trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

VPN deployment Successful but cannot connect to certain sites #1012

Closed awwong1 closed 6 years ago

awwong1 commented 6 years ago

OS / Environment (where do you run Algo on)

$ uname -a
Linux Alexanders-Dell-XPS13 4.16.0-2-amd64 #1 SMP Debian 4.16.16-2 (2018-06-22) x86_64 GNU/Linux

I should also note that I do not see these issues on my Android device.

Cloud Provider (where do you deploy Algo to)

Digital Ocean

Summary of the problem

I mentioned this briefly in https://github.com/trailofbits/algo/issues/993 but I figured I'd open a new issue.

I have successfully set up my VPN on Digital Ocean. Connecting to most sites is error-free. However, there are at least two sites/web applications that I use frequently that are throwing errors.

The first site is University of Alberta (https://ualberta.ca) and the second is the API server for Signal Messenger's desktop application.

Steps to reproduce the behavior

$ curl -v https://textsecure-service.whispersystems.org/v1/attachments/892511161702572301
*   Trying 52.205.21.30...
* TCP_NODELAY set
* Connected to textsecure-service.whispersystems.org (52.205.21.30) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to textsecure-service.whispersystems.org:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to textsecure-service.whispersystems.org:443 
# University of Alberta
$ curl -v https://ualberta.ca
* Rebuilt URL to: https://ualberta.ca/
* Could not resolve host: ualberta.ca
* Closing connection 0
curl: (6) Could not resolve host: ualberta.ca

$ wget -v https://ualberta.ca/
--2018-06-25 08:07:16--  https://ualberta.ca/
Resolving ualberta.ca (ualberta.ca)... 52.202.119.65
Connecting to ualberta.ca (ualberta.ca)|52.202.119.65|:443... connected.

# this hangs forever here

Full Log

I've already set up my algo server (using https://github.com/trailofbits/algo/commit/6faac307afe98465a3d8bf9f7ddd6566dd8a6506). This is the output after running ./algo update-users.

$ ./algo update-users

Enter the IP address of your server: (or use localhost for local installation)
: 159.89.119.142

What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]: 

Do you want each user to have their own account for SSH tunneling?
[y/N]: y

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[159.89.119.142]: 

Enter the password for the private CA key:
[pasted values will not be displayed]
: 
PLAY [localhost] ********************************************************************

TASK [Add the server to the vpn-host group] *****************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] **********************************************
ok: [localhost -> localhost]

PLAY [User management] **************************************************************

TASK [Gathering Facts] **************************************************************
ok: [159.89.119.142]

TASK [Common pre-tasks] *************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/common.yml for 159.89.119.142

TASK [Check the system] *************************************************************
changed: [159.89.119.142]

TASK [Ubuntu pre-tasks] *************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/ubuntu.yml for 159.89.119.142

TASK [Ubuntu | Install prerequisites] ***********************************************
changed: [159.89.119.142] => (item=sleep 10)
changed: [159.89.119.142] => (item=apt-get update -qq)
changed: [159.89.119.142] => (item=apt-get install -qq -y python2.7 sudo)

TASK [Ubuntu | Configure defaults] **************************************************
changed: [159.89.119.142]

TASK [FreeBSD pre-tasks] ************************************************************
skipping: [159.89.119.142]

TASK [include_tasks] ****************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/facts/main.yml for 159.89.119.142

TASK [Gather Facts] *****************************************************************
ok: [159.89.119.142]

TASK [Ensure the algo ssh key exist on the server] **********************************
ok: [159.89.119.142]

TASK [Check if IPv6 configured] *****************************************************
ok: [159.89.119.142]

TASK [Set facts if the deployment in a cloud] ***************************************
ok: [159.89.119.142]

TASK [Generate password for the CA key] *********************************************
changed: [159.89.119.142 -> localhost]

TASK [Generate p12 export password] *************************************************
changed: [159.89.119.142 -> localhost]

TASK [Define password facts] ********************************************************
ok: [159.89.119.142]

TASK [Define the commonName] ********************************************************
ok: [159.89.119.142]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] *********
ok: [159.89.119.142]

TASK [ssh_tunneling : Ensure that the algo group exist] *****************************
ok: [159.89.119.142]

TASK [ssh_tunneling : Ensure that the jail directory exist] *************************
ok: [159.89.119.142]

TASK [ssh_tunneling : Ensure that the SSH users exist] ******************************
ok: [159.89.119.142] => (item=alexander)
ok: [159.89.119.142] => (item=arthur)
ok: [159.89.119.142] => (item=bonnie)
ok: [159.89.119.142] => (item=dan)
ok: [159.89.119.142] => (item=jack)

TASK [ssh_tunneling : The authorized keys file created] *****************************
ok: [159.89.119.142] => (item=alexander)
ok: [159.89.119.142] => (item=arthur)
ok: [159.89.119.142] => (item=bonnie)
ok: [159.89.119.142] => (item=dan)
ok: [159.89.119.142] => (item=jack)

TASK [ssh_tunneling : Generate SSH fingerprints] ************************************
changed: [159.89.119.142]

TASK [ssh_tunneling : Fetch users SSH private keys] *********************************
ok: [159.89.119.142] => (item=alexander)
ok: [159.89.119.142] => (item=arthur)
ok: [159.89.119.142] => (item=bonnie)
ok: [159.89.119.142] => (item=dan)
ok: [159.89.119.142] => (item=jack)

TASK [ssh_tunneling : Change mode for SSH private keys] *****************************
ok: [159.89.119.142 -> localhost] => (item=alexander)
ok: [159.89.119.142 -> localhost] => (item=arthur)
ok: [159.89.119.142 -> localhost] => (item=bonnie)
ok: [159.89.119.142 -> localhost] => (item=dan)
ok: [159.89.119.142 -> localhost] => (item=jack)

TASK [ssh_tunneling : Fetch the known_hosts file] ***********************************
ok: [159.89.119.142 -> localhost]

TASK [ssh_tunneling : Build the client ssh config] **********************************
ok: [159.89.119.142 -> localhost] => (item=alexander)
ok: [159.89.119.142 -> localhost] => (item=arthur)
ok: [159.89.119.142 -> localhost] => (item=bonnie)
ok: [159.89.119.142 -> localhost] => (item=dan)
ok: [159.89.119.142 -> localhost] => (item=jack)

TASK [ssh_tunneling : SSH | Get active system users] ********************************
changed: [159.89.119.142]

TASK [ssh_tunneling : SSH | Delete non-existing users] ******************************
skipping: [159.89.119.142] => (item=alexander) 
skipping: [159.89.119.142] => (item=arthur) 
skipping: [159.89.119.142] => (item=bonnie) 
skipping: [159.89.119.142] => (item=dan) 
skipping: [159.89.119.142] => (item=jack) 

TASK [wireguard : Delete the lock files] ********************************************
skipping: [159.89.119.142] => (item=alexander) 
skipping: [159.89.119.142] => (item=arthur) 
skipping: [159.89.119.142] => (item=bonnie) 
skipping: [159.89.119.142] => (item=dan) 
skipping: [159.89.119.142] => (item=jack) 
skipping: [159.89.119.142] => (item=159.89.119.142) 

TASK [wireguard : Generate private keys] ********************************************
ok: [159.89.119.142] => (item=alexander)
ok: [159.89.119.142] => (item=arthur)
ok: [159.89.119.142] => (item=bonnie)
ok: [159.89.119.142] => (item=dan)
ok: [159.89.119.142] => (item=jack)
ok: [159.89.119.142] => (item=159.89.119.142)
 [WARNING]: As of Ansible 2.4, the parameter 'executable' is no longer supported
with the 'command' module. Not using 'bash'.

TASK [wireguard : Save private keys] ************************************************
skipping: [159.89.119.142] => (item=None) 
skipping: [159.89.119.142] => (item=None) 
skipping: [159.89.119.142] => (item=None) 
skipping: [159.89.119.142] => (item=None) 
skipping: [159.89.119.142] => (item=None) 
skipping: [159.89.119.142] => (item=None) 

TASK [wireguard : Touch the lock file] **********************************************
skipping: [159.89.119.142] => (item=alexander) 
skipping: [159.89.119.142] => (item=arthur) 
skipping: [159.89.119.142] => (item=bonnie) 
skipping: [159.89.119.142] => (item=dan) 
skipping: [159.89.119.142] => (item=jack) 
skipping: [159.89.119.142] => (item=159.89.119.142) 

TASK [wireguard : Generate public keys] *********************************************
ok: [159.89.119.142] => (item=alexander)
ok: [159.89.119.142] => (item=arthur)
ok: [159.89.119.142] => (item=bonnie)
ok: [159.89.119.142] => (item=dan)
ok: [159.89.119.142] => (item=jack)
ok: [159.89.119.142] => (item=159.89.119.142)

TASK [wireguard : Save public keys] *************************************************
ok: [159.89.119.142] => (item=None)
ok: [159.89.119.142] => (item=None)
ok: [159.89.119.142] => (item=None)
ok: [159.89.119.142] => (item=None)
ok: [159.89.119.142] => (item=None)
ok: [159.89.119.142] => (item=None)

TASK [wireguard : WireGuard configured] *********************************************
ok: [159.89.119.142]

TASK [wireguard : WireGuard users config generated] *********************************
ok: [159.89.119.142 -> localhost] => (item=(0, u'alexander'))
ok: [159.89.119.142 -> localhost] => (item=(1, u'arthur'))
ok: [159.89.119.142 -> localhost] => (item=(2, u'bonnie'))
ok: [159.89.119.142 -> localhost] => (item=(3, u'dan'))
ok: [159.89.119.142 -> localhost] => (item=(4, u'jack'))

TASK [vpn : include_tasks] **********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/openssl.yml for 159.89.119.142

TASK [vpn : Set subjectAltName as a fact] *******************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Ensure the pki directory does not exist] ********************************
skipping: [159.89.119.142]

TASK [vpn : Ensure the pki directories exist] ***************************************
ok: [159.89.119.142 -> localhost] => (item=ecparams)
ok: [159.89.119.142 -> localhost] => (item=certs)
ok: [159.89.119.142 -> localhost] => (item=crl)
ok: [159.89.119.142 -> localhost] => (item=newcerts)
ok: [159.89.119.142 -> localhost] => (item=private)
ok: [159.89.119.142 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] *************************************************
changed: [159.89.119.142 -> localhost] => (item=.rnd)
changed: [159.89.119.142 -> localhost] => (item=private/.rnd)
changed: [159.89.119.142 -> localhost] => (item=index.txt)
changed: [159.89.119.142 -> localhost] => (item=index.txt.attr)
changed: [159.89.119.142 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] ************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Build the CA pair] ******************************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Copy the CA certificate] ************************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Generate the serial number] *********************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Build the server pair] **************************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Build the client's pair] ************************************************
ok: [159.89.119.142 -> localhost] => (item=alexander)
ok: [159.89.119.142 -> localhost] => (item=arthur)
ok: [159.89.119.142 -> localhost] => (item=bonnie)
ok: [159.89.119.142 -> localhost] => (item=dan)
ok: [159.89.119.142 -> localhost] => (item=jack)

TASK [vpn : Build the client's p12] *************************************************
changed: [159.89.119.142 -> localhost] => (item=alexander)
changed: [159.89.119.142 -> localhost] => (item=arthur)
changed: [159.89.119.142 -> localhost] => (item=bonnie)
changed: [159.89.119.142 -> localhost] => (item=dan)
changed: [159.89.119.142 -> localhost] => (item=jack)

TASK [vpn : Copy the p12 certificates] **********************************************
changed: [159.89.119.142 -> localhost] => (item=alexander)
changed: [159.89.119.142 -> localhost] => (item=arthur)
changed: [159.89.119.142 -> localhost] => (item=bonnie)
changed: [159.89.119.142 -> localhost] => (item=dan)
changed: [159.89.119.142 -> localhost] => (item=jack)

TASK [vpn : Get active users] *******************************************************
changed: [159.89.119.142 -> localhost]

TASK [vpn : Revoke non-existing users] **********************************************
skipping: [159.89.119.142] => (item=alexander) 
skipping: [159.89.119.142] => (item=arthur) 
skipping: [159.89.119.142] => (item=bonnie) 
skipping: [159.89.119.142] => (item=dan) 
skipping: [159.89.119.142] => (item=jack) 

TASK [vpn : Genereate new CRL file] *************************************************
skipping: [159.89.119.142]

TASK [vpn : Copy the CRL to the vpn server] *****************************************
skipping: [159.89.119.142]

TASK [vpn : include_tasks] **********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/client_configs.yml for 159.89.119.142

TASK [vpn : Register p12 PayloadContent] ********************************************
changed: [159.89.119.142 -> localhost] => (item=alexander)
changed: [159.89.119.142 -> localhost] => (item=arthur)
changed: [159.89.119.142 -> localhost] => (item=bonnie)
changed: [159.89.119.142 -> localhost] => (item=dan)
changed: [159.89.119.142 -> localhost] => (item=jack)

TASK [vpn : Set facts for mobileconfigs] ********************************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Build the mobileconfigs] ************************************************
changed: [159.89.119.142] => (item=None)
changed: [159.89.119.142] => (item=None)
changed: [159.89.119.142] => (item=None)
changed: [159.89.119.142] => (item=None)
changed: [159.89.119.142] => (item=None)

TASK [vpn : Build the client ipsec config file] *************************************
changed: [159.89.119.142 -> localhost] => (item=alexander)
changed: [159.89.119.142 -> localhost] => (item=arthur)
changed: [159.89.119.142 -> localhost] => (item=bonnie)
changed: [159.89.119.142 -> localhost] => (item=dan)
changed: [159.89.119.142 -> localhost] => (item=jack)

TASK [vpn : Build the client ipsec secret file] *************************************
ok: [159.89.119.142 -> localhost] => (item=alexander)
ok: [159.89.119.142 -> localhost] => (item=arthur)
ok: [159.89.119.142 -> localhost] => (item=bonnie)
ok: [159.89.119.142 -> localhost] => (item=dan)
ok: [159.89.119.142 -> localhost] => (item=jack)

TASK [vpn : Create the windows check file] ******************************************
skipping: [159.89.119.142]

TASK [vpn : Check if the windows check file exists] *********************************
ok: [159.89.119.142 -> localhost]

TASK [vpn : Build the windows client powershell script] *****************************

TASK [vpn : Restrict permissions for the local private directories] *****************
ok: [159.89.119.142 -> localhost] => (item=configs/159.89.119.142)

TASK [debug] ************************************************************************
ok: [159.89.119.142] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#               Local DNS resolver 172.16.0.1              #\"", 
            ""
        ], 
        "    \"#                The p12 and SSH keys password for new users is 934Ao1bt             #\"\n"
    ]
}

PLAY RECAP **************************************************************************
159.89.119.142             : ok=54   changed=15   unreachable=0    failed=0   
localhost                  : ok=2    changed=1    unreachable=0    failed=0 

jackivanov commented 6 years ago

Covered here

awwong1 commented 6 years ago

Hi @jackivanov, I believe my MTU is set correctly at 1500?

$ ping -M do -s 1500 www.google.com
PING www.google.com (216.58.216.164) 1500(1528) bytes of data.
ping: local error: Message too long, mtu=1500
ping: local error: Message too long, mtu=1500
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1011ms

$ sudo ifconfig
br-1b543be42e96: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:cfff:fead:205e  prefixlen 64  scopeid 0x20<link>
        ether 02:42:cf:ad:20:5e  txqueuelen 0  (Ethernet)
        RX packets 6402  bytes 2202050 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10195  bytes 3341763 (3.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:33:64:69:be  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 14826  bytes 5058045 (4.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14826  bytes 5058045 (4.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth201a7d4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc6d:b4ff:feb4:c001  prefixlen 64  scopeid 0x20<link>
        ether fe:6d:b4:b4:c0:01  txqueuelen 0  (Ethernet)
        RX packets 6060  bytes 2262188 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9997  bytes 3125139 (2.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth79c38b9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::c896:7fff:fe35:6516  prefixlen 64  scopeid 0x20<link>
        ether ca:96:7f:35:65:16  txqueuelen 0  (Ethernet)
        RX packets 342  bytes 29490 (28.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3971  bytes 921157 (899.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp58s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.247.43  netmask 255.255.252.0  broadcast 172.17.247.255
        inet6 fe80::8be3:58ee:e949:33bc  prefixlen 64  scopeid 0x20<link>
        ether 9c:b6:d0:fe:50:75  txqueuelen 1000  (Ethernet)
        RX packets 3403935  bytes 4681721847 (4.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 919980  bytes 92976300 (88.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
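
The `ping` output above reports `1500(1528) bytes of data`: `-s` sets the ICMP payload, and the 28 bytes of IPv4 and ICMP headers take the packet past the 1500-byte interface MTU, so the error is raised locally before anything is sent and says nothing about the path through the tunnel. The script below is an added example (not part of the original thread or of Algo) that binary-searches for the largest payload that crosses a path with the DF bit set; the function names and the simulated 1400-byte path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: path MTU search with "don't fragment" echo requests.
# Function names and the simulated path are hypothetical, not from Algo.

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Constructed sample value: a path that carries at most 1400-byte packets.
SIM_PATH_MTU=${SIM_PATH_MTU:-1400}

# Real probe (Linux iputils ping): one echo request with DF set.
#   $1 = host, $2 = ICMP payload size in bytes
# Returns 0 only if a reply came back within 2 seconds.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Offline stand-in for probe_ping: succeeds when payload plus headers
# fits inside SIM_PATH_MTU. The host argument is ignored.
probe_simulated() {
    [ $(( $2 + IP_ICMP_OVERHEAD )) -le "$SIM_PATH_MTU" ]
}

# Binary search for the largest payload the probe accepts.
#   $1 = probe function, $2 = host, $3 = lowest payload, $4 = highest payload
# Prints the resulting path MTU (payload + 28). Prints 0 and returns 1 when
# even the lowest payload gets no reply (host down, ICMP filtered, ...).
path_mtu() {
    probe=$1 host=$2 lo=$3 hi=$4
    "$probe" "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        # Round up so the loop always makes progress when lo + 1 = hi.
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + IP_ICMP_OVERHEAD ))
}

# Usage against a live host, run once with the VPN down and once with it up.
# 1472 is the largest payload a 1500-byte interface can send (1500 - 28):
#   path_mtu probe_ping www.google.com 0 1472
```

A result below 1500 with the VPN connected means full-size packets are not getting through the tunnel unfragmented.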

dguido commented 6 years ago

Does this continue to happen if you switch to a different provider? Some services simply block various VPS ranges and there's nothing you can do.

awwong1 commented 6 years ago

I'm not sure if this is a provider issue, @dguido, as my mobile device which uses the same Algo instance connects without issues to the listed sites.

I will try again using Amazon and make a comment on this issue.

awwong1 commented 6 years ago

Issue still occurs using Amazon as my provider.

$ uname -a
Linux Alexanders-Dell-XPS13 4.16.0-2-amd64 #1 SMP Debian 4.16.16-2 (2018-06-22) x86_64 GNU/Linux
$ apt-cache policy network-manager
network-manager:
  Installed: 1.10.8-1
  Candidate: 1.10.8-1
  Version table:
 *** 1.10.8-1 500
        500 http://ftp.ca.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy network-manager-strongswan
network-manager-strongswan:
  Installed: 1.4.4-1
  Candidate: 1.4.4-1
  Version table:
 *** 1.4.4-1 500
        500 http://ftp.ca.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status

VPN works in general, but the same previous sites fail.

$ curl -v https://ipinfo.io
* Rebuilt URL to: https://ipinfo.io/
*   Trying 216.239.34.21...
* TCP_NODELAY set
* Connected to ipinfo.io (216.239.34.21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ipinfo.io
*  start date: May  2 02:14:57 2018 GMT
*  expire date: Jul 31 02:14:57 2018 GMT
*  subjectAltName: host "ipinfo.io" matched cert's "ipinfo.io"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56500702ea80)
> GET / HTTP/2
> Host: ipinfo.io
> User-Agent: curl/7.60.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< date: Wed, 27 Jun 2018 13:51:11 GMT
< content-type: application/json; charset=utf-8
< content-length: 243
< vary: Accept-Encoding
< x-powered-by: Express
< x-cloud-trace-context: ee4b70a541e24af9e10a6800cb437b7e/7774641283458459198;o=0
< access-control-allow-origin: *
< x-content-type-options: nosniff
< via: 1.1 google
< 
{
  "ip": "35.161.5.226",
  "hostname": "ec2-35-161-5-226.us-west-2.compute.amazonaws.com",
  "city": "Boardman",
  "region": "Oregon",
  "country": "US",
  "loc": "45.8696,-119.6880",
  "postal": "97818",
  "org": "AS16509 Amazon.com, Inc."
* Connection #0 to host ipinfo.io left intact

$ curl -v https://www.ualberta.ca
* Rebuilt URL to: https://www.ualberta.ca/
*   Trying 54.86.190.74...
* TCP_NODELAY set
* Connected to www.ualberta.ca (54.86.190.74) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
^C

Using the latest source code at commit b061df66310f656ac555c03764bf2f64817d01b5.

What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine
    5. Scaleway
    6. OpenStack (DreamCompute optimised)
    7. Install to existing Ubuntu 16.04 server (Advanced)

Enter the number of your desired provider
: 2

Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md).
[pasted values will not be displayed]
[AKIA...]: 

Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
[pasted values will not be displayed]
[ABCD...]: 

Name the vpn server:
[algo]: 

  What region should the server be located in?
    1.   us-east-1           US East (N. Virginia)
    2.   us-east-2           US East (Ohio)
    3.   us-west-1           US West (N. California)
    4.   us-west-2           US West (Oregon)
    5.   ca-central-1        Canada (Central)
    6.   eu-central-1        EU (Frankfurt)
    7.   eu-west-1           EU (Ireland)
    8.   eu-west-2           EU (London)
    9.   eu-west-3           EU (Paris)
    10.  ap-northeast-1      Asia Pacific (Tokyo)
    11.  ap-northeast-2      Asia Pacific (Seoul)
    12.  ap-northeast-3      Asia Pacific (Osaka-Local)
    13.  ap-southeast-1      Asia Pacific (Singapore)
    14.  ap-southeast-2      Asia Pacific (Sydney)
    15.  ap-south-1          Asia Pacific (Mumbai)
    16.  sa-east-1           South America (São Paulo)

Enter the number of your desired region:
[1]: 4

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
: 

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: N

Do you want each user to have their own account for SSH tunneling?
[y/N]: y

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: y

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: y

PLAY [Configure the server] **********************************************************

TASK [Gathering Facts] ***************************************************************
ok: [localhost]

TASK [Local pre-tasks] ***************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/local.yml for localhost

TASK [Generate the SSH private key] **************************************************
ok: [localhost]

TASK [Generate the SSH public key] ***************************************************
ok: [localhost]

TASK [Change mode for the SSH private key] *******************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] *******************************************
ok: [localhost]

TASK [cloud-ec2 : set_fact] **********************************************************
ok: [localhost]

TASK [cloud-ec2 : Locate official AMI for region] ************************************
ok: [localhost]

TASK [cloud-ec2 : set_fact] **********************************************************
ok: [localhost]

TASK [cloud-ec2 : include_tasks] *****************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/cloud-ec2/tasks/cloudformation.yml for localhost

TASK [cloud-ec2 : Deploy the template] ***********************************************
changed: [localhost]

TASK [cloud-ec2 : Add new instance to host group] ************************************
changed: [localhost]

TASK [cloud-ec2 : set_fact] **********************************************************
ok: [localhost]

TASK [cloud-ec2 : Get EC2 instances] *************************************************
ok: [localhost]

TASK [cloud-ec2 : Ensure the group ec2 exists in the dynamic inventory file] *********
changed: [localhost]

TASK [cloud-ec2 : Populate the dynamic inventory] ************************************
changed: [localhost] => (item={u'root_device_type': u'ebs', u'private_dns_name': u'ip-172-16-255-247.us-west-2.compute.internal', u'cpu_options': {u'core_count': 1, u'threads_per_core': 1}, u'security_groups': [{u'group_id': u'sg-68736819', u'group_name': u'algo-InstanceSecurityGroup-17U3LA7V9HHZK'}], u'monitoring': {u'state': u'disabled'}, u'subnet_id': u'subnet-01089a4a', u'ebs_optimized': False, u'state': {u'code': 16, u'name': u'running'}, u'source_dest_check': True, u'client_token': u'algo-EC2Ins-5GK3EFMO47X7', u'virtualization_type': u'hvm', u'architecture': u'x86_64', u'public_ip_address': u'35.161.5.226', u'tags': {u'Environment': u'Algo', u'aws:cloudformation:stack-name': u'algo', u'aws:cloudformation:logical-id': u'EC2Instance', u'aws:cloudformation:stack-id': u'arn:aws:cloudformation:us-west-2:593583987155:stack/algo/c9afdf30-7a0d-11e8-9cac-0ad5109330ec', u'Name': u'Algo'}, u'image_id': u'ami-39c28c41', u'ena_support': True, u'public_dns_name': u'ec2-35-161-5-226.us-west-2.compute.amazonaws.com', u'block_device_mappings': [{u'device_name': u'/dev/sda1', u'ebs': {u'status': u'attached', u'delete_on_termination': True, u'attach_time': u'2018-06-27T13:28:25+00:00', u'volume_id': u'vol-0e544a040d928337b'}}], u'placement': {u'group_name': u'', u'tenancy': u'default', u'availability_zone': u'us-west-2b'}, u'ami_launch_index': 0, u'hypervisor': u'xen', u'network_interfaces': [{u'status': u'in-use', u'description': u'', u'subnet_id': u'subnet-01089a4a', u'ipv6_addresses': [{u'ipv6_address': u'2600:1f14:8a:a900:5168:b0cb:20a6:d01e'}], u'network_interface_id': u'eni-871d6b7b', u'private_dns_name': u'ip-172-16-255-247.us-west-2.compute.internal', u'attachment': {u'status': u'attached', u'device_index': 0, u'attachment_id': u'eni-attach-89766041', u'delete_on_termination': True, u'attach_time': u'2018-06-27T13:28:24+00:00'}, u'private_ip_addresses': [{u'private_ip_address': u'172.16.255.247', u'private_dns_name': u'ip-172-16-255-247.us-west-2.compute.internal', 
u'association': {u'public_ip': u'35.161.5.226', u'public_dns_name': u'ec2-35-161-5-226.us-west-2.compute.amazonaws.com', u'ip_owner_id': u'593583987155'}, u'primary': True}], u'mac_address': u'06:22:c8:1f:5e:d6', u'private_ip_address': u'172.16.255.247', u'vpc_id': u'vpc-f58e978c', u'groups': [{u'group_id': u'sg-68736819', u'group_name': u'algo-InstanceSecurityGroup-17U3LA7V9HHZK'}], u'association': {u'public_ip': u'35.161.5.226', u'public_dns_name': u'ec2-35-161-5-226.us-west-2.compute.amazonaws.com', u'ip_owner_id': u'593583987155'}, u'source_dest_check': True, u'owner_id': u'593583987155'}], u'launch_time': u'2018-06-27T13:28:24+00:00', u'instance_id': u'i-0f84464fc85297347', u'instance_type': u't2.micro', u'root_device_name': u'/dev/sda1', u'state_transition_reason': u'', u'private_ip_address': u'172.16.255.247', u'vpc_id': u'vpc-f58e978c', u'product_codes': []})

TASK [Local post-tasks] **************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/post.yml for localhost

TASK [Wait until SSH becomes ready...] ***********************************************
ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] **********************
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]

TASK [include_tasks] *****************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/local_ssh.yml for localhost

TASK [Ensure the local ssh directory is exist] ***************************************
ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] ******************************
ok: [localhost]

PLAY [Configure the server and install required software] ****************************

TASK [Common pre-tasks] **************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/common.yml for 35.161.5.226

TASK [Check the system] **************************************************************
changed: [35.161.5.226]

TASK [Ubuntu pre-tasks] **************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/ubuntu.yml for 35.161.5.226

TASK [Ubuntu | Install prerequisites] ************************************************
changed: [35.161.5.226] => (item=sleep 10)
changed: [35.161.5.226] => (item=apt-get update -qq)
changed: [35.161.5.226] => (item=apt-get install -qq -y python2.7 sudo)

TASK [Ubuntu | Configure defaults] ***************************************************
changed: [35.161.5.226]

TASK [FreeBSD pre-tasks] *************************************************************
skipping: [35.161.5.226]

TASK [include_tasks] *****************************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/playbooks/facts/main.yml for 35.161.5.226

TASK [Gather Facts] ******************************************************************
ok: [35.161.5.226]

TASK [Ensure the algo ssh key exist on the server] ***********************************
ok: [35.161.5.226]

TASK [Check if IPv6 configured] ******************************************************
ok: [35.161.5.226]

TASK [Set facts if the deployment in a cloud] ****************************************
ok: [35.161.5.226]

TASK [Generate password for the CA key] **********************************************
changed: [35.161.5.226 -> localhost]

TASK [Generate p12 export password] **************************************************
changed: [35.161.5.226 -> localhost]

TASK [Define password facts] *********************************************************
ok: [35.161.5.226]

TASK [Define the commonName] *********************************************************
ok: [35.161.5.226]

TASK [common : Install tools] ********************************************************

TASK [common : Sysctl tuning] ********************************************************

TASK [common : Install tools] ********************************************************

TASK [common : Sysctl tuning] ********************************************************

TASK [common : include_tasks] ********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/common/tasks/ubuntu.yml for 35.161.5.226

TASK [common : Install software updates] *********************************************
changed: [35.161.5.226]

TASK [common : Upgrade the ca certificates] ******************************************
ok: [35.161.5.226]

TASK [common : Check if reboot is required] ******************************************
changed: [35.161.5.226]

TASK [common : Reboot] ***************************************************************
changed: [35.161.5.226]

TASK [common : Wait until SSH becomes ready...] **************************************
ok: [35.161.5.226 -> localhost]

TASK [common : Include unatteded upgrades configuration] *****************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/common/tasks/unattended-upgrades.yml for 35.161.5.226

TASK [common : Install unattended-upgrades] ******************************************
ok: [35.161.5.226]

TASK [common : Configure unattended-upgrades] ****************************************
changed: [35.161.5.226]

TASK [common : Periodic upgrades configured] *****************************************
changed: [35.161.5.226]

TASK [common : Disable MOTD on login and SSHD] ***************************************
changed: [35.161.5.226] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [35.161.5.226] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *************************************
changed: [35.161.5.226]

TASK [common : systemd services enabled and started] *********************************
ok: [35.161.5.226] => (item=systemd-networkd)
ok: [35.161.5.226] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] **********************************
changed: [35.161.5.226]

TASK [common : Check apparmor support] ***********************************************
changed: [35.161.5.226]

TASK [common : set_fact] *************************************************************
ok: [35.161.5.226]

TASK [common : set_fact] *************************************************************
ok: [35.161.5.226]

TASK [common : include_tasks] ********************************************************
skipping: [35.161.5.226]

TASK [common : Install tools] ********************************************************
ok: [35.161.5.226] => (item=git)
ok: [35.161.5.226] => (item=screen)
changed: [35.161.5.226] => (item=apparmor-utils)
ok: [35.161.5.226] => (item=uuid-runtime)
ok: [35.161.5.226] => (item=coreutils)
changed: [35.161.5.226] => (item=iptables-persistent)
changed: [35.161.5.226] => (item=cgroup-tools)
ok: [35.161.5.226] => (item=openssl,linux-headers-4.15.0-1010-aws)

TASK [common : Sysctl tuning] ********************************************************
changed: [35.161.5.226] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [35.161.5.226] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [35.161.5.226] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] **********
changed: [35.161.5.226]

TASK [ssh_tunneling : Ensure that the algo group exist] ******************************
changed: [35.161.5.226]

TASK [ssh_tunneling : Ensure that the jail directory exist] **************************
changed: [35.161.5.226]

TASK [ssh_tunneling : Ensure that the SSH users exist] *******************************
changed: [35.161.5.226] => (item=alexander)
changed: [35.161.5.226] => (item=arthur)
changed: [35.161.5.226] => (item=bonnie)
changed: [35.161.5.226] => (item=dan)
changed: [35.161.5.226] => (item=jack)

TASK [ssh_tunneling : The authorized keys file created] ******************************
changed: [35.161.5.226] => (item=alexander)
changed: [35.161.5.226] => (item=arthur)
changed: [35.161.5.226] => (item=bonnie)
changed: [35.161.5.226] => (item=dan)
changed: [35.161.5.226] => (item=jack)

TASK [ssh_tunneling : Generate SSH fingerprints] *************************************
changed: [35.161.5.226]

TASK [ssh_tunneling : Fetch users SSH private keys] **********************************
changed: [35.161.5.226] => (item=alexander)
changed: [35.161.5.226] => (item=arthur)
changed: [35.161.5.226] => (item=bonnie)
changed: [35.161.5.226] => (item=dan)
changed: [35.161.5.226] => (item=jack)

TASK [ssh_tunneling : Change mode for SSH private keys] ******************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [ssh_tunneling : Fetch the known_hosts file] ************************************
changed: [35.161.5.226 -> localhost]

TASK [ssh_tunneling : Build the client ssh config] ***********************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [ssh_tunneling : SSH | Get active system users] *********************************
skipping: [35.161.5.226]

TASK [ssh_tunneling : SSH | Delete non-existing users] *******************************
skipping: [35.161.5.226] => (item=null) 

TASK [wireguard : WireGuard repository configured] ***********************************
changed: [35.161.5.226]

TASK [wireguard : WireGuard installed] ***********************************************
changed: [35.161.5.226]

TASK [wireguard : Ensure the required directories exist] *****************************
changed: [35.161.5.226 -> localhost] => (item=private)
changed: [35.161.5.226 -> localhost] => (item=public)

TASK [wireguard : Delete the lock files] *********************************************
skipping: [35.161.5.226] => (item=alexander) 
skipping: [35.161.5.226] => (item=arthur) 
skipping: [35.161.5.226] => (item=bonnie) 
skipping: [35.161.5.226] => (item=dan) 
skipping: [35.161.5.226] => (item=jack) 
skipping: [35.161.5.226] => (item=35.161.5.226) 

TASK [wireguard : Generate private keys] *********************************************
changed: [35.161.5.226] => (item=alexander)
changed: [35.161.5.226] => (item=arthur)
changed: [35.161.5.226] => (item=bonnie)
changed: [35.161.5.226] => (item=dan)
changed: [35.161.5.226] => (item=jack)
changed: [35.161.5.226] => (item=35.161.5.226)

TASK [wireguard : Save private keys] *************************************************
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)

TASK [wireguard : Touch the lock file] ***********************************************
changed: [35.161.5.226] => (item=alexander)
changed: [35.161.5.226] => (item=arthur)
changed: [35.161.5.226] => (item=bonnie)
changed: [35.161.5.226] => (item=dan)
changed: [35.161.5.226] => (item=jack)
changed: [35.161.5.226] => (item=35.161.5.226)

TASK [wireguard : Generate public keys] **********************************************
ok: [35.161.5.226] => (item=alexander)
ok: [35.161.5.226] => (item=arthur)
ok: [35.161.5.226] => (item=bonnie)
ok: [35.161.5.226] => (item=dan)
ok: [35.161.5.226] => (item=jack)
ok: [35.161.5.226] => (item=35.161.5.226)

TASK [wireguard : Save public keys] **************************************************
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)

TASK [wireguard : WireGuard configured] **********************************************
changed: [35.161.5.226]

TASK [wireguard : WireGuard reload-module-on-update] *********************************
changed: [35.161.5.226]

TASK [wireguard : WireGuard users config generated] **********************************
changed: [35.161.5.226 -> localhost] => (item=(0, u'alexander'))
changed: [35.161.5.226 -> localhost] => (item=(1, u'arthur'))
changed: [35.161.5.226 -> localhost] => (item=(2, u'bonnie'))
changed: [35.161.5.226 -> localhost] => (item=(3, u'dan'))
changed: [35.161.5.226 -> localhost] => (item=(4, u'jack'))

TASK [wireguard : WireGuard enabled and started] *************************************
changed: [35.161.5.226]

RUNNING HANDLER [ssh_tunneling : restart ssh] ****************************************
changed: [35.161.5.226]

RUNNING HANDLER [wireguard : restart wireguard] **************************************
changed: [35.161.5.226]

TASK [dns_encryption : Include tasks for Ubuntu] *************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/dns_encryption/tasks/ubuntu.yml for 35.161.5.226

TASK [dns_encryption : Add the repository] *******************************************
changed: [35.161.5.226]

TASK [dns_encryption : Install dnscrypt-proxy] ***************************************
changed: [35.161.5.226]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *************
changed: [35.161.5.226]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********
ok: [35.161.5.226]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***
changed: [35.161.5.226]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] **********************
changed: [35.161.5.226]

TASK [dns_encryption : Include tasks for FreeBSD] ************************************
skipping: [35.161.5.226]

TASK [dns_encryption : dnscrypt-proxy configured] ************************************
changed: [35.161.5.226]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ***************************
ok: [35.161.5.226]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] ****************************
changed: [35.161.5.226]

TASK [vpn : Ensure that the strongswan group exist] **********************************
changed: [35.161.5.226]

TASK [vpn : Ensure that the strongswan user exist] ***********************************
changed: [35.161.5.226]

TASK [vpn : include_tasks] ***********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/ubuntu.yml for 35.161.5.226

TASK [vpn : set_fact] ****************************************************************
ok: [35.161.5.226]

TASK [vpn : Ubuntu | Install strongSwan] *********************************************
changed: [35.161.5.226]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] **********************************
changed: [35.161.5.226] => (item=/usr/lib/ipsec/charon)
changed: [35.161.5.226] => (item=/usr/lib/ipsec/lookip)
changed: [35.161.5.226] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ************************************************
ok: [35.161.5.226] => (item=apparmor)
ok: [35.161.5.226] => (item=strongswan)
ok: [35.161.5.226] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *************
changed: [35.161.5.226]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **************
changed: [35.161.5.226]

TASK [vpn : include_tasks] ***********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/iptables.yml for 35.161.5.226

TASK [vpn : Iptables configured] *****************************************************
changed: [35.161.5.226] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] *****************************************************
changed: [35.161.5.226] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : include_tasks] ***********************************************************
skipping: [35.161.5.226]

TASK [vpn : Install strongSwan] ******************************************************
ok: [35.161.5.226]

TASK [vpn : include_tasks] ***********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/ipsec_configuration.yml for 35.161.5.226

TASK [vpn : Setup the config files from our templates] *******************************
changed: [35.161.5.226] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [35.161.5.226] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [35.161.5.226] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ******************************************************
changed: [35.161.5.226]

TASK [vpn : Disable unneeded plugins] ************************************************
changed: [35.161.5.226] => (item=agent)
changed: [35.161.5.226] => (item=counters)
skipping: [35.161.5.226] => (item=revocation) 
skipping: [35.161.5.226] => (item=nonce) 
skipping: [35.161.5.226] => (item=openssl) 
skipping: [35.161.5.226] => (item=aes) 
skipping: [35.161.5.226] => (item=x509) 
changed: [35.161.5.226] => (item=xcbc)
changed: [35.161.5.226] => (item=attr)
skipping: [35.161.5.226] => (item=gcm) 
changed: [35.161.5.226] => (item=sha1)
skipping: [35.161.5.226] => (item=kernel-netlink) 
changed: [35.161.5.226] => (item=mgf1)
skipping: [35.161.5.226] => (item=pkcs12) 
changed: [35.161.5.226] => (item=md4)
changed: [35.161.5.226] => (item=dnskey)
skipping: [35.161.5.226] => (item=pkcs7) 
skipping: [35.161.5.226] => (item=hmac) 
changed: [35.161.5.226] => (item=pkcs1)
skipping: [35.161.5.226] => (item=socket-default) 
skipping: [35.161.5.226] => (item=pgp) 
changed: [35.161.5.226] => (item=updown)
skipping: [35.161.5.226] => (item=stroke) 
changed: [35.161.5.226] => (item=gmp)
changed: [35.161.5.226] => (item=constraints)
changed: [35.161.5.226] => (item=connmark)
changed: [35.161.5.226] => (item=xauth-generic)
skipping: [35.161.5.226] => (item=pkcs8) 
changed: [35.161.5.226] => (item=aesni)
skipping: [35.161.5.226] => (item=random) 
changed: [35.161.5.226] => (item=fips-prf)
changed: [35.161.5.226] => (item=resolve)
changed: [35.161.5.226] => (item=rc2)
skipping: [35.161.5.226] => (item=pem) 
changed: [35.161.5.226] => (item=eap-mschapv2)
changed: [35.161.5.226] => (item=sshkey)
changed: [35.161.5.226] => (item=md5)
changed: [35.161.5.226] => (item=bypass-lan)
skipping: [35.161.5.226] => (item=sha2) 
skipping: [35.161.5.226] => (item=pubkey) 

TASK [vpn : Ensure that required plugins are enabled] ********************************
skipping: [35.161.5.226] => (item=agent) 
skipping: [35.161.5.226] => (item=counters) 
changed: [35.161.5.226] => (item=revocation)
changed: [35.161.5.226] => (item=nonce)
changed: [35.161.5.226] => (item=openssl)
changed: [35.161.5.226] => (item=aes)
changed: [35.161.5.226] => (item=x509)
skipping: [35.161.5.226] => (item=xcbc) 
skipping: [35.161.5.226] => (item=attr) 
changed: [35.161.5.226] => (item=gcm)
skipping: [35.161.5.226] => (item=sha1) 
changed: [35.161.5.226] => (item=kernel-netlink)
skipping: [35.161.5.226] => (item=mgf1) 
changed: [35.161.5.226] => (item=pkcs12)
skipping: [35.161.5.226] => (item=md4) 
skipping: [35.161.5.226] => (item=dnskey) 
changed: [35.161.5.226] => (item=pkcs7)
changed: [35.161.5.226] => (item=hmac)
skipping: [35.161.5.226] => (item=pkcs1) 
changed: [35.161.5.226] => (item=socket-default)
changed: [35.161.5.226] => (item=pgp)
skipping: [35.161.5.226] => (item=updown) 
changed: [35.161.5.226] => (item=stroke)
skipping: [35.161.5.226] => (item=gmp) 
skipping: [35.161.5.226] => (item=constraints) 
skipping: [35.161.5.226] => (item=connmark) 
skipping: [35.161.5.226] => (item=xauth-generic) 
changed: [35.161.5.226] => (item=pkcs8)
skipping: [35.161.5.226] => (item=aesni) 
changed: [35.161.5.226] => (item=random)
skipping: [35.161.5.226] => (item=fips-prf) 
skipping: [35.161.5.226] => (item=resolve) 
skipping: [35.161.5.226] => (item=rc2) 
changed: [35.161.5.226] => (item=pem)
skipping: [35.161.5.226] => (item=eap-mschapv2) 
skipping: [35.161.5.226] => (item=sshkey) 
skipping: [35.161.5.226] => (item=md5) 
skipping: [35.161.5.226] => (item=bypass-lan) 
changed: [35.161.5.226] => (item=sha2)
changed: [35.161.5.226] => (item=pubkey)

TASK [vpn : include_tasks] ***********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/openssl.yml for 35.161.5.226

TASK [vpn : Set subjectAltName as a fact] ********************************************
ok: [35.161.5.226 -> localhost]

TASK [vpn : Ensure the pki directory does not exist] *********************************
skipping: [35.161.5.226]

TASK [vpn : Ensure the pki directories exist] ****************************************
changed: [35.161.5.226 -> localhost] => (item=ecparams)
changed: [35.161.5.226 -> localhost] => (item=certs)
changed: [35.161.5.226 -> localhost] => (item=crl)
changed: [35.161.5.226 -> localhost] => (item=newcerts)
changed: [35.161.5.226 -> localhost] => (item=private)
changed: [35.161.5.226 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] **************************************************
changed: [35.161.5.226 -> localhost] => (item=.rnd)
changed: [35.161.5.226 -> localhost] => (item=private/.rnd)
changed: [35.161.5.226 -> localhost] => (item=index.txt)
changed: [35.161.5.226 -> localhost] => (item=index.txt.attr)
changed: [35.161.5.226 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Build the CA pair] *******************************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Copy the CA certificate] *************************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Generate the serial number] **********************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Build the server pair] ***************************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Build the client's pair] *************************************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [vpn : Build the client's p12] **************************************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [vpn : Copy the p12 certificates] ***********************************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [vpn : Get active users] ********************************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Revoke non-existing users] ***********************************************
skipping: [35.161.5.226] => (item=alexander) 
skipping: [35.161.5.226] => (item=arthur) 
skipping: [35.161.5.226] => (item=bonnie) 
skipping: [35.161.5.226] => (item=dan) 
skipping: [35.161.5.226] => (item=jack) 

TASK [vpn : Genereate new CRL file] **************************************************
skipping: [35.161.5.226]

TASK [vpn : Copy the CRL to the vpn server] ******************************************
skipping: [35.161.5.226]

TASK [vpn : include_tasks] ***********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/distribute_keys.yml for 35.161.5.226

TASK [vpn : Copy the keys to the strongswan directory] *******************************
changed: [35.161.5.226] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/35.161.5.226/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [35.161.5.226] => (item={u'dest': u'/etc/ipsec.d/certs/35.161.5.226.crt', u'src': u'configs/35.161.5.226/pki/certs/35.161.5.226.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [35.161.5.226] => (item={u'dest': u'/etc/ipsec.d/private/35.161.5.226.key', u'src': u'configs/35.161.5.226/pki/private/35.161.5.226.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : include_tasks] ***********************************************************
included: /home/alexander/sandbox/src/github.com/trailofbits/algo/roles/vpn/tasks/client_configs.yml for 35.161.5.226

TASK [vpn : Register p12 PayloadContent] *********************************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [vpn : Set facts for mobileconfigs] *********************************************
ok: [35.161.5.226 -> localhost]

TASK [vpn : Build the mobileconfigs] *************************************************
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)
changed: [35.161.5.226] => (item=None)

TASK [vpn : Build the client ipsec config file] **************************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [vpn : Build the client ipsec secret file] **************************************
changed: [35.161.5.226 -> localhost] => (item=alexander)
changed: [35.161.5.226 -> localhost] => (item=arthur)
changed: [35.161.5.226 -> localhost] => (item=bonnie)
changed: [35.161.5.226 -> localhost] => (item=dan)
changed: [35.161.5.226 -> localhost] => (item=jack)

TASK [vpn : Create the windows check file] *******************************************
changed: [35.161.5.226 -> localhost]

TASK [vpn : Check if the windows check file exists] **********************************
ok: [35.161.5.226 -> localhost]

TASK [vpn : Build the windows client powershell script] ******************************

TASK [vpn : Restrict permissions for the local private directories] ******************
changed: [35.161.5.226 -> localhost] => (item=configs/35.161.5.226)

RUNNING HANDLER [dns_adblocking : restart apparmor] **********************************
changed: [35.161.5.226]

RUNNING HANDLER [vpn : restart strongswan] *******************************************
changed: [35.161.5.226]

RUNNING HANDLER [vpn : daemon-reload] ************************************************
changed: [35.161.5.226]

RUNNING HANDLER [vpn : restart iptables] *********************************************
changed: [35.161.5.226]

TASK [vpn : strongSwan started] ******************************************************
ok: [35.161.5.226]

TASK [debug] *************************************************************************
ok: [35.161.5.226] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#               Local DNS resolver 172.16.0.1              #\"", 
            ""
        ], 
        "    \"#                The p12 and SSH keys password for new users is z4ZjoK1B             #\"\n", 
        "    \"#                  The CA key password is c42d7362422a42b0fd5723b036b83998                 #\"\n", 
        "    \"#      Shell access: ssh -i configs/algo.pem ubuntu@35.161.5.226        #\"\n"
    ]
}

TASK [Delete the CA key] *************************************************************
skipping: [35.161.5.226]

PLAY RECAP ***************************************************************************
35.161.5.226               : ok=116  changed=81   unreachable=0    failed=0   
localhost                  : ok=22   changed=4    unreachable=0    failed=0

jackivanov commented 6 years ago

@TC1977 check out this one, please https://github.com/trailofbits/algo/pull/1015

TC1977 commented 6 years ago

@jackivanov You want me to try to install #1015 onto AWS from my Mac? I don't have the problem @awwong1 is mentioning at all, at least I don't think so. I have no idea what Signal Messenger is, but curl -v https://ualberta.ca and wget -v https://ualberta.ca/ work just fine from my Algo server running on EC2.

jackivanov commented 6 years ago

Oh sorry @TC1977, wrong mention. Yes, I want @awwong1 to use this PR, redeploy the server and try it again.

awwong1 commented 6 years ago

@jackivanov Okay, I've rerun ./algo this time deploying to digital ocean. Using d5f0805282909b68bc8d5f0e75078729266eac8e. Algo output: https://gist.github.com/awwong1/207c26c905c06d119edba6ece4e55c62

Still seeing this issue.

$ curl -v https://ipinfo.io
* Rebuilt URL to: https://ipinfo.io/
*   Trying 216.239.34.21...
* TCP_NODELAY set
* Connected to ipinfo.io (216.239.34.21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ipinfo.io
*  start date: May  2 02:14:57 2018 GMT
*  expire date: Jul 31 02:14:57 2018 GMT
*  subjectAltName: host "ipinfo.io" matched cert's "ipinfo.io"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x555945435a80)
> GET / HTTP/2
> Host: ipinfo.io
> User-Agent: curl/7.60.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< date: Wed, 27 Jun 2018 15:19:31 GMT
< content-type: application/json; charset=utf-8
< content-length: 203
< vary: Accept-Encoding
< x-powered-by: Express
< x-cloud-trace-context: f48f34d94e236da5625803c05452fc59/6875629800071669174;o=0
< access-control-allow-origin: *
< x-content-type-options: nosniff
< via: 1.1 google
< 
{
  "ip": "167.99.185.24",
  "hostname": "algo.next",
  "city": "Toronto",
  "region": "Ontario",
  "country": "CA",
  "loc": "43.6555,-79.3626",
  "postal": "M5A",
  "org": "AS14061 DigitalOcean, LLC"
* Connection #0 to host ipinfo.io left intact
}

$ curl -v https://www.ualberta.ca
* Rebuilt URL to: https://www.ualberta.ca/
*   Trying 54.86.190.74...
* TCP_NODELAY set
* Connected to www.ualberta.ca (54.86.190.74) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
^C

jackivanov commented 6 years ago

@awwong1 You need to play with max_mss and find the best value for you.

awwong1 commented 6 years ago

@jackivanov Hmm, okay! I'll read the docs lol. I'll update this issue again in a bit.

jackivanov commented 6 years ago

@awwong1 So, have you seen the details of the PR I mentioned?

awwong1 commented 6 years ago

@jackivanov Yep. This definitely seems to be an MTU issue on my end.

My comment from two days ago is incorrect; doing a ping on my current algo vpn shows that the MTU was incorrect all along:

$ ping -M do -s 1500 www.google.com
PING www.google.com (172.217.2.164) 1500(1528) bytes of data.
ping: local error: Message too long, mtu=1438
ping: local error: Message too long, mtu=1438
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1021ms

I see that my MTU is currently 1500. Therefore, max_mss should be 1460? I'm not sure what I should set this value to be.

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp58s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 9c:b6:d0:fe:50:75 brd ff:ff:ff:ff:ff:ff
...

I deployed the new vpn with max_mss set to 1460 in the config file. When I ping google, I see that I get a Message too long error:

$ ping -M do -s 1500 www.google.com
PING www.google.com (172.217.0.100) 1500(1528) bytes of data.
ping: local error: Message too long, mtu=1406
ping: local error: Message too long, mtu=1406
ping: local error: Message too long, mtu=1406
^C
--- www.google.com ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2038ms

I then tried to set the mtu to 1406, but the number returned from ping shrank?

$ sudo ifconfig wlp58s0 mtu 1406

$ ping -M do -s 1500 www.google.com
PING www.google.com (172.217.0.100) 1500(1528) bytes of data.
ping: local error: Message too long, mtu=1310
ping: local error: Message too long, mtu=1310
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1012ms

jackivanov commented 6 years ago

@awwong1 with max_mss fix on the server you probably don't need to do anything with MTU on your end

awwong1 commented 6 years ago

@jackivanov How do I find out what value to use for max_mss? (or what is used when I don't supply any value?)

EDIT: This is what I've tried so far. Client MTU is set to the original 1500.

| max_mss | ping -M do -s 1500 www.google.com |
| --- | --- |
| null | ping: local error: Message too long, mtu=1438 |
| 1460 | ping: local error: Message too long, mtu=1406 |
| 1500 | ping: local error: Message too long, mtu=1406 |

awwong1 commented 6 years ago

Alright, after playing around with the max_mss a bit, seems like I can connect to sites properly now. Including my steps because why not?

  1. Deploy an algo instance using ./algo. Do not set max_mss to anything.
  2. Connect to the vpn. Observe certain sites not loading properly. (like curl https://www.ualberta.ca)
  3. Run ping -M do -s 1490 www.google.com
    $ ping -M do -s 1490 www.google.com
    PING www.google.com (172.217.0.228) 1490(1518) bytes of data.
    ping: local error: Message too long, mtu=1438
    ping: local error: Message too long, mtu=1438
    ping: local error: Message too long, mtu=1438
    ^C
    --- www.google.com ping statistics ---
    3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2030ms
  4. Subtract the returned mtu number from the total bytes of data sent by ping, and apply that difference to the payload size. In this case, that's 1490 - (1518 - 1438) = 1410. This number should be used as your MTU value.
  5. Test the ping command with the new number (yours may be different):
    $ ping -M do -s 1410 www.google.com
    PING www.google.com (172.217.0.100) 1410(1438) bytes of data.
    72 bytes from yyz10s13-in-f4.1e100.net (172.217.0.100): icmp_seq=1 ttl=57 (truncated)
    72 bytes from yyz10s13-in-f4.1e100.net (172.217.0.100): icmp_seq=2 ttl=57 (truncated)
    ^C
    --- www.google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 88.151/117.670/147.190/29.521 ms
  6. Disconnect from your VPN.
  7. Within config.cfg, set max_mss equal to your calculated MTU minus 40. For me, that's 1410 - 40 = 1370. Why 40? See the truth
  8. Deploy and connect to your new algo instance with the updated config.
  9. Update your client's MTU value.
    # eg (yours may be wlan0 or eth0 something)
    $ sudo ifconfig wlp58s0 mtu 1410
  10. Test going to the old sites.

I don't know why 1500 doesn't work by default :/ I also don't know enough about networking to explain why the same ping command now shows a lower mtu. (curl works)

$ ping -M do -s 1410 www.google.com
PING www.google.com (172.217.0.228) 1410(1438) bytes of data.
ping: local error: Message too long, mtu=1310
ping: local error: Message too long, mtu=1310
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms

EDIT: this worked for a bit, then it stopped working. Not sure why, not going to bother. Just checked out master again and set the MTU on my client to 1200. ¯\_(ツ)_/¯
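
The arithmetic from the numbered steps above, as an added shell example (not part of the original comment and not Algo's own code): it reads the `mtu=` value from ping's "Message too long" error and derives the largest ping payload and TCP MSS that fit. The function names are hypothetical, the sample output is copied from the thread, and the header sizes assume IPv4 without options (20-byte IP, 8-byte ICMP, 20-byte TCP).

```shell
#!/bin/sh
# Sample input: output of `ping -M do -s 1490 www.google.com`, copied from the thread.
SAMPLE_PING='PING www.google.com (172.217.0.228) 1490(1518) bytes of data.
ping: local error: Message too long, mtu=1438
ping: local error: Message too long, mtu=1438'

# Assumed header sizes: IPv4 and TCP without options, ICMP echo header.
IP4_HDR=20
ICMP_HDR=8
TCP_HDR=20

# Print the smallest mtu= value found in ping output.
# Returns non-zero when no "Message too long" line is present.
reported_mtu() {
    printf '%s\n' "$1" |
        sed -n 's/.*Message too long, mtu=\([0-9][0-9]*\).*/\1/p' |
        sort -n | head -n 1 | grep .
}

# Largest `ping -s` payload that fits in one unfragmented packet of this MTU.
max_ping_payload() { echo $(( $1 - $IP4_HDR - $ICMP_HDR )); }

# Largest TCP MSS that fits in one unfragmented packet of this MTU.
max_tcp_mss() { echo $(( $1 - $IP4_HDR - $TCP_HDR )); }

# Step 7 exactly as written in the thread: ping payload size minus 40.
thread_max_mss() { echo $(( $(max_ping_payload "$1") - 40 )); }

report() {
    mtu=$(reported_mtu "$1") || {
        echo "no 'Message too long' line: the probe fit, or ping failed another way"
        return 1
    }
    echo "reported MTU:          $mtu"
    echo "largest ping -s size:  $(max_ping_payload "$mtu")"
    echo "largest TCP MSS:       $(max_tcp_mss "$mtu")"
    echo "thread's step 7 value: $(thread_max_mss "$mtu")"
}

report "$SAMPLE_PING"
```

For the reported MTU of 1438, the largest MSS that fits is 1398; the value from step 7 (1370) is 28 bytes smaller, so it also fits.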