<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Please keep freeipa-users in CC, I'm quite lost here</p>
<p>ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates).</p>
<p>I'm not sure what this does mean, but if this is caused by
invalid httpd certificate, solution might be to set time a week
before 2016-05-28, restart IPA and try to renew certs again<br>
</p>
<p><br>
</p>
<p>Martin^2<br>
</p>
<br>
<div class="moz-cite-prefix">On 14.09.2016 18:38, bahan w wrote:<br>
</div>
<blockquote
cite="mid:CAMJtub+dtAw=sWh7w-TtJR5H-6bReOnm+k75nxu4n2fOsL-pRQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Ok, I managed to restart the IPA service by adding
this line in the file /etc/httpd/conf.d/nss.conf :<br>
###<br>
NSSEnforceValidCerts off<br>
###<br>
<br>
</div>
But when I do the getcert now I got the following result :<br>
###<br>
# getcert list<br>
Number of certificates and requests being tracked: 8.<br>
Request ID '20140528063903':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=CA Audit,O=<MYREALM><br>
expires: 2018-04-09 11:39:16 UTC<br>
pre-save command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063904':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=OCSP Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-OCSPSigning<br>
pre-save command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063905':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=CA Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063906':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=IPA RA,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/renew_ra_cert<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063907':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063919':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA
certificates).<br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:18 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM><br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063953':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA
certificates).<br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:52 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528064145':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA
certificates).<br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:41:44 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
###<br>
<br>
</div>
Indeed, the entries outdated are the following :<br>
</div>
- for /etc/dirsrv/slapd-<MYREALM> : 20140528063919<br>
- for /etc/dirsrv/slapd-PKI-IPA : 20140528063953<br>
</div>
- for httpd ? : 20140528064145<br>
<br>
<div>
<div>
<div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 6:28 PM, bahan
w <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bahanw042014@gmail.com" target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Ok :D <br>
<br>
Because to perform the getcert list command, I need to
have all the ipa services running right ?<br>
<br>
</div>
<div>Here is the result of the command with the ipa
services down.<br>
</div>
<div>###<br>
# getcert list<br>
Number of certificates and requests being tracked: 8.<br>
Request ID '20140528063903':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>auditSigningCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>auditSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA Audit,O=<MYREALM><br>
expires: 2018-04-09 11:39:16 UTC<br>
pre-save command: /usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ca_cert
"auditSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063904':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>ocspSigningCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=OCSP Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-OCSPSigning<br>
pre-save command: /usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ca_cert
"ocspSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063905':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>subsystemCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>subsystemCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command: /usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ca_cert
"subsystemCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063906':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS
Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=IPA RA,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ra_cert<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063907':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>Server-Cert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>Server-Cert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063919':<br>
status: MONITORING<br>
ca-error: Error setting up ccache for local
"host" service using default keytab: Cannot contact
any KDC for realm '<MYREALM>'.<br>
stuck: no<br>
key pair storage: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-<MYREALM>',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-<MYREALM>/pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-<MYREALM>',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:18 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_dirsrv
<MYREALM><br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063953':<br>
status: MONITORING<br>
ca-error: Error setting up ccache for local
"host" service using default keytab: Cannot contact
any KDC for realm '<MYREALM>'.<br>
stuck: no<br>
key pair storage: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-PKI-IPA/pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:52 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_dirsrv
PKI-IPA<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528064145':<br>
status: MONITORING<br>
ca-error: Error setting up ccache for local
"host" service using default keytab: Cannot contact
any KDC for realm '<MYREALM>'.<br>
stuck: no<br>
key pair storage: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:41:44 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
###<br>
<br>
</div>
Best regards.<span class="HOEnZb"><font color="#888888"><br>
<br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">
<div>Bahan<br>
</div>
</font></span></div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 6:21
PM, Martin Basti <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<p>Then you have to start services manually, I
don't know if the same steps will work with
IPA 3.0.0, I don't remember, but you can try
:)<br>
</p>
<div>
<div> <br>
<div>On 14.09.2016 18:18, bahan w wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Oh I forgot to add that my version
of ipa is quite old :<br>
###<br>
# rpm -qa | grep ipa-server<br>
ipa-server-3.0.0-25.el6.x86_64<br>
###<br>
<br>
</div>
When I try the command you gave me I got
the following error :<br>
###<br>
<div># ipactl start --force<br>
Usage: ipactl
start|stop|restart|status<br>
<br>
<br>
ipactl: error: no such option: --force<br>
###<br>
<br>
</div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14,
2016 at 6:14 PM, Martin Basti <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>
<div>
<p><br>
</p>
<br>
<div>On 14.09.2016 17:59,
bahan w wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hello !<br>
<br>
</div>
I send you this mail
because I cannot
restart my test IPA
server.<br>
<br>
</div>
When I try to start it
with service ipa
start, I got the
following error
message :<br>
###<br>
# service ipa start<br>
Starting Directory
Service<br>
Starting dirsrv:<br>
<MYREALM>...[14/Sep/2016:17:57<wbr>:23
+0200] - SSL alert:
CERT_VerifyCertificateNow:
verify certificate
failed for cert
Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
Peer's Certificate has
expired.)<br>
<wbr> [ OK ]<br>
PKI-IPA...[14/Sep/2016:17:57:3<wbr>3
+0200] - SSL alert:
CERT_VerifyCertificateNow:
verify certificate
failed for cert
Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
Peer's Certificate has
expired.)<br>
<wbr> [ OK ]<br>
Starting KDC Service<br>
Starting Kerberos 5
KDC: <wbr>
[ OK ]<br>
Starting KPASSWD
Service<br>
Starting Kerberos 5
Admin
Server: <wbr>
[ OK ]<br>
Starting MEMCACHE
Service<br>
Starting
ipa_memcached: <wbr>
[ OK ]<br>
Starting HTTP Service<br>
Starting
httpd: <wbr>
[FAILED]<br>
Failed to start HTTP
Service<br>
Shutting down<br>
Stopping Kerberos 5
KDC: <wbr>
[ OK ]<br>
Stopping Kerberos 5
Admin
Server: <wbr>
[ OK ]<br>
Stopping
ipa_memcached: <wbr>
[ OK ]<br>
Stopping
httpd: <wbr>
[FAILED]<br>
Stopping
pki-ca: <wbr>
[ OK ]<br>
Shutting down dirsrv:<br>
<MYREALM>... <wbr>
[ OK ]<br>
PKI-IPA... <wbr>
[ OK ]<br>
Aborting ipactl<br>
<br>
# service ipa status<br>
Directory Service:
STOPPED<br>
Failed to get list of
services to probe
status:<br>
Directory Server is
stopped<br>
###<br>
<br>
</div>
<div>Do you know how to
renew the SSL
certificate used for
the IPA Server ?<br>
<br>
</div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div>
</div>
Hello,<br>
<br>
please run<br>
<br>
# ipactl start --force<br>
# getcert list (to detect which
certificate is outdated, I suspect
DS cert (or to get more info why
it has not been renewed))<br>
<br>
If getcert does work (I'm not sure
if ti is able to work without
httpd), you probable need to move
time back to past where cert is
valid, start IPA and try again.<br>
<br>
Please find ID outdated
certificate and try resubmit it
(CA and DS must be running)<br>
<br>
# getcert resubmit -i
20160914122036 (use you ID :) )<br>
<br>
This should renew cert, check
status with getcert list<br>
<br>
Move time back to future (if
needed)<br>
<br>
Try to restart IPA<br>
<br>
Martin^2<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>