Add HTTPS to Sidecar for deployment (#8)

* add traefik config and update cli

* cannot use env variables in traefik.yaml, use static config env variables instead

* must call traefik with sudo to run on these ports

* use traefik cli args instead of env for key/cert

* move key/cert into dynamic_conf

* use different env formatting

* move tls config into a file created in cli command

* fix bug in dynamic_config

* fix bug in dynamic_config

* use different env format

* move dynamic config into cli

* make sure to wrap single quotes around double quotes when needed

* remove single/double quotes, add backticks

* fix ports

* use adjacent subdomains, not nested

* add draft-mpc.vercel.app to CORS domains

* make test data directory before generating it

* adjust ports, not inferred from network.toml

* use https not ws for checking status

* use http not https for checking status

* turn off verify for status check temporarily

* use https for status check

* turn off verification for terminate posts

* use https for terminate posts

* fix traefik bug

* remove tls from helper traefik config

* readd tls from helper traefik config

* try a different approach to not using tls for helpers

* local traefik working. helpers still not working with domains

* server updates, use localhost for ipa connections

* remove unneeded helper_domain from cli

* Update README.md

formating

* use sidecar0 instead of sidecar-coordinator

* removed signed call to /stop. needs to be handled differently

* add multi-threading to compile features for IPA

* add a step to generate the MPC steps file

* typo

* fix script path

* add env option to command

* add -m flag to collect_steps

* add cwd to subclasses of Command

* fix pylint errors

* use mkcert CA with httpx

* update github.tsx to warn if OCTOKIT_GITHUB_API_KEY isn't present

* avoid race condition with getting a query that may be being created

* add -f to git checkout command, as producing steps.txt causes an overwrite

* remove verify=False from httpx requests

* update readme for first use of mkcert

* refresh IPA self signed local_dev keys

* fix bug with test directory not existing, wrap query run in exception handling to call crash on exception

* fix pylint and grammer error

* update TODO in readme

.gitignore

@@ -10,3 +10,7 @@ IGNORE-ME*
 
 # local env files
 .env*
+
+# local certs
+local_dev/config/cert.pem
+local_dev/config/key.pem

README.md

@@ -4,7 +4,7 @@
 draft is a project designed to help test [IPA](https://github.com/private-attribution/ipa) at scale. It contains 2 components:
 
 1. draft-server: a web front end and service that starts queries an displays logs from the MPC helper servers
-2. draft-sidecar: a sidecar back end API that runs next to the IPA binary on helper servers. this include a CLI for setup and running.
+2. draft-sidecar: a sidecar back end API that runs next to the IPA binary on helper servers. This includes a CLI for setup and running.
 
 # Get started
 
@@ -94,11 +94,50 @@ In the output, you'll find an `ANON_KEY`. Update the `server/.env` file one more
 ```
 NEXT_PUBLIC_SUPABASE_URL="http://localhost:54321"
 NEXT_PUBLIC_SUPABASE_ANON_KEY="<ANON_KEY>"
-NEXT_PUBLIC_SITE_URL=http://localhost:3000
+NEXT_PUBLIC_SITE_URL="https://draft.test"
 SUPABASE_AUTH_GITHUB_CLIENT_ID="<CLIENT_ID>"
 SUPABASE_AUTH_GITHUB_SECRET="<CLIENT_SECRET>"
 ```
 
+**Traefik**
+
+install traefik
+
+```
+brew install traefik
+```
+
+update /etc/hosts with (requires sudo)
+
+```
+127.0.0.1 draft.test
+127.0.0.1 sidecar0.draft.test
+127.0.0.1 sidecar1.draft.test
+127.0.0.1 sidecar2.draft.test
+127.0.0.1 sidecar3.draft.test
+```
+
+make local certs
+
+install mkcert with
+
+```
+brew install mkcert
+```
+
+make the cert with
+
+```
+mkcert -cert-file "local_dev/config/cert.pem" -key-file "local_dev/config/key.pem" "draft.test" "*.draft.test"
+```
+
+If you get a warning about the cert not being installed (i.e., it's the first time you've used mkcert), also run:
+```
+mkcert -install
+```
+
+**Run local dev**
+
 You're now ready to install, run, and develop on `draft`!
 
 To start the local development environment:
@@ -113,7 +152,7 @@ draft start-local-dev
 
 If needed, clone this repo:
 ```
-git clone https://github.com/eriktaubeneck/draft.git
+git clone https://github.com/private-attribution/draft.git
 cd draft
 ```
 
@@ -124,6 +163,92 @@ source .venv/bin/activate
 pip install --editable .
 ```
 
+### IPA specific certs
+
+We check in self signed certs that are only for local development (and are not secure! They are in a public repo!)
+
+They will periodically expire. You can regenerate them with a compiled helper binary:
+
+```
+target/release/helper keygen --name localhost --tls-key local_dev/config/h1.key --tls-cert local_dev/config/pub/h1.pem --mk-public-key local_dev/config/pub/h1_mk.pub --mk-private-key local_dev/config/h1_mk.key
+target/release/helper keygen --name localhost --tls-key local_dev/config/h2.key --tls-cert local_dev/config/pub/h2.pem --mk-public-key local_dev/config/pub/h2_mk.pub --mk-private-key local_dev/config/h2_mk.key
+target/release/helper keygen --name localhost --tls-key local_dev/config/h3.key --tls-cert local_dev/config/pub/h3.pem --mk-public-key local_dev/config/pub/h3_mk.pub --mk-private-key local_dev/config/h3_mk.key
+```
+
+The public content will also need to be pasted into `local_dev/config/network.toml` for each helper.
+
+## Deployment
+
+### Requirements
+
+*Instructions for AWS Linux 2023*
+
+1. **Python3.11**: Install with `sudo yum install python3.11`
+2. **git**: Install with `sudo yum install git`
+3. **draft** (this package):
+    1. Clone with `git clone https://github.com/private-attribution/draft.git`
+    2. Enter directory `cd draft`.
+    3. Create virtualenv: `python3.11 -m venv .venv`
+    4. Use virtualeenv: `source .venv/bin/activate`
+    5. Upgrade pip: `pip install --upgrade pip`
+    6. Install: `pip install --editable .`
+4. **traefik**:
+    1. Download version 2.11: `wget https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz`
+    2. Validate checksum: `sha256sum traefik_v2.11.0_linux_amd64.tar.gz` should print `7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552  traefik_v2.11.0_linux_amd64.tar.gz`
+    3. Extract the binary: `tar -zxvf traefik_v2.11.0_linux_amd64.tar.gz`
+5. **tmux**: `sudo yum install tmux`
+
+
+### Generating TLS certs with Let's Encrypt
+
+You will need a domain name and TLS certificates for the sidecar to properly run over HTTPS. The following instructions assume your domain is `example.com`, please replace with the domain you'd like to use. You will need to create two sub-domains, `sidecar.example.com` and `helper.example.com`. (Note, you could also use a sub-domain as your base domain, e.g., `test.example.com` with two sub-domains of that: `sidecar.test.example.com` and `helper.test.example.com`.)
+
+1. Set up DNS records for `sidecar.example.com` and `helper.example.com` pointing to a server you control.
+2. Make sure you've installed the requirements above, and are using the virtual environment.
+3. Install `certbot`: `pip install certbot`
+4. `sudo .venv/bin/certbot certonly --standalone -m [email protected] -d "sidecar.example.com,helper.example.com"`
+    1. Note that you must point directly to `.venv/bin/certbot` as `sudo` does not operate in the virtualenv.
+5. Accept the [Let's Encrypt terms](https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf).
+
+
+### Make Configuration
+
+For this stage, you'll need to know a few things about the other parties involved:
+1. Their root domain
+2. Their public keys
+3. Everyone's *identity* (e.g., 0, 1, 2, 3)
+
+
+One you know these:
+1. Make a config directory `mkdir config`
+2. Copy the default network config: `cp local_dev/config/network.toml config/.`
+3. Update that file.
+    1. Replace `helper0.draft.test` and `sidecar0.draft.test` with the respective domains for party with identity=0.
+    2. Repeat for identity= 1, 2, and 3.
+    3. Replace respective certificates with their public keys.
+4. Move your Let's Encrypt key and cert into place: `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/fullchain.pem config/cert.pem` and `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/privkey.pem key.pem`
+5. Generate IPA specific keys:
+    1. Compile `ipa` with `cargo build --bin helper --features="web-app real-world-infra compact-gate stall-detection multi-threading" --no-default-features --release`
+    2. Make the keys with `target/release/helper keygen --name localhost --tls-key h1.key --tls-cert h1.pem --mk-public-key h1_mk.pub --mk-private-key h1_mk.key` (replace h1 with for each helper)
+    3. Add the public keys content into `network.toml`
+    4. Add the public keys to `config/pub` (all helpers need all helper public keys).
+    4. For each helper, put their private keys in `config`.
+
+
+### Run draft
+
+You'll want this to continue to run, even if you disconnect from the host, so it's a good idea to start a tmux session:
+
+```
+tmux new -s draft-session
+```
+
+```
+draft start-helper-sidecar --identity <identity> --root_domain example.com --config_path config
+```
+
+
+
 
-## Credit
+# Credit
 [Beer tap icons created by wanicon - Flaticon]("https://www.flaticon.com/free-icons/beer-tap")

local_dev/config/h1.key

@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgnHorOkrEJyf6LDPr
-0ILtQgWgXL49FX7ceoAouLg3wRuhRANCAAT61P9K+vLXu+dWdjoqKGatzasipb0g
-gLqOHg5OwazEaneNExmv0xLmg25xuwL7eD+EYfq9AXgixs6vODgSPihr
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNXRbeh+/oz5xv2yY
+uSR0EPFuRratsNNVf9BzoBthCZyhRANCAASa4rehLdFG8wIcRyHg04c8Sj7XGHx9
+hwa65bmXgEEsoNph/7uFVdZIgKswWXX/IQU7UTznqWD8WpXGGnbkj+Eo
 -----END PRIVATE KEY-----

local_dev/config/h1_mk.key

@@ -1 +1 @@
-e07c9bb08f1a70c8a65c82fd70d8cc6421eb52a400690643a45c9d793803d288
+9e98e12742ca6a1b6f7543b6fbe1e40f6ed946bcfaf94eabd8701b2c21c92773

local_dev/config/h2.key

@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgqzg9oloWvOdlsnLP
-tNtCTbsiN3/9VC3BIjw5jNlXNn6hRANCAATiidzqYon1ecMzoy+gW1ZflyljEVfh
-h0wANWdGQQXJQ8mJqo6RQGgZ95JGPO5cHRIimFZFqS51T5m55VRACVkt
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgpj/IkcF3+K5LvYO3
+rFBGXRLQcIDTITGMwrzH48IwdFqhRANCAARE1EvqrvduIUxdaPPxYgVi68qA8uWH
+vZVNkjywpBcfQ4vevAov5KWzYkR0aCDI82IziNSv1T5PQipvGHmGBwu5
 -----END PRIVATE KEY-----

local_dev/config/h2_mk.key

@@ -1 +1 @@
-17f3ee5d2f28aea3f6ad8c9a4ab448315c0447f85815d6d57599ed559315f353
+baa3cc11f2cfe092eb86acabc028889438735fc667d0c88214185f8802b316a7

local_dev/config/h3.key

@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjmstRdmbAtf3JqVq
-0u37RmTGbMn9+wrh0gijKuOKN/uhRANCAATpFEd+whG8LYmTVDpGsFQ5dy8wjIdL
-WyCrCjcKYiJIHih+boD4NeDJB96e51M3nUt9/akdgXvXr5S5qZhA3GwK
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPEB0qkkpZ1sp44NS
+Ogbiz1MLgvyO/N3uvXgEhEGtKGahRANCAATLqehLL42VKHNmfZtY2BVehHsQNyGq
+fmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6GlvM6AqqcjuVc
 -----END PRIVATE KEY-----

local_dev/config/network.toml

@@ -1,56 +1,56 @@
 [[peers]]
 certificate = """
 -----BEGIN CERTIFICATE-----
-MIIBZTCCAQugAwIBAgIIHerS5sIdRy4wCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
-bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG
-A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+tT/Svry
-17vnVnY6Kihmrc2rIqW9IIC6jh4OTsGsxGp3jRMZr9MS5oNucbsC+3g/hGH6vQF4
-IsbOrzg4Ej4oa6NHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
+MIIBZTCCAQugAwIBAgIIRxb0DaIIjkkwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
+bG9jYWxob3N0MB4XDTI0MDMxNTAxMTI0M1oXDTI0MDYxNDAxMTI0M1owFDESMBAG
+A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmuK3oS3R
+RvMCHEch4NOHPEo+1xh8fYcGuuW5l4BBLKDaYf+7hVXWSICrMFl1/yEFO1E856lg
+/FqVxhp25I/hKKNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
 AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
-SAAwRQIgZyp9ReXpjC+ZVx/rZ8lk5kGgWsvNQhvidpE6EPD8wP4CIQD0hZSIXPEC
-N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw==
+SAAwRQIgYgv5V5unp9q0WSnuPttA5fNASFLKrvslL+T0BKfLjRoCIQC4B+fmHpqX
+GVYq2Y0sGz79X+evTPmyJo7X3ye5DlSDeg==
 -----END CERTIFICATE-----
 """
 url = "localhost:7431"
-sidecar_port = "17431"
+sidecar_url = "sidecar1.draft.test"
 
 [peers.hpke]
 public_key = "fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e"
 
 [[peers]]
 certificate = """
 -----BEGIN CERTIFICATE-----
-MIIBZDCCAQugAwIBAgIIVcv1NVaCs0swCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
-bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG
-A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4onc6mKJ
-9XnDM6MvoFtWX5cpYxFX4YdMADVnRkEFyUPJiaqOkUBoGfeSRjzuXB0SIphWRaku
-dU+ZueVUQAlZLaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
+MIIBZDCCAQugAwIBAgIIIHqS6JxF2+AwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
+bG9jYWxob3N0MB4XDTI0MDMxNTAxMTMyMVoXDTI0MDYxNDAxMTMyMVowFDESMBAG
+A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERNRL6q73
+biFMXWjz8WIFYuvKgPLlh72VTZI8sKQXH0OL3rwKL+Sls2JEdGggyPNiM4jUr9U+
+T0Iqbxh5hgcLuaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
 AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
-RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD
-9ylYODUrZag+pK4GCiq2UdjUVMuq/8l1
+RwAwRAIgUBVQLsrbhfoLfg6a2ATU+ulhYmFNvweQ/Xj1M9QgXaECIEbsLs0h4TRG
+loU+/Eo4LOm5CkEd8fPOuSdZTp1s8IGT
 -----END CERTIFICATE-----
 """
 url = "localhost:7432"
-sidecar_port = "17432"
+sidecar_url = "sidecar2.draft.test"
 
 [peers.hpke]
 public_key = "4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d"
 
 [[peers]]
 certificate = """
 -----BEGIN CERTIFICATE-----
-MIIBZTCCAQugAwIBAgIITHy0LezBdSAwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
-bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG
-A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6RRHfsIR
-vC2Jk1Q6RrBUOXcvMIyHS1sgqwo3CmIiSB4ofm6A+DXgyQfenudTN51Lff2pHYF7
-16+UuamYQNxsCqNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
-AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
-SAAwRQIgDKTyh8M5hbF1k0o5tAFMFd3NeSekm1P4fb6u+jH9LxcCIQDTIPObVtwc
-B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g==
+MIIBYzCCAQqgAwIBAgIHYwBqW8VtbjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls
+b2NhbGhvc3QwHhcNMjQwMzE1MDExMzUyWhcNMjQwNjE0MDExMzUyWjAUMRIwEAYD
+VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLqehLL42V
+KHNmfZtY2BVehHsQNyGqfmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6G
+lvM6AqqcjuVco0cwRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQD
+AgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNH
+ADBEAiAfszb6imTolbufxqBhMd5gmCRmdxLWVDYCCF3wpa0bLQIgVDzc0X3eqN5U
+Ghgnqau5gaGAljARRWQNo8WVu6juWjs=
 -----END CERTIFICATE-----
 """
 url = "localhost:7433"
-sidecar_port = "17433"
+sidecar_url = "sidecar3.draft.test"
 
 [peers.hpke]
 public_key = "ebedcfa02354a1d17aed80b0ed55028d0616152d5f8971291e030231dc92063d"
@@ -61,14 +61,16 @@ version = "http2"
 
 [coordinator]
 url = "localhost:7430"
-sidecar_port = "17430"
+sidecar_url = "sidecar0.draft.test"
 certificate = """
 -----BEGIN CERTIFICATE-----
-MIIBHDCBwqADAgECAghMfLQt7MF1IDAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls
-b2NhbGhvc3QwHhcNMjMxMjE1MTk1MTUwWhcNMjQwMzE1MTk1MTUwWjAUMRIwEAYD
-VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASP4CHXZ0iC
-uuWu0Cl3cczy8kpztvc2thbitqVR4o7G1rbifsTu+Iva9FD7wTWodq3pzvMAsTI8
-2QrGoB6cbELHMAoGCCqGSM49BAMCA0kAMEYCIQDavRFEtYwIR0lFZ0aZz0Pw4ZuJ
-3AOJm90MaoL/Qwd0TAIhAM975+pAXYOZaXJNG3nhPKnXZRtcWLnNO3gXaMg9k6h0
+MIIBZDCCAQugAwIBAgIIechkxwTdoxUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
+bG9jYWxob3N0MB4XDTI0MDMxNTAxMTQzNloXDTI0MDYxNDAxMTQzNlowFDESMBAG
+A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECDd9DJ5Y
+9+8CGmIxSmFqhL3geQrGBoNwzgz9ohidaFVdh9tzG1X4PdqegHp4KsyIZPjPEewG
+OnIeuQGl0FllcaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
+AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
+RwAwRAIgcwd2+uARHJA6GCp5FbUAVJDweRx6cC8QSjjY+aqxr2oCIEhSf5o5lbvj
+01Um1sTpQaLMd0qRgsYs5mINziRFZBap
 -----END CERTIFICATE-----
 """

local_dev/config/pub/h1.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBZTCCAQugAwIBAgIIHerS5sIdRy4wCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
-bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG
-A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+tT/Svry
-17vnVnY6Kihmrc2rIqW9IIC6jh4OTsGsxGp3jRMZr9MS5oNucbsC+3g/hGH6vQF4
-IsbOrzg4Ej4oa6NHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
+MIIBZTCCAQugAwIBAgIIRxb0DaIIjkkwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
+bG9jYWxob3N0MB4XDTI0MDMxNTAxMTI0M1oXDTI0MDYxNDAxMTI0M1owFDESMBAG
+A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmuK3oS3R
+RvMCHEch4NOHPEo+1xh8fYcGuuW5l4BBLKDaYf+7hVXWSICrMFl1/yEFO1E856lg
+/FqVxhp25I/hKKNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
 AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
-SAAwRQIgZyp9ReXpjC+ZVx/rZ8lk5kGgWsvNQhvidpE6EPD8wP4CIQD0hZSIXPEC
-N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw==
+SAAwRQIgYgv5V5unp9q0WSnuPttA5fNASFLKrvslL+T0BKfLjRoCIQC4B+fmHpqX
+GVYq2Y0sGz79X+evTPmyJo7X3ye5DlSDeg==
 -----END CERTIFICATE-----

local_dev/config/pub/h1_mk.pub

@@ -1 +1 @@
-fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e
+008eb82d82def11d250243bc06d96637e9fa73e362de92ae729b6a599cc15b5c

local_dev/config/pub/h2.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBZDCCAQugAwIBAgIIVcv1NVaCs0swCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
-bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG
-A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4onc6mKJ
-9XnDM6MvoFtWX5cpYxFX4YdMADVnRkEFyUPJiaqOkUBoGfeSRjzuXB0SIphWRaku
-dU+ZueVUQAlZLaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
+MIIBZDCCAQugAwIBAgIIIHqS6JxF2+AwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
+bG9jYWxob3N0MB4XDTI0MDMxNTAxMTMyMVoXDTI0MDYxNDAxMTMyMVowFDESMBAG
+A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERNRL6q73
+biFMXWjz8WIFYuvKgPLlh72VTZI8sKQXH0OL3rwKL+Sls2JEdGggyPNiM4jUr9U+
+T0Iqbxh5hgcLuaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
 AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
-RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD
-9ylYODUrZag+pK4GCiq2UdjUVMuq/8l1
+RwAwRAIgUBVQLsrbhfoLfg6a2ATU+ulhYmFNvweQ/Xj1M9QgXaECIEbsLs0h4TRG
+loU+/Eo4LOm5CkEd8fPOuSdZTp1s8IGT
 -----END CERTIFICATE-----

local_dev/config/pub/h2_mk.pub

@@ -1 +1 @@
-4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d
+d7cdae88176fd5ee2bef524b776a15fc52e4b9c3f986d34fe815c7463e7a425b

local_dev/config/pub/h3.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBZTCCAQugAwIBAgIITHy0LezBdSAwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ
-bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG
-A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6RRHfsIR
-vC2Jk1Q6RrBUOXcvMIyHS1sgqwo3CmIiSB4ofm6A+DXgyQfenudTN51Lff2pHYF7
-16+UuamYQNxsCqNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE
-AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID
-SAAwRQIgDKTyh8M5hbF1k0o5tAFMFd3NeSekm1P4fb6u+jH9LxcCIQDTIPObVtwc
-B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g==
+MIIBYzCCAQqgAwIBAgIHYwBqW8VtbjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls
+b2NhbGhvc3QwHhcNMjQwMzE1MDExMzUyWhcNMjQwNjE0MDExMzUyWjAUMRIwEAYD
+VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLqehLL42V
+KHNmfZtY2BVehHsQNyGqfmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6G
+lvM6AqqcjuVco0cwRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQD
+AgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNH
+ADBEAiAfszb6imTolbufxqBhMd5gmCRmdxLWVDYCCF3wpa0bLQIgVDzc0X3eqN5U
+Ghgnqau5gaGAljARRWQNo8WVu6juWjs=
 -----END CERTIFICATE-----

local_dev/config/pub/h3_mk.pub

@@ -1 +1 @@
-ebedcfa02354a1d17aed80b0ed55028d0616152d5f8971291e030231dc92063d
+db0edf0d4148340a36a286c5dfcc99fe42fcbfb3a4d491fd961730adc4ca5545