIDBffNIicACdv4JGyGfpbS6xsi3UCN1
+5ypaG43PJqQ0UnBQDuR60io1ApeSNkYhkaHQ9Tk/0C4A+EM3MW/KFuU53eHLVlX9
+ss1iG2AJfVktaZ2l/SbY7py8JUYMkL/jqZBRjNkD6srsmpJ6utUMmAlt7m1+cTX8
+6/VEBc5Dp9VfuD6hNbNKDSg7YxyEVaBqBEtN5dppj4xSiCrs6LxLHnNo3rG8VJRf
+NVQdgFbMb7dOIBokklzfmU69lS0kgyz2mZMJmW2G/hhEdddJWHh3FcLi2MaeYiOV
+RFrLHtJvXEdf2aEaZ0LOb2Xo3zO6BJvjXldv2woN
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7

From 22e9dc8f20598717766d0a9ec77c4bcc57d33a4a Mon Sep 17 00:00:00 2001
From: Arthur Migdal <amigdal@mit.edu>
Date: Fri, 11 Oct 2024 20:08:55 -0400
Subject: [PATCH 108/111] Make Apache block some self-identified bots.

While the proxy servers can block by user-agent for plain traffic, they
cannot for TLS connections.
---
 server/fedora/config/etc/httpd/conf/httpd.conf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/server/fedora/config/etc/httpd/conf/httpd.conf
index 6cc5e42e..2764ed6a 100644
--- a/server/fedora/config/etc/httpd/conf/httpd.conf
+++ b/server/fedora/config/etc/httpd/conf/httpd.conf
@@ -110,6 +110,13 @@ UserDir disabled
 <Directory />
     AllowOverride None
     Options FollowSymLinks IncludesNoExec
+
+    # Block some (self-identifying) bots, by giving them a 403.
+    # The proxy servers should catch these (/etc/haproxy/blacklist-agent.txt),
+    # but it can only look at HTTP traffic.  This was added primarily for HTTPS
+    # traffic.
+    Require expr %{HTTP_USER_AGENT} !~ /Bytespider|Bytedance|ClaudeBot/
+
     # The new syntax wasn't added until 2.4,
     # so there's simply no way any deployed sites
     # are already using the new syntax.

From d0a755b63063c8ac153022548161b3199584fe64 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Sat, 1 Feb 2025 21:32:52 -0500
Subject: [PATCH 109/111] Do not try to execute programs that are supposed to
 be unreadable

Stock AFS has code that, in the case of an attempt to execute a file,
first asks afs_AccessOK() if the user has permission to read that file,
and then if the answer is "no," overrides that decision if the Unix mode
of the file has the read permission bit set, allowing an attempt to
execute the program anyway.  If the read permission is really absent, in
normal AFS, the AFS server won't provide the file content and will
prevent this from working.  The code may be related to the NFS2AFS
translator, where it might work.

On Scripts, if a user tries to run a program from a volume other than
their own where daemon.scripts has the AFS 'r' and 'l' permissions, the
AFS server will not block this from working, and the result will be that
a user can run (and therefore read) programs they aren't supposed to be
able to, and that the patch we've had since the beginning of time is
trying to deny them permission to do, yet its decision is being overridden.

Remove the logic that allows this to be attempted.
---
 server/common/patches/openafs-scripts.patch | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/server/common/patches/openafs-scripts.patch b/server/common/patches/openafs-scripts.patch
index 7d082c86..88403fe3 100644
--- a/server/common/patches/openafs-scripts.patch
+++ b/server/common/patches/openafs-scripts.patch
@@ -5,6 +5,7 @@
 # and Edward Z. Yang <ezyang@mit.edu>
 # and Benjamin Kaduk <kaduk@mit.edu>
 # and Alexander Chernyakhovsky <achernya@mit.edu>
+# and Mitchell Berger <mitchb@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
 #
@@ -119,6 +120,24 @@ index 0087073..df3e4ef 100644
  	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
      }
  }
+@@ -305,7 +329,16 @@ afs_access(OSI_VC_DECL(avc), afs_int32 amode,
+ 			if ((avc->f.m.Mode & 0100) == 0)
+ 			    code = 0;
+ 		} else if (avc->f.m.Mode & 0100)
+-		    code = 1;
++		    /* [scripts] Stock AFS sets code to 1 here and allows an
++		     * attempt at execution even if the AFS permissions don't
++		     * allow reading.  If the read permission is really
++		     * missing, the server would prevent this.  Because we
++		     * return 0 from afs_AccessOK when the read permission is
++		     * present but the UID doesn't match the VID, setting code
++		     * to 1 here would allow any user to execute (and
++		     * therefore read) any program Scripts can read, even if
++		     * it's in the wrong volume. */
++		    ;
+ 	    }
+ 	    if (code && (amode & VWRITE)) {
+ 		code = afs_AccessOK(avc, PRSFS_WRITE, treq, CHECK_MODE_BITS);
 diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
 index 2eb228f..d5d6e4a 100644
 --- a/src/afs/VNOPS/afs_vnop_attrs.c

From 41fbae97b5e0de1aeb3431a665c192c2f3ef9c29 Mon Sep 17 00:00:00 2001
From: Mitchell E Berger <mitchb@mit.edu>
Date: Mon, 17 Feb 2025 18:25:51 -0500
Subject: [PATCH 110/111] Fix check_ldap_mmr's conflict detection

389-ds "helpfully" started hiding replication conflicts some time ago,
causing the plugin to blissfully think there weren't any when in fact
there were.  You need to actively tell it that you want entries of
class ldapSubEntry now in order for them not to be filtered out.
---
 ldap/el/config/etc/nagios/check_ldap_mmr.real | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/el/config/etc/nagios/check_ldap_mmr.real b/ldap/el/config/etc/nagios/check_ldap_mmr.real
index 6fbb3dcf..385f9cd8 100755
--- a/ldap/el/config/etc/nagios/check_ldap_mmr.real
+++ b/ldap/el/config/etc/nagios/check_ldap_mmr.real
@@ -46,7 +46,7 @@ foreach my $entr ( @entries ) {
 }
 print "$nl";
 
-$result=LDAPSearch($ldap,"nsds5ReplConflict=*",["nsds5ReplConflict"],$replicatedBase);
+$result=LDAPSearch($ldap,"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))",["nsds5ReplConflict"],$replicatedBase);
 @entries = $result->entries;
 foreach my $entr ( @entries ) {
     my $conflictingDN=$entr->dn();

From 22db5e3d9a42ea633203e8cf433ac497088b172f Mon Sep 17 00:00:00 2001
From: Arthur Migdal <amigdal@mit.edu>
Date: Mon, 18 Aug 2025 11:21:33 -0400
Subject: [PATCH 111/111] Update shared TLS certs for Aug 2025 to Sep 2026.

---
 .../config/etc/pki/tls/certs/scripts-cert.pem | 42 +++++++++----------
 .../config/etc/pki/tls/certs/scripts.pem      | 40 +++++++++---------
 .../config/etc/pki/tls/certs/star.scripts.pem | 38 ++++++++---------
 3 files changed, 60 insertions(+), 60 deletions(-)

diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
index 5f00a86f..8e79cee4 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIG5jCCBU6gAwIBAgIQR6bbR5hDLCHI8kw6EGqhcjANBgkqhkiG9w0BAQwFADBE
+MIIG6TCCBVGgAwIBAgIQTQ9yBROoRXob2XUsxRVXPTANBgkqhkiG9w0BAQsFADBE
 MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMSEwHwYDVQQDExhJbkNv
-bW1vbiBSU0EgU2VydmVyIENBIDIwHhcNMjQwODIwMDAwMDAwWhcNMjUwODIwMjM1
+bW1vbiBSU0EgU2VydmVyIENBIDIwHhcNMjUwODE4MDAwMDAwWhcNMjYwOTE4MjM1
 OTU5WjB0MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEuMCwG
 A1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEdMBsG
 A1UEAxMUc2NyaXB0cy1jZXJ0Lm1pdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
@@ -10,7 +10,7 @@ Wyw+VDjy4gEkE0KouHwSSaeZ5xIjmQM+UMbL+uraVkLs6tJ9yw3NM/19ceLmS9ig
 5Lpe5W4t//IOCWntP/upysw9dfgoENxogucQf1jwt6DxQFV/bEaBIX497rahNHsF
 fz6D1NRSnql3Jx3CvokLAlpEqeiTKzYKSxjI6VV05kHJXRlUdmNULi47CfvYZ8sk
 R2eLvBhnvq2BZdbZzWXePT3AvjsF8G0Ordb1JOR7kdLZJG9aH9Ta0MsjM76bMFHW
-auST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggMiMIIDHjAfBgNVHSME
+auST6CzxcYL3X2MVdDMGoM2uZSau1PpitIAfAgMBAAGjggMlMIIDITAfBgNVHSME
 GDAWgBTvTACSpvt2Ll6V4slfhxsZ1U3i2TAdBgNVHQ4EFgQU+6gmNOIMhks3Q8zr
 8o3tqTIHDWQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
 FAYIKwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAmcw
@@ -18,24 +18,24 @@ JTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIC
 MEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9jcmwuc2VjdGlnby5jb20vSW5Db21t
 b25SU0FTZXJ2ZXJDQTIuY3JsMHAGCCsGAQUFBwEBBGQwYjA7BggrBgEFBQcwAoYv
 aHR0cDovL2NydC5zZWN0aWdvLmNvbS9JbkNvbW1vblJTQVNlcnZlckNBMi5jcnQw
-IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMIIBfQYKKwYBBAHW
-eQIEAgSCAW0EggFpAWcAdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvI
-KgAAAZFwYF3YAAAEAwBHMEUCIChfT7yesNwlQZYgskyu2TNH1Y/krCG0I8dOyuqH
-g3R5AiEA1yJeUHF8N+r8focZIr+r+twHDDU/H3ivbbmlSCKAH9MAdQAN4fIwK9MN
-wUBiEgnqVS78R3R8sdfpMO8OQh60fk6qNAAAAZFwYF2QAAAEAwBGMEQCIGlhAjyZ
-yrUnPwx22RP1zebUjtlu63fTTTHTgi4I02lwAiB17tOp0higSVt8VBm2hcwn9PdH
-RryhDrsGYXgl3Z10PQB2ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvlhiY6
-AAABkXBgXW8AAAQDAEcwRQIhAIDn6B9sOY55h/rrS4bYf2gFKoIm2I04FFZgaTr0
-lYblAiBqCZESSedRVMaEe02ecRgjWjEVBWEvlVqyqqCEmQPtlDAfBgNVHREEGDAW
-ghRzY3JpcHRzLWNlcnQubWl0LmVkdTANBgkqhkiG9w0BAQwFAAOCAYEAUeIpVf7b
-UjmnczXDd78g87nys9LcjfiOuEA+isXI/yDGtn9kbVpXAGTr/N+zBvOm8817e2oK
-1QWsnTLub96cXhSNq64cYdP37yxU+DWIWlWPuPG4X5HGzYoV3LUEH1/2nMcVqE6N
-4pup7h+26k+eGH8v8r57ScUiBEqU2rDumhnqBmcntJEiG/ko9oG3RJGX9L2uMsZD
-y93G5DwnzhN12rT+ssP5ON+bA31mYWQUXaUEmJ3TXa+0F9SPQ73BzqyKsL1DreMa
-oReUgiH/MBMkLtxRuuY2uEQeqmdLCOZ0sw9bHTIUZAOVdujYULF+6BQrMW2ZGyjS
-OT23s5g9ZX3LiLlOnXGj/6Nv/v8oar/nRiCPL4K/zcU62/m6VUhgzs6lYROUqr5V
-OLKqdn18zakll86fvL88LQ29KuER6akE4zrHLceEvKQMwZXjiiUW6UnXhWDnZnFj
-veic0+xEfLbPA7jlACkuG7paV3yQj3tW5o7894ZTWwfZn/yJKvQH/ius
+IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMB8GA1UdEQQYMBaC
+FHNjcmlwdHMtY2VydC5taXQuZWR1MIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA
+dwDYCVU7lE96/8gWGW+UT4WrsPj8XodVJg8V0S5yu0VLFAAAAZi9q8XTAAAEAwBI
+MEYCIQCIUujqXuKn0/RwXyHTpcLmbGpo0qHXVpXvzxjuLHZIpQIhAIon6iakNmt+
+LROvscXzuk4BlN1f1jWzJEW0zTGRw+bfAHYArKswcGzr7IQx9BPS9JFfER5CJEOx
+8qaMTzwrO6ceAsMAAAGYvavFkQAABAMARzBFAiAcYCj382gqlYdqB1Stp5SSxLkV
+Z2zFFYjwpAsZkbT1wQIhAKnkilMf8ydzVAvLZiMJaVmkirVBT/wMdC2s5HDARFIx
+AHcA1219ENGn9XfCx+lf1wC/+YLJM1pl4dCzAXMXwMjFaXcAAAGYvavFVgAABAMA
+SDBGAiEAuf2pCLYtWczlinZAbhV9khZiaWPW1vBdr32797OmcbkCIQCutWRg1TGG
+LYPwSVwb1k6R0eF0vXxVHpaR2bW3btN73TANBgkqhkiG9w0BAQsFAAOCAYEAIHYL
+VeADJWHBPFJoy5i4QULOasNfqtqssWzcQ2b7Mq7RMN/HbaKiXj7Af7skVO90NE9l
+0d4oCrbj0foMXdriCH20HPQmnrFXxOlsHMVRL7YKv0qv3fSm4ziRxx3uKdlO3zxM
+HP9F1V/izXb0tEv7pNof1d56wR4TksI2Lib+EKz4y7LBnpknVd9Hsgk0bsxFO3UA
+OrzQ+nwA6enlSZYLjvw4YlKyRm3NPa0si3zQchX4mv5XrAhQOzsBOEWICVOp2cPs
+ZmurkMpx8O3Nw6A7TATj7IEfvLc8HTlN1hUKzAVjOlsporBHbCLqSeYrL7j3Wr43
+Y8g+IQabp7QM+ZudsXu5LA+MjsNgV1tvhmxv/ER8R7FOmjuwZiwsAA+uBJwrArMQ
+r1l2t9QmzkhBX66d2dRCa9mwPkGALCPBHMwOKZ8tQlcBMt8d4gH1lChS9C7ta2Ui
+HtB+wURbflVQGTRrAdTqbK62nXEV+NUujS6lwr17PjwLAp7HaknQzv/OUpyY
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIGSjCCBDKgAwIBAgIRAINbdhUgbS1uCX4LbkCf78AwDQYJKoZIhvcNAQEMBQAw
diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/server/fedora/config/etc/pki/tls/certs/scripts.pem
index bc2e2c30..8e2769c6 100644
--- a/server/fedora/config/etc/pki/tls/certs/scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/scripts.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIG3jCCBUagAwIBAgIQfYRHBz30Tc9DGHng8folrzANBgkqhkiG9w0BAQwFADBE
+MIIG3jCCBUagAwIBAgIQJyQdLfa79k+DLilfEkimyDANBgkqhkiG9w0BAQsFADBE
 MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMSEwHwYDVQQDExhJbkNv
-bW1vbiBSU0EgU2VydmVyIENBIDIwHhcNMjQwODIwMDAwMDAwWhcNMjUwODIwMjM1
+bW1vbiBSU0EgU2VydmVyIENBIDIwHhcNMjUwODE4MDAwMDAwWhcNMjYwOTE4MjM1
 OTU5WjBvMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEuMCwG
 A1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEYMBYG
 A1UEAxMPc2NyaXB0cy5taXQuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
@@ -18,24 +18,24 @@ KwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECAjBABgNV
 HR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3RpZ28uY29tL0luQ29tbW9uUlNB
 U2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIwOwYIKwYBBQUHMAKGL2h0dHA6
 Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25SU0FTZXJ2ZXJDQTIuY3J0MCMGCCsG
-AQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTCCAX8GCisGAQQB1nkCBAIE
-ggFvBIIBawFpAHcA3dzKNJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCoAAAGR
-cGC9MwAABAMASDBGAiEAkIPk5ll/QXVnIYPdn1WzfqQP67FPmcDgtIY48HYh6BsC
-IQDvektJb8gq7WuHAqUyDDgJorpMMeF1mNbAFgvXJTnTGQB2AA3h8jAr0w3BQGIS
-CepVLvxHdHyx1+kw7w5CHrR+Tqo0AAABkXBgvOkAAAQDAEcwRQIgMstKtyiIAF86
-sPt8mbOxJlKJ91BxeoR6TDeFMZmTC1ACIQCyGG6FdM7S5eZGeX07lx/jN/1FZcgQ
-a+A2sRlukqXDkgB2ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvlhiY6AAAB
-kXBgvM0AAAQDAEcwRQIhAJ3050SDwVZfxufHZDflpmos/GdAicen0UNSZWOZwlX3
-AiB2hJpOjt3/KD45FCZRClbf9KlTpn1yurpIEpKpnP3sHzAaBgNVHREEEzARgg9z
-Y3JpcHRzLm1pdC5lZHUwDQYJKoZIhvcNAQEMBQADggGBAGJMkKjL4Zt0F7Ltwi7e
-/wW4zX21lOIlXnN4odFH+FMGvkvKKwGkANwtHVEHS2mxull40ajr1i9qcnufu9I9
-jrYblaMpA1I7RWe8fUV+QfYassve/DyZdK4VLW5hpa6fyj5eqQsLE+K6bRcR3eoV
-TJnzn+zsgQbtXtissGB//Ecz1xV615wuaVLkLHiq4lgalutxcY5o8k6gtSBAhJoI
-VfeoIxXjGldOq2bLS4vk4Pq3y4cxoRzB7NNAjp4SJVbSg76pnjVV7xKj40XT9kY3
-X5YhRj4u6oUq71KxeXDzGExD3Ks8/Gq5u68FxvdfH3mIXcXSfNizxLygQ9R+SQTR
-KbLstk0bJduPLr+de44Y3fkiCyvj6fBiDzlcRLfpD+I7sU3if32r8pFjSEk3tqmb
-u3NNtryi/mrQAcQse/gxF4vfERKzPyEyyew/PSWNLWeIH9RIKT1T31lwEd4r1ky/
-cLnPtL9DZN/g4Id4/wTls5cdoUEs9SSEpLZJ/sbiFrfaLA==
+AQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAaBgNVHREEEzARgg9zY3Jp
+cHRzLm1pdC5lZHUwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2ANgJVTuUT3r/
+yBYZb5RPhauw+Pxeh1UmDxXRLnK7RUsUAAABmL2rUgEAAAQDAEcwRQIgEDOitqjN
+GiDPOsTAuQw6EmOjUXtvUW1fgRi6x6EBkwkCIQDqNPRvhUF31aDicDoOHoV3+Aqi
+zTkBzEGJUiH8gp7IGwB2AKyrMHBs6+yEMfQT0vSRXxEeQiRDsfKmjE88KzunHgLD
+AAABmL2rUeYAAAQDAEcwRQIgYiO+VAq8l8trksdp4TFHrg/WvPE6qh014m0Xu2PJ
+vs4CIQCuancsFYIEYDn8Jayt1n8ZeEqbrBDDa4qXtbMbe6SSdQB3ANdtfRDRp/V3
+wsfpX9cAv/mCyTNaZeHQswFzF8DIxWl3AAABmL2rUg0AAAQDAEgwRgIhAOUPrRAt
+yTTtq5HeROTupcMMwpzXsJ28vkTFf9KhhmFTAiEA9OgZuVaTwadS6/b6GaUOIbGE
+4TZJnq0BZ14fZyLsPMUwDQYJKoZIhvcNAQELBQADggGBAH+K8rlGkuWryJyTY8Q6
+yT55d9glFnt3D+CWo2j3itYB0X+BJdIP0HqFxE80JfVbdtKloDPSc/gvm9wBizBS
+UW+3RzRHTcCtjRtFRxAVBnLHmuQrJoLR/DHv973fToGNJ3FqJrrK9gPJWInq+44B
+V3/J7BmcqT7kOzeuZa5wyaFS/7OwED5HN/GBtTWCaHdcEuDBjicHcT9HWBAkTaSM
+nEHRRUZBnpHBvCsU1Nf09di0RYDjJC9Au5F8C/4N0Fv3Zu2n2ygj7eWcRVBM/oRq
+KNL+E1A1BcdSBLzwTLENNO2SBhnX7DHzBft7ZDiAyxi3Wngmgks7QSikeUnZJnTX
+6uZk4+P4r/U0OOq2O5QcvnC60N9eKkEihl0mNvYOLYG4exYBoRGtUe7ZrlVpGjS5
+2ibuOLnFcOScIGoV+N4hUjDEVyGKk5DhrqDFPDh4mC2rdizc92kbhsDnQUPNg0ZM
+OYo2tk9tTQeP806qhg48Dl7O9D74O7SoyZN0ol5HOLkioA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIGSjCCBDKgAwIBAgIRAINbdhUgbS1uCX4LbkCf78AwDQYJKoZIhvcNAQEMBQAw
diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
index 74e783c9..2b187de2 100644
--- a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
+++ b/server/fedora/config/etc/pki/tls/certs/star.scripts.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIG4TCCBUmgAwIBAgIRANvRpZk+1WDiVjLag3VzHoUwDQYJKoZIhvcNAQEMBQAw
+MIIG4TCCBUmgAwIBAgIRANKJKielWl3U2/GKe3jQp6IwDQYJKoZIhvcNAQELBQAw
 RDELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5D
-b21tb24gUlNBIFNlcnZlciBDQSAyMB4XDTI0MDgyMDAwMDAwMFoXDTI1MDgyMDIz
+b21tb24gUlNBIFNlcnZlciBDQSAyMB4XDTI1MDgxODAwMDAwMFoXDTI2MDgxODIz
 NTk1OVowcTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAs
 BgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxGjAY
 BgNVBAMMESouc2NyaXB0cy5taXQuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
@@ -19,23 +19,23 @@ BgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3RpZ28uY29tL0luQ29tbW9u
 UlNBU2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIwOwYIKwYBBQUHMAKGL2h0
 dHA6Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25SU0FTZXJ2ZXJDQTIuY3J0MCMG
 CCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAcBgNVHREEFTATghEq
-LnNjcmlwdHMubWl0LmVkdTCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUA3dzK
-NJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCoAAAGRcGEvHQAABAMARjBEAiBS
-3ZKnt3426NfvX4yAQSAfa5piGkOyDnreL59XaXhddQIgOukkj9g7EPVYY4WwSGs+
-fsHPEeG+TQDa889qtr4nt8wAdgAN4fIwK9MNwUBiEgnqVS78R3R8sdfpMO8OQh60
-fk6qNAAAAZFwYS73AAAEAwBHMEUCIQD+wS4rXz9iTaKpHmmrMv82JafDlH+K0YG4
-NUqwRr4uOQIgX0foMKjPedAfqe3WmmwBK9XtuKzM0XxX+yZHWwu04N0AdgAS8U40
-vVNyTIQGGcOPP3oT+Oe1YoeInG0wBYTr5YYmOgAAAZFwYS75AAAEAwBHMEUCIQC7
-kkYE2xmkJ8KUjsz55OORnIrxdNCseRkBXS7iQzHdYwIgV5dCg4FYS7HibfqUcUI/
-4uIeoAhh23a2rttdmYYjv3wwDQYJKoZIhvcNAQEMBQADggGBABl2bsaj6MlrxaIe
-KGiWFOECSkTsDMuUqosthziczF0XNplLCwEBz1MY6MjlQWppNnaZ7h//pDuuZIyE
-+CQ/NrlgVsY4Z2lW6I4TnLc5DjnM9MF0/Mv5AfQYEQ9PofzX6jyjF11Du+8jHHjt
-XrVHAfKehi6Ujz9l+1GDiPKizIIgilgXaaIb+3ock9XOUZhWryLTrwAQBU7qGzBx
-FaA9P+e3T7Y/38M43Qe7E6/KlB1QEmdg3VTuD+L8DNZFIdwWfg4v/OYgsXqNM+1k
-IGEKsl2jnhN2O4Sb9Sp8xuMbiPqZAAgH2W7en/wyuytsHYMf5quBKf0qwXti1tcb
-LiItQJfIBwKpkoTwKlMZV4nQyfOh5OZXWlT86Df9H+HfNxay6J2zj2f5x77Wl5Ds
-z70SIEC2SBK9A/97MVMLCujX+qlXfo6LvltFPYezkRETuXmrfvuwKxdcu4b2+N3Y
-Q3DhHbptaDmEYoVf4m1i90qR9KtrdxPS7xoyD5tJu7MlL6Zy+g==
+LnNjcmlwdHMubWl0LmVkdTCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUA2AlV
+O5RPev/IFhlvlE+Fq7D4/F6HVSYPFdEucrtFSxQAAAGYvaxGkQAABAMARjBEAiAX
+bYLzGjv2t+TZr0nEJgIcG/3x9x0lBb/APOFTrnY+xwIgfeQBk4ohkelRdjWuokQH
+pmTHc55SOg3HXXcDTl4lIaIAdgCsqzBwbOvshDH0E9L0kV8RHkIkQ7HypoxPPCs7
+px4CwwAAAZi9rEZTAAAEAwBHMEUCIC+HFMD+YJrNZDLIeyogCoEgOsmnukCaHH08
+ALmaJ7X+AiEAijahYqimxsx8Q+U8mE6nffCHLQ13RdTVTjatb/pEil0AdgDXbX0Q
+0af1d8LH6V/XAL/5gskzWmXh0LMBcxfAyMVpdwAAAZi9rEZCAAAEAwBHMEUCIQC1
+2mus0JQovvTjWze0EpRxEDJZ0uV+30MlI2UrLGM2jQIgRxlP2l6/G2RdFjJCdC45
+6gfLYYlWxiy10MO4f8Nr9eUwDQYJKoZIhvcNAQELBQADggGBAEcXEgOKkcQtnS2x
+sBTvjnDD+QcV06Sz8bne/0AfQJ4DpDgCMwdvC9/Vo+b4h8tochMi+6KlyMzm5xdb
+d7Irc6KKO4z/mI01W4B0lZ5bmf4ZWd/mFi6lJ2s2osDs5JhE3V0kcC0ncglj2rol
+V45+1qsTM/8fs/c34vZeXWfXzhGenfOkNrzcJGo2pwOskHZzV1GoITCSjAzynxTt
+zo1Bz1Lbv5kYk4Jno7OVMhTBbGhyi3fORn6kso5Oa9b8YUhA8/ZdsJD+5wf8kawL
+V6mfj+TjcotH4Jlz6uvUMnK8KaGriqAWjnr2VXKdX9poM1iume8X7GOCLyqFr7gW
+erKfIOYZSxGBvEj1M/ASTJL5+X6Y0jcxb8a4lsFe8QaFbWPfXGlyYx7HvgMxrVIE
++OprP1rG6788nf8eDop4pGpmyc387BPJ1D7u24Ie0tDpteb0V8cXOeOPFG5xGLWX
+Y1CRY8kNXmWJvzOJOqUcma+y+U6o1a9WGUeLZ9mpnOrG881xUg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIGSjCCBDKgAwIBAgIRAINbdhUgbS1uCX4LbkCf78AwDQYJKoZIhvcNAQEMBQAw