CHANGELOG: release 0.4.4

Merge pull request #865 from robstrong/hotfix/contentType
fix(peer_server) set content type to application/json in admin
2014-06-24 10:56:53 -07:00 · 2014-06-23 16:31:49 -07:00 · 2014-06-23 14:19:48 -07:00 · 2014-06-21 13:13:10 -04:00 · 2014-06-19 17:10:34 -07:00 · 2014-06-19 17:10:34 -07:00
881 changed files with 63501 additions and 100047 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,6 @@
-src/
-pkg/
-/etcd
-/etcdbench
-/server/release_version.go
+/gopath
 /go-bindata
 /machine*
+/bin
+.vagrant
+*.etcd
--- a/.travis.yml
+++ b/.travis.yml
@ -1,13 +0,0 @@
-language: go
-go: 1.1
-
-install:
- - echo "Skip install"
-
-script:
- - ./test.sh
-
-# temporarily fix Travis
-env:
-  global:
-      - TRAVIS_BUILD_DIR=/home/travis/build/coreos/etcd
--- a/43
+++ b/43
@ -1,4 +1,45 @@
-v0.2
+v0.4.4
+* Fix `--no-sync` flag in etcdctl (#83)
+* Improved logging for machine removal (#844)
+* Various documentation improvements (#858, #851, #847)
+
+v0.4.3
+* Avoid panic() on truncated or unexpected log data (#834, #833)
+* Fix missing stats field (#807)
+* Lengthen default peer removal delay to 30mins (#835)
+* Reduce logging on heartbeat timeouts (#836)
+
+v0.4.2
+* Improvements to the clustering documents
+* Set content-type properly on errors (#469)
+* Standbys re-join if they should be part of the cluster (#810, #815, #818)
+
+v0.4.1
+* Re-introduce DELETE on the machines endpoint
+* Document the machines endpoint
+
+v0.4.0
+* Introduced standby mode
+* Added HEAD requests
+* Set logs NOCOW flag when BTRFS is detected to avoid fsync overhead
+* Fix all known data races, and pass Go race detector (TODO: re-run race detector)
+* Fixed timeouts when using HTTPS
+* Improved snapshot stability
+* Migration of machine names to new IPs
+* Updated peer discovery ordering
+
+v0.3.0
+* Add Compare-and-Delete support.
+* Added prevNode to response objects.
+* Added Discovery API.
+* Add tracing and debug endpoints (Documentation/debugging.md).
+* Improved logging of cluster events.
+* go get github.com/coreos/etcd works.
+* info file is no longer used.
+* Snapshots are on by default.
+* Statistics APIs documented.
+
+v0.2.0
 * Support directory creation and removal.
 * Add Compare-and-Swap (CAS) support.
 * Support recursive GETs.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,17 +1,13 @@
 # How to contribute

-etcd is open source, Apache 2.0 licensed and accepts contributions via Github pull requests.
-This document outlines some of the conventions on commit message formatting, contact points for developers and other resources to make getting your contribution into etcd easier.
+etcd is Apache 2.0 licensed and accepts contributions via Github pull requests. This document outlines some of the conventions on commit message formatting, contact points for developers and other resources to make getting your contribution into etcd easier.

 # Email and chat

-For simplicity etcd discussions happen on coreos-dev and in #coreos-dev.
-As the community grows we will move to a dedicated mailing list and IRC channel.
-
- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev) 
+- Email: [etcd-dev](https://groups.google.com/forum/?hl=en#!forum/etcd-dev)
 - IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org

-## Getting Started
+## Getting started

 - Fork the repository on GitHub
 - Read the README.md for build instructions
@ -22,16 +18,21 @@ This is a rough outline of what a contributor's workflow looks like:

 - Create a topic branch from where you want to base your work. This is usually master.
 - Make commits of logical units.
- Make sure your commit messages are in the proper format, see below
+- Make sure your commit messages are in the proper format (see below).
 - Push your changes to a topic branch in your fork of the repository.
- Submit a pull request to coreos/etcd
+- Submit a pull request to coreos/etcd.

-Thanks for you contributions!
+Thanks for your contributions!
+
+### Code style
+
+The coding style suggested by the Golang community is used in etcd. See [style doc](https://code.google.com/p/go-wiki/wiki/Style) for details.
+
+Please follow this style to make etcd easy to review, maintain and develop.

 ### Format of the commit message

-etcd follow a rough convention for commit messages borrowed from Angularjs.
-This is an example of a commit:
+etcd follows a rough convention for commit messages borrowed from Angularjs. This is an example of a commit:

 ```
    feat(scripts/test-cluster): add a cluster test command
@ -40,7 +41,7 @@ This is an example of a commit:
    start for debugging.
 ```

-To make it more formal it looks something like this:
+The format can be more formally described as follows:

 ```
 <type>(<scope>): <subject>
@ -50,14 +51,14 @@ To make it more formal it looks something like this:
 <footer>
 ```

-The first line is the subject and should not be longer than 70 characters, the second line is always blank and other lines should be wrapped at 80 characters.
-This allows the message to be easier to read on github as well as in various git tools.
+The first line is the subject and should be no longer than 70 characters, the second line is always blank, and other lines should be wrapped at 80 characters.  This allows the message to be easier to read on github as well as
+in various git tools.

 ### Subject line

-The subject line contains succinct description of the change.
+The subject line contains a succinct description of the change.

-### Allowed <type>
+### Allowed <type>s
 - feat (feature)
 - fix (bug fix)
 - docs (documentation)
@ -66,9 +67,9 @@ The subject line contains succinct description of the change.
 - test (when adding missing tests)
 - chore (maintain)

-### Allowed <scope>
+### Allowed <scope>s

-Scopes could be anything specifying place of the commit change. For example store, api, etc.
+Scopes can be anything specifying the place of the commit change within the repository. For example, "store", "API", etc.

 ### More details on commits

--- a/36
+++ b/36
@ -0,0 +1,36 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
--- a/13
+++ b/13
@ -1,11 +1,12 @@
 FROM ubuntu:12.04
-RUN apt-get update
-RUN apt-get install -y python-software-properties git
-RUN add-apt-repository -y ppa:duh/golang
-RUN apt-get update
-RUN apt-get install -y golang
+# Let's install go just like Docker (from source).
+RUN apt-get update -q
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -qy build-essential curl git
+RUN curl -s https://storage.googleapis.com/golang/go1.3.src.tar.gz | tar -v -C /usr/local -xz
+RUN cd /usr/local/go/src && ./make.bash --no-clean 2>&1
+ENV PATH /usr/local/go/bin:$PATH
 ADD . /opt/etcd
 RUN cd /opt/etcd && ./build
 EXPOSE 4001 7001
-ENTRYPOINT ["/opt/etcd/etcd"]
+ENTRYPOINT ["/opt/etcd/bin/etcd"]

--- a/Documentation/api.md
+++ b/Documentation/api.md
--- a/Documentation/clients-matrix.md
+++ b/Documentation/clients-matrix.md
@ -0,0 +1,46 @@
+# Client libraries support matrix for etcd
+
+As etcd features support is really uneven between client libraries, a compatibility matrix can be important.
+We will consider in detail only the features of clients supporting the v2 API. Clients still supporting the v1 API *only* are listed below.
+
+## v1-only clients
+
+Clients supporting only the API version 1
+
+- [justinsb/jetcd](https://github.com/justinsb/jetcd) Java
+- [transitorykris/etcd-py](https://github.com/transitorykris/etcd-py) Python
+- [russellhaering/txetcd](https://github.com/russellhaering/txetcd) Python
+- [iconara/etcd-rb](https://github.com/iconara/etcd-rb) Ruby
+- [jpfuentes2/etcd-ruby](https://github.com/jpfuentes2/etcd-ruby) Ruby
+- [aterreno/etcd-clojure](https://github.com/aterreno/etcd-clojure) Clojure
+- [marshall-lee/etcd.erl](https://github.com/marshall-lee/etcd.erl) Erlang
+
+
+## v2 clients
+
+The v2 API has a lot of features, we will categorize them in a few categories:
+
+- **HTTPS Auth**: Support for SSL-certificate based authentication
+- **Reconnect**: If the client is able to reconnect automatically to another server if one fails.
+- **Mod/Lock**: Support for the locking module
+- **Mod/Leader**: Support for the leader election module
+- **GET,PUT,POST,DEL Features**: Support for all the modifiers when calling the etcd server with said HTTP method.
+
+
+### Supported features matrix
+
+| Client| [go-etcd](https://github.com/coreos/go-etcd) | [jetcd](https://github.com/diwakergupta/jetcd) | [python-etcd](https://github.com/jplana/python-etcd) | [python-etcd-client](https://github.com/dsoprea/PythonEtcdClient) | [node-etcd](https://github.com/stianeikeland/node-etcd) | [nodejs-etcd](https://github.com/lavagetto/nodejs-etcd) | [etcd-ruby](https://github.com/ranjib/etcd-ruby) | [etcd-api](https://github.com/jdarcy/etcd-api) | [cetcd](https://github.com/dwwoelfel/cetcd) |  [clj-etcd](https://github.com/rthomas/clj-etcd) | [etcetera](https://github.com/drusellers/etcetera)| [Etcd.jl](https://github.com/forio/Etcd.jl) | [p5-etcd](https://metacpan.org/release/Etcd)
+| --- | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
+| **HTTPS Auth**    | Y | Y | Y | Y | Y | Y | - | - | - | - | - | - | - |
+| **Reconnect**     | Y | - | Y | Y | - | - | - | Y | - | - | - | - | - |
+| **Mod/Lock**      | - | - | Y | Y | - | - | - | - | - | - | - | Y | - |
+| **Mod/Leader**    | - | - | - | Y | - | - | - | - | - | - | - | Y | - |
+| **GET Features**  | F | B | F | F | F | F | F | B | F | G | F | F | F |
+| **PUT Features**  | F | B | F | F | F | F | F | G | F | G | F | F | F |
+| **POST Features** | F | - | F | F | - | F | F | - | - | - | F | F | F |
+| **DEL Features**  | F | B | F | F | F | F | F | B | G | B | F | F | F |
+
+**Legend**
+
+**F**: Full support **G**: Good support **B**: Basic support
+**Y**: Feature supported  **-**: Feature not supported
--- a/Documentation/cluster-discovery.md
+++ b/Documentation/cluster-discovery.md
@ -0,0 +1,60 @@
+# Cluster Discovery
+
+## Overview
+
+Starting an etcd cluster requires that each node knows another in the cluster. If you are trying to bring up a cluster all at once, say using a cloud formation, you also need to coordinate who will be the initial cluster leader. The discovery protocol helps you by providing an automated way to discover other existing peers in a cluster.
+
+For more information on how etcd can locate the cluster, see the [finding the cluster][cluster-finding] documentation.
+
+Please note - at least 3 nodes are required for [cluster availability][optimal-cluster-size].
+
+[cluster-finding]: https://github.com/coreos/etcd/blob/master/Documentation/design/cluster-finding.md
+[optimal-cluster-size]: https://github.com/coreos/etcd/blob/master/Documentation/optimal-cluster-size.md
+
+## Using discovery.etcd.io
+
+### Create a Token
+
+To use the discovery API, you must first create a token for your etcd cluster. Visit [https://discovery.etcd.io/new](https://discovery.etcd.io/new) to create a new token.
+
+You can inspect the list of peers by viewing `https://discovery.etcd.io/<token>`.
+
+### Start etcd With the Discovery Flag
+
+Specify the `-discovery` flag when you start each etcd instance. The list of existing peers in the cluster will be downloaded and configured. If the instance is the first peer, it will start as the leader of the cluster.
+
+Here's a full example:
+
+```
+TOKEN=$(curl https://discovery.etcd.io/new)
+./etcd -name instance1 -peer-addr 10.1.2.3:7001 -addr 10.1.2.3:4001 -discovery $TOKEN
+./etcd -name instance2 -peer-addr 10.1.2.4:7001 -addr 10.1.2.4:4001 -discovery $TOKEN
+./etcd -name instance3 -peer-addr 10.1.2.5:7001 -addr 10.1.2.5:4001 -discovery $TOKEN
+```
+
+## Running Your Own Discovery Endpoint
+
+The discovery API communicates with a separate etcd cluster to store and retrieve the list of peers. CoreOS provides [https://discovery.etcd.io](https://discovery.etcd.io) as a free service, but you can easily run your own etcd cluster for this purpose. Here's an example using an etcd cluster located at `10.10.10.10:4001`:
+
+```
+TOKEN="testcluster"
+./etcd -name instance1 -peer-addr 10.1.2.3:7001 -addr 10.1.2.3:4001 -discovery http://10.10.10.10:4001/v2/keys/$TOKEN
+./etcd -name instance2 -peer-addr 10.1.2.4:7001 -addr 10.1.2.4:4001 -discovery http://10.10.10.10:4001/v2/keys/$TOKEN
+./etcd -name instance3 -peer-addr 10.1.2.5:7001 -addr 10.1.2.5:4001 -discovery http://10.10.10.10:4001/v2/keys/$TOKEN
+```
+
+If you're interested in how to discovery API works behind the scenes, read about the [Discovery Protocol](https://github.com/coreos/etcd/blob/master/Documentation/discovery-protocol.md).
+
+## Setting Peer Addresses Correctly
+
+The Discovery API submits the `-peer-addr` of each etcd instance to the configured Discovery endpoint. It's important to select an address that *all* peers in the cluster can communicate with. For example, if you're located in two regions of a cloud provider, configuring a private `10.x` address will not work between the two regions, and communication will not be possible between all peers.
+
+## Stale Peers
+
+The discovery API will automatically clean up the address of a stale peer that is no longer part of the cluster. The TTL for this process is a week, which should be long enough to handle any extremely long outage you may encounter. There is no harm in having stale peers in the list until they are cleaned up, since an etcd instance only needs to connect to one valid peer in the cluster to join.
+
+## Lifetime of a Discovery URL
+
+A discovery URL identifies a single etcd cluster. Do not re-use discovery URLs for new clusters.
+
+When a machine starts with a new discovery URL the discovery URL will be activated and record the machine's metadata. If you destroy the whole cluster and attempt to bring the cluster back up with the same discovery URL it will fail. This is intentional because all of the registered machines are gone including their logs so there is nothing to recover the killed cluster.
--- a/Documentation/clustering.md
+++ b/Documentation/clustering.md
@ -0,0 +1,169 @@
+## Clustering
+
+### Example cluster of three machines
+
+Let's explore the use of etcd clustering.
+We use Raft as the underlying distributed protocol which provides consistency and persistence of the data across all of the etcd instances.
+
+Let start by creating 3 new etcd instances.
+
+We use `-peer-addr` to specify server port and `-addr` to specify client port and `-data-dir` to specify the directory to store the log and info of the machine in the cluster:
+
+```sh
+./etcd -peer-addr 127.0.0.1:7001 -addr 127.0.0.1:4001 -data-dir machines/machine1 -name machine1
+```
+
+**Note:** If you want to run etcd on an external IP address and still have access locally, you'll need to add `-bind-addr 0.0.0.0` so that it will listen on both external and localhost addresses.
+A similar argument `-peer-bind-addr` is used to setup the listening address for the server port.
+
+Let's join two more machines to this cluster using the `-peers` argument. A single connection to any peer will allow a new machine to join, but multiple can be specified for greater resiliency.
+
+```sh
+./etcd -peer-addr 127.0.0.1:7002 -addr 127.0.0.1:4002 -peers 127.0.0.1:7001,127.0.0.1:7003 -data-dir machines/machine2 -name machine2
+./etcd -peer-addr 127.0.0.1:7003 -addr 127.0.0.1:4003 -peers 127.0.0.1:7001,127.0.0.1:7002 -data-dir machines/machine3 -name machine3
+```
+
+We can retrieve a list of machines in the cluster using the HTTP API:
+
+```sh
+curl -L http://127.0.0.1:4001/v2/machines
+```
+
+We should see there are three machines in the cluster
+
+```
+http://127.0.0.1:4001, http://127.0.0.1:4002, http://127.0.0.1:4003
+```
+
+The machine list is also available via the main key API:
+
+```sh
+curl -L http://127.0.0.1:4001/v2/keys/_etcd/machines
+```
+
+```json
+{
+    "action": "get",
+    "node": {
+        "createdIndex": 1,
+        "dir": true,
+        "key": "/_etcd/machines",
+        "modifiedIndex": 1,
+        "nodes": [
+            {
+                "createdIndex": 1,
+                "key": "/_etcd/machines/machine1",
+                "modifiedIndex": 1,
+                "value": "raft=http://127.0.0.1:7001&etcd=http://127.0.0.1:4001"
+            },
+            {
+                "createdIndex": 2,
+                "key": "/_etcd/machines/machine2",
+                "modifiedIndex": 2,
+                "value": "raft=http://127.0.0.1:7002&etcd=http://127.0.0.1:4002"
+            },
+            {
+                "createdIndex": 3,
+                "key": "/_etcd/machines/machine3",
+                "modifiedIndex": 3,
+                "value": "raft=http://127.0.0.1:7003&etcd=http://127.0.0.1:4003"
+            }
+        ]
+    }
+}
+```
+
+We can also get the current leader in the cluster:
+
+```
+curl -L http://127.0.0.1:4001/v2/leader
+```
+
+The first server we set up should still be the leader unless it has died during these commands.
+
+```
+http://127.0.0.1:7001
+```
+
+Now we can do normal SET and GET operations on keys as we explored earlier.
+
+```sh
+curl -L http://127.0.0.1:4001/v2/keys/foo -XPUT -d value=bar
+```
+
+```json
+{
+    "action": "set",
+    "node": {
+        "createdIndex": 4,
+        "key": "/foo",
+        "modifiedIndex": 4,
+        "value": "bar"
+    }
+}
+```
+
+### Rejoining to the Cluster
+
+If one machine disconnects from the cluster, it could rejoin the cluster automatically when the communication is recovered.
+
+If one machine is killed, it could rejoin the cluster when started with old name. If the peer address is changed, etcd will treat the new peer address as the refreshed one, which benefits instance migration, or virtual machine boot with different IP. The peer-address-changing functionality is only supported when the majority of the cluster is alive, because this behavior needs the consensus of the etcd cluster.
+
+**Note:** For now, it is user responsibility to ensure that the machine doesn't join the cluster that has the member with the same name. Or unexpected error will happen. It would be improved sooner or later.
+
+### Killing Nodes in the Cluster
+
+Now if we kill the leader of the cluster, we can get the value from one of the other two machines:
+
+```sh
+curl -L http://127.0.0.1:4002/v2/keys/foo
+```
+
+We can also see that a new leader has been elected:
+
+```
+curl -L http://127.0.0.1:4002/v2/leader
+```
+
+```
+http://127.0.0.1:7002
+```
+
+or
+
+```
+http://127.0.0.1:7003
+```
+
+
+### Testing Persistence
+
+Next we'll kill all the machines to test persistence.
+Type `CTRL-C` on each terminal and then rerun the same command you used to start each machine.
+
+Your request for the `foo` key will return the correct value:
+
+```sh
+curl -L http://127.0.0.1:4002/v2/keys/foo
+```
+
+```json
+{
+    "action": "get",
+    "node": {
+        "createdIndex": 4,
+        "key": "/foo",
+        "modifiedIndex": 4,
+        "value": "bar"
+    }
+}
+```
+
+
+### Using HTTPS between servers
+
+In the previous example we showed how to use SSL client certs for client-to-server communication.
+Etcd can also do internal server-to-server communication using SSL client certs.
+To do this just change the `-*-file` flags to `-peer-*-file`.
+
+If you are using SSL for server-to-server communication, you must use it on all instances of etcd.
--- a/Documentation/external-documentation.md
+++ b/Documentation/external-documentation.md
@ -1,6 +1,8 @@
 # Etcd Configuration

-Configuration options can be set in three places:
+## Node Configuration
+
+Individual node configuration options can be set in three places:

 1. Command line flags
 2. Environment variables
@ -10,6 +12,16 @@ Options set on the command line take precedence over all other sources.
 Options set in environment variables take precedence over options set in
 configuration files.

+## Cluster Configuration
+
+Cluster-wide settings are configured via the `/config` admin endpoint and additionally in the configuration file. Values contained in the configuration file will seed the cluster setting with the provided value. After the cluster is running, only the admin endpoint is used.
+
+The full documentation is contained in the [API docs](https://github.com/coreos/etcd/blob/master/Documentation/api.md#cluster-config).
+
+* `activeSize` - the maximum number of peers that can participate in the consensus protocol. Other peers will join as standbys.
+* `removeDelay` - the minimum time in seconds that a machine has been observed to be unresponsive before it is removed from the cluster.
+* `syncInterval` - the amount of time in seconds between cluster sync when it runs in standby mode.
+
 ## Command Line Flags

 ### Required
@ -19,29 +31,34 @@ configuration files.
 ### Optional

 * `-addr` - The advertised public hostname:port for client communication. Defaults to `127.0.0.1:4001`.
-* `-bind-addr` - The listening hostname for client communication. Defaults to advertised ip.
+* `-discovery` - A URL to use for discovering the peer list. (i.e `"https://discovery.etcd.io/your-unique-key"`).
+* `-bind-addr` - The listening hostname for client communication. Defaults to advertised IP.
 * `-peers` - A comma separated list of peers in the cluster (i.e `"203.0.113.101:7001,203.0.113.102:7001"`).
 * `-peers-file` - The file path containing a comma separated list of peers in the cluster.
 * `-ca-file` - The path of the client CAFile. Enables client cert authentication when present.
 * `-cert-file` - The cert file of the client.
 * `-key-file` - The key file of the client.
-* `-config` - The path of the etcd config file. Defaults to `/etc/etcd/etcd.conf`.
-* `-cors-origins` - A comma separated white list of origins for cross-origin resource sharing.
-* `-cpuprofile` - The path to a file to output cpu profile data. Enables cpu profiling when present.
+* `-config` - The path of the etcd configuration file. Defaults to `/etc/etcd/etcd.conf`.
+* `-cors` - A comma separated white list of origins for cross-origin resource sharing.
+* `-cpuprofile` - The path to a file to output CPU profile data. Enables CPU profiling when present.
 * `-data-dir` - The directory to store log and snapshot. Defaults to the current working directory.
 * `-max-result-buffer` - The max size of result buffer. Defaults to `1024`.
 * `-max-cluster-size` - The max size of the cluster. Defaults to `9`.
 * `-max-retry-attempts` - The max retry attempts when trying to join a cluster. Defaults to `3`.
 * `-peer-addr` - The advertised public hostname:port for server communication. Defaults to `127.0.0.1:7001`.
-* `-peer-bind-addr` - The listening hostname for server communication. Defaults to advertised ip.
+* `-peer-bind-addr` - The listening hostname for server communication. Defaults to advertised IP.
 * `-peer-ca-file` - The path of the CAFile. Enables client/peer cert authentication when present.
 * `-peer-cert-file` - The cert file of the server.
 * `-peer-key-file` - The key file of the server.
-* `-snapshot` - Open or close snapshot. Defaults to `false`.
+* `-peer-election-timeout` - The number of milliseconds to wait before the leader is declared unhealthy.
+* `-peer-heartbeat-interval` - The number of milliseconds in between heartbeat requests
+* `-snapshot=false` - Disable log snapshots. Defaults to `true`.
+* `-cluster-active-size` - The expected number of instances participating in the consensus protocol. Only applied if the etcd instance is the first peer in the cluster.
+* `-cluster-remove-delay` - The delay before one node is removed from the cluster since it cannot be connected at all. Only applied if the etcd instance is the first peer in the cluster.
+* `-cluster-sync-interval` - The interval between synchronization for standby-mode instance with the cluster. Only applied if the etcd instance is the first peer in the cluster.
 * `-v` - Enable verbose logging. Defaults to `false`.
 * `-vv` - Enable very verbose logging. Defaults to `false`.
 * `-version` - Print the version and exit.
-* `-web-url` - The hostname:port of web interface.

 ## Configuration File

@ -53,9 +70,10 @@ addr = "127.0.0.1:4001"
 bind_addr = "127.0.0.1:4001"
 ca_file = ""
 cert_file = ""
-cors_origins = []
+cors = []
 cpu_profile_file = ""
 data_dir = "."
+discovery = "http://etcd.local:4001/v2/keys/_etcd/registry/examplecluster"
 key_file = ""
 peers = []
 peers_file = ""
@ -66,7 +84,6 @@ name = "default-name"
 snapshot = false
 verbose = false
 very_verbose = false
-web_url = ""

 [peer]
 addr = "127.0.0.1:7001"
@ -74,6 +91,11 @@ bind_addr = "127.0.0.1:7001"
 ca_file = ""
 cert_file = ""
 key_file = ""
+
+[cluster]
+active_size = 9
+remove_delay = 1800.0
+sync_interval = 5.0
 ```

 ## Environment Variables
@ -86,6 +108,7 @@ key_file = ""
 * `ETCD_CONFIG`
 * `ETCD_CPU_PROFILE_FILE`
 * `ETCD_DATA_DIR`
+ * `ETCD_DISCOVERY`
 * `ETCD_KEY_FILE`
 * `ETCD_PEERS`
 * `ETCD_PEERS_FILE`
@ -96,9 +119,12 @@ key_file = ""
 * `ETCD_SNAPSHOT`
 * `ETCD_VERBOSE`
 * `ETCD_VERY_VERBOSE`
- * `ETCD_WEB_URL`
 * `ETCD_PEER_ADDR`
 * `ETCD_PEER_BIND_ADDR`
 * `ETCD_PEER_CA_FILE`
 * `ETCD_PEER_CERT_FILE`
 * `ETCD_PEER_KEY_FILE`
+ * `ETCD_PEER_ELECTION_TIMEOUT`
+ * `ETCD_CLUSTER_ACTIVE_SIZE`
+ * `ETCD_CLUSTER_REMOVE_DELAY`
+ * `ETCD_CLUSTER_SYNC_INTERVAL`
--- a/Documentation/debugging.md
+++ b/Documentation/debugging.md
@ -0,0 +1,69 @@
+# Debugging etcd
+
+Diagnosing issues in a distributed application is hard.
+etcd will help as much as it can - just enable these debug features using the CLI flag `-trace=*` or the config option `trace=*`.
+
+## Logging
+
+Log verbosity can be increased to the max using either the `-vvv` CLI flag or the `very_very_verbose=true` config option.
+
+The only supported logging mode is to stdout.
+
+## Metrics
+
+etcd itself can generate a set of metrics.
+These metrics represent many different internal data points that can be helpful when debugging etcd servers.
+
+#### Metrics reference
+
+Each individual metric name is prefixed with `etcd.<NAME>`, where \<NAME\> is the configured name of the etcd server.
+
+* `timer.appendentries.handle`: amount of time a peer takes to process an AppendEntriesRequest from the POV of the peer itself
+* `timer.peer.<PEER>.heartbeat`: amount of time a peer heartbeat operation takes from the POV of the leader that initiated that operation for peer \<PEER\>
+* `timer.command.<COMMAND>`: amount of time a given command took to be processed through the local server's raft state machine. This does not include time waiting on locks.
+
+#### Fetching metrics over HTTP
+
+Once tracing has been enabled on a given etcd server, all metric data is available at the server's `/debug/metrics` HTTP endpoint (i.e. `http://127.0.0.1:4001/debug/metrics`).
+Executing a GET HTTP command against the metrics endpoint will yield the current state of all metrics in the etcd server.
+
+#### Sending metrics to Graphite
+
+etcd supports [Graphite's Carbon plaintext protocol](https://graphite.readthedocs.org/en/latest/feeding-carbon.html#the-plaintext-protocol) - a TCP wire protocol designed for shipping metric data to an aggregator.
+To send metrics to a Graphite endpoint using this protocol, use of the `-graphite-host` CLI flag or the `graphite_host` config option (i.e. `graphite_host=172.17.0.19:2003`).
+
+See an [example graphite deploy script](https://github.com/coreos/etcd/contrib/graphite).
+
+#### Generating additional metrics with Collectd
+
+[Collectd](http://collectd.org/documentation.shtml) gathers metrics from the host running etcd.
+While these aren't metrics generated by etcd itself, it can be invaluable to compare etcd's view of the world to that of a separate process running next to etcd.
+
+See an [example collectd deploy script](https://github.com/coreos/etcd/contrib/collectd).
+
+## Profiling
+
+etcd exposes profiling information from the Go pprof package over HTTP.
+The basic browsable interface is served by etcd at the `/debug/pprof` HTTP endpoint (i.e. `http://127.0.0.1:4001/debug/pprof`).
+For more information on using profiling tools, see http://blog.golang.org/profiling-go-programs.
+
+**NOTE**: In the following examples you need to ensure that the `./bin/etcd` is identical to the `./bin/etcd` that you are targeting (same git hash, arch, platform, etc).
+
+#### Heap memory profile
+
+```
+go tool pprof ./bin/etcd http://127.0.0.1:4001/debug/pprof/heap
+```
+
+#### CPU profile
+
+```
+go tool pprof ./bin/etcd http://127.0.0.1:4001/debug/pprof/profile
+```
+
+#### Blocked goroutine profile
+
+```
+go tool pprof ./bin/etcd http://127.0.0.1:4001/debug/pprof/block
+```
+
--- a/Documentation/design/cluster-finding.md
+++ b/Documentation/design/cluster-finding.md
@ -0,0 +1,34 @@
+## Cluster Finding Process
+
+Peer discovery uses the following sources in this order: log data in `-data-dir`, `-discovery` and `-peers`.
+
+If log data is provided, etcd will concatenate possible peers from three sources: the log data, the `-discovery` option, and `-peers`. Then it tries to join cluster through them one by one. If all connection attempts fail (which indicates that the majority of the cluster is currently down), it will restart itself based on the log data, which helps the cluster to recover from a full outage.
+
+Without log data, the instance is assumed to be a brand new one. If possible targets are provided by `-discovery` and `-peers`, etcd will make a best effort attempt to join them, and if none is reachable it will exit. Otherwise, if no `-discovery` or `-peers` option is provided, a new cluster will always be started.
+
+This ensures that users can always restart the node safely with the same command (without --force), and etcd will either reconnect to the old cluster if it is still running or recover its cluster from a outage.
+
+## Logical Workflow
+
+Start an etcd machine:
+
+```
+If log data is given:
+	Try to join via peers in previous cluster
+	Try to join via peers found in discover URL
+	Try to join via peers in peer list
+	Restart the previous cluster which is down
+	return
+
+If discover URL is given:
+	Fetch peers through discover URL
+	If Success:
+		Join via peers found
+		return
+
+If peer list is given:
+	Join as follower via peers in peer list
+	return
+
+Start as the leader of a new cluster
+```
--- a/Documentation/design/standbys.md
+++ b/Documentation/design/standbys.md
@ -0,0 +1,232 @@
+## Standbys
+
+Adding peers in an etcd cluster adds network, CPU, and disk overhead to the leader since each one requires replication.
+Peers primarily provide resiliency in the event of a leader failure but the benefit of more failover nodes decreases as the cluster size increases.
+A lightweight alternative is the standby.
+
+Standbys are a way for an etcd node to forward requests along to the cluster but the standbys are not part of the Raft cluster themselves.
+This provides an easier API for local applications while reducing the overhead required by a regular peer node.
+Standbys also act as standby nodes in the event that a peer node in the cluster has not recovered after a long duration.
+
+
+## Configuration Parameters
+
+There are three configuration parameters used by standbys: active size, remove delay and standby sync interval.
+
+The active size specifies a target size for the number of peers in the cluster.
+If there are not enough peers to meet the active size, standbys will send join requests until the peer count is equal to the active size.
+If there are more peers than the target active size then peers are removed by the leader and will become standbys.
+
+The remove delay specifies how long the cluster should wait before removing a dead peer.
+By default this is 30 minutes.
+If a peer is inactive for 30 minutes then the peer is removed.
+
+The standby sync interval specifies the synchronization interval of standbys with the cluster.
+By default this is 5 seconds.
+After each interval, standbys synchronize information with cluster.
+
+
+## Logical Workflow
+
+### Start a etcd machine
+
+#### Main logic
+
+```
+If find existing standby cluster info:
+  Goto standby loop
+
+Find cluster as required
+If determine to start peer server:
+  Goto peer loop
+Else:
+  Goto standby loop
+
+Peer loop:
+  Start peer mode
+  If running:
+    Wait for stop
+  Goto standby loop
+
+Standby loop:
+  Start standby mode
+  If running:
+    Wait for stop
+  Goto peer loop
+```
+
+
+#### [Cluster finding logic][cluster-finding.md]
+
+
+#### Join request logic:
+
+```
+Fetch machine info
+If cannot match version:
+  return false
+If active size <= peer count:
+  return false
+If it has existed in the cluster:
+  return true
+If join request fails:
+  return false
+return true
+```
+
+**Note**
+1. [TODO] The running mode cannot be determined by log, because the log may be outdated. But the log could be used to estimate its state.
+2. Even if sync cluster fails, it will restart still for recovery from full outage.
+
+
+#### Peer mode start logic
+
+```
+Start raft server
+Start other helper routines
+```
+
+
+#### Peer mode auto stop logic
+
+```
+When removed from the cluster:
+  Stop raft server
+  Stop other helper routines
+```
+
+
+#### Standby mode run logic
+
+```
+Loop:
+  Sleep for some time
+
+  Sync cluster, and write cluster info into disk
+
+  Check active size and send join request if needed
+  If succeed:
+    Clear cluster info from disk
+    Return
+```
+
+
+#### Serve Requests as Standby
+
+Return '404 Page Not Found' always on peer address. This is because peer address is used for raft communication and cluster management, which should not be used in standby mode.
+
+
+Serve requests from client:
+
+```
+Redirect all requests to client URL of leader
+```
+
+**Note**
+1. The leader here implies the one in raft cluster when doing the latest successful synchronization.
+2. [IDEA] We could extend HTTP Redirect to multiple possible targets.
+
+
+### Join Request Handling
+
+```
+If machine has existed in the cluster:
+  Return
+If peer count < active size:
+  Add peer
+  Increase peer count
+```
+
+
+### Remove Request Handling
+
+```
+If machine exists in the cluster:
+  Remove peer
+  Decrease peer count
+```
+
+
+## Cluster Monitor Logic
+
+### Active Size Monitor:
+
+This is only run by current cluster leader.
+
+```
+Loop:
+  Sleep for some time
+
+  If peer count > active size:
+    Remove randomly selected peer
+```
+
+
+### Peer Activity Monitor
+
+This is only run by current cluster leader.
+
+```
+Loop:
+  Sleep for some time
+
+  For each peer:
+    If peer last activity time > remove delay:
+      Remove the peer
+      Goto Loop
+```
+
+
+## Cluster Cases
+
+### Create Cluster with Thousands of Instances
+
+First few machines run in peer mode.
+
+All the others check the status of the cluster and run in standby mode.
+
+
+### Recover from full outage
+
+Machines with log data restart with join failure.
+
+Machines in peer mode recover heartbeat between each other.
+
+Machines in standby mode always sync the cluster. If sync fails, it uses the first address from data log as redirect target.
+
+
+### Kill one peer machine
+
+Leader of the cluster lose the connection with the peer.
+
+When the time exceeds remove delay, it removes the peer from the cluster.
+
+Machine in standby mode finds one available place of the cluster. It sends join request and joins the cluster.
+
+**Note**
+1. [TODO] Machine which was divided from majority and was removed from the cluster will distribute running of the cluster if the new node uses the same name.
+
+
+### Kill one standby machine
+
+No change for the cluster.
+
+
+## Cons
+
+1. New instance cannot join immediately after one peer is kicked out of the cluster, because the leader doesn't know the info about the standby instances.
+
+2. It may introduce join collision
+
+3. Cluster needs a good interval setting to balance the join delay and join collision.
+
+
+## Future Attack Plans
+
+1. Based on heartbeat miss and remove delay, standby could adjust its next check time.
+
+2. Preregister the promotion target when heartbeat miss happens.
+
+3. Get the estimated cluster size from the check happened in the sync interval, and adjust sync interval dynamically.
+
+4. Accept join requests based on active size and alive peers.
--- a/Documentation/development-tools.md
+++ b/Documentation/development-tools.md
@ -0,0 +1,12 @@
+# Development tools
+
+## Vagrant
+
+For fast start you can use Vagrant. `vagrant up` will make etcd build and running on virtual machine. Required Vagrant version is 1.5.0.
+
+Next lets set a single key and then retrieve it:
+
+```
+curl -L http://127.0.0.1:4001/v2/keys/mykey -XPUT -d value="this is awesome"
+curl -L http://127.0.0.1:4001/v2/keys/mykey
+```
--- a/Documentation/discovery-protocol.md
+++ b/Documentation/discovery-protocol.md
@ -0,0 +1,87 @@
+# Discovery Protocol
+
+Starting a new etcd cluster can be painful since each machine needs to know of at least one live machine in the cluster. If you are trying to bring up a new cluster all at once, say using an AWS cloud formation, you also need to coordinate who will be the initial cluster leader. The discovery protocol uses an existing running etcd cluster to start a second etcd cluster.
+
+To use this feature you add the command line flag `-discovery` to your etcd args. In this example we will use `http://example.com/v2/keys/_etcd/registry` as the URL prefix.
+
+## The Protocol
+
+By convention the etcd discovery protocol uses the key prefix `_etcd/registry`. A full URL to the keyspace will be `http://example.com/v2/keys/_etcd/registry`.
+
+### Creating a New Cluster
+
+Generate a unique token that will identify the new cluster. This will be used as a key prefix in the following steps. An easy way to do this is to use uuidgen:
+
+```
+UUID=$(uuidgen)
+```
+
+### Bringing up Machines
+
+Now that you have your cluster ID you can start bringing up machines. Every machine will follow this protocol internally in etcd if given a `-discovery`.
+
+### Registering your Machine
+
+The first thing etcd must do is register your machine. This is done by using the machine name (from the `-name` arg) and posting it with a long TTL to the given key.
+
+```
+curl -X PUT "http://example.com/v2/keys/_etcd/registry/${UUID}/${etcd_machine_name}?ttl=604800" -d value=${peer_addr}
+```
+
+### Discovering Peers
+
+Now that this etcd machine is registered it must discover its peers.
+
+But, the tricky bit of starting a new cluster is that one machine needs to assume the initial role of leader and will have no peers. To figure out if another machine has already started the cluster etcd needs to create the `_state` key and set its value to "started":
+
+```
+curl -X PUT "http://example.com/v2/keys/_etcd/registry/${UUID}/_state?prevExist=false" -d value=started
+```
+
+If this returns a `200 OK` response then this machine is the initial leader and should start with no peers configured. If, however, this returns a `412 Precondition Failed` then you need to find all of the registered peers:
+
+```
+curl -X GET "http://example.com/v2/keys/_etcd/registry/${UUID}?recursive=true"
+```
+
+```
+{
+    "action": "get",
+    "node": {
+        "createdIndex": 11,
+        "dir": true,
+        "key": "/_etcd/registry/9D4258A5-A1D3-4074-8837-31C1E091131D",
+        "modifiedIndex": 11,
+        "nodes": [
+            {
+                "createdIndex": 16,
+                "expiration": "2014-02-03T13:19:57.631253589-08:00",
+                "key": "/_etcd/registry/9D4258A5-A1D3-4074-8837-31C1E091131D/peer1",
+                "modifiedIndex": 16,
+                "ttl": 604765,
+                "value": "127.0.0.1:7001"
+            },
+            {
+                "createdIndex": 17,
+                "expiration": "2014-02-03T13:19:57.631253589-08:00",
+                "key": "/_etcd/registry/9D4258A5-A1D3-4074-8837-31C1E091131D/peer2",
+                "modifiedIndex": 17,
+                "ttl": 604765,
+                "value": "127.0.0.1:7002"
+            }
+        ]
+    }
+}
+```
+
+Using this information you can connect to the rest of the peers in the cluster.
+
+### Heartbeating
+
+At this point etcd will start heart beating to your registration URL. The
+protocol uses a heartbeat so permanently deleted nodes get slowly removed from
+the discovery information cluster.
+
+The heartbeat interval is about once per day and the TTL is one week. This
+should give a sufficiently wide window to protect against a discovery service
+taking a temporary outage yet provide adequate cleanup.
--- a/Documentation/errorcode.md
+++ b/Documentation/errorcode.md
@ -21,6 +21,7 @@ Error code corresponding strerror
        EcodeNotDir         = 104
        EcodeNodeExist      = 105
        EcodeKeyIsPreserved = 106
+        EcodeRootROnly      = 107

        EcodeValueRequired     = 200
        EcodePrevValueRequired = 201
@ -42,6 +43,7 @@ Error code corresponding strerror
    errors[104] = "Not A Directory"
    errors[105] = "Already exists" // create
    errors[106] = "The prefix of given key is a keyword in etcd"
+    errors[107] = "Root is read only"

    // Post form related errors
    errors[200] = "Value is Required in POST form"
--- a/Documentation/etcd-file-system.md
+++ b/Documentation/etcd-file-system.md
@ -5,13 +5,13 @@
 ![alt text](./img/etcd_fs_structure.jpg "etcd file system structure")

 ## Node
-In **Etcd**, the **Node** is the rudimentary element constructing the whole.
-Currently **Etcd** file system is comprised in a Unix-like way of files and directories, and they are two kinds of nodes different in:
+In **etcd**, the **node** is the base from which the filesystem is constructed.
+**etcd**'s file system is Unix-like with two kinds of nodes: file and directories.

- **File Node** has data associated with it.
- **Directory Node** has children nodes associated with it.
+- A **file node** has data associated with it.
+- A **directory node** has child nodes associated with it.

-Besides the file and directory difference, all nodes have common attributes and operations as follows:
+All nodes, regardless of type, have the following attributes and operations:

 ### Attributes:
 - **Expiration Time** [optional]
@ -20,7 +20,7 @@ Besides the file and directory difference, all nodes have common attributes and

 - **ACL**

-  The path of access control list of the node.
+  The path to the node's access control list.

 ### Operation:
 - **Get** (path, recursive, sorted)
@ -55,7 +55,7 @@ Besides the file and directory difference, all nodes have common attributes and
 - **TestAndSet** (path, prevValue [prevIndex], value, ttl)

  Atomic *test and set* value to a file. If test succeeds, this operation will change the previous value of the file to the given value.
-    - If the prevValue is given, it will test against previous value of 
+    - If the prevValue is given, it will test against previous value of
    the node.
    - If the prevValue is empty, it will test if the node is not existing.
    - If the prevValue is not empty, it will test if the prevValue is equal to the current value of the file.
@ -69,7 +69,7 @@ Besides the file and directory difference, all nodes have common attributes and

 ### Theory
 Etcd exports a Unix-like file system interface consisting of files and directories, collectively called nodes.
-Each node has various meta-data, including three names of access control lists used to control reading, writing and changing (change ACL names for the node).
+Each node has various meta-data, including three names of the access control lists used to control reading, writing and changing (change ACL names for the node).

 We are storing the ACL names for nodes under a special *ACL* directory.
 Each node has ACL name corresponding to one file within *ACL* dir.
@ -77,7 +77,7 @@ Unless overridden, a node naturally inherits the ACL names of its parent directo

 For each ACL name, it has three children: *R (Reading)*, *W (Writing)*, *C (Changing)*

-Each permission is also a node. Under the node it contains the users who have this permission for the file refering to this ACL name.
+Each permission is also a node. Under the node it contains the users who have this permission for the file referring to this ACL name.

 ### Example
 [TODO]
--- a/Documentation/internal-protocol-versioning.md
+++ b/Documentation/internal-protocol-versioning.md
@ -26,7 +26,7 @@ Advantages

 Disadvantages

- Follower knows better what versions of the interal protocol it can talk than the leader
+- Follower knows better what versions of the internal protocol it can talk than the leader


 ### Follower Controlled
--- a/Documentation/libraries-and-tools.md
+++ b/Documentation/libraries-and-tools.md
@ -0,0 +1,95 @@
+## Libraries and Tools
+
+**Tools**
+
+- [etcdctl](https://github.com/coreos/etcdctl) - A command line client for etcd
+- [etcd-dump](https://npmjs.org/package/etcd-dump) - Command line utility for dumping/restoring etcd.
+- [etcd-fs](https://github.com/xetorthio/etcd-fs) - FUSE filesystem for etcd
+
+**Go libraries**
+
+- [go-etcd](https://github.com/coreos/go-etcd) - Supports v2
+
+**Java libraries**
+
+- [justinsb/jetcd](https://github.com/justinsb/jetcd)
+- [diwakergupta/jetcd](https://github.com/diwakergupta/jetcd) - Supports v2
+
+**Python libraries**
+
+- [transitorykris/etcd-py](https://github.com/transitorykris/etcd-py)
+- [jplana/python-etcd](https://github.com/jplana/python-etcd) - Supports v2
+- [russellhaering/txetcd](https://github.com/russellhaering/txetcd) - a Twisted Python library
+- [cholcombe973/autodock](https://github.com/cholcombe973/autodock) - A docker deployment automation tool
+
+**Node libraries**
+
+- [stianeikeland/node-etcd](https://github.com/stianeikeland/node-etcd) - Supports v2 (w Coffeescript)
+- [lavagetto/nodejs-etcd](https://github.com/lavagetto/nodejs-etcd) - Supports v2
+
+**Ruby libraries**
+
+- [iconara/etcd-rb](https://github.com/iconara/etcd-rb)
+- [jpfuentes2/etcd-ruby](https://github.com/jpfuentes2/etcd-ruby)
+- [ranjib/etcd-ruby](https://github.com/ranjib/etcd-ruby) - Supports v2
+
+**C libraries**
+
+- [jdarcy/etcd-api](https://github.com/jdarcy/etcd-api) - Supports v2
+
+**Clojure libraries**
+
+- [aterreno/etcd-clojure](https://github.com/aterreno/etcd-clojure)
+- [dwwoelfel/cetcd](https://github.com/dwwoelfel/cetcd) - Supports v2
+- [rthomas/clj-etcd](https://github.com/rthomas/clj-etcd) - Supports v2
+
+**Erlang libraries**
+
+- [marshall-lee/etcd.erl](https://github.com/marshall-lee/etcd.erl)
+
+**.Net Libraries**
+
+- [drusellers/etcetera](https://github.com/drusellers/etcetera)
+
+**PHP Libraries**
+
+- [linkorb/etcd-php](https://github.com/linkorb/etcd-php)
+
+**Haskell libraries**
+
+- [wereHamster/etcd-hs](https://github.com/wereHamster/etcd-hs)
+
+A detailed recap of client functionalities can be found in the [clients compatibility matrix][clients-matrix.md].
+
+[clients-matrix.md]: https://github.com/coreos/etcd/blob/master/Documentation/clients-matrix.md
+
+**Chef Integration**
+
+- [coderanger/etcd-chef](https://github.com/coderanger/etcd-chef)
+
+**Chef Cookbook**
+
+- [spheromak/etcd-cookbook](https://github.com/spheromak/etcd-cookbook)
+
+**BOSH Releases**
+
+- [cloudfoundry-community/etcd-boshrelease](https://github.com/cloudfoundry-community/etcd-boshrelease)
+- [cloudfoundry/cf-release](https://github.com/cloudfoundry/cf-release/tree/master/jobs/etcd)
+
+**Projects using etcd**
+
+- [binocarlos/yoda](https://github.com/binocarlos/yoda) - etcd + ZeroMQ
+- [calavera/active-proxy](https://github.com/calavera/active-proxy) - HTTP Proxy configured with etcd
+- [derekchiang/etcdplus](https://github.com/derekchiang/etcdplus) - A set of distributed synchronization primitives built upon etcd
+- [go-discover](https://github.com/flynn/go-discover) - service discovery in Go
+- [gleicon/goreman](https://github.com/gleicon/goreman/tree/etcd) - Branch of the Go Foreman clone with etcd support
+- [garethr/hiera-etcd](https://github.com/garethr/hiera-etcd) - Puppet hiera backend using etcd
+- [mattn/etcd-vim](https://github.com/mattn/etcd-vim) - SET and GET keys from inside vim
+- [mattn/etcdenv](https://github.com/mattn/etcdenv) - "env" shebang with etcd integration
+- [kelseyhightower/confd](https://github.com/kelseyhightower/confd) - Manage local app config files using templates and data from etcd
+- [configdb](https://git.autistici.org/ai/configdb/tree/master) - A REST relational abstraction on top of arbitrary database backends, aimed at storing configs and inventories.
+- [scrz](https://github.com/scrz/scrz) - Container manager, stores configuration in etcd.
+- [fleet](https://github.com/coreos/fleet) - Distributed init system
+- [GoogleCloudPlatform/kubernetes](https://github.com/GoogleCloudPlatform/kubernetes) - Container cluster manager.
+- [mailgun/vulcand](https://github.com/mailgun/vulcand) - HTTP proxy that uses etcd as a configuration backend.
+- [duedil-ltd/discodns](https://github.com/duedil-ltd/discodns) - Simple DNS nameserver using etcd as a database for names and records.
--- a/Documentation/modules.md
+++ b/Documentation/modules.md
@ -0,0 +1,118 @@
+## Modules
+
+etcd has a number of modules that are built on top of the core etcd API.
+These modules provide things like dashboards, locks and leader election (removed).
+
+**Warning**: Modules are deprecated from v0.4 until we have a solid base we can apply them back onto.
+For now, we are choosing to focus on raft algorithm and core etcd to make sure that it works correctly and fast.
+And it is time consuming to maintain these modules in this period, given that etcd's API changes from time to time.
+Moreover, the lock module has some unfixed bugs, which may mislead users.
+But we also notice that these modules are popular and useful, and plan to add them back with full functionality as soon as possible.
+
+### Dashboard
+
+An HTML dashboard can be found at `http://127.0.0.1:4001/mod/dashboard/`.
+This dashboard is compiled into the etcd binary and uses the same API as regular etcd clients.
+
+Use the `-cors='*'` flag to allow your browser to request information from the current master as it changes.
+
+### Lock
+
+The Lock module implements a fair lock that can be used when lots of clients want access to a single resource.
+A lock can be associated with a value.
+The value is unique so if a lock tries to request a value that is already queued for a lock then it will find it and watch until that value obtains the lock.
+You may supply a `timeout` which will cancel the lock request if it is not obtained within `timeout` seconds.  If `timeout` is not supplied, it is presumed to be infinite.  If `timeout` is `0`, the lock request will fail if it is not immediately acquired.
+If you lock the same value on a key from two separate curl sessions they'll both return at the same time.
+
+Here's the API:
+
+**Acquire a lock (with no value) for "customer1"**
+
+```sh
+curl -X POST http://127.0.0.1:4001/mod/v2/lock/customer1?ttl=60
+```
+
+**Acquire a lock for "customer1" that is associated with the value "bar"**
+
+```sh
+curl -X POST http://127.0.0.1:4001/mod/v2/lock/customer1?ttl=60 -d value=bar
+```
+
+**Acquire a lock for "customer1" that is associated with the value "bar" only if it is done within 2 seconds**
+
+```sh
+curl -X POST http://127.0.0.1:4001/mod/v2/lock/customer1?ttl=60 -d value=bar -d timeout=2
+```
+
+**Renew the TTL on the "customer1" lock for index 2**
+
+```sh
+curl -X PUT http://127.0.0.1:4001/mod/v2/lock/customer1?ttl=60 -d index=2
+```
+
+**Renew the TTL on the "customer1" lock for value "bar"**
+
+```sh
+curl -X PUT http://127.0.0.1:4001/mod/v2/lock/customer1?ttl=60 -d value=bar
+```
+
+**Retrieve the current value for the "customer1" lock.**
+
+```sh
+curl http://127.0.0.1:4001/mod/v2/lock/customer1
+```
+
+**Retrieve the current index for the "customer1" lock**
+
+```sh
+curl http://127.0.0.1:4001/mod/v2/lock/customer1?field=index
+```
+
+**Delete the "customer1" lock with the index 2**
+
+```sh
+curl -X DELETE http://127.0.0.1:4001/mod/v2/lock/customer1?index=2
+```
+
+**Delete the "customer1" lock with the value "bar"**
+
+```sh
+curl -X DELETE http://127.0.0.1:4001/mod/v2/lock/customer1?value=bar
+```
+
+
+### Leader Election (Deprecated and Removed in 0.4)
+
+The Leader Election module wraps the Lock module to allow clients to come to consensus on a single value.
+This is useful when you want one server to process at a time but allow other servers to fail over.
+The API is similar to the Lock module but is limited to simple strings values.
+
+Here's the API:
+
+**Attempt to set a value for the "order_processing" leader key:**
+
+```sh
+curl -X PUT http://127.0.0.1:4001/mod/v2/leader/order_processing?ttl=60 -d name=myserver1.foo.com
+```
+
+**Retrieve the current value for the "order_processing" leader key:**
+
+```sh
+curl http://127.0.0.1:4001/mod/v2/leader/order_processing
+myserver1.foo.com
+```
+
+**Remove a value from the "order_processing" leader key:**
+
+```sh
+curl -X DELETE http://127.0.0.1:4001/mod/v2/leader/order_processing?name=myserver1.foo.com
+```
+
+If multiple clients attempt to set the value for a key then only one will succeed.
+The other clients will hang until the current value is removed because of TTL or because of a `DELETE` operation.
+Multiple clients can submit the same value and will all be notified when that value succeeds.
+
+To update the TTL of a value simply reissue the same `PUT` command that you used to set the value.
+
+
+
--- a/Documentation/optimal-cluster-size.md
+++ b/Documentation/optimal-cluster-size.md
@ -0,0 +1,38 @@
+# Optimal etcd Cluster Size
+
+etcd's Raft consensus algorithm is most efficient in small clusters between 3 and 9 peers. For clusters larger than 9, etcd will select a subset of instances to participate in the algorithm in order to keep it efficient. The end of this document briefly explores how etcd works internally and why these choices have been made.
+
+## Cluster Management
+
+You can manage the active cluster size through the [cluster config API](https://github.com/coreos/etcd/blob/master/Documentation/api.md#cluster-config). `activeSize` represents the etcd peers allowed to actively participate in the consensus algorithm.
+
+If the total number of etcd instances exceeds this number, additional peers are started as [standbys](https://github.com/coreos/etcd/blob/master/Documentation/design/standbys.md), which can be promoted to active participation if one of the existing active instances has failed or been removed.
+
+## Internals of etcd
+
+### Writing to etcd
+
+Writes to an etcd peer are always redirected to the leader of the cluster and distributed to all of the peers immediately. A write is only considered successful when a majority of the peers acknowledge the write.
+
+For example, in a cluster with 5 peers, a write operation is only as fast as the 3rd fastest machine. This is the main reason for keeping the number of active peers below 9. In practice, you only need to worry about write performance in high latency environments such as a cluster spanning multiple data centers.
+
+### Leader Election
+
+The leader election process is similar to writing a key &mdash; a majority of the active peers must acknowledge the new leader before cluster operations can continue. The longer each peer takes to elect a new leader means you have to wait longer before you can write to the cluster again. In low latency environments this process takes milliseconds.
+
+### Odd Active Cluster Size
+
+The other important cluster optimization is to always have an odd active cluster size (i.e. `activeSize`). Adding an odd node to the number of peers doesn't change the size of the majority and therefore doesn't increase the total latency of the majority as described above. But, you gain a higher tolerance for peer failure by adding the extra machine. You can see this in practice when comparing two even and odd sized clusters:
+
+| Active Peers | Majority   | Failure Tolerance |
+|--------------|------------|-------------------|
+| 1 peers      | 1 peers    | None              |
+| 3 peers      | 2 peers    | 1 peer            |
+| 4 peers      | 3 peers    | 2 peers           |
+| 5 peers      | 3 peers    | **3 peers**       |
+| 6 peers      | 4 peers    | 2 peers           |
+| 7 peers      | 4 peers    | **3 peers**       |
+| 8 peers      | 5 peers    | 3 peers           |
+| 9 peers      | 5 peers    | **4 peers**       |
+
+As you can see, adding another peer to bring the number of active peers up to an odd size is always worth it. During a network partition, an odd number of active peers also guarantees that there will almost always be a majority of the cluster that can continue to operate and be the source of truth when the partition ends.
--- a/Documentation/platforms/freebsd.md
+++ b/Documentation/platforms/freebsd.md
@ -0,0 +1,62 @@
+# FreeBSD
+
+Starting with version 0.1.2 both etcd and etcdctl have been ported to FreeBSD and can
+be installed either via packages or ports system. Their versions have been recently
+updated to 0.2.0 so now you can enjoy using etcd and etcdctl on FreeBSD 10.0 (RC4 as
+of now) and 9.x where they have been tested. They might also work when installed from
+ports on earlier versions of FreeBSD, but your mileage may vary.
+
+## Installation
+
+### Using pkgng package system
+
+1. If you do not have pkgng installed, install it with command `pkg` and answering 'Y'
+when asked
+
+2. Update your repository data with `pkg update`
+
+3. Install etcd with `pkg install coreosetcd coreosetcdctl`
+
+4. Verify successful installation with `pkg info | grep etcd` and you should get:
+
+```
+r@fbsd10:/ # pkg info | grep etcd
+coreosetcd0.2.0              Highlyavailable key value store and service discovery
+coreosetcdctl0.2.0           Simple commandline client for etcd
+r@fbsd10:/ #
+```
+
+5. You’re ready to use etcd and etcdctl! For more information about using pkgng, please
+see: http://www.freebsd.org/doc/handbook/pkgngintro.html
+ 
+### Using ports system
+
+1. If you do not have ports installed, install with with `portsnap fetch extract` (it
+may take some time depending on your hardware and network connection)
+
+2. Build etcd with `cd /usr/ports/devel/etcd && make install clean`, you
+will get an option to build and install documentation and etcdctl with it.
+
+3. If you haven't installed it with etcdctl, and you would like to install it later, you can build it
+with `cd /usr/ports/devel/etcdctl && make install clean`
+
+4. Verify successful installation with `pkg info | grep etcd` and you should get:
+ 
+
+```
+r@fbsd10:/ # pkg info | grep etcd
+coreosetcd0.2.0              Highlyavailable key value store and service discovery
+coreosetcdctl0.2.0           Simple commandline client for etcd
+r@fbsd10:/ #
+```
+
+5. You’re ready to use etcd and etcdctl! For more information about using ports system,
+please see: https://www.freebsd.org/doc/handbook/portsusing.html
+
+## Issues
+
+If you find any issues with the build/install procedure or you've found a problem that
+you've verified is local to FreeBSD version only (for example, by not being able to
+reproduce it on any other platform, like OSX or Linux), please sent a
+problem report using this page for more
+information: http://www.freebsd.org/sendpr.html
--- a/Documentation/production-ready.md
+++ b/Documentation/production-ready.md
@ -0,0 +1,7 @@
+etcd is being used successfully by many companies in production. It is,
+however, under active development and systems like etcd are difficult to get
+correct. If you are comfortable with bleeding-edge software please use etcd and
+provide us with the feedback and testing young software needs.
+
+When the etcd team feels confident removing this warning we will release etcd
+1.0.
--- a/Documentation/security.md
+++ b/Documentation/security.md
@ -0,0 +1,131 @@
+# Reading and Writing over HTTPS
+
+## Transport Security with HTTPS
+
+Etcd supports SSL/TLS and client cert authentication for clients to server, as well as server to server communication.
+
+First, you need to have a CA cert `clientCA.crt` and signed key pair `client.crt`, `client.key`.
+This site has a good reference for how to generate self-signed key pairs:
+http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
+Or you could use [etcd-ca](https://github.com/coreos/etcd-ca) to generate certs and keys.
+
+For testing you can use the certificates in the `fixtures/ca` directory.
+
+Let's configure etcd to use this keypair:
+
+```sh
+./etcd -f -name machine0 -data-dir machine0 -cert-file=./fixtures/ca/server.crt -key-file=./fixtures/ca/server.key.insecure
+```
+
+There are a few new options we're using:
+
+* `-f` - forces a new machine configuration, even if an existing configuration is found. (WARNING: data loss!)
+* `-cert-file` and `-key-file` specify the location of the cert and key files to be used for for transport layer security between the client and server.
+
+You can now test the configuration using HTTPS:
+
+```sh
+curl --cacert ./fixtures/ca/server-chain.pem https://127.0.0.1:4001/v2/keys/foo -XPUT -d value=bar -v
+```
+
+You should be able to see the handshake succeed.
+
+**OSX 10.9+ Users**: curl 7.30.0 on OSX 10.9+ doesn't understand certificates passed in on the command line.
+Instead you must import the dummy ca.crt directly into the keychain or add the `-k` flag to curl to ignore errors.
+If you want to test without the `-k` flag run `open ./fixtures/ca/ca.crt` and follow the prompts.
+Please remove this certificate after you are done testing!
+If you know of a workaround let us know.
+
+```
+...
+SSLv3, TLS handshake, Finished (20):
+...
+```
+
+And also the response from the etcd server:
+
+```json
+{
+    "action": "set",
+    "key": "/foo",
+    "modifiedIndex": 3,
+    "value": "bar"
+}
+```
+
+
+## Authentication with HTTPS Client Certificates
+
+We can also do authentication using CA certs.
+The clients will provide their cert to the server and the server will check whether the cert is signed by the CA and decide whether to serve the request.
+
+```sh
+./etcd -f -name machine0 -data-dir machine0 -ca-file=./fixtures/ca/ca.crt -cert-file=./fixtures/ca/server.crt -key-file=./fixtures/ca/server.key.insecure
+```
+
+```-ca-file``` is the path to the CA cert.
+
+Try the same request to this server:
+
+```sh
+curl --cacert ./fixtures/ca/server-chain.pem https://127.0.0.1:4001/v2/keys/foo -XPUT -d value=bar -v
+```
+
+The request should be rejected by the server.
+
+```
+...
+routines:SSL3_READ_BYTES:sslv3 alert bad certificate
+...
+```
+
+We need to give the CA signed cert to the server.
+
+```sh
+curl --key ./fixtures/ca/server2.key.insecure --cert ./fixtures/ca/server2.crt --cacert ./fixtures/ca/server-chain.pem -L https://127.0.0.1:4001/v2/keys/foo -XPUT -d value=bar -v
+```
+
+You should able to see:
+
+```
+...
+SSLv3, TLS handshake, CERT verify (15):
+...
+TLS handshake, Finished (20)
+```
+
+And also the response from the server:
+
+```json
+{
+    "action": "set",
+    "node": {
+        "createdIndex": 12,
+        "key": "/foo",
+        "modifiedIndex": 12,
+        "value": "bar"
+    }
+}
+```
+
+### Why SSLv3 alert handshake failure when using SSL client auth?
+
+The `crypto/tls` package of `golang` checks the key usage of the certificate public key before using it.
+To use the certificate public key to do client auth, we need to add `clientAuth` to `Extended Key Usage` when creating the certificate public key.
+
+Here is how to do it:
+
+Add the following section to your openssl.cnf:
+
+```
+[ ssl_client ]
+...
+  extendedKeyUsage = clientAuth
+...
+```
+
+When creating the cert be sure to reference it in the `-extensions` flag:
+
+```
+openssl ca -config openssl.cnf -policy policy_anything -extensions ssl_client -out certs/machine.crt -infiles machine.csr
+```
--- a/Documentation/tuning.md
+++ b/Documentation/tuning.md
@ -0,0 +1,93 @@
+## Tuning
+
+The default settings in etcd should work well for installations on a local network where the average network latency is low.
+However, when using etcd across multiple data centers or over networks with high latency you may need to tweak the heartbeat interval and election timeout settings.
+
+### Time Parameters
+
+The underlying distributed consensus protocol relies on two separate time parameters to ensure that nodes can handoff leadership if one stalls or goes offline.
+The first parameter is called the *Heartbeat Interval*.
+This is the frequency with which the leader will notify followers that it is still the leader.
+etcd batches commands together for higher throughput so this heartbeat interval is also a delay for how long it takes for commands to be committed.
+By default, etcd uses a `50ms` heartbeat interval.
+
+The second parameter is the *Election Timeout*.
+This timeout is how long a follower node will go without hearing a heartbeat before attempting to become leader itself.
+By default, etcd uses a `200ms` election timeout.
+
+Adjusting these values is a trade off.
+Lowering the heartbeat interval will cause individual commands to be committed faster but it will lower the overall throughput of etcd.
+If your etcd instances have low utilization then lowering the heartbeat interval can improve your command response time.
+
+The election timeout should be set based on the heartbeat interval and your network ping time between nodes.
+Election timeouts should be at least 10 times your ping time so it can account for variance in your network.
+For example, if the ping time between your nodes is 10ms then you should have at least a 100ms election timeout.
+
+You should also set your election timeout to at least 4 to 5 times your heartbeat interval to account for variance in leader replication.
+For a heartbeat interval of 50ms you should set your election timeout to at least 200ms - 250ms.
+
+You can override the default values on the command line:
+
+```sh
+# Command line arguments:
+$ etcd -peer-heartbeat-interval=100 -peer-election-timeout=500
+
+# Environment variables:
+$ ETCD_PEER_HEARTBEAT_INTERVAL=100 ETCD_PEER_ELECTION_TIMEOUT=500 etcd
+```
+
+Or you can set the values within the configuration file:
+
+```toml
+[peer]
+heartbeat_interval = 100
+election_timeout = 100
+```
+
+The values are specified in milliseconds.
+
+
+### Snapshots
+
+etcd appends all key changes to a log file.
+This log grows forever and is a complete linear history of every change made to the keys.
+A complete history works well for lightly used clusters but clusters that are heavily used would carry around a large log.
+
+To avoid having a huge log etcd makes periodic snapshots.
+These snapshots provide a way for etcd to compact the log by saving the current state of the system and removing old logs.
+
+### Snapshot Tuning
+
+Creating snapshots can be expensive so they're only created after a given number of changes to etcd.
+By default, snapshots will be made after every 10,000 changes.
+If etcd's memory usage and disk usage are too high, you can lower the snapshot threshold by setting the following on the command line:
+
+```sh
+# Command line arguments:
+$ etcd -snapshot-count=5000
+
+# Environment variables:
+$ ETCD_SNAPSHOT_COUNT=5000 etcd
+```
+
+Or you can change the setting in the configuration file:
+
+```toml
+snapshot_count = 5000
+```
+
+You can also disable snapshotting by adding the following to your command line:
+
+```sh
+# Command line arguments:
+$ etcd -snapshot false
+
+# Environment variables:
+$ ETCD_SNAPSHOT=false etcd
+```
+
+You can also disable snapshotting within the configuration file:
+
+```toml
+snapshot = false
+```
--- a/Documentation/upgrade.md
+++ b/Documentation/upgrade.md
@ -0,0 +1,17 @@
+# Upgrading an Existing Cluster
+
+etcd clusters can be upgraded by doing a rolling upgrade or all at once. We make every effort to test this process, but please be sure to backup your data [by etcd-dump](https://github.com/AaronO/etcd-dump), or make a copy of data directory beforehand.
+
+## Upgrade Process
+
+- Stop the old etcd processes
+- Upgrade the etcd binary
+- Restart the etcd instance using the original --name, --address, --peer-address and --data-dir.
+
+## Rolling Upgrade
+
+During an upgrade, etcd clusters are designed to continue working in a mix of old and new versions. It's recommended to converge on the new version quickly. Using new API features before the entire cluster has been upgraded is only supported as a best effort. Each instance's version can be found with `curl http://127.0.0.1:4001/version`.
+
+## All at Once
+
+If downtime is not an issue, the easiest way to upgrade your cluster is to shutdown all of the etcd instances and restart them with the new binary. The current state of the cluster is saved to disk and will be loaded into the cluster when it restarts.
--- a/README.md
+++ b/README.md
--- a/27
+++ b/27
@ -0,0 +1,27 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+Vagrant.require_version '>= 1.5.0'
+Vagrant.configure("2") do |config|
+  config.vm.box = "precise64"
+  config.vm.box_url = "http://files.vagrantup.com/precise64.box"
+
+  config.vm.network :forwarded_port, host: 4001, guest: 4001
+  config.vm.network :forwarded_port, host: 7001, guest: 7001
+
+  # Fix docker not being able to resolve private registry in VirtualBox
+  config.vm.provider :virtualbox do |vb, override|
+    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
+    vb.customize ["modifyvm", :id, "--natdnsproxy1", "on"]
+  end
+
+  config.vm.provision "docker" do |d|
+    d.build_image "/vagrant", args: '-t etcd'
+    d.run "etcd", args: "-p 4001:4001 -p 7001:7001", demonize: true
+  end
+
+  # plugin conflict
+  if Vagrant.has_plugin?("vagrant-vbguest")
+    config.vbguest.auto_update = false
+  end
+end
--- a/bench/bench.go
+++ b/bench/bench.go
@ -4,27 +4,38 @@ import (
 	"flag"
 	"log"
 	"strconv"
+	"time"

-	"github.com/coreos/go-etcd/etcd"
+	"github.com/coreos/etcd/third_party/github.com/coreos/go-etcd/etcd"
 )

-func write(requests int, end chan int) {
-	client := etcd.NewClient(nil)
+var (
+	// output debug to log
+	verbose *bool
+)
+
+func write(endpoint string, requests int, end chan int) {
+	client := etcd.NewClient([]string{endpoint})

 	for i := 0; i < requests; i++ {
 		key := strconv.Itoa(i)
-		client.Set(key, key, 0)
+		_, err := client.Set(key, key, 0)
+		if err != nil {
+			println(err.Error())
+		}
 	}
 	end <- 1
 }

-func watch(key string) {
-	client := etcd.NewClient(nil)
+func watch(endpoint string, key string) {
+	client := etcd.NewClient([]string{endpoint})

 	receiver := make(chan *etcd.Response)
 	go client.Watch(key, 0, true, receiver, nil)

-	log.Printf("watching: %s", key)
+	if *verbose {
+		log.Printf("watching: %s", key)
+	}

 	received := 0
 	for {
@ -34,25 +45,35 @@ func watch(key string) {
 }

 func main() {
+	endpoint := flag.String("endpoint", "http://127.0.0.1:4001", "etcd HTTP endpoint")
+
 	rWrites := flag.Int("write-requests", 50000, "number of writes")
 	cWrites := flag.Int("concurrent-writes", 500, "number of concurrent writes")
-
-	watches := flag.Int("watches", 500, "number of writes")
+	watches := flag.Int("watches", 500, "number of concurrent watches")
+	verbose = flag.Bool("verbose", false, "output debug info")

 	flag.Parse()

+	log.Printf("Benchmarking %v", *endpoint)
+	log.Printf("%v writes with %v concurrent writers and %v watches", *rWrites, *cWrites, *watches)
+
+	t := time.Now()
 	for i := 0; i < *watches; i++ {
 		key := strconv.Itoa(i)
-		go watch(key)
+		go watch(*endpoint, key)
 	}

 	wChan := make(chan int, *cWrites)
 	for i := 0; i < *cWrites; i++ {
-		go write((*rWrites / *cWrites), wChan)
+		go write(*endpoint, (*rWrites / *cWrites), wChan)
 	}

 	for i := 0; i < *cWrites; i++ {
 		<-wChan
-		log.Printf("Completed %d writes", (*rWrites / *cWrites))
+		if *verbose {
+			log.Printf("Completed %d writes", (*rWrites / *cWrites))
+		}
 	}
+
+	log.Printf("Took %v", time.Now().Sub(t))
 }
--- a/35
+++ b/35
@ -1,27 +1,18 @@
-#!/bin/sh
-set -e
+#!/bin/sh -e

-ETCD_PACKAGE=github.com/coreos/etcd
-export GOPATH="${PWD}"
-SRC_DIR="$GOPATH/src"
-ETCD_DIR="$SRC_DIR/$ETCD_PACKAGE"
-
-ETCD_BASE=$(dirname "${ETCD_DIR}")
-if [ ! -d "${ETCD_BASE}" ]; then
-	mkdir -p "${ETCD_BASE}"
+if [ ! -h gopath/src/github.com/coreos/etcd ]; then
+	mkdir -p gopath/src/github.com/coreos/
+	ln -s ../../../.. gopath/src/github.com/coreos/etcd
 fi

-if [ ! -h "${ETCD_DIR}" ]; then
-	ln -s ../../../ "${ETCD_DIR}"
+export GOBIN=${PWD}/bin
+export GOPATH=${PWD}/gopath
+export GOFMTPATH="./bench ./config ./discovery ./etcd ./error ./http ./log main.go ./metrics ./mod ./server ./store ./tests"
+
+# Don't surprise user by formatting their codes by stealth
+if [ "--fmt" = "$1" ]; then
+	gofmt -s -w -l $GOFMTPATH
 fi

-for i in third_party/*; do
-	if [ "$i" = "third_party/src" ]; then
-		continue
-	fi
-	cp -R "$i" src/
-done
-
-./scripts/release-version > server/release_version.go
-go build "${ETCD_PACKAGE}"
-go build -o etcdbench "${ETCD_PACKAGE}"/bench
+go install github.com/coreos/etcd
+go install github.com/coreos/etcd/bench
--- a/build.ps1
+++ b/build.ps1
@ -1,24 +0,0 @@
-
-$ETCD_PACKAGE="github.com/coreos/etcd"
-$env:GOPATH=$pwd.Path
-$SRC_DIR="$env:GOPATH/src"
-$ETCD_DIR="$SRC_DIR/$ETCD_PACKAGE"
-$env:ETCD_DIR="$SRC_DIR/$ETCD_PACKAGE"
-
-$ETCD_BASE=(Split-Path $ETCD_DIR -Parent)
-if(-not(test-path $ETCD_DIR)){
-	mkdir -force "$ETCD_BASE" > $null
-}
-
-if(-not(test-path $ETCD_DIR )){
-	cmd /c 'mklink /D "%ETCD_DIR%" ..\..\..\'
-}
-
-foreach($i in (ls third_party/*)){
-	if("$i" -eq "third_party/src") {continue}
-	
-	cp -Recurse -force "$i" src/
-}
-
-./scripts/release-version.ps1 | Out-File -Encoding UTF8 server/release_version.go
-go build -v "${ETCD_PACKAGE}"
--- a/config/config.go
+++ b/config/config.go
@ -1,10 +1,10 @@
-package server
+package config

 import (
-	"encoding/json"
 	"flag"
 	"fmt"
 	"io/ioutil"
+	"math/rand"
 	"net"
 	"net/url"
 	"os"
@ -12,9 +12,13 @@ import (
 	"reflect"
 	"strconv"
 	"strings"
+	"time"
+
+	"github.com/coreos/etcd/third_party/github.com/BurntSushi/toml"

-	"github.com/BurntSushi/toml"
 	"github.com/coreos/etcd/log"
+	ustrings "github.com/coreos/etcd/pkg/strings"
+	"github.com/coreos/etcd/server"
 )

 // The default location for the etcd configuration file.
@ -22,24 +26,25 @@ const DefaultSystemConfigPath = "/etc/etcd/etcd.conf"

 // A lookup of deprecated flags to their new flag name.
 var newFlagNameLookup = map[string]string{
-	"C":             "peers",
-	"CF":            "peers-file",
-	"n":             "name",
-	"c":             "addr",
-	"cl":            "bind-addr",
-	"s":             "peer-addr",
-	"sl":            "peer-bind-addr",
-	"d":             "data-dir",
-	"m":             "max-result-buffer",
-	"r":             "max-retry-attempts",
-	"maxsize":       "max-cluster-size",
-	"clientCAFile":  "ca-file",
-	"clientCert":    "cert-file",
-	"clientKey":     "key-file",
-	"serverCAFile":  "peer-ca-file",
-	"serverCert":    "peer-cert-file",
-	"serverKey":     "peer-key-file",
-	"snapshotCount": "snapshot-count",
+	"C":                      "peers",
+	"CF":                     "peers-file",
+	"n":                      "name",
+	"c":                      "addr",
+	"cl":                     "bind-addr",
+	"s":                      "peer-addr",
+	"sl":                     "peer-bind-addr",
+	"d":                      "data-dir",
+	"m":                      "max-result-buffer",
+	"r":                      "max-retry-attempts",
+	"maxsize":                "max-cluster-size",
+	"clientCAFile":           "ca-file",
+	"clientCert":             "cert-file",
+	"clientKey":              "key-file",
+	"serverCAFile":           "peer-ca-file",
+	"serverCert":             "peer-cert-file",
+	"serverKey":              "peer-key-file",
+	"snapshotCount":          "snapshot-count",
+	"peer-heartbeat-timeout": "peer-heartbeat-interval",
 }

 // Config represents the server configuration.
@ -53,13 +58,14 @@ type Config struct {
 	CPUProfileFile   string
 	CorsOrigins      []string `toml:"cors" env:"ETCD_CORS"`
 	DataDir          string   `toml:"data_dir" env:"ETCD_DATA_DIR"`
+	Discovery        string   `toml:"discovery" env:"ETCD_DISCOVERY"`
 	Force            bool
 	KeyFile          string   `toml:"key_file" env:"ETCD_KEY_FILE"`
 	Peers            []string `toml:"peers" env:"ETCD_PEERS"`
 	PeersFile        string   `toml:"peers_file" env:"ETCD_PEERS_FILE"`
-	MaxClusterSize   int      `toml:"max_cluster_size" env:"ETCD_MAX_CLUSTER_SIZE"`
 	MaxResultBuffer  int      `toml:"max_result_buffer" env:"ETCD_MAX_RESULT_BUFFER"`
 	MaxRetryAttempts int      `toml:"max_retry_attempts" env:"ETCD_MAX_RETRY_ATTEMPTS"`
+	RetryInterval    float64  `toml:"retry_interval" env:"ETCD_RETRY_INTERVAL"`
 	Name             string   `toml:"name" env:"ETCD_NAME"`
 	Snapshot         bool     `toml:"snapshot" env:"ETCD_SNAPSHOT"`
 	SnapshotCount    int      `toml:"snapshot_count" env:"ETCD_SNAPSHOTCOUNT"`
@ -67,29 +73,44 @@ type Config struct {
 	ShowVersion      bool
 	Verbose          bool `toml:"verbose" env:"ETCD_VERBOSE"`
 	VeryVerbose      bool `toml:"very_verbose" env:"ETCD_VERY_VERBOSE"`
+	VeryVeryVerbose  bool `toml:"very_very_verbose" env:"ETCD_VERY_VERY_VERBOSE"`
 	Peer             struct {
-		Addr     string `toml:"addr" env:"ETCD_PEER_ADDR"`
-		BindAddr string `toml:"bind_addr" env:"ETCD_PEER_BIND_ADDR"`
-		CAFile   string `toml:"ca_file" env:"ETCD_PEER_CA_FILE"`
-		CertFile string `toml:"cert_file" env:"ETCD_PEER_CERT_FILE"`
-		KeyFile  string `toml:"key_file" env:"ETCD_PEER_KEY_FILE"`
-		HeartbeatTimeout int  `toml:"heartbeat_timeout" env:"ETCD_PEER_HEARTBEAT_TIMEOUT"`
-		ElectionTimeout  int  `toml:"election_timeout" env:"ETCD_PEER_ELECTION_TIMEOUT"`
+		Addr              string `toml:"addr" env:"ETCD_PEER_ADDR"`
+		BindAddr          string `toml:"bind_addr" env:"ETCD_PEER_BIND_ADDR"`
+		CAFile            string `toml:"ca_file" env:"ETCD_PEER_CA_FILE"`
+		CertFile          string `toml:"cert_file" env:"ETCD_PEER_CERT_FILE"`
+		KeyFile           string `toml:"key_file" env:"ETCD_PEER_KEY_FILE"`
+		HeartbeatInterval int    `toml:"heartbeat_interval" env:"ETCD_PEER_HEARTBEAT_INTERVAL"`
+		ElectionTimeout   int    `toml:"election_timeout" env:"ETCD_PEER_ELECTION_TIMEOUT"`
+	}
+	strTrace     string `toml:"trace" env:"ETCD_TRACE"`
+	GraphiteHost string `toml:"graphite_host" env:"ETCD_GRAPHITE_HOST"`
+	Cluster      struct {
+		ActiveSize   int     `toml:"active_size" env:"ETCD_CLUSTER_ACTIVE_SIZE"`
+		RemoveDelay  float64 `toml:"remove_delay" env:"ETCD_CLUSTER_REMOVE_DELAY"`
+		SyncInterval float64 `toml:"sync_interval" env:"ETCD_CLUSTER_SYNC_INTERVAL"`
 	}
 }

-// NewConfig returns a Config initialized with default values.
-func NewConfig() *Config {
+// New returns a Config initialized with default values.
+func New() *Config {
 	c := new(Config)
 	c.SystemPath = DefaultSystemConfigPath
 	c.Addr = "127.0.0.1:4001"
-	c.MaxClusterSize = 9
 	c.MaxResultBuffer = 1024
 	c.MaxRetryAttempts = 3
+	c.RetryInterval = 10.0
+	c.Snapshot = true
 	c.SnapshotCount = 10000
 	c.Peer.Addr = "127.0.0.1:7001"
-	c.Peer.HeartbeatTimeout = 0
-	c.Peer.ElectionTimeout = 0
+	c.Peer.HeartbeatInterval = defaultHeartbeatInterval
+	c.Peer.ElectionTimeout = defaultElectionTimeout
+	rand.Seed(time.Now().UTC().UnixNano())
+	// Make maximum twice as minimum.
+	c.RetryInterval = float64(50+rand.Int()%50) * defaultHeartbeatInterval / 1000
+	c.Cluster.ActiveSize = server.DefaultActiveSize
+	c.Cluster.RemoveDelay = server.DefaultRemoveDelay
+	c.Cluster.SyncInterval = server.DefaultSyncInterval
 	return c
 }

@ -129,16 +150,6 @@ func (c *Config) Load(arguments []string) error {
 		return err
 	}

-	// Sanitize all the input fields.
-	if err := c.Sanitize(); err != nil {
-		return fmt.Errorf("sanitize: %v", err)
-	}
-
-	// Force remove server configuration if specified.
-	if c.Force {
-		c.Reset()
-	}
-
 	return nil
 }

@ -164,6 +175,9 @@ func (c *Config) LoadEnv() error {
 	if err := c.loadEnv(&c.Peer); err != nil {
 		return err
 	}
+	if err := c.loadEnv(&c.Cluster); err != nil {
+		return err
+	}
 	return nil
 }

@ -192,7 +206,13 @@ func (c *Config) loadEnv(target interface{}) error {
 		case reflect.String:
 			value.Field(i).SetString(v)
 		case reflect.Slice:
-			value.Field(i).Set(reflect.ValueOf(trimsplit(v, ",")))
+			value.Field(i).Set(reflect.ValueOf(ustrings.TrimSplit(v, ",")))
+		case reflect.Float64:
+			newValue, err := strconv.ParseFloat(v, 64)
+			if err != nil {
+				return fmt.Errorf("Parse error: %s: %s", field.Tag.Get("env"), err)
+			}
+			value.Field(i).SetFloat(newValue)
 		}
 	}
 	return nil
@ -213,13 +233,15 @@ func (c *Config) LoadFlags(arguments []string) error {
 	f.BoolVar(&c.Force, "force", false, "")

 	f.BoolVar(&c.Verbose, "v", c.Verbose, "")
-	f.BoolVar(&c.VeryVerbose, "vv", c.Verbose, "")
+	f.BoolVar(&c.VeryVerbose, "vv", c.VeryVerbose, "")
+	f.BoolVar(&c.VeryVeryVerbose, "vvv", c.VeryVeryVerbose, "")

 	f.StringVar(&peers, "peers", "", "")
 	f.StringVar(&c.PeersFile, "peers-file", c.PeersFile, "")

 	f.StringVar(&c.Name, "name", c.Name, "")
 	f.StringVar(&c.Addr, "addr", c.Addr, "")
+	f.StringVar(&c.Discovery, "discovery", c.Discovery, "")
 	f.StringVar(&c.BindAddr, "bind-addr", c.BindAddr, "")
 	f.StringVar(&c.Peer.Addr, "peer-addr", c.Peer.Addr, "")
 	f.StringVar(&c.Peer.BindAddr, "peer-bind-addr", c.Peer.BindAddr, "")
@ -235,8 +257,8 @@ func (c *Config) LoadFlags(arguments []string) error {
 	f.StringVar(&c.DataDir, "data-dir", c.DataDir, "")
 	f.IntVar(&c.MaxResultBuffer, "max-result-buffer", c.MaxResultBuffer, "")
 	f.IntVar(&c.MaxRetryAttempts, "max-retry-attempts", c.MaxRetryAttempts, "")
-	f.IntVar(&c.MaxClusterSize, "max-cluster-size", c.MaxClusterSize, "")
-	f.IntVar(&c.Peer.HeartbeatTimeout, "peer-heartbeat-timeout", c.Peer.HeartbeatTimeout, "")
+	f.Float64Var(&c.RetryInterval, "retry-interval", c.RetryInterval, "")
+	f.IntVar(&c.Peer.HeartbeatInterval, "peer-heartbeat-interval", c.Peer.HeartbeatInterval, "")
 	f.IntVar(&c.Peer.ElectionTimeout, "peer-election-timeout", c.Peer.ElectionTimeout, "")

 	f.StringVar(&cors, "cors", "", "")
@ -245,6 +267,13 @@ func (c *Config) LoadFlags(arguments []string) error {
 	f.IntVar(&c.SnapshotCount, "snapshot-count", c.SnapshotCount, "")
 	f.StringVar(&c.CPUProfileFile, "cpuprofile", "", "")

+	f.StringVar(&c.strTrace, "trace", "", "")
+	f.StringVar(&c.GraphiteHost, "graphite-host", "", "")
+
+	f.IntVar(&c.Cluster.ActiveSize, "cluster-active-size", c.Cluster.ActiveSize, "")
+	f.Float64Var(&c.Cluster.RemoveDelay, "cluster-remove-delay", c.Cluster.RemoveDelay, "")
+	f.Float64Var(&c.Cluster.SyncInterval, "cluster-sync-interval", c.Cluster.SyncInterval, "")
+
 	// BEGIN IGNORED FLAGS
 	f.StringVar(&path, "config", "", "")
 	// BEGIN IGNORED FLAGS
@ -266,8 +295,8 @@ func (c *Config) LoadFlags(arguments []string) error {
 	f.StringVar(&c.DataDir, "d", c.DataDir, "(deprecated)")
 	f.IntVar(&c.MaxResultBuffer, "m", c.MaxResultBuffer, "(deprecated)")
 	f.IntVar(&c.MaxRetryAttempts, "r", c.MaxRetryAttempts, "(deprecated)")
-	f.IntVar(&c.MaxClusterSize, "maxsize", c.MaxClusterSize, "(deprecated)")
 	f.IntVar(&c.SnapshotCount, "snapshotCount", c.SnapshotCount, "(deprecated)")
+	f.IntVar(&c.Peer.HeartbeatInterval, "peer-heartbeat-timeout", c.Peer.HeartbeatInterval, "(deprecated)")
 	// END DEPRECATED FLAGS

 	if err := f.Parse(arguments); err != nil {
@ -277,16 +306,16 @@ func (c *Config) LoadFlags(arguments []string) error {
 	// Print deprecation warnings on STDERR.
 	f.Visit(func(f *flag.Flag) {
 		if len(newFlagNameLookup[f.Name]) > 0 {
-			fmt.Fprintf(os.Stderr, "[deprecated] use -%s, not -%s", newFlagNameLookup[f.Name], f.Name)
+			fmt.Fprintf(os.Stderr, "[deprecated] use -%s, not -%s\n", newFlagNameLookup[f.Name], f.Name)
 		}
 	})

 	// Convert some parameters to lists.
 	if peers != "" {
-		c.Peers = trimsplit(peers, ",")
+		c.Peers = ustrings.TrimSplit(peers, ",")
 	}
 	if cors != "" {
-		c.CorsOrigins = trimsplit(cors, ",")
+		c.CorsOrigins = ustrings.TrimSplit(cors, ",")
 	}

 	return nil
@ -302,7 +331,7 @@ func (c *Config) LoadPeersFile() error {
 	if err != nil {
 		return fmt.Errorf("Peers file error: %s", err)
 	}
-	c.Peers = trimsplit(string(b), ",")
+	c.Peers = ustrings.TrimSplit(string(b), ",")

 	return nil
 }
@ -328,9 +357,6 @@ func (c *Config) NameFromHostname() {

 // Reset removes all server configuration files.
 func (c *Config) Reset() error {
-	if err := os.RemoveAll(filepath.Join(c.DataDir, "info")); err != nil {
-		return err
-	}
 	if err := os.RemoveAll(filepath.Join(c.DataDir, "log")); err != nil {
 		return err
 	}
@ -340,73 +366,29 @@ func (c *Config) Reset() error {
 	if err := os.RemoveAll(filepath.Join(c.DataDir, "snapshot")); err != nil {
 		return err
 	}
+	if err := os.RemoveAll(filepath.Join(c.DataDir, "standby_info")); err != nil {
+		return err
+	}

 	return nil
 }

-// Reads the info file from the file system or initializes it based on the config.
-func (c *Config) Info() (*Info, error) {
-	info := &Info{}
-	path := filepath.Join(c.DataDir, "info")
-
-	// Open info file and read it out.
-	f, err := os.Open(path)
-	if err != nil && !os.IsNotExist(err) {
-		return nil, err
-	} else if f != nil {
-		defer f.Close()
-		if err := json.NewDecoder(f).Decode(&info); err != nil {
-			return nil, err
-		}
-		return info, nil
-	}
-
-	// If the file doesn't exist then initialize it.
-	info.Name = strings.TrimSpace(c.Name)
-	info.EtcdURL = c.Addr
-	info.EtcdListenHost = c.BindAddr
-	info.RaftURL = c.Peer.Addr
-	info.RaftListenHost = c.Peer.BindAddr
-	info.EtcdTLS = c.TLSInfo()
-	info.RaftTLS = c.PeerTLSInfo()
-
-	// Write to file.
-	f, err = os.Create(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	if err := json.NewEncoder(f).Encode(info); err != nil {
-		return nil, err
-	}
-
-	return info, nil
-}
-
 // Sanitize cleans the input fields.
 func (c *Config) Sanitize() error {
-	tlsConfig, err := c.TLSConfig()
-	if err != nil {
-		return err
-	}
-
-	peerTlsConfig, err := c.PeerTLSConfig()
-	if err != nil {
-		return err
-	}
+	var err error
+	var url *url.URL

 	// Sanitize the URLs first.
-	if c.Addr, err = sanitizeURL(c.Addr, tlsConfig.Scheme); err != nil {
+	if c.Addr, url, err = sanitizeURL(c.Addr, c.EtcdTLSInfo().Scheme()); err != nil {
 		return fmt.Errorf("Advertised URL: %s", err)
 	}
-	if c.BindAddr, err = sanitizeBindAddr(c.BindAddr, c.Addr); err != nil {
+	if c.BindAddr, err = sanitizeBindAddr(c.BindAddr, url); err != nil {
 		return fmt.Errorf("Listen Host: %s", err)
 	}
-	if c.Peer.Addr, err = sanitizeURL(c.Peer.Addr, peerTlsConfig.Scheme); err != nil {
+	if c.Peer.Addr, url, err = sanitizeURL(c.Peer.Addr, c.PeerTLSInfo().Scheme()); err != nil {
 		return fmt.Errorf("Peer Advertised URL: %s", err)
 	}
-	if c.Peer.BindAddr, err = sanitizeBindAddr(c.Peer.BindAddr, c.Peer.Addr); err != nil {
+	if c.Peer.BindAddr, err = sanitizeBindAddr(c.Peer.BindAddr, url); err != nil {
 		return fmt.Errorf("Peer Listen Host: %s", err)
 	}

@ -416,72 +398,76 @@ func (c *Config) Sanitize() error {
 		c.NameFromHostname()
 	}

-	if c.DataDir == "" && c.Name != "" {
+	if c.DataDir == "" && c.Name != "" && !c.ShowVersion && !c.ShowHelp {
 		c.DataDirFromName()
 	}

 	return nil
 }

-// TLSInfo retrieves a TLSInfo object for the client server.
-func (c *Config) TLSInfo() TLSInfo {
-	return TLSInfo{
+// EtcdTLSInfo retrieves a TLSInfo object for the etcd server
+func (c *Config) EtcdTLSInfo() *server.TLSInfo {
+	return &server.TLSInfo{
 		CAFile:   c.CAFile,
 		CertFile: c.CertFile,
 		KeyFile:  c.KeyFile,
 	}
 }

-// ClientTLSConfig generates the TLS configuration for the client server.
-func (c *Config) TLSConfig() (TLSConfig, error) {
-	return c.TLSInfo().Config()
-}
-
-// PeerTLSInfo retrieves a TLSInfo object for the peer server.
-func (c *Config) PeerTLSInfo() TLSInfo {
-	return TLSInfo{
+// PeerRaftInfo retrieves a TLSInfo object for the peer server.
+func (c *Config) PeerTLSInfo() *server.TLSInfo {
+	return &server.TLSInfo{
 		CAFile:   c.Peer.CAFile,
 		CertFile: c.Peer.CertFile,
 		KeyFile:  c.Peer.KeyFile,
 	}
 }

-// PeerTLSConfig generates the TLS configuration for the peer server.
-func (c *Config) PeerTLSConfig() (TLSConfig, error) {
-	return c.PeerTLSInfo().Config()
+// MetricsBucketName generates the name that should be used for a
+// corresponding MetricsBucket object
+func (c *Config) MetricsBucketName() string {
+	return fmt.Sprintf("etcd.%s", c.Name)
+}
+
+// Trace determines if any trace-level information should be emitted
+func (c *Config) Trace() bool {
+	return c.strTrace == "*"
+}
+
+func (c *Config) ClusterConfig() *server.ClusterConfig {
+	return &server.ClusterConfig{
+		ActiveSize:   c.Cluster.ActiveSize,
+		RemoveDelay:  c.Cluster.RemoveDelay,
+		SyncInterval: c.Cluster.SyncInterval,
+	}
 }

 // sanitizeURL will cleanup a host string in the format hostname[:port] and
 // attach a schema.
-func sanitizeURL(host string, defaultScheme string) (string, error) {
+func sanitizeURL(host string, defaultScheme string) (string, *url.URL, error) {
 	// Blank URLs are fine input, just return it
 	if len(host) == 0 {
-		return host, nil
+		return host, &url.URL{}, nil
 	}

 	p, err := url.Parse(host)
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}

 	// Make sure the host is in Host:Port format
 	_, _, err = net.SplitHostPort(host)
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}

 	p = &url.URL{Host: host, Scheme: defaultScheme}
-	return p.String(), nil
+	return p.String(), p, nil
 }

 // sanitizeBindAddr cleans up the BindAddr parameter and appends a port
 // if necessary based on the advertised port.
-func sanitizeBindAddr(bindAddr string, addr string) (string, error) {
-	aurl, err := url.Parse(addr)
-	if err != nil {
-		return "", err
-	}
-
+func sanitizeBindAddr(bindAddr string, aurl *url.URL) (string, error) {
 	// If it is a valid host:port simply return with no further checks.
 	bhost, bport, err := net.SplitHostPort(bindAddr)
 	if err == nil && bhost != "" {
--- a/config/config_test.go
+++ b/config/config_test.go
@ -1,12 +1,12 @@
-package server
+package config

 import (
 	"io/ioutil"
 	"os"
 	"testing"

-	"github.com/BurntSushi/toml"
-	"github.com/stretchr/testify/assert"
+	"github.com/coreos/etcd/third_party/github.com/BurntSushi/toml"
+	"github.com/coreos/etcd/third_party/github.com/stretchr/testify/assert"
 )

 // Ensures that a configuration can be deserialized from TOML.
@ -18,6 +18,7 @@ func TestConfigTOML(t *testing.T) {
 		cors = ["*"]
 		cpu_profile_file = "XXX"
 		data_dir = "/tmp/data"
+		discovery = "http://example.com/foobar"
 		key_file = "/tmp/file.key"
 		bind_addr = "127.0.0.1:4003"
 		peers = ["coreos.com:4001", "coreos.com:4002"]
@ -29,7 +30,6 @@ func TestConfigTOML(t *testing.T) {
 		snapshot = true
 		verbose = true
 		very_verbose = true
-		web_url = "/web"

 		[peer]
 		addr = "127.0.0.1:7002"
@ -37,8 +37,13 @@ func TestConfigTOML(t *testing.T) {
 		cert_file = "/tmp/peer/file.cert"
 		key_file = "/tmp/peer/file.key"
 		bind_addr = "127.0.0.1:7003"
+
+		[cluster]
+		active_size = 5
+		remove_delay = 100.0
+		sync_interval = 10.0
 	`
-	c := NewConfig()
+	c := New()
 	_, err := toml.Decode(content, &c)
 	assert.Nil(t, err, "")
 	assert.Equal(t, c.Addr, "127.0.0.1:4002", "")
@ -46,11 +51,11 @@ func TestConfigTOML(t *testing.T) {
 	assert.Equal(t, c.CertFile, "/tmp/file.cert", "")
 	assert.Equal(t, c.CorsOrigins, []string{"*"}, "")
 	assert.Equal(t, c.DataDir, "/tmp/data", "")
+	assert.Equal(t, c.Discovery, "http://example.com/foobar", "")
 	assert.Equal(t, c.KeyFile, "/tmp/file.key", "")
 	assert.Equal(t, c.BindAddr, "127.0.0.1:4003", "")
 	assert.Equal(t, c.Peers, []string{"coreos.com:4001", "coreos.com:4002"}, "")
 	assert.Equal(t, c.PeersFile, "/tmp/peers", "")
-	assert.Equal(t, c.MaxClusterSize, 10, "")
 	assert.Equal(t, c.MaxResultBuffer, 512, "")
 	assert.Equal(t, c.MaxRetryAttempts, 5, "")
 	assert.Equal(t, c.Name, "test-name", "")
@ -62,6 +67,9 @@ func TestConfigTOML(t *testing.T) {
 	assert.Equal(t, c.Peer.CertFile, "/tmp/peer/file.cert", "")
 	assert.Equal(t, c.Peer.KeyFile, "/tmp/peer/file.key", "")
 	assert.Equal(t, c.Peer.BindAddr, "127.0.0.1:7003", "")
+	assert.Equal(t, c.Cluster.ActiveSize, 5, "")
+	assert.Equal(t, c.Cluster.RemoveDelay, 100.0, "")
+	assert.Equal(t, c.Cluster.SyncInterval, 10.0, "")
 }

 // Ensures that a configuration can be retrieved from environment variables.
@ -71,6 +79,7 @@ func TestConfigEnv(t *testing.T) {
 	os.Setenv("ETCD_CPU_PROFILE_FILE", "XXX")
 	os.Setenv("ETCD_CORS", "localhost:4001,localhost:4002")
 	os.Setenv("ETCD_DATA_DIR", "/tmp/data")
+	os.Setenv("ETCD_DISCOVERY", "http://example.com/foobar")
 	os.Setenv("ETCD_KEY_FILE", "/tmp/file.key")
 	os.Setenv("ETCD_BIND_ADDR", "127.0.0.1:4003")
 	os.Setenv("ETCD_PEERS", "coreos.com:4001,coreos.com:4002")
@ -82,24 +91,26 @@ func TestConfigEnv(t *testing.T) {
 	os.Setenv("ETCD_SNAPSHOT", "true")
 	os.Setenv("ETCD_VERBOSE", "1")
 	os.Setenv("ETCD_VERY_VERBOSE", "yes")
-	os.Setenv("ETCD_WEB_URL", "/web")
 	os.Setenv("ETCD_PEER_ADDR", "127.0.0.1:7002")
 	os.Setenv("ETCD_PEER_CA_FILE", "/tmp/peer/file.ca")
 	os.Setenv("ETCD_PEER_CERT_FILE", "/tmp/peer/file.cert")
 	os.Setenv("ETCD_PEER_KEY_FILE", "/tmp/peer/file.key")
 	os.Setenv("ETCD_PEER_BIND_ADDR", "127.0.0.1:7003")
+	os.Setenv("ETCD_CLUSTER_ACTIVE_SIZE", "5")
+	os.Setenv("ETCD_CLUSTER_REMOVE_DELAY", "100")
+	os.Setenv("ETCD_CLUSTER_SYNC_INTERVAL", "10")

-	c := NewConfig()
+	c := New()
 	c.LoadEnv()
 	assert.Equal(t, c.CAFile, "/tmp/file.ca", "")
 	assert.Equal(t, c.CertFile, "/tmp/file.cert", "")
 	assert.Equal(t, c.CorsOrigins, []string{"localhost:4001", "localhost:4002"}, "")
 	assert.Equal(t, c.DataDir, "/tmp/data", "")
+	assert.Equal(t, c.Discovery, "http://example.com/foobar", "")
 	assert.Equal(t, c.KeyFile, "/tmp/file.key", "")
 	assert.Equal(t, c.BindAddr, "127.0.0.1:4003", "")
 	assert.Equal(t, c.Peers, []string{"coreos.com:4001", "coreos.com:4002"}, "")
 	assert.Equal(t, c.PeersFile, "/tmp/peers", "")
-	assert.Equal(t, c.MaxClusterSize, 10, "")
 	assert.Equal(t, c.MaxResultBuffer, 512, "")
 	assert.Equal(t, c.MaxRetryAttempts, 5, "")
 	assert.Equal(t, c.Name, "test-name", "")
@ -111,44 +122,50 @@ func TestConfigEnv(t *testing.T) {
 	assert.Equal(t, c.Peer.CertFile, "/tmp/peer/file.cert", "")
 	assert.Equal(t, c.Peer.KeyFile, "/tmp/peer/file.key", "")
 	assert.Equal(t, c.Peer.BindAddr, "127.0.0.1:7003", "")
+	assert.Equal(t, c.Cluster.ActiveSize, 5, "")
+	assert.Equal(t, c.Cluster.RemoveDelay, 100.0, "")
+	assert.Equal(t, c.Cluster.SyncInterval, 10.0, "")
+
+	// Clear this as it will mess up other tests
+	os.Setenv("ETCD_DISCOVERY", "")
 }

 // Ensures that the "help" flag can be parsed.
 func TestConfigHelpFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-help"}), "")
 	assert.True(t, c.ShowHelp)
 }

 // Ensures that the abbreviated "help" flag can be parsed.
 func TestConfigAbbreviatedHelpFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-h"}), "")
 	assert.True(t, c.ShowHelp)
 }

 // Ensures that the "version" flag can be parsed.
 func TestConfigVersionFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-version"}), "")
 	assert.True(t, c.ShowVersion)
 }

 // Ensures that the "force config" flag can be parsed.
 func TestConfigForceFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-force"}), "")
 	assert.True(t, c.Force)
 }

 // Ensures that the abbreviated "force config" flag can be parsed.
 func TestConfigAbbreviatedForceFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-f"}), "")
 	assert.True(t, c.Force)
 }

-// Ensures that a the advertised url can be parsed from the environment.
+// Ensures that the advertised url can be parsed from the environment.
 func TestConfigAddrEnv(t *testing.T) {
 	withEnv("ETCD_ADDR", "127.0.0.1:4002", func(c *Config) {
 		assert.Nil(t, c.LoadEnv(), "")
@ -156,14 +173,14 @@ func TestConfigAddrEnv(t *testing.T) {
 	})
 }

-// Ensures that a the advertised flag can be parsed.
+// Ensures that the advertised flag can be parsed.
 func TestConfigAddrFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-addr", "127.0.0.1:4002"}), "")
 	assert.Equal(t, c.Addr, "127.0.0.1:4002", "")
 }

-// Ensures that a the CA file can be parsed from the environment.
+// Ensures that the CA file can be parsed from the environment.
 func TestConfigCAFileEnv(t *testing.T) {
 	withEnv("ETCD_CA_FILE", "/tmp/file.ca", func(c *Config) {
 		assert.Nil(t, c.LoadEnv(), "")
@ -171,14 +188,14 @@ func TestConfigCAFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the CA file flag can be parsed.
+// Ensures that the CA file flag can be parsed.
 func TestConfigCAFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-ca-file", "/tmp/file.ca"}), "")
 	assert.Equal(t, c.CAFile, "/tmp/file.ca", "")
 }

-// Ensures that a the CA file can be parsed from the environment.
+// Ensures that the CA file can be parsed from the environment.
 func TestConfigCertFileEnv(t *testing.T) {
 	withEnv("ETCD_CERT_FILE", "/tmp/file.cert", func(c *Config) {
 		assert.Nil(t, c.LoadEnv(), "")
@ -186,14 +203,14 @@ func TestConfigCertFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Cert file flag can be parsed.
+// Ensures that the Cert file flag can be parsed.
 func TestConfigCertFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-cert-file", "/tmp/file.cert"}), "")
 	assert.Equal(t, c.CertFile, "/tmp/file.cert", "")
 }

-// Ensures that a the Key file can be parsed from the environment.
+// Ensures that the Key file can be parsed from the environment.
 func TestConfigKeyFileEnv(t *testing.T) {
 	withEnv("ETCD_KEY_FILE", "/tmp/file.key", func(c *Config) {
 		assert.Nil(t, c.LoadEnv(), "")
@ -201,14 +218,14 @@ func TestConfigKeyFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Key file flag can be parsed.
+// Ensures that the Key file flag can be parsed.
 func TestConfigKeyFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-key-file", "/tmp/file.key"}), "")
 	assert.Equal(t, c.KeyFile, "/tmp/file.key", "")
 }

-// Ensures that a the Listen Host can be parsed from the environment.
+// Ensures that the Listen Host can be parsed from the environment.
 func TestConfigBindAddrEnv(t *testing.T) {
 	withEnv("ETCD_BIND_ADDR", "127.0.0.1:4003", func(c *Config) {
 		assert.Nil(t, c.LoadEnv(), "")
@ -216,36 +233,75 @@ func TestConfigBindAddrEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Listen Host file flag can be parsed.
+// Ensures that the Listen Host file flag can be parsed.
 func TestConfigBindAddrFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-bind-addr", "127.0.0.1:4003"}), "")
 	assert.Equal(t, c.BindAddr, "127.0.0.1:4003", "")
 }

-// Ensures that a the Listen Host port overrides the advertised port
+// Ensures that the Listen Host port overrides the advertised port
 func TestConfigBindAddrOverride(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-addr", "127.0.0.1:4009", "-bind-addr", "127.0.0.1:4010"}), "")
 	assert.Nil(t, c.Sanitize())
 	assert.Equal(t, c.BindAddr, "127.0.0.1:4010", "")
 }

-// Ensures that a the Listen Host inherits its port from the advertised addr
+// Ensures that the Listen Host port overrides the advertised port
+func TestConfigBindIPv6AddrOverride(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-addr", "[::1]:4009", "-bind-addr", "[::1]:4010"}), "")
+	assert.Nil(t, c.Sanitize())
+	assert.Equal(t, c.BindAddr, "[::1]:4010", "")
+}
+
+// Ensures that the Listen Host port overrides the advertised port
+func TestConfigBindIPv6WithZoneAddrOverride(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-addr", "[::1%25lo]:4009", "-bind-addr", "[::1%25lo]:4010"}), "")
+	assert.Nil(t, c.Sanitize())
+	assert.Equal(t, c.BindAddr, "[::1%25lo]:4010", "")
+}
+
+// Ensures that the Listen Host inherits its port from the advertised addr
 func TestConfigBindAddrInheritPort(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-addr", "127.0.0.1:4009", "-bind-addr", "127.0.0.1"}), "")
 	assert.Nil(t, c.Sanitize())
 	assert.Equal(t, c.BindAddr, "127.0.0.1:4009", "")
 }

+// Ensures that the Listen Host inherits its port from the advertised addr
+func TestConfigBindIPv6AddrInheritPort(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-addr", "[::1]:4009", "-bind-addr", "::1"}), "")
+	assert.Nil(t, c.Sanitize())
+	assert.Equal(t, c.BindAddr, "[::1]:4009", "")
+}
+
+// Ensures that the Listen Host inherits its port from the advertised addr
+func TestConfigBindIPv6WithZoneAddrInheritPort(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-addr", "[::1%25lo]:4009", "-bind-addr", "::1%25lo"}), "")
+	assert.Nil(t, c.Sanitize())
+	assert.Equal(t, c.BindAddr, "[::1%25lo]:4009", "")
+}
+
 // Ensures that a port only argument errors out
 func TestConfigBindAddrErrorOnNoHost(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-addr", "127.0.0.1:4009", "-bind-addr", ":4010"}), "")
 	assert.Error(t, c.Sanitize())
 }

+// Ensures that a bad IPv6 address will raise an error
+func TestConfigBindAddrErrorOnBadIPv6Addr(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-addr", "[::1%lo]:4009"}), "")
+	assert.Error(t, c.Sanitize())
+}
+
 // Ensures that the peers can be parsed from the environment.
 func TestConfigPeersEnv(t *testing.T) {
 	withEnv("ETCD_PEERS", "coreos.com:4001,coreos.com:4002", func(c *Config) {
@ -254,9 +310,9 @@ func TestConfigPeersEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Peers flag can be parsed.
+// Ensures that the Peers flag can be parsed.
 func TestConfigPeersFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peers", "coreos.com:4001,coreos.com:4002"}), "")
 	assert.Equal(t, c.Peers, []string{"coreos.com:4001", "coreos.com:4002"}, "")
 }
@ -269,28 +325,13 @@ func TestConfigPeersFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Peers File flag can be parsed.
+// Ensures that the Peers File flag can be parsed.
 func TestConfigPeersFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peers-file", "/tmp/peers"}), "")
 	assert.Equal(t, c.PeersFile, "/tmp/peers", "")
 }

-// Ensures that the Max Cluster Size can be parsed from the environment.
-func TestConfigMaxClusterSizeEnv(t *testing.T) {
-	withEnv("ETCD_MAX_CLUSTER_SIZE", "5", func(c *Config) {
-		assert.Nil(t, c.LoadEnv(), "")
-		assert.Equal(t, c.MaxClusterSize, 5, "")
-	})
-}
-
-// Ensures that a the Max Cluster Size flag can be parsed.
-func TestConfigMaxClusterSizeFlag(t *testing.T) {
-	c := NewConfig()
-	assert.Nil(t, c.LoadFlags([]string{"-max-cluster-size", "5"}), "")
-	assert.Equal(t, c.MaxClusterSize, 5, "")
-}
-
 // Ensures that the Max Result Buffer can be parsed from the environment.
 func TestConfigMaxResultBufferEnv(t *testing.T) {
 	withEnv("ETCD_MAX_RESULT_BUFFER", "512", func(c *Config) {
@ -299,9 +340,9 @@ func TestConfigMaxResultBufferEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Max Result Buffer flag can be parsed.
+// Ensures that the Max Result Buffer flag can be parsed.
 func TestConfigMaxResultBufferFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-max-result-buffer", "512"}), "")
 	assert.Equal(t, c.MaxResultBuffer, 512, "")
 }
@ -314,9 +355,9 @@ func TestConfigMaxRetryAttemptsEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Max Retry Attempts flag can be parsed.
+// Ensures that the Max Retry Attempts flag can be parsed.
 func TestConfigMaxRetryAttemptsFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-max-retry-attempts", "10"}), "")
 	assert.Equal(t, c.MaxRetryAttempts, 10, "")
 }
@ -329,16 +370,16 @@ func TestConfigNameEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Name flag can be parsed.
+// Ensures that the Name flag can be parsed.
 func TestConfigNameFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-name", "test-name"}), "")
 	assert.Equal(t, c.Name, "test-name", "")
 }

 // Ensures that a Name gets guessed if not specified
 func TestConfigNameGuess(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{}), "")
 	assert.Nil(t, c.Sanitize())
 	name, _ := os.Hostname()
@ -347,7 +388,7 @@ func TestConfigNameGuess(t *testing.T) {

 // Ensures that a DataDir gets guessed if not specified
 func TestConfigDataDirGuess(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{}), "")
 	assert.Nil(t, c.Sanitize())
 	name, _ := os.Hostname()
@ -362,9 +403,9 @@ func TestConfigSnapshotEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Snapshot flag can be parsed.
+// Ensures that the Snapshot flag can be parsed.
 func TestConfigSnapshotFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-snapshot"}), "")
 	assert.Equal(t, c.Snapshot, true, "")
 }
@ -377,9 +418,9 @@ func TestConfigVerboseEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Verbose flag can be parsed.
+// Ensures that the Verbose flag can be parsed.
 func TestConfigVerboseFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-v"}), "")
 	assert.Equal(t, c.Verbose, true, "")
 }
@ -392,9 +433,9 @@ func TestConfigVeryVerboseEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Very Verbose flag can be parsed.
+// Ensures that the Very Verbose flag can be parsed.
 func TestConfigVeryVerboseFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-vv"}), "")
 	assert.Equal(t, c.VeryVerbose, true, "")
 }
@ -407,9 +448,9 @@ func TestConfigPeerAddrEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Peer Advertised URL flag can be parsed.
+// Ensures that the Peer Advertised URL flag can be parsed.
 func TestConfigPeerAddrFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peer-addr", "localhost:7002"}), "")
 	assert.Equal(t, c.Peer.Addr, "localhost:7002", "")
 }
@ -422,9 +463,9 @@ func TestConfigPeerCAFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Peer CA file flag can be parsed.
+// Ensures that the Peer CA file flag can be parsed.
 func TestConfigPeerCAFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peer-ca-file", "/tmp/peer/file.ca"}), "")
 	assert.Equal(t, c.Peer.CAFile, "/tmp/peer/file.ca", "")
 }
@ -437,9 +478,9 @@ func TestConfigPeerCertFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Cert file flag can be parsed.
+// Ensures that the Cert file flag can be parsed.
 func TestConfigPeerCertFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peer-cert-file", "/tmp/peer/file.cert"}), "")
 	assert.Equal(t, c.Peer.CertFile, "/tmp/peer/file.cert", "")
 }
@ -452,9 +493,9 @@ func TestConfigPeerKeyFileEnv(t *testing.T) {
 	})
 }

-// Ensures that a the Peer Key file flag can be parsed.
+// Ensures that the Peer Key file flag can be parsed.
 func TestConfigPeerKeyFileFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peer-key-file", "/tmp/peer/file.key"}), "")
 	assert.Equal(t, c.Peer.KeyFile, "/tmp/peer/file.key", "")
 }
@ -469,29 +510,74 @@ func TestConfigPeerBindAddrEnv(t *testing.T) {

 // Ensures that a bad flag returns an error.
 func TestConfigBadFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	err := c.LoadFlags([]string{"-no-such-flag"})
 	assert.Error(t, err)
 	assert.Equal(t, err.Error(), `flag provided but not defined: -no-such-flag`)
 }

-// Ensures that a the Peer Listen Host file flag can be parsed.
+// Ensures that the Peer Listen Host file flag can be parsed.
 func TestConfigPeerBindAddrFlag(t *testing.T) {
-	c := NewConfig()
+	c := New()
 	assert.Nil(t, c.LoadFlags([]string{"-peer-bind-addr", "127.0.0.1:4003"}), "")
 	assert.Equal(t, c.Peer.BindAddr, "127.0.0.1:4003", "")
 }

+// Ensures that the cluster active size can be parsed from the environment.
+func TestConfigClusterActiveSizeEnv(t *testing.T) {
+	withEnv("ETCD_CLUSTER_ACTIVE_SIZE", "5", func(c *Config) {
+		assert.Nil(t, c.LoadEnv(), "")
+		assert.Equal(t, c.Cluster.ActiveSize, 5, "")
+	})
+}
+
+// Ensures that the cluster active size flag can be parsed.
+func TestConfigClusterActiveSizeFlag(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-cluster-active-size", "5"}), "")
+	assert.Equal(t, c.Cluster.ActiveSize, 5, "")
+}
+
+// Ensures that the cluster remove delay can be parsed from the environment.
+func TestConfigClusterRemoveDelayEnv(t *testing.T) {
+	withEnv("ETCD_CLUSTER_REMOVE_DELAY", "100", func(c *Config) {
+		assert.Nil(t, c.LoadEnv(), "")
+		assert.Equal(t, c.Cluster.RemoveDelay, 100.0, "")
+	})
+}
+
+// Ensures that the cluster remove delay flag can be parsed.
+func TestConfigClusterRemoveDelayFlag(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-cluster-remove-delay", "100"}), "")
+	assert.Equal(t, c.Cluster.RemoveDelay, 100.0, "")
+}
+
+// Ensures that the cluster sync interval can be parsed from the environment.
+func TestConfigClusterSyncIntervalEnv(t *testing.T) {
+	withEnv("ETCD_CLUSTER_SYNC_INTERVAL", "10", func(c *Config) {
+		assert.Nil(t, c.LoadEnv(), "")
+		assert.Equal(t, c.Cluster.SyncInterval, 10.0, "")
+	})
+}
+
+// Ensures that the cluster sync interval flag can be parsed.
+func TestConfigClusterSyncIntervalFlag(t *testing.T) {
+	c := New()
+	assert.Nil(t, c.LoadFlags([]string{"-cluster-sync-interval", "10"}), "")
+	assert.Equal(t, c.Cluster.SyncInterval, 10.0, "")
+}
+
 // Ensures that a system config field is overridden by a custom config field.
 func TestConfigCustomConfigOverrideSystemConfig(t *testing.T) {
 	system := `addr = "127.0.0.1:5000"`
 	custom := `addr = "127.0.0.1:6000"`
 	withTempFile(system, func(p1 string) {
 		withTempFile(custom, func(p2 string) {
-			c := NewConfig()
+			c := New()
 			c.SystemPath = p1
 			assert.Nil(t, c.Load([]string{"-config", p2}), "")
-			assert.Equal(t, c.Addr, "http://127.0.0.1:6000", "")
+			assert.Equal(t, c.Addr, "127.0.0.1:6000", "")
 		})
 	})
 }
@ -503,10 +589,10 @@ func TestConfigEnvVarOverrideCustomConfig(t *testing.T) {

 	custom := `[peer]` + "\n" + `advertised_url = "127.0.0.1:9000"`
 	withTempFile(custom, func(path string) {
-		c := NewConfig()
+		c := New()
 		c.SystemPath = ""
 		assert.Nil(t, c.Load([]string{"-config", path}), "")
-		assert.Equal(t, c.Peer.Addr, "http://127.0.0.1:8000", "")
+		assert.Equal(t, c.Peer.Addr, "127.0.0.1:8000", "")
 	})
 }

@ -515,10 +601,10 @@ func TestConfigCLIArgsOverrideEnvVar(t *testing.T) {
 	os.Setenv("ETCD_ADDR", "127.0.0.1:1000")
 	defer os.Setenv("ETCD_ADDR", "")

-	c := NewConfig()
+	c := New()
 	c.SystemPath = ""
 	assert.Nil(t, c.Load([]string{"-addr", "127.0.0.1:2000"}), "")
-	assert.Equal(t, c.Addr, "http://127.0.0.1:2000", "")
+	assert.Equal(t, c.Addr, "127.0.0.1:2000", "")
 }

 //--------------------------------------
@ -527,162 +613,142 @@ func TestConfigCLIArgsOverrideEnvVar(t *testing.T) {

 func TestConfigDeprecatedAddrFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-c", "127.0.0.1:4002"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Addr, "127.0.0.1:4002")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -addr, not -c")
+	assert.Equal(t, stderr, "[deprecated] use -addr, not -c\n")
 }

 func TestConfigDeprecatedBindAddrFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-cl", "127.0.0.1:4003"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.BindAddr, "127.0.0.1:4003", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -bind-addr, not -cl", "")
+	assert.Equal(t, stderr, "[deprecated] use -bind-addr, not -cl\n", "")
 }

 func TestConfigDeprecatedCAFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-clientCAFile", "/tmp/file.ca"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.CAFile, "/tmp/file.ca", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -ca-file, not -clientCAFile", "")
+	assert.Equal(t, stderr, "[deprecated] use -ca-file, not -clientCAFile\n", "")
 }

 func TestConfigDeprecatedCertFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-clientCert", "/tmp/file.cert"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.CertFile, "/tmp/file.cert", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -cert-file, not -clientCert", "")
+	assert.Equal(t, stderr, "[deprecated] use -cert-file, not -clientCert\n", "")
 }

 func TestConfigDeprecatedKeyFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-clientKey", "/tmp/file.key"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.KeyFile, "/tmp/file.key", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -key-file, not -clientKey", "")
+	assert.Equal(t, stderr, "[deprecated] use -key-file, not -clientKey\n", "")
 }

 func TestConfigDeprecatedPeersFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-C", "coreos.com:4001,coreos.com:4002"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Peers, []string{"coreos.com:4001", "coreos.com:4002"}, "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peers, not -C", "")
+	assert.Equal(t, stderr, "[deprecated] use -peers, not -C\n", "")
 }

 func TestConfigDeprecatedPeersFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-CF", "/tmp/machines"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.PeersFile, "/tmp/machines", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peers-file, not -CF", "")
-}
-
-func TestConfigDeprecatedMaxClusterSizeFlag(t *testing.T) {
-	_, stderr := capture(func() {
-		c := NewConfig()
-		err := c.LoadFlags([]string{"-maxsize", "5"})
-		assert.NoError(t, err)
-		assert.Equal(t, c.MaxClusterSize, 5, "")
-	})
-	assert.Equal(t, stderr, "[deprecated] use -max-cluster-size, not -maxsize", "")
-}
-
-func TestConfigDeprecatedMaxResultBufferFlag(t *testing.T) {
-	_, stderr := capture(func() {
-		c := NewConfig()
-		err := c.LoadFlags([]string{"-m", "512"})
-		assert.NoError(t, err)
-		assert.Equal(t, c.MaxResultBuffer, 512, "")
-	})
-	assert.Equal(t, stderr, "[deprecated] use -max-result-buffer, not -m", "")
+	assert.Equal(t, stderr, "[deprecated] use -peers-file, not -CF\n", "")
 }

 func TestConfigDeprecatedMaxRetryAttemptsFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-r", "10"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.MaxRetryAttempts, 10, "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -max-retry-attempts, not -r", "")
+	assert.Equal(t, stderr, "[deprecated] use -max-retry-attempts, not -r\n", "")
 }

 func TestConfigDeprecatedNameFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-n", "test-name"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Name, "test-name", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -name, not -n", "")
+	assert.Equal(t, stderr, "[deprecated] use -name, not -n\n", "")
 }

 func TestConfigDeprecatedPeerAddrFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-s", "localhost:7002"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Peer.Addr, "localhost:7002", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peer-addr, not -s", "")
+	assert.Equal(t, stderr, "[deprecated] use -peer-addr, not -s\n", "")
 }

 func TestConfigDeprecatedPeerBindAddrFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-sl", "127.0.0.1:4003"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Peer.BindAddr, "127.0.0.1:4003", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peer-bind-addr, not -sl", "")
+	assert.Equal(t, stderr, "[deprecated] use -peer-bind-addr, not -sl\n", "")
 }

 func TestConfigDeprecatedPeerCAFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-serverCAFile", "/tmp/peer/file.ca"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Peer.CAFile, "/tmp/peer/file.ca", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peer-ca-file, not -serverCAFile", "")
+	assert.Equal(t, stderr, "[deprecated] use -peer-ca-file, not -serverCAFile\n", "")
 }

 func TestConfigDeprecatedPeerCertFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-serverCert", "/tmp/peer/file.cert"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Peer.CertFile, "/tmp/peer/file.cert", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peer-cert-file, not -serverCert", "")
+	assert.Equal(t, stderr, "[deprecated] use -peer-cert-file, not -serverCert\n", "")
 }

 func TestConfigDeprecatedPeerKeyFileFlag(t *testing.T) {
 	_, stderr := capture(func() {
-		c := NewConfig()
+		c := New()
 		err := c.LoadFlags([]string{"-serverKey", "/tmp/peer/file.key"})
 		assert.NoError(t, err)
 		assert.Equal(t, c.Peer.KeyFile, "/tmp/peer/file.key", "")
 	})
-	assert.Equal(t, stderr, "[deprecated] use -peer-key-file, not -serverKey", "")
+	assert.Equal(t, stderr, "[deprecated] use -peer-key-file, not -serverKey\n", "")
 }

 //--------------------------------------
@ -693,7 +759,7 @@ func TestConfigDeprecatedPeerKeyFileFlag(t *testing.T) {
 func withEnv(key, value string, f func(c *Config)) {
 	os.Setenv(key, value)
 	defer os.Setenv(key, "")
-	c := NewConfig()
+	c := New()
 	f(c)
 }

--- a/config/timeout.go
+++ b/config/timeout.go
@ -0,0 +1,9 @@
+package config
+
+const (
+	// The amount of time (in ms) to elapse without a heartbeat before becoming a candidate
+	defaultElectionTimeout = 200
+
+	// The frequency (in ms) by which heartbeats are sent to followers.
+	defaultHeartbeatInterval = 50
+)
--- a/contrib/collectd/Dockerfile
+++ b/contrib/collectd/Dockerfile
@ -0,0 +1,9 @@
+FROM stackbrew/ubuntu:raring
+
+RUN apt-get update && apt-get install -y collectd
+RUN adduser --system --group --no-create-home collectd
+ADD collectd.conf /etc/collectd/collectd.conf.tmpl
+ADD collectd-wrapper /bin/collectd-wrapper
+RUN chown -R collectd:collectd /etc/collectd
+
+CMD ["collectd-wrapper"]
--- a/contrib/collectd/README
+++ b/contrib/collectd/README
@ -0,0 +1,20 @@
+We're going to use Docker to build a chroot env that can be run with systemd-nspawn since I cannot figure out how to run
+a container using docker in the global network namespace.
+
+1. Build the collectd image using docker
+docker build -t collectd .
+
+2. Run the container (since we have to run it to export it...)
+COLLECTD_CONTAINER=`docker run -name collectd-tmp -d collectd`
+
+3. Export then kill the container
+docker export collectd-tmp > /tmp/collectd.tar
+
+4. Kill the temporary container
+docker kill $COLLECTD_CONTAINER
+
+5. Unpack the tar archive
+mkdir -p /tmp/collectd && tar -xvf /tmp/collectd.tar -C /tmp/collectd/
+
+6. Run collectd with systemd-nspawn - replace the COLLECTD_* env vars with your parameters!
+sudo systemd-run --unit collectd systemd-nspawn -D /tmp/collectd /bin/bash -c "COLLECTD_GRAPHITE_HOSTNAME=172.31.13.241 COLLECTD_LOCAL_HOSTNAME=node1 /bin/collectd-wrapper"
--- a/contrib/collectd/collectd-wrapper
+++ b/contrib/collectd/collectd-wrapper
@ -0,0 +1,16 @@
+#!/bin/bash
+
+cat /etc/collectd/collectd.conf.tmpl > /etc/collectd/collectd.conf
+
+cat << EOF >> /etc/collectd/collectd.conf
+Hostname "${COLLECTD_LOCAL_HOSTNAME}"
+
+<Plugin write_graphite>
+    <Carbon>
+        Host "${COLLECTD_GRAPHITE_HOSTNAME}"
+        Port "2003"
+    </Carbon>
+</Plugin>
+EOF
+
+collectd -C /etc/collectd/collectd.conf -f
--- a/contrib/collectd/collectd.conf
+++ b/contrib/collectd/collectd.conf
@ -0,0 +1,898 @@
+# Config file for collectd(1).
+#
+# Some plugins need additional configuration and are disabled by default.
+# Please read collectd.conf(5) for details.
+#
+# You should also read /usr/share/doc/collectd-core/README.Debian.plugins
+# before enabling any more plugins.
+
+#Hostname "localhost"
+#FQDNLookup true
+#BaseDir "/var/lib/collectd"
+#PluginDir "/usr/lib/collectd"
+#TypesDB "/usr/share/collectd/types.db" "/etc/collectd/my_types.db"
+#Interval 10
+#Timeout 2
+#ReadThreads 5
+
+LoadPlugin logfile
+#LoadPlugin syslog
+
+<Plugin logfile>
+	LogLevel "info"
+	File STDOUT
+	Timestamp true
+	PrintSeverity false
+</Plugin>
+
+#<Plugin syslog>
+#	LogLevel info
+#</Plugin>
+
+#LoadPlugin amqp
+#LoadPlugin apache
+#LoadPlugin apcups
+#LoadPlugin ascent
+#LoadPlugin battery
+#LoadPlugin bind
+#LoadPlugin conntrack
+#LoadPlugin contextswitch
+LoadPlugin cpu
+#LoadPlugin cpufreq
+#LoadPlugin csv
+#LoadPlugin curl
+#LoadPlugin curl_json
+#LoadPlugin curl_xml
+#LoadPlugin dbi
+LoadPlugin df
+#LoadPlugin disk
+#LoadPlugin dns
+#LoadPlugin email
+#LoadPlugin entropy
+#LoadPlugin ethstat
+#LoadPlugin exec
+#LoadPlugin filecount
+#LoadPlugin fscache
+#LoadPlugin gmond
+#LoadPlugin hddtemp
+#LoadPlugin interface
+#LoadPlugin ipmi
+#LoadPlugin iptables
+#LoadPlugin ipvs
+#LoadPlugin irq
+#LoadPlugin java
+#LoadPlugin libvirt
+#LoadPlugin load
+#LoadPlugin madwifi
+#LoadPlugin mbmon
+#LoadPlugin md
+#LoadPlugin memcachec
+#LoadPlugin memcached
+LoadPlugin memory
+#LoadPlugin multimeter
+#LoadPlugin mysql
+#LoadPlugin netlink
+#LoadPlugin network
+#LoadPlugin nfs
+#LoadPlugin nginx
+#LoadPlugin notify_desktop
+#LoadPlugin notify_email
+#LoadPlugin ntpd
+#LoadPlugin numa
+#LoadPlugin nut
+#LoadPlugin olsrd
+#LoadPlugin openvpn
+#<LoadPlugin perl>
+#	Globals true
+#</LoadPlugin>
+#LoadPlugin pinba
+#LoadPlugin ping
+#LoadPlugin postgresql
+#LoadPlugin powerdns
+#LoadPlugin processes
+#LoadPlugin protocols
+#<LoadPlugin python>
+#	Globals true
+#</LoadPlugin>
+#LoadPlugin rrdcached
+#LoadPlugin rrdtool
+#LoadPlugin sensors
+#LoadPlugin serial
+#LoadPlugin snmp
+#LoadPlugin swap
+#LoadPlugin table
+#LoadPlugin tail
+LoadPlugin tcpconns
+#LoadPlugin teamspeak2
+#LoadPlugin ted
+#LoadPlugin thermal
+#LoadPlugin tokyotyrant
+#LoadPlugin unixsock
+#LoadPlugin uptime
+#LoadPlugin users
+#LoadPlugin uuid
+#LoadPlugin varnish
+#LoadPlugin vmem
+#LoadPlugin vserver
+#LoadPlugin wireless
+LoadPlugin write_graphite
+#LoadPlugin write_http
+#LoadPlugin write_mongodb
+
+#<Plugin amqp>
+#	<Publish "name">
+#		Host "localhost"
+#		Port "5672"
+#		VHost "/"
+#		User "guest"
+#		Password "guest"
+#		Exchange "amq.fanout"
+#		RoutingKey "collectd"
+#		Persistent false
+#		StoreRates false
+#	</Publish>
+#</Plugin>
+
+#<Plugin apache>
+#	<Instance "foo">
+#		URL "http://localhost/server-status?auto"
+#		User "www-user"
+#		Password "secret"
+#		VerifyPeer false
+#		VerifyHost false
+#		CACert "/etc/ssl/ca.crt"
+#		Server "apache"
+#	</Instance>
+#
+#	<Instance "bar">
+#		URL "http://some.domain.tld/status?auto"
+#		Host "some.domain.tld"
+#		Server "lighttpd"
+#	</Instance>
+#</Plugin>
+
+#<Plugin apcups>
+#	Host "localhost"
+#	Port "3551"
+#</Plugin>
+
+#<Plugin ascent>
+#	URL "http://localhost/ascent/status/"
+#	User "www-user"
+#	Password "secret"
+#	VerifyPeer false
+#	VerifyHost false
+#	CACert "/etc/ssl/ca.crt"
+#</Plugin>
+
+#<Plugin "bind">
+#	URL "http://localhost:8053/"
+#
+#	ParseTime false
+#
+#	OpCodes true
+#	QTypes true
+#	ServerStats true
+#	ZoneMaintStats true
+#	ResolverStats false
+#	MemoryStats true
+#
+#	<View "_default">
+#		QTypes true
+#		ResolverStats true
+#		CacheRRSets true
+#
+#		Zone "127.in-addr.arpa/IN"
+#	</View>
+#</Plugin>
+
+#<Plugin csv>
+#	DataDir "/var/lib/collectd/csv"
+#	StoreRates false
+#</Plugin>
+
+#<Plugin curl>
+#	<Page "stock_quotes">
+#		URL "http://finance.google.com/finance?q=NYSE%3AAMD"
+#		User "foo"
+#		Password "bar"
+#		VerifyPeer false
+#		VerifyHost false
+#		CACert "/etc/ssl/ca.crt"
+#		MeasureResponseTime false
+#		<Match>
+#			Regex "<span +class=\"pr\"[^>]*> *([0-9]*\\.[0-9]+) *</span>"
+#			DSType "GaugeAverage"
+#			Type "stock_value"
+#			Instance "AMD"
+#		</Match>
+#	</Page>
+#</Plugin>
+
+#<Plugin curl_json>
+## See: http://wiki.apache.org/couchdb/Runtime_Statistics
+#  <URL "http://localhost:5984/_stats">
+#    Instance "httpd"
+#    <Key "httpd/requests/count">
+#      Type "http_requests"
+#    </Key>
+#
+#    <Key "httpd_request_methods/*/count">
+#      Type "http_request_methods"
+#    </Key>
+#
+#    <Key "httpd_status_codes/*/count">
+#      Type "http_response_codes"
+#    </Key>
+#  </URL>
+## Database status metrics:
+#  <URL "http://localhost:5984/_all_dbs">
+#    Instance "dbs"
+#    <Key "*/doc_count">
+#      Type "gauge"
+#    </Key>
+#    <Key "*/doc_del_count">
+#      Type "counter"
+#    </Key>
+#    <Key "*/disk_size">
+#      Type "bytes"
+#    </Key>
+#  </URL>
+#</Plugin>
+
+#<Plugin "curl_xml">
+#	<URL "http://localhost/stats.xml">
+#		Host "my_host"
+#		Instance "some_instance"
+#		User "collectd"
+#		Password "thaiNg0I"
+#		VerifyPeer true
+#		VerifyHost true
+#		CACert "/path/to/ca.crt"
+#
+#		<XPath "table[@id=\"magic_level\"]/tr">
+#			Type "magic_level"
+#			InstancePrefix "prefix-"
+#			InstanceFrom "td[1]"
+#			ValuesFrom "td[2]/span[@class=\"level\"]"
+#		</XPath>
+#	</URL>
+#</Plugin>
+
+#<Plugin dbi>
+#	<Query "num_of_customers">
+#		Statement "SELECT 'customers' AS c_key, COUNT(*) AS c_value \
+#				FROM customers_tbl"
+#		MinVersion 40102
+#		MaxVersion 50042
+#		<Result>
+#			Type "gauge"
+#			InstancePrefix "customer"
+#			InstancesFrom "c_key"
+#			ValuesFrom "c_value"
+#		</Result>
+#	</Query>
+#
+#	<Database "customers_db">
+#		Driver "mysql"
+#		DriverOption "host" "localhost"
+#		DriverOption "username" "collectd"
+#		DriverOption "password" "secret"
+#		DriverOption "dbname" "custdb0"
+#		SelectDB "custdb0"
+#		Query "num_of_customers"
+#		Query "..."
+#	</Database>
+#</Plugin>
+
+#<Plugin df>
+#	Device "/dev/sda1"
+#	Device "192.168.0.2:/mnt/nfs"
+#	MountPoint "/home"
+#	FSType "ext3"
+#	IgnoreSelected false
+#	ReportByDevice false
+#	ReportReserved false
+#	ReportInodes false
+#</Plugin>
+
+#<Plugin disk>
+#	Disk "hda"
+#	Disk "/sda[23]/"
+#	IgnoreSelected false
+#</Plugin>
+
+#<Plugin dns>
+#	Interface "eth0"
+#	IgnoreSource "192.168.0.1"
+#	SelectNumericQueryTypes false
+#</Plugin>
+
+#<Plugin email>
+#	SocketFile "/var/run/collectd-email"
+#	SocketGroup "collectd"
+#	SocketPerms "0770"
+#	MaxConns 5
+#</Plugin>
+
+#<Plugin ethstat>
+#	Interface "eth0"
+#	Map "rx_csum_offload_errors" "if_rx_errors" "checksum_offload"
+#	Map "multicast" "if_multicast"
+#	MappedOnly false
+#</Plugin>
+
+#<Plugin exec>
+#	Exec user "/path/to/exec"
+#	Exec "user:group" "/path/to/exec"
+#	NotificationExec user "/path/to/exec"
+#</Plugin>
+
+#<Plugin filecount>
+#	<Directory "/path/to/dir">
+#		Instance "foodir"
+#		Name "*.conf"
+#		MTime "-5m"
+#		Size "+10k"
+#		Recursive true
+#		IncludeHidden false
+#	</Directory>
+#</Plugin>
+
+#<Plugin gmond>
+#	MCReceiveFrom "239.2.11.71" "8649"
+#
+#	<Metric "swap_total">
+#		Type "swap"
+#		TypeInstance "total"
+#		DataSource "value"
+#	</Metric>
+#
+#	<Metric "swap_free">
+#		Type "swap"
+#		TypeInstance "free"
+#		DataSource "value"
+#	</Metric>
+#</Plugin>
+
+#<Plugin hddtemp>
+#	Host "127.0.0.1"
+#	Port 7634
+#</Plugin>
+
+#<Plugin interface>
+#	Interface "eth0"
+#	IgnoreSelected false
+#</Plugin>
+
+#<Plugin ipmi>
+#	Sensor "some_sensor"
+#	Sensor "another_one"
+#	IgnoreSelected false
+#	NotifySensorAdd false
+#	NotifySensorRemove true
+#	NotifySensorNotPresent false
+#</Plugin>
+
+#<Plugin iptables>
+#	Chain "table" "chain"
+#</Plugin>
+
+#<Plugin irq>
+#	Irq 7
+#	Irq 8
+#	Irq 9
+#	IgnoreSelected true
+#</Plugin>
+
+#<Plugin java>
+#	JVMArg "-verbose:jni"
+#	JVMArg "-Djava.class.path=/usr/share/collectd/java/collectd-api.jar"
+#
+#	LoadPlugin "org.collectd.java.GenericJMX"
+#	<Plugin "GenericJMX">
+#		# See /usr/share/doc/collectd/examples/GenericJMX.conf
+#		# for an example config.
+#	</Plugin>
+#</Plugin>
+
+#<Plugin libvirt>
+#	Connection "xen:///"
+#	RefreshInterval 60
+#	Domain "name"
+#	BlockDevice "name:device"
+#	InterfaceDevice "name:device"
+#	IgnoreSelected false
+#	HostnameFormat name
+#	InterfaceFormat name
+#</Plugin>
+
+#<Plugin madwifi>
+#	Interface "wlan0"
+#	IgnoreSelected false
+#	Source "SysFS"
+#	WatchSet "None"
+#	WatchAdd "node_octets"
+#	WatchAdd "node_rssi"
+#	WatchAdd "is_rx_acl"
+#	WatchAdd "is_scan_active"
+#</Plugin>
+
+#<Plugin mbmon>
+#	Host "127.0.0.1"
+#	Port 411
+#</Plugin>
+
+#<Plugin md>
+#	Device "/dev/md0"
+#	IgnoreSelected false
+#</Plugin>
+
+#<Plugin memcachec>
+#	<Page "plugin_instance">
+#		Server "localhost"
+#		Key "page_key"
+#		<Match>
+#			Regex "(\\d+) bytes sent"
+#			ExcludeRegex "<lines to be excluded>"
+#			DSType CounterAdd
+#			Type "ipt_octets"
+#			Instance "type_instance"
+#		</Match>
+#	</Page>
+#</Plugin>
+
+#<Plugin memcached>
+#	Socket "/var/run/memcached.sock"
+# or:
+#	Host "127.0.0.1"
+#	Port "11211"
+#</Plugin>
+
+#<Plugin mysql>
+#	<Database db_name>
+#		Host "database.serv.er"
+#		Port "3306"
+#		User "db_user"
+#		Password "secret"
+#		Database "db_name"
+#		MasterStats true
+#	</Database>
+#
+#	<Database db_name2>
+#		Host "localhost"
+#		Socket "/var/run/mysql/mysqld.sock"
+#		SlaveStats true
+#		SlaveNotifications true
+#	</Database>
+#</Plugin>
+
+#<Plugin netlink>
+#	Interface "All"
+#	VerboseInterface "All"
+#	QDisc "eth0" "pfifo_fast-1:0"
+#	Class "ppp0" "htb-1:10"
+#	Filter "ppp0" "u32-1:0"
+#	IgnoreSelected false
+#</Plugin>
+
+#<Plugin network>
+#	# client setup:
+#	Server "ff18::efc0:4a42" "25826"
+#	<Server "239.192.74.66" "25826">
+#		SecurityLevel Encrypt
+#		Username "user"
+#		Password "secret"
+#		Interface "eth0"
+#	</Server>
+#	TimeToLive "128"
+#
+#	# server setup:
+#	Listen "0.0.0.0" "25826"
+#	<Listen "239.192.74.66" "25826">
+#		SecurityLevel Sign
+#		AuthFile "/etc/collectd/passwd"
+#		Interface "eth0"
+#	</Listen>
+#	MaxPacketSize 1024
+#
+#	# proxy setup (client and server as above):
+#	Forward true
+#
+#	# statistics about the network plugin itself
+#	ReportStats false
+#
+#	# "garbage collection"
+#	CacheFlush 1800
+#</Plugin>
+
+#<Plugin nginx>
+#	URL "http://localhost/status?auto"
+#	User "www-user"
+#	Password "secret"
+#	VerifyPeer false
+#	VerifyHost false
+#	CACert "/etc/ssl/ca.crt"
+#</Plugin>
+
+#<Plugin notify_desktop>
+#	OkayTimeout 1000
+#	WarningTimeout 5000
+#	FailureTimeout 0
+#</Plugin>
+
+#<Plugin notify_email>
+#	SMTPServer "localhost"
+#	SMTPPort 25
+#	SMTPUser "my-username"
+#	SMTPPassword "my-password"
+#	From "collectd@main0server.com"
+#	# <WARNING/FAILURE/OK> on <hostname>.
+#	# Beware! Do not use not more than two placeholders (%)!
+#	Subject "[collectd] %s on %s!"
+#	Recipient "email1@domain1.net"
+#	Recipient "email2@domain2.com"
+#</Plugin>
+
+#<Plugin ntpd>
+#	Host "localhost"
+#	Port 123
+#	ReverseLookups false
+#</Plugin>
+
+#<Plugin nut>
+#	UPS "upsname@hostname:port"
+#</Plugin>
+
+#<Plugin olsrd>
+#	Host "127.0.0.1"
+#	Port "2006"
+#	CollectLinks "Summary"
+#	CollectRoutes "Summary"
+#	CollectTopology "Summary"
+#</Plugin>
+
+#<Plugin openvpn>
+#	StatusFile "/etc/openvpn/openvpn-status.log"
+#	ImprovedNamingSchema false
+#	CollectCompression true
+#	CollectIndividualUsers true
+#	CollectUserCount false
+#</Plugin>
+
+#<Plugin perl>
+#	IncludeDir "/my/include/path"
+#	BaseName "Collectd::Plugins"
+#	EnableDebugger ""
+#	LoadPlugin Monitorus
+#	LoadPlugin OpenVZ
+#
+#	<Plugin foo>
+#		Foo "Bar"
+#		Qux "Baz"
+#	</Plugin>
+#</Plugin>
+
+#<Plugin pinba>
+#	Address "::0"
+#	Port "30002"
+#	<View "name">
+#		Host "host name"
+#		Server "server name"
+#		Script "script name"
+#	<View>
+#</Plugin>
+
+#<Plugin ping>
+#	Host "host.foo.bar"
+#	Host "host.baz.qux"
+#	Interval 1.0
+#	Timeout 0.9
+#	TTL 255
+#	SourceAddress "1.2.3.4"
+#	Device "eth0"
+#	MaxMissed -1
+#</Plugin>
+
+#<Plugin postgresql>
+#	<Query magic>
+#		Statement "SELECT magic FROM wizard WHERE host = $1;"
+#		Param hostname
+#
+#		<Result>
+#			Type gauge
+#			InstancePrefix "magic"
+#			ValuesFrom "magic"
+#		</Result>
+#	</Query>
+#
+#	<Query rt36_tickets>
+#		Statement "SELECT COUNT(type) AS count, type \
+#		                  FROM (SELECT CASE \
+#		                               WHEN resolved = 'epoch' THEN 'open' \
+#		                               ELSE 'resolved' END AS type \
+#		                               FROM tickets) type \
+#		                  GROUP BY type;"
+#
+#		<Result>
+#			Type counter
+#			InstancePrefix "rt36_tickets"
+#			InstancesFrom "type"
+#			ValuesFrom "count"
+#		</Result>
+#	</Query>
+#
+#	<Database foo>
+#		Host "hostname"
+#		Port 5432
+#		User "username"
+#		Password "secret"
+#
+#		SSLMode "prefer"
+#		KRBSrvName "kerberos_service_name"
+#
+#		Query magic
+#	</Database>
+#
+#	<Database bar>
+#		Interval 60
+#		Service "service_name"
+#
+#		Query backend # predefined
+#		Query rt36_tickets
+#	</Database>
+#</Plugin>
+
+#<Plugin powerdns>
+#	<Server "server_name">
+#		Collect "latency"
+#		Collect "udp-answers" "udp-queries"
+#		Socket "/var/run/pdns.controlsocket"
+#	</Server>
+#	<Recursor "recursor_name">
+#		Collect "questions"
+#		Collect "cache-hits" "cache-misses"
+#		Socket "/var/run/pdns_recursor.controlsocket"
+#	</Recursor>
+#	LocalSocket "/opt/collectd/var/run/collectd-powerdns"
+#</Plugin>
+
+#<Plugin processes>
+#	Process "name"
+#	ProcessMatch "foobar" "/usr/bin/perl foobar\\.pl.*"
+#</Plugin>
+
+#<Plugin protocols>
+#	Value "/^Tcp:/"
+#	IgnoreSelected false
+#</Plugin>
+
+#<Plugin python>
+#	ModulePath "/path/to/your/python/modules"
+#	LogTraces true
+#	Interactive true
+#	Import "spam"
+#
+#	<Module spam>
+#		spam "wonderful" "lovely"
+#	</Module>
+#</Plugin>
+
+#<Plugin rrdcached>
+#	DaemonAddress "unix:/var/run/rrdcached.sock"
+#	DataDir "/var/lib/rrdcached/db/collectd"
+#	CreateFiles true
+#	CollectStatistics true
+#</Plugin>
+
+<Plugin rrdtool>
+	DataDir "/var/lib/collectd/rrd"
+#	CacheTimeout 120
+#	CacheFlush 900
+#	WritesPerSecond 30
+#	RandomTimeout 0
+#
+# The following settings are rather advanced
+# and should usually not be touched:
+#	StepSize 10
+#	HeartBeat 20
+#	RRARows 1200
+#	RRATimespan 158112000
+#	XFF 0.1
+</Plugin>
+
+#<Plugin sensors>
+#	SensorConfigFile "/etc/sensors3.conf"
+#	Sensor "it8712-isa-0290/temperature-temp1"
+#	Sensor "it8712-isa-0290/fanspeed-fan3"
+#	Sensor "it8712-isa-0290/voltage-in8"
+#	IgnoreSelected false
+#</Plugin>
+
+# See /usr/share/doc/collectd/examples/snmp-data.conf.gz for a
+# comprehensive sample configuration.
+#<Plugin snmp>
+#	<Data "powerplus_voltge_input">
+#		Type "voltage"
+#		Table false
+#		Instance "input_line1"
+#		Scale 0.1
+#		Values "SNMPv2-SMI::enterprises.6050.5.4.1.1.2.1"
+#	</Data>
+#	<Data "hr_users">
+#		Type "users"
+#		Table false
+#		Instance ""
+#		Shift -1
+#		Values "HOST-RESOURCES-MIB::hrSystemNumUsers.0"
+#	</Data>
+#	<Data "std_traffic">
+#		Type "if_octets"
+#		Table true
+#		InstancePrefix "traffic"
+#		Instance "IF-MIB::ifDescr"
+#		Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
+#	</Data>
+#
+#	<Host "some.switch.mydomain.org">
+#		Address "192.168.0.2"
+#		Version 1
+#		Community "community_string"
+#		Collect "std_traffic"
+#		Inverval 120
+#	</Host>
+#	<Host "some.server.mydomain.org">
+#		Address "192.168.0.42"
+#		Version 2
+#		Community "another_string"
+#		Collect "std_traffic" "hr_users"
+#	</Host>
+#	<Host "some.ups.mydomain.org">
+#		Address "192.168.0.3"
+#		Version 1
+#		Community "more_communities"
+#		Collect "powerplus_voltge_input"
+#		Interval 300
+#	</Host>
+#</Plugin>
+
+#<Plugin swap>
+#	ReportByDevice false
+#</Plugin>
+
+#<Plugin table>
+#	<Table "/proc/slabinfo">
+#		Instance "slabinfo"
+#		Separator " "
+#		<Result>
+#			Type gauge
+#			InstancePrefix "active_objs"
+#			InstancesFrom 0
+#			ValuesFrom 1
+#		</Result>
+#		<Result>
+#			Type gauge
+#			InstancePrefix "objperslab"
+#			InstancesFrom 0
+#			ValuesFrom 4
+#		</Result>
+#	</Table>
+#</Plugin>
+
+#<Plugin "tail">
+#	<File "/var/log/exim4/mainlog">
+#		Instance "exim"
+#		<Match>
+#			Regex "S=([1-9][0-9]*)"
+#			DSType "CounterAdd"
+#			Type "ipt_bytes"
+#			Instance "total"
+#		</Match>
+#		<Match>
+#			Regex "\\<R=local_user\\>"
+#			ExcludeRegex "\\<R=local_user\\>.*mail_spool defer"
+#			DSType "CounterInc"
+#			Type "counter"
+#			Instance "local_user"
+#		</Match>
+#	</File>
+#</Plugin>
+
+<Plugin tcpconns>
+	LocalPort "4001"
+	LocalPort "7001"
+</Plugin>
+
+#<Plugin teamspeak2>
+#	Host "127.0.0.1"
+#	Port "51234"
+#	Server "8767"
+#</Plugin>
+
+#<Plugin ted>
+#	Device "/dev/ttyUSB0"
+#	Retries 0
+#</Plugin>
+
+#<Plugin thermal>
+#	ForceUseProcfs false
+#	Device "THRM"
+#	IgnoreSelected false
+#</Plugin>
+
+#<Plugin tokyotyrant>
+#	Host "localhost"
+#	Port "1978"
+#</Plugin>
+
+#<Plugin unixsock>
+#	SocketFile "/var/run/collectd-unixsock"
+#	SocketGroup "collectd"
+#	SocketPerms "0660"
+#	DeleteSocket false
+#</Plugin>
+
+#<Plugin uuid>
+#	UUIDFile "/etc/uuid"
+#</Plugin>
+
+#<Plugin varnish>
+#	<Instance>
+#		CollectCache true
+#		CollectBackend true
+#		CollectConnections true
+#		CollectSHM true
+#		CollectESI false
+#		CollectFetch false
+#		CollectHCB false
+#		CollectSMA false
+#		CollectSMS false
+#		CollectSM false
+#		CollectTotals false
+#		CollectWorkers false
+#	</Instance>
+#
+#	<Instance "myinstance">
+#		CollectCache true
+#	</Instance>
+#</Plugin>
+
+#<Plugin vmem>
+#	Verbose false
+#</Plugin>
+
+#<Plugin write_graphite>
+#	<Carbon>
+#		Host "127.0.01"
+#		Port "2003"
+#		Prefix "collectd"
+#		Postfix "collectd"
+#		StoreRates false
+#		AlwaysAppendDS false
+#		EscapeCharacter "_"
+#	</Carbon>
+#</Plugin>
+
+#<Plugin write_http>
+#	<URL "http://example.com/collectd-post">
+#		User "collectd"
+#		Password "secret"
+#		VerifyPeer true
+#		VerifyHost true
+#		CACert "/etc/ssl/ca.crt"
+#		Format "Command"
+#		StoreRates false
+#	</URL>
+#</Plugin>
+
+#<Plugin write_mongodb>
+#	<Node "example">
+#		Host "localhost"
+#		Port "27017"
+#		Timeout 1000
+#		StoreRates false
+#	<Node>
+#</Plugin>
+
+Include "/etc/collectd/filters.conf"
+Include "/etc/collectd/thresholds.conf"
--- a/contrib/graphite/Dockerfile
+++ b/contrib/graphite/Dockerfile
@ -0,0 +1,31 @@
+from	stackbrew/ubuntu:precise
+
+run	echo 'deb http://us.archive.ubuntu.com/ubuntu/ precise universe' >> /etc/apt/sources.list
+run	apt-get -y update
+
+# Install required packages
+run	apt-get -y install python-cairo python-django python-twisted python-django-tagging python-simplejson python-pysqlite2 python-support python-pip gunicorn supervisor nginx-light
+run	pip install whisper
+run	pip install --install-option="--prefix=/var/lib/graphite" --install-option="--install-lib=/var/lib/graphite/lib" carbon
+run	pip install --install-option="--prefix=/var/lib/graphite" --install-option="--install-lib=/var/lib/graphite/webapp" graphite-web
+
+# Add system service config
+add	./nginx.conf /etc/nginx/nginx.conf
+add	./supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+# Add graphite config
+add	./initial_data.json /var/lib/graphite/webapp/graphite/initial_data.json
+add	./local_settings.py /var/lib/graphite/webapp/graphite/local_settings.py
+add	./carbon.conf /var/lib/graphite/conf/carbon.conf
+add	./storage-schemas.conf /var/lib/graphite/conf/storage-schemas.conf
+run	mkdir -p /var/lib/graphite/storage/whisper
+run	touch /var/lib/graphite/storage/graphite.db /var/lib/graphite/storage/index
+run	chown -R www-data /var/lib/graphite/storage
+run	chmod 0775 /var/lib/graphite/storage /var/lib/graphite/storage/whisper
+run	chmod 0664 /var/lib/graphite/storage/graphite.db
+run cd /var/lib/graphite/webapp/graphite && python manage.py syncdb --noinput
+
+expose	:80
+expose	:2003
+
+cmd	["/usr/bin/supervisord"]
--- a/contrib/graphite/README
+++ b/contrib/graphite/README
@ -0,0 +1,7 @@
+Running graphite under Docker is straightforward:
+
+1. Build the graphite image using Docker
+docker build -t graphite .
+
+2. Run a graphite container. Be sure to replace the $IP field with the IP address at which you wish to expose your graphite web service.
+docker run -p $IP:8080:80 -p $IP:2003:2003 -d graphite
--- a/contrib/graphite/carbon.conf
+++ b/contrib/graphite/carbon.conf
@ -0,0 +1,62 @@
+[cache]
+LOCAL_DATA_DIR = /var/lib/graphite/storage/whisper/
+
+# Specify the user to drop privileges to
+# If this is blank carbon runs as the user that invokes it
+# This user must have write access to the local data directory
+USER = 
+
+# Limit the size of the cache to avoid swapping or becoming CPU bound.
+# Sorts and serving cache queries gets more expensive as the cache grows.
+# Use the value "inf" (infinity) for an unlimited cache size.
+MAX_CACHE_SIZE = inf
+
+# Limits the number of whisper update_many() calls per second, which effectively
+# means the number of write requests sent to the disk. This is intended to
+# prevent over-utilizing the disk and thus starving the rest of the system.
+# When the rate of required updates exceeds this, then carbon's caching will
+# take effect and increase the overall throughput accordingly.
+MAX_UPDATES_PER_SECOND = 1000
+
+# Softly limits the number of whisper files that get created each minute.
+# Setting this value low (like at 50) is a good way to ensure your graphite
+# system will not be adversely impacted when a bunch of new metrics are
+# sent to it. The trade off is that it will take much longer for those metrics'
+# database files to all get created and thus longer until the data becomes usable.
+# Setting this value high (like "inf" for infinity) will cause graphite to create
+# the files quickly but at the risk of slowing I/O down considerably for a while.
+MAX_CREATES_PER_MINUTE = inf
+
+LINE_RECEIVER_INTERFACE = 0.0.0.0
+LINE_RECEIVER_PORT = 2003
+
+#PICKLE_RECEIVER_INTERFACE = 0.0.0.0
+#PICKLE_RECEIVER_PORT = 2004
+
+#CACHE_QUERY_INTERFACE = 0.0.0.0
+#CACHE_QUERY_PORT = 7002
+
+LOG_UPDATES = False
+
+# Enable AMQP if you want to receve metrics using an amqp broker
+# ENABLE_AMQP = False
+
+# Verbose means a line will be logged for every metric received
+# useful for testing
+# AMQP_VERBOSE = False
+
+# AMQP_HOST = localhost
+# AMQP_PORT = 5672
+# AMQP_VHOST = /
+# AMQP_USER = guest
+# AMQP_PASSWORD = guest
+# AMQP_EXCHANGE = graphite
+
+# Patterns for all of the metrics this machine will store. Read more at
+# http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol#Bindings
+#
+# Example: store all sales, linux servers, and utilization metrics
+# BIND_PATTERNS = sales.#, servers.linux.#, #.utilization
+#
+# Example: store everything
+# BIND_PATTERNS = #
--- a/contrib/graphite/initial_data.json
+++ b/contrib/graphite/initial_data.json
@ -0,0 +1,20 @@
+[
+  {
+    "pk": 1,
+    "model": "auth.user",
+    "fields": {
+      "username": "admin",
+      "first_name": "",
+      "last_name": "",
+      "is_active": true,
+      "is_superuser": true,
+      "is_staff": true,
+      "last_login": "2011-09-20 17:02:14",
+      "groups": [],
+      "user_permissions": [],
+      "password": "sha1$1b11b$edeb0a67a9622f1f2cfeabf9188a711f5ac7d236",
+      "email": "root@example.com",
+      "date_joined": "2011-09-20 17:02:14"
+    }
+  }
+]
--- a/contrib/graphite/local_settings.py
+++ b/contrib/graphite/local_settings.py
@ -0,0 +1 @@
+TIME_ZONE = 'UTC'
--- a/contrib/graphite/nginx.conf
+++ b/contrib/graphite/nginx.conf
@ -0,0 +1,69 @@
+daemon off;
+user www-data;
+worker_processes 1;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+  server_tokens off;
+
+  server_names_hash_bucket_size 32;
+
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+  gzip on;
+  gzip_disable "msie6";
+
+  server {
+    listen 80 default_server;
+    server_name _;
+
+    open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
+
+    location / {
+        proxy_pass                 http://127.0.0.1:8000;
+        proxy_set_header           X-Real-IP   $remote_addr;
+        proxy_set_header           X-Forwarded-For  $proxy_add_x_forwarded_for;
+        proxy_set_header           X-Forwarded-Proto  $scheme;
+        proxy_set_header           X-Forwarded-Server  $host;
+        proxy_set_header           X-Forwarded-Host  $host;
+        proxy_set_header           Host  $host;
+
+        client_max_body_size       10m;
+        client_body_buffer_size    128k;
+
+        proxy_connect_timeout      90;
+        proxy_send_timeout         90;
+        proxy_read_timeout         90;
+
+        proxy_buffer_size          4k;
+        proxy_buffers              4 32k;
+        proxy_busy_buffers_size    64k;
+        proxy_temp_file_write_size 64k;
+    }
+
+    add_header Access-Control-Allow-Origin "*";
+    add_header Access-Control-Allow-Methods "GET, OPTIONS";
+    add_header Access-Control-Allow-Headers "origin, authorization, accept";
+
+    location /content {
+      alias /var/lib/graphite/webapp/content;
+    }
+
+    location /media {
+      alias /usr/share/pyshared/django/contrib/admin/media;
+    }
+  }
+}
--- a/contrib/graphite/storage-schemas.conf
+++ b/contrib/graphite/storage-schemas.conf
@ -0,0 +1,7 @@
+[carbon]
+pattern = ^carbon\..*
+retentions = 1m:31d,10m:1y,1h:5y
+
+[default]
+pattern = .*
+retentions = 10s:8d,1m:31d,10m:1y,1h:5y
--- a/contrib/graphite/supervisord.conf
+++ b/contrib/graphite/supervisord.conf
@ -0,0 +1,25 @@
+[supervisord]
+nodaemon = true
+environment = GRAPHITE_STORAGE_DIR='/var/lib/graphite/storage',GRAPHITE_CONF_DIR='/var/lib/graphite/conf'
+
+[program:nginx]
+command = /usr/sbin/nginx
+stdout_logfile = /var/log/supervisor/%(program_name)s.log
+stderr_logfile = /var/log/supervisor/%(program_name)s.log
+autorestart = true
+
+[program:carbon-cache]
+user = www-data
+command = /var/lib/graphite/bin/carbon-cache.py --debug start
+stdout_logfile = /var/log/supervisor/%(program_name)s.log
+stderr_logfile = /var/log/supervisor/%(program_name)s.log
+autorestart = true
+
+[program:graphite-webapp]
+user = www-data
+directory = /var/lib/graphite/webapp
+environment = PYTHONPATH='/var/lib/graphite/webapp'
+command = /usr/bin/gunicorn_django -b127.0.0.1:8000 -w2 graphite/settings.py
+stdout_logfile = /var/log/supervisor/%(program_name)s.log
+stderr_logfile = /var/log/supervisor/%(program_name)s.log
+autorestart = true
--- a/discovery/discovery.go
+++ b/discovery/discovery.go
@ -0,0 +1,148 @@
+package discovery
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"path"
+	"strings"
+	"time"
+
+	etcdErr "github.com/coreos/etcd/error"
+	"github.com/coreos/etcd/log"
+	"github.com/coreos/etcd/third_party/github.com/coreos/go-etcd/etcd"
+)
+
+const (
+	stateKey     = "_state"
+	startedState = "started"
+	defaultTTL   = 604800 // One week TTL
+)
+
+type Discoverer struct {
+	client       *etcd.Client
+	name         string
+	peer         string
+	prefix       string
+	discoveryURL string
+}
+
+var defaultDiscoverer *Discoverer
+
+func init() {
+	defaultDiscoverer = &Discoverer{}
+}
+
+func (d *Discoverer) Do(discoveryURL string, name string, peer string, closeChan <-chan bool, startRoutine func(func())) (peers []string, err error) {
+	d.name = name
+	d.peer = peer
+	d.discoveryURL = discoveryURL
+
+	u, err := url.Parse(discoveryURL)
+
+	if err != nil {
+		return
+	}
+
+	// prefix is prepended to all keys for this discovery
+	d.prefix = strings.TrimPrefix(u.Path, "/v2/keys/")
+
+	// keep the old path in case we need to set the KeyPrefix below
+	oldPath := u.Path
+	u.Path = ""
+
+	// Connect to a scheme://host not a full URL with path
+	log.Infof("Discovery via %s using prefix %s.", u.String(), d.prefix)
+	d.client = etcd.NewClient([]string{u.String()})
+
+	if !strings.HasPrefix(oldPath, "/v2/keys") {
+		d.client.SetKeyPrefix("")
+	}
+
+	// Register this machine first and announce that we are a member of
+	// this cluster
+	err = d.heartbeat()
+	if err != nil {
+		return
+	}
+
+	// Start the very slow heartbeat to the cluster now in anticipation
+	// that everything is going to go alright now
+	startRoutine(func() { d.startHeartbeat(closeChan) })
+
+	// Attempt to take the leadership role, if there is no error we are it!
+	resp, err := d.client.Create(path.Join(d.prefix, stateKey), startedState, 0)
+
+	// Bail out on unexpected errors
+	if err != nil {
+		if clientErr, ok := err.(*etcd.EtcdError); !ok || clientErr.ErrorCode != etcdErr.EcodeNodeExist {
+			return nil, err
+		}
+	}
+
+	// If we got a response then the CAS was successful, we are leader
+	if resp != nil && resp.Node.Value == startedState {
+		// We are the leader, we have no peers
+		log.Infof("Discovery _state was empty, so this machine is the initial leader.")
+		return nil, nil
+	}
+
+	// Fall through to finding the other discovery peers
+	return d.findPeers()
+}
+
+func (d *Discoverer) findPeers() (peers []string, err error) {
+	resp, err := d.client.Get(path.Join(d.prefix), false, true)
+	if err != nil {
+		return nil, err
+	}
+
+	node := resp.Node
+
+	if node == nil {
+		return nil, fmt.Errorf("%s key doesn't exist.", d.prefix)
+	}
+
+	for _, n := range node.Nodes {
+		// Skip our own entry in the list, there is no point
+		if strings.HasSuffix(n.Key, "/"+d.name) {
+			continue
+		}
+		peers = append(peers, n.Value)
+	}
+
+	if len(peers) == 0 {
+		return nil, errors.New("Discovery found an initialized cluster but no reachable peers are registered.")
+	}
+
+	log.Infof("Discovery found peers %v", peers)
+
+	return
+}
+
+func (d *Discoverer) startHeartbeat(closeChan <-chan bool) {
+	// In case of errors we should attempt to heartbeat fairly frequently
+	heartbeatInterval := defaultTTL / 8
+	ticker := time.NewTicker(time.Second * time.Duration(heartbeatInterval))
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ticker.C:
+			err := d.heartbeat()
+			if err != nil {
+				log.Warnf("Discovery heartbeat failed: %v", err)
+			}
+		case <-closeChan:
+			return
+		}
+	}
+}
+
+func (d *Discoverer) heartbeat() error {
+	_, err := d.client.Set(path.Join(d.prefix, d.name), d.peer, defaultTTL)
+	return err
+}
+
+func Do(discoveryURL string, name string, peer string, closeChan <-chan bool, startRoutine func(func())) ([]string, error) {
+	return defaultDiscoverer.Do(discoveryURL, name, peer, closeChan, startRoutine)
+}
--- a/error/error.go
+++ b/error/error.go
@ -22,63 +22,81 @@ import (
 	"net/http"
 )

-var errors map[int]string
+var errors = map[int]string{
+	// command related errors
+	EcodeKeyNotFound:      "Key not found",
+	EcodeTestFailed:       "Compare failed", //test and set
+	EcodeNotFile:          "Not a file",
+	EcodeNoMorePeer:       "Reached the max number of peers in the cluster",
+	EcodeNotDir:           "Not a directory",
+	EcodeNodeExist:        "Key already exists", // create
+	EcodeRootROnly:        "Root is read only",
+	EcodeKeyIsPreserved:   "The prefix of given key is a keyword in etcd",
+	EcodeDirNotEmpty:      "Directory not empty",
+	EcodeExistingPeerAddr: "Peer address has existed",
+
+	// Post form related errors
+	EcodeValueRequired:        "Value is Required in POST form",
+	EcodePrevValueRequired:    "PrevValue is Required in POST form",
+	EcodeTTLNaN:               "The given TTL in POST form is not a number",
+	EcodeIndexNaN:             "The given index in POST form is not a number",
+	EcodeValueOrTTLRequired:   "Value or TTL is required in POST form",
+	EcodeTimeoutNaN:           "The given timeout in POST form is not a number",
+	EcodeNameRequired:         "Name is required in POST form",
+	EcodeIndexOrValueRequired: "Index or value is required",
+	EcodeIndexValueMutex:      "Index and value cannot both be specified",
+	EcodeInvalidField:         "Invalid field",
+
+	// raft related errors
+	EcodeRaftInternal: "Raft Internal Error",
+	EcodeLeaderElect:  "During Leader Election",
+
+	// etcd related errors
+	EcodeWatcherCleared:     "watcher is cleared due to etcd recovery",
+	EcodeEventIndexCleared:  "The event in requested index is outdated and cleared",
+	EcodeStandbyInternal:    "Standby Internal Error",
+	EcodeInvalidActiveSize:  "Invalid active size",
+	EcodeInvalidRemoveDelay: "Standby remove delay",
+
+	// client related errors
+	EcodeClientInternal: "Client Internal Error",
+}

 const (
-	EcodeKeyNotFound    = 100
-	EcodeTestFailed     = 101
-	EcodeNotFile        = 102
-	EcodeNoMorePeer     = 103
-	EcodeNotDir         = 104
-	EcodeNodeExist      = 105
-	EcodeKeyIsPreserved = 106
-	EcodeRootROnly      = 107
-	EcodeDirNotEmpty    = 108
+	EcodeKeyNotFound      = 100
+	EcodeTestFailed       = 101
+	EcodeNotFile          = 102
+	EcodeNoMorePeer       = 103
+	EcodeNotDir           = 104
+	EcodeNodeExist        = 105
+	EcodeKeyIsPreserved   = 106
+	EcodeRootROnly        = 107
+	EcodeDirNotEmpty      = 108
+	EcodeExistingPeerAddr = 109

-	EcodeValueRequired      = 200
-	EcodePrevValueRequired  = 201
-	EcodeTTLNaN             = 202
-	EcodeIndexNaN           = 203
-	EcodeValueOrTTLRequired = 204
+	EcodeValueRequired        = 200
+	EcodePrevValueRequired    = 201
+	EcodeTTLNaN               = 202
+	EcodeIndexNaN             = 203
+	EcodeValueOrTTLRequired   = 204
+	EcodeTimeoutNaN           = 205
+	EcodeNameRequired         = 206
+	EcodeIndexOrValueRequired = 207
+	EcodeIndexValueMutex      = 208
+	EcodeInvalidField         = 209

 	EcodeRaftInternal = 300
 	EcodeLeaderElect  = 301

-	EcodeWatcherCleared    = 400
-	EcodeEventIndexCleared = 401
+	EcodeWatcherCleared     = 400
+	EcodeEventIndexCleared  = 401
+	EcodeStandbyInternal    = 402
+	EcodeInvalidActiveSize  = 403
+	EcodeInvalidRemoveDelay = 404
+
+	EcodeClientInternal = 500
 )

-func init() {
-	errors = make(map[int]string)
-
-	// command related errors
-	errors[EcodeKeyNotFound] = "Key not found"
-	errors[EcodeTestFailed] = "Compare failed" //test and set
-	errors[EcodeNotFile] = "Not a file"
-	errors[EcodeNoMorePeer] = "Reached the max number of peers in the cluster"
-	errors[EcodeNotDir] = "Not a directory"
-	errors[EcodeNodeExist] = "Key already exists" // create
-	errors[EcodeRootROnly] = "Root is read only"
-	errors[EcodeKeyIsPreserved] = "The prefix of given key is a keyword in etcd"
-	errors[EcodeDirNotEmpty] = "Directory not empty"
-
-	// Post form related errors
-	errors[EcodeValueRequired] = "Value is Required in POST form"
-	errors[EcodePrevValueRequired] = "PrevValue is Required in POST form"
-	errors[EcodeTTLNaN] = "The given TTL in POST form is not a number"
-	errors[EcodeIndexNaN] = "The given index in POST form is not a number"
-	errors[EcodeValueOrTTLRequired] = "Value or TTL is required in POST form"
-
-	// raft related errors
-	errors[EcodeRaftInternal] = "Raft Internal Error"
-	errors[EcodeLeaderElect] = "During Leader Election"
-
-	// etcd related errors
-	errors[EcodeWatcherCleared] = "watcher is cleared due to etcd recovery"
-	errors[EcodeEventIndexCleared] = "The event in requested index is outdated and cleared"
-
-}
-
 type Error struct {
 	ErrorCode int    `json:"errorCode"`
 	Message   string `json:"message"`
@ -101,7 +119,7 @@ func Message(code int) string {

 // Only for error interface
 func (e Error) Error() string {
-	return e.Message
+	return e.Message + " (" + e.Cause + ")"
 }

 func (e Error) toJsonString() string {
@ -125,5 +143,6 @@ func (e Error) Write(w http.ResponseWriter) {
 			status = http.StatusInternalServerError
 		}
 	}
-	http.Error(w, e.toJsonString(), status)
+	w.WriteHeader(status)
+	fmt.Fprintln(w, e.toJsonString())
 }
--- a/etcd.go
+++ b/etcd.go
@ -1,109 +0,0 @@
-/*
-Copyright 2013 CoreOS Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/coreos/etcd/log"
-	"github.com/coreos/etcd/server"
-	"github.com/coreos/etcd/store"
-	"github.com/coreos/raft"
-)
-
-func main() {
-	// Load configuration.
-	var config = server.NewConfig()
-	if err := config.Load(os.Args[1:]); err != nil {
-		fmt.Println(server.Usage() + "\n")
-		fmt.Println(err.Error() + "\n")
-		os.Exit(1)
-	} else if config.ShowVersion {
-		fmt.Println(server.ReleaseVersion)
-		os.Exit(0)
-	} else if config.ShowHelp {
-		fmt.Println(server.Usage() + "\n")
-		os.Exit(0)
-	}
-
-	// Enable options.
-	if config.VeryVerbose {
-		log.Verbose = true
-		raft.SetLogLevel(raft.Debug)
-	} else if config.Verbose {
-		log.Verbose = true
-	}
-	if config.CPUProfileFile != "" {
-		profile(config.CPUProfileFile)
-	}
-
-	if config.DataDir == "" {
-		log.Fatal("The data dir was not set and could not be guessed from machine name")
-	}
-
-	// Create data directory if it doesn't already exist.
-	if err := os.MkdirAll(config.DataDir, 0744); err != nil {
-		log.Fatalf("Unable to create path: %s", err)
-	}
-
-	// Load info object.
-	info, err := config.Info()
-	if err != nil {
-		log.Fatal("info:", err)
-	}
-
-	// Retrieve TLS configuration.
-	tlsConfig, err := info.EtcdTLS.Config()
-	if err != nil {
-		log.Fatal("Client TLS:", err)
-	}
-	peerTLSConfig, err := info.RaftTLS.Config()
-	if err != nil {
-		log.Fatal("Peer TLS:", err)
-	}
-
-	// Create etcd key-value store and registry.
-	store := store.New()
-	registry := server.NewRegistry(store)
-
-	// Create peer server.
-	ps := server.NewPeerServer(info.Name, config.DataDir, info.RaftURL, info.RaftListenHost, &peerTLSConfig, &info.RaftTLS, registry, store, config.SnapshotCount)
-	ps.MaxClusterSize = config.MaxClusterSize
-	ps.RetryTimes = config.MaxRetryAttempts
-	if config.Peer.HeartbeatTimeout > 0 {
-		ps.HeartbeatTimeout = time.Duration(config.Peer.HeartbeatTimeout) * time.Millisecond
-	}
-	if config.Peer.ElectionTimeout > 0 {
-		ps.ElectionTimeout = time.Duration(config.Peer.ElectionTimeout) * time.Millisecond
-	}
-
-	// Create client server.
-	s := server.New(info.Name, info.EtcdURL, info.EtcdListenHost, &tlsConfig, &info.EtcdTLS, ps, registry, store)
-	if err := s.AllowOrigins(config.CorsOrigins); err != nil {
-		panic(err)
-	}
-
-	ps.SetServer(s)
-
-	// Run peer server in separate thread while the client server blocks.
-	go func() {
-		log.Fatal(ps.ListenAndServe(config.Snapshot, config.Peers))
-	}()
-	log.Fatal(s.ListenAndServe())
-}
--- a/etcd/etcd.go
+++ b/etcd/etcd.go
@ -0,0 +1,416 @@
+/*
+Copyright 2013 CoreOS Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	goetcd "github.com/coreos/etcd/third_party/github.com/coreos/go-etcd/etcd"
+	golog "github.com/coreos/etcd/third_party/github.com/coreos/go-log/log"
+	"github.com/coreos/etcd/third_party/github.com/goraft/raft"
+	httpclient "github.com/coreos/etcd/third_party/github.com/mreiferson/go-httpclient"
+
+	"github.com/coreos/etcd/config"
+	ehttp "github.com/coreos/etcd/http"
+	"github.com/coreos/etcd/log"
+	"github.com/coreos/etcd/metrics"
+	"github.com/coreos/etcd/server"
+	"github.com/coreos/etcd/store"
+)
+
+// TODO(yichengq): constant extraTimeout is a hack.
+// Current problem is that there is big lag between join command
+// execution and join success.
+// Fix it later. It should be removed when proper method is found and
+// enough tests are provided. It is expected to be calculated from
+// heartbeatInterval and electionTimeout only.
+const extraTimeout = time.Duration(1000) * time.Millisecond
+
+type Etcd struct {
+	Config *config.Config // etcd config
+
+	Store         store.Store        // data store
+	Registry      *server.Registry   // stores URL information for nodes
+	Server        *server.Server     // http server, runs on 4001 by default
+	PeerServer    *server.PeerServer // peer server, runs on 7001 by default
+	StandbyServer *server.StandbyServer
+
+	server     *http.Server
+	peerServer *http.Server
+
+	mode        Mode
+	modeMutex   sync.Mutex
+	closeChan   chan bool
+	readyNotify chan bool // To signal when server is ready to accept connections
+	onceReady   sync.Once
+	stopNotify  chan bool // To signal when server is stopped totally
+}
+
+// New returns a new Etcd instance.
+func New(c *config.Config) *Etcd {
+	if c == nil {
+		c = config.New()
+	}
+	return &Etcd{
+		Config:      c,
+		closeChan:   make(chan bool),
+		readyNotify: make(chan bool),
+		stopNotify:  make(chan bool),
+	}
+}
+
+// Run the etcd instance.
+func (e *Etcd) Run() {
+	// Sanitize all the input fields.
+	if err := e.Config.Sanitize(); err != nil {
+		log.Fatalf("failed sanitizing configuration: %v", err)
+	}
+
+	// Force remove server configuration if specified.
+	if e.Config.Force {
+		e.Config.Reset()
+	}
+
+	// Enable options.
+	if e.Config.VeryVeryVerbose {
+		log.Verbose = true
+		raft.SetLogLevel(raft.Trace)
+		goetcd.SetLogger(
+			golog.New(
+				"go-etcd",
+				false,
+				golog.CombinedSink(
+					os.Stdout,
+					"[%s] %s %-9s | %s\n",
+					[]string{"prefix", "time", "priority", "message"},
+				),
+			),
+		)
+	} else if e.Config.VeryVerbose {
+		log.Verbose = true
+		raft.SetLogLevel(raft.Debug)
+	} else if e.Config.Verbose {
+		log.Verbose = true
+	}
+
+	if e.Config.CPUProfileFile != "" {
+		profile(e.Config.CPUProfileFile)
+	}
+
+	if e.Config.DataDir == "" {
+		log.Fatal("The data dir was not set and could not be guessed from machine name")
+	}
+
+	// Create data directory if it doesn't already exist.
+	if err := os.MkdirAll(e.Config.DataDir, 0744); err != nil {
+		log.Fatalf("Unable to create path: %s", err)
+	}
+
+	// Warn people if they have an info file
+	info := filepath.Join(e.Config.DataDir, "info")
+	if _, err := os.Stat(info); err == nil {
+		log.Warnf("All cached configuration is now ignored. The file %s can be removed.", info)
+	}
+
+	var mbName string
+	if e.Config.Trace() {
+		mbName = e.Config.MetricsBucketName()
+		runtime.SetBlockProfileRate(1)
+	}
+
+	mb := metrics.NewBucket(mbName)
+
+	if e.Config.GraphiteHost != "" {
+		err := mb.Publish(e.Config.GraphiteHost)
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	// Retrieve CORS configuration
+	corsInfo, err := ehttp.NewCORSInfo(e.Config.CorsOrigins)
+	if err != nil {
+		log.Fatal("CORS:", err)
+	}
+
+	// Create etcd key-value store and registry.
+	e.Store = store.New()
+	e.Registry = server.NewRegistry(e.Store)
+
+	// Create stats objects
+	followersStats := server.NewRaftFollowersStats(e.Config.Name)
+	serverStats := server.NewRaftServerStats(e.Config.Name)
+
+	// Calculate all of our timeouts
+	heartbeatInterval := time.Duration(e.Config.Peer.HeartbeatInterval) * time.Millisecond
+	electionTimeout := time.Duration(e.Config.Peer.ElectionTimeout) * time.Millisecond
+	dialTimeout := (3 * heartbeatInterval) + electionTimeout
+	responseHeaderTimeout := (3 * heartbeatInterval) + electionTimeout
+
+	clientTransporter := &httpclient.Transport{
+		ResponseHeaderTimeout: responseHeaderTimeout + extraTimeout,
+		// This is a workaround for Transport.CancelRequest doesn't work on
+		// HTTPS connections blocked. The patch for it is in progress,
+		// and would be available in Go1.3
+		// More: https://codereview.appspot.com/69280043/
+		ConnectTimeout: dialTimeout + extraTimeout,
+		RequestTimeout: responseHeaderTimeout + dialTimeout + 2*extraTimeout,
+	}
+	if e.Config.PeerTLSInfo().Scheme() == "https" {
+		clientTLSConfig, err := e.Config.PeerTLSInfo().ClientConfig()
+		if err != nil {
+			log.Fatal("client TLS error: ", err)
+		}
+		clientTransporter.TLSClientConfig = clientTLSConfig
+		clientTransporter.DisableCompression = true
+	}
+	client := server.NewClient(clientTransporter)
+
+	// Create peer server
+	psConfig := server.PeerServerConfig{
+		Name:          e.Config.Name,
+		Scheme:        e.Config.PeerTLSInfo().Scheme(),
+		URL:           e.Config.Peer.Addr,
+		SnapshotCount: e.Config.SnapshotCount,
+		RetryTimes:    e.Config.MaxRetryAttempts,
+		RetryInterval: e.Config.RetryInterval,
+	}
+	e.PeerServer = server.NewPeerServer(psConfig, client, e.Registry, e.Store, &mb, followersStats, serverStats)
+
+	// Create raft transporter and server
+	raftTransporter := server.NewTransporter(followersStats, serverStats, e.Registry, heartbeatInterval, dialTimeout, responseHeaderTimeout)
+	if e.Config.PeerTLSInfo().Scheme() == "https" {
+		raftClientTLSConfig, err := e.Config.PeerTLSInfo().ClientConfig()
+		if err != nil {
+			log.Fatal("raft client TLS error: ", err)
+		}
+		raftTransporter.SetTLSConfig(*raftClientTLSConfig)
+	}
+	raftServer, err := raft.NewServer(e.Config.Name, e.Config.DataDir, raftTransporter, e.Store, e.PeerServer, "")
+	if err != nil {
+		log.Fatal(err)
+	}
+	raftServer.SetElectionTimeout(electionTimeout)
+	raftServer.SetHeartbeatInterval(heartbeatInterval)
+	e.PeerServer.SetRaftServer(raftServer, e.Config.Snapshot)
+
+	// Create etcd server
+	e.Server = server.New(e.Config.Name, e.Config.Addr, e.PeerServer, e.Registry, e.Store, &mb)
+
+	if e.Config.Trace() {
+		e.Server.EnableTracing()
+	}
+
+	e.PeerServer.SetServer(e.Server)
+
+	// Create standby server
+	ssConfig := server.StandbyServerConfig{
+		Name:       e.Config.Name,
+		PeerScheme: e.Config.PeerTLSInfo().Scheme(),
+		PeerURL:    e.Config.Peer.Addr,
+		ClientURL:  e.Config.Addr,
+		DataDir:    e.Config.DataDir,
+	}
+	e.StandbyServer = server.NewStandbyServer(ssConfig, client)
+	e.StandbyServer.SetRaftServer(raftServer)
+
+	// Generating config could be slow.
+	// Put it here to make listen happen immediately after peer-server starting.
+	peerTLSConfig := server.TLSServerConfig(e.Config.PeerTLSInfo())
+	etcdTLSConfig := server.TLSServerConfig(e.Config.EtcdTLSInfo())
+
+	if !e.StandbyServer.IsRunning() {
+		startPeerServer, possiblePeers, err := e.PeerServer.FindCluster(e.Config.Discovery, e.Config.Peers)
+		if err != nil {
+			log.Fatal(err)
+		}
+		if startPeerServer {
+			e.setMode(PeerMode)
+		} else {
+			e.StandbyServer.SyncCluster(possiblePeers)
+			e.setMode(StandbyMode)
+		}
+	} else {
+		e.setMode(StandbyMode)
+	}
+
+	serverHTTPHandler := &ehttp.CORSHandler{e.Server.HTTPHandler(), corsInfo}
+	peerServerHTTPHandler := &ehttp.CORSHandler{e.PeerServer.HTTPHandler(), corsInfo}
+	standbyServerHTTPHandler := &ehttp.CORSHandler{e.StandbyServer.ClientHTTPHandler(), corsInfo}
+
+	log.Infof("etcd server [name %s, listen on %s, advertised url %s]", e.Server.Name, e.Config.BindAddr, e.Server.URL())
+	listener := server.NewListener(e.Config.EtcdTLSInfo().Scheme(), e.Config.BindAddr, etcdTLSConfig)
+	e.server = &http.Server{Handler: &ModeHandler{e, serverHTTPHandler, standbyServerHTTPHandler}}
+	log.Infof("peer server [name %s, listen on %s, advertised url %s]", e.PeerServer.Config.Name, e.Config.Peer.BindAddr, e.PeerServer.Config.URL)
+	peerListener := server.NewListener(e.Config.PeerTLSInfo().Scheme(), e.Config.Peer.BindAddr, peerTLSConfig)
+	e.peerServer = &http.Server{Handler: &ModeHandler{e, peerServerHTTPHandler, http.NotFoundHandler()}}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-e.readyNotify
+		defer wg.Done()
+		if err := e.server.Serve(listener); err != nil {
+			if !isListenerClosing(err) {
+				log.Fatal(err)
+			}
+		}
+	}()
+	go func() {
+		<-e.readyNotify
+		defer wg.Done()
+		if err := e.peerServer.Serve(peerListener); err != nil {
+			if !isListenerClosing(err) {
+				log.Fatal(err)
+			}
+		}
+	}()
+
+	e.runServer()
+
+	listener.Close()
+	peerListener.Close()
+	wg.Wait()
+	log.Infof("etcd instance is stopped [name %s]", e.Config.Name)
+	close(e.stopNotify)
+}
+
+func (e *Etcd) runServer() {
+	var removeNotify <-chan bool
+	for {
+		if e.mode == PeerMode {
+			log.Infof("%v starting in peer mode", e.Config.Name)
+			// Starting peer server should be followed close by listening on its port
+			// If not, it may leave many requests unaccepted, or cannot receive heartbeat from the cluster.
+			// One severe problem caused if failing receiving heartbeats is when the second node joins one-node cluster,
+			// the cluster could be out of work as long as the two nodes cannot transfer messages.
+			e.PeerServer.Start(e.Config.Snapshot, e.Config.ClusterConfig())
+			removeNotify = e.PeerServer.RemoveNotify()
+		} else {
+			log.Infof("%v starting in standby mode", e.Config.Name)
+			e.StandbyServer.Start()
+			removeNotify = e.StandbyServer.RemoveNotify()
+		}
+
+		// etcd server is ready to accept connections, notify waiters.
+		e.onceReady.Do(func() { close(e.readyNotify) })
+
+		select {
+		case <-e.closeChan:
+			e.PeerServer.Stop()
+			e.StandbyServer.Stop()
+			return
+		case <-removeNotify:
+		}
+
+		if e.mode == PeerMode {
+			peerURLs := e.Registry.PeerURLs(e.PeerServer.RaftServer().Leader(), e.Config.Name)
+			e.StandbyServer.SyncCluster(peerURLs)
+			e.setMode(StandbyMode)
+		} else {
+			// Create etcd key-value store and registry.
+			e.Store = store.New()
+			e.Registry = server.NewRegistry(e.Store)
+			e.PeerServer.SetStore(e.Store)
+			e.PeerServer.SetRegistry(e.Registry)
+			e.Server.SetStore(e.Store)
+			e.Server.SetRegistry(e.Registry)
+
+			// Generate new peer server here.
+			// TODO(yichengq): raft server cannot be started after stopped.
+			// It should be removed when raft restart is implemented.
+			heartbeatInterval := time.Duration(e.Config.Peer.HeartbeatInterval) * time.Millisecond
+			electionTimeout := time.Duration(e.Config.Peer.ElectionTimeout) * time.Millisecond
+			raftServer, err := raft.NewServer(e.Config.Name, e.Config.DataDir, e.PeerServer.RaftServer().Transporter(), e.Store, e.PeerServer, "")
+			if err != nil {
+				log.Fatal(err)
+			}
+			raftServer.SetElectionTimeout(electionTimeout)
+			raftServer.SetHeartbeatInterval(heartbeatInterval)
+			e.PeerServer.SetRaftServer(raftServer, e.Config.Snapshot)
+			e.StandbyServer.SetRaftServer(raftServer)
+
+			e.PeerServer.SetJoinIndex(e.StandbyServer.JoinIndex())
+			e.setMode(PeerMode)
+		}
+	}
+}
+
+// Stop the etcd instance.
+func (e *Etcd) Stop() {
+	close(e.closeChan)
+	<-e.stopNotify
+}
+
+// ReadyNotify returns a channel that is going to be closed
+// when the etcd instance is ready to accept connections.
+func (e *Etcd) ReadyNotify() <-chan bool {
+	return e.readyNotify
+}
+
+func (e *Etcd) Mode() Mode {
+	e.modeMutex.Lock()
+	defer e.modeMutex.Unlock()
+	return e.mode
+}
+
+func (e *Etcd) setMode(m Mode) {
+	e.modeMutex.Lock()
+	defer e.modeMutex.Unlock()
+	e.mode = m
+}
+
+func isListenerClosing(err error) bool {
+	// An error string equivalent to net.errClosing for using with
+	// http.Serve() during server shutdown. Need to re-declare
+	// here because it is not exported by "net" package.
+	const errClosing = "use of closed network connection"
+
+	return strings.Contains(err.Error(), errClosing)
+}
+
+type ModeGetter interface {
+	Mode() Mode
+}
+
+type ModeHandler struct {
+	ModeGetter
+	PeerModeHandler    http.Handler
+	StandbyModeHandler http.Handler
+}
+
+func (h *ModeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	switch h.Mode() {
+	case PeerMode:
+		h.PeerModeHandler.ServeHTTP(w, r)
+	case StandbyMode:
+		h.StandbyModeHandler.ServeHTTP(w, r)
+	}
+}
+
+type Mode int
+
+const (
+	PeerMode Mode = iota
+	StandbyMode
+)
--- a/etcd/etcd_test.go
+++ b/etcd/etcd_test.go
@ -0,0 +1,41 @@
+/*
+Copyright 2013 CoreOS Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/coreos/etcd/config"
+)
+
+func TestRunStop(t *testing.T) {
+	path, _ := ioutil.TempDir("", "etcd-")
+	defer os.RemoveAll(path)
+
+	config := config.New()
+	config.Name = "ETCDTEST"
+	config.DataDir = path
+	config.Addr = "localhost:0"
+	config.Peer.Addr = "localhost:0"
+
+	etcd := New(config)
+	go etcd.Run()
+	<-etcd.ReadyNotify()
+	etcd.Stop()
+}
--- a/etcd/profile.go
+++ b/etcd/profile.go
@ -1,4 +1,4 @@
-package main
+package etcd

 import (
 	"os"
--- a/fixtures/ca/README
+++ b/fixtures/ca/README
@ -1,21 +1,13 @@
-Testing x509 certs for etcd
+The steps to regenerate this CA:

-The passphrases for the keys are `asdf`.
+1. Get etcd-ca source code and generate binary.

-# Make the CA cert
-openssl genrsa -des3 -out ca.key 4096
-openssl req -new -x509 -days 365 -key ca.key -out ca.crt  -config openssl.cnf -extensions v3_ca
+$ go get github.com/coreos/etcd-ca

-# Make server cert and signing request
-openssl genrsa -des3 -out server.key 4096
-openssl req -new -key server.key -out server.csr  -config openssl.cnf
+2. Run generate_testing_certs.sh with etcd-ca binary location.

-# Sign the server csr and generate a crt
-openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -extfile openssl.cnf -extensions v3_req
+$ ./generate_testing_certs.sh

-# Output unencrypted server key
-openssl rsa -in server.key -out server.key.insecure
-
-# Output "raw" public key from server crt
-openssl x509 -pubkey -noout -in server.crt > server.pub
+Details about generation are in the generate_testing_certs.sh script.

+3. Check current directory to see regenerated files.
--- a/fixtures/ca/broken/README
+++ b/fixtures/ca/broken/README
@ -1,21 +0,0 @@
-## Testing x509 certs for luvit
-
-# Make the CA cert
-openssl genrsa -out ca.key 4096
-openssl req -new -x509 -days 365 -key ca.key -out ca.crt
-
-# Make server cert and signing request
-openssl genrsa -out server.key 4096
-openssl req -new -key server.key -out server.csr
-
-# Sign the server csr and generate a crt
-openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
-
-# Output unencrypted server key
-openssl rsa -in server.key -out server.key.insecure
-
-# Output "raw" public key from server crt
-openssl x509 -pubkey -noout -in server.crt > server.pub
-
-# Sign the public key with the key (just for testing signatures)
-openssl dgst -sign server.key.insecure -sha256  server.pub > server.pub.sig
--- a/fixtures/ca/broken/ca.crt
+++ b/fixtures/ca/broken/ca.crt
@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIFtTCCA52gAwIBAgIJANfWYo0ePBBqMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMTIwMzE1MjMxMzMwWhcNMTMwMzE1MjMxMzMwWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAyzBV/DH0PWmPxdnr3BTogxPYKVJQ4OQjiiALRRtYPjvQYKPWWsbt4Zlw
-kfYsc6ihIKUL1tGEnjD6YDTtTwWH7DXeq0mWebFr3kQg/ssoTM5oHN9VglwPMRnx
-7qqbBG0/LO/K2Go/UMFGmWHiRYRWcOYegq6DXJpj1sRJz8o3uk4Fxz/xr1sjng1l
-EfAfE4segFLRhmXy1e6Ooy2U5WcpDeKGrD1O01DKsYdR+RavcgkmFYfZ5rdtaKrE
-wpYLylJNmOAkss7w5tOyEEDLoZHtkRFX5Ss38wuU2h9Li8P9vhyL4Ylzcuy/pBXW
-MA89D8bBXjR3G4Hk7qX7gqlI9GdRXtPqnRpgEy/vw/+6aJVfNJtLIRdabSr3vStL
-rhF1y4ocr8OJdNjHGp8tssc9I0LhhItT7bWgjQLHTRezVXV5kzpggAlDCQc48bdc
-aYjBoLuu8jH9mgGCnPtrJMyV+T96rV5V4XJieA9k4IQ3nWJk1Nslqm5S/FSQbM32
-+ineL0ZlT/x8qXNnL3FHQFDOKCng3Ww6wC7M9BDf9+Di04lNtd37pri/i5dcvsn1
-WaYzvHpSGom234Bl4NQSoupKlEhfgTc5w/uuhbGSWcsH+wB4Yi7dg5U7voNkwtVo
-loEaZ58ldd4Dkz16lZSSg4wzwDbMQWpGCPRAfVDAVk/AxpfOiOsCAwEAAaOBpzCB
-pDAdBgNVHQ4EFgQUpahFGYUWGD8RygULRRlo6TlAkxowdQYDVR0jBG4wbIAUpahF
-GYUWGD8RygULRRlo6TlAkxqhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDX
-1mKNHjwQajAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAvdXT3GIjK
-diHYGurJKSGhja8nVcZ9vm0SICyMQU3nOaMhNdrFXUP21dqO1xP+uqgc7vHGOyPg
-MNLvamCY7JtmcLEgByG5Z+aeNESdwGjP4Rl4YRB83JUyOHke0cONiJXYTjGwF7FL
-vCXjJm/3t5rTj+gPPMkcN3FtYpiVUn2Ra5LURCiRucsqnStEKiLeIM3WluKOFssZ
-AHGkUEGXpYyuobdBvejCqdc02+ywyqGuV05mOHB7dDAt0eS0tUqaEyoKlWgIuVlN
-770LJGjQkQqa0oYwrbsgKuPjH4zu7MDjzooZsYkEpgPCaK64HQ03mdWYWiqW3KY5
-JxT4TdOwSXQfvmeLbT/By1Qo0m9R2Sqb4Q0t3VDILyJmvTr4dLCRjAMfDaADxiPI
-58cXUeT5kLbF2kHQ8GZIFXpWQRhX5Go0sETlv35HtL9szNK/p2ngob6XkbxJf8rC
-ygP96Xa09J94CPrJF34slRM3hsdf/t92ytG8HTOf+42QjT60zgApibVVXwEYwx2S
-M/1FZbt9xR2nfvrKBZG4luyPuIVbAI3VbtgfP2ywIxQI7OkBQec52Ck2e4AvZk9q
-PUgxRqZbzpQSdEr3U3bhEtKf/Yq3Lgx/4Luo11BlZkWRKViBpK1yTUe1C4UkFo5Z
-gZO0oCwwO5YWxTCA1xCJDJeSuz16snOXpw==
-----END CERTIFICATE-----
--- a/fixtures/ca/broken/ca.key
+++ b/fixtures/ca/broken/ca.key
@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAyzBV/DH0PWmPxdnr3BTogxPYKVJQ4OQjiiALRRtYPjvQYKPW
-Wsbt4ZlwkfYsc6ihIKUL1tGEnjD6YDTtTwWH7DXeq0mWebFr3kQg/ssoTM5oHN9V
-glwPMRnx7qqbBG0/LO/K2Go/UMFGmWHiRYRWcOYegq6DXJpj1sRJz8o3uk4Fxz/x
-r1sjng1lEfAfE4segFLRhmXy1e6Ooy2U5WcpDeKGrD1O01DKsYdR+RavcgkmFYfZ
-5rdtaKrEwpYLylJNmOAkss7w5tOyEEDLoZHtkRFX5Ss38wuU2h9Li8P9vhyL4Ylz
-cuy/pBXWMA89D8bBXjR3G4Hk7qX7gqlI9GdRXtPqnRpgEy/vw/+6aJVfNJtLIRda
-bSr3vStLrhF1y4ocr8OJdNjHGp8tssc9I0LhhItT7bWgjQLHTRezVXV5kzpggAlD
-CQc48bdcaYjBoLuu8jH9mgGCnPtrJMyV+T96rV5V4XJieA9k4IQ3nWJk1Nslqm5S
-/FSQbM32+ineL0ZlT/x8qXNnL3FHQFDOKCng3Ww6wC7M9BDf9+Di04lNtd37pri/
-i5dcvsn1WaYzvHpSGom234Bl4NQSoupKlEhfgTc5w/uuhbGSWcsH+wB4Yi7dg5U7
-voNkwtVoloEaZ58ldd4Dkz16lZSSg4wzwDbMQWpGCPRAfVDAVk/AxpfOiOsCAwEA
-AQKCAgEAkOSBDHxa3Mg//CiwZpqKS56FEMJgZl6JcV/0aW1cedSRfbiXjNg6nhub
-CJrxi/B+JhdL3/48gcoPYTec2jLpgGnRxXeOVG1OrIsMtGUO8eZmm+Auy+z18F++
-BCGotXlqCZNdpQHu8JlCzPHeNxBty8htjWcAybJW67nBoOlk3/fvauyQXimxtm16
-21XN81PLhlqIizx79E5PbNF+UjBEOGCHBKAba9k7EWmb7PJeXgVkIQplOn8nB/Ju
-qQvykG4sY43C3bdwVkozuh9alnbHYCFr+kHdffWOShTy/FHgygb1QPmRWCy3ZD0m
-JdNYCb4D+jeTkAwKwpueRMiO+6oJfT5P/J6eovfFVN+fdcg7v/0AdnUO1vkb5ykV
-9YpYw7igF+ueRTl2LLEI4xHRfeAybpIouVgRtIBkSd8Cjp4fhKCLOKsEYWgP+uWS
-o1tHJ7KliweWPK/eZPrgRHiyH/4gP+EyYDZwDJxFvpr3Tw7STR9DUXMTWrQ4U7/w
-3dfGPROOjieZiTT/zG6NjL2U+zq829k/48+rOaxN+ga7d8OV0aP+9/HmpcrmbRqI
-H77KOdogCpemZkoxSE82eJbwrCQLR/LWbhNRyrllI3njh8djJ/LWMOXP7SRRRESa
-6DcFW7mNtzIloKq1FTck3NYef2GjjqkElqVNHl/xkzwwU5aanUECggEBAOvNp2Cr
-OGeym/It8MxiunuOOzwYwDup96mICBME810Dfv0fLjhdw6y3ervKzBE82CKre7O4
-VueGhdIg7x0A5K8h1jYpgjkJtn77YXGJ+c4IbhfXz66uL5JL0t44gtARCSbLm+ks
-5NXdwUEkgPeKFik/cECqLE9yeeMQc9uoeKXx/nNBIPW44hr2KAIW/occyWJym2fu
-oeYV54OqXxWWDFsg0ZDGBAQ0EZiKQwfA9cd7UQrgCPrLlBcuDEtHLyF37cHt6ePk
-dzdrCg5Jy1OrmMjlKLYoaWSwfIj5CgVIncRcV6dq+EVPxoZ9MYz9Wr7e/SoiL5jC
-RiLNaixmI2S7HvECggEBANyXjyI3WWp9cMVnc76BF/fsNQvcCkFKdiDEm+yMcPdz
-IhiaaQdakhQ1GR/EKKrHIrnuPw85LmSmwHut6VD6Hk1H1mmlZ9enTLgDuntFs+ls
-/WWGvDCyddbpqblkMlKeteFlCWVnpcKGoqCBMWWOMsLbMOhh8+yEFpwJ3l/N2XSv
-TVbWoKJa0skhvNgAe/JpriOurU7mEfhDj1jMFxJNZZkoOTWGCYAB3FoLxd76I+sF
-IBy/g4ehwf4/+GRwBm/LpnGRvmjRWk4zSspo9tqnsdJlq+6YWbWBjs23ci37bT3k
-qtRUpKb/ltzFh9ai8ohEeMH34AIQRxTLipzJ3wMZnZsCggEBAN0jR6YTzNkLGs67
-IMk8ibCXyZtphtYtZvLZfOEBUo3XWn9df4YjAP/4LiTxYgGEcxnIgkEgTnfgo51V
-f4lOrihD7lVrBhIhtsFNVKwa/menZj/8B2vFNR3Y+A+pJZylbVSxvCyoCo864SML
-bds35+KU+Nvb+6QiMoashkroqwTNdph16sgms/0e/pQ/JkJlz8MAwhdtJu3VewHy
-hCuFRV8s3vwLh/a9MgdBGu2pm5WRY4Z0Zld1FhPK/oKWZm/XveSSDzfGqbsSKiMO
-N53nHmjA6DY0nepszM3T5/7eg/6Drzx1yBGQaBj2TcLwUusPypJ57vMutoGq7Lho
-rSapibECggEAGzTqJ2syMQslpIM86EsdvKs6Y6sQ7LqVVTdKj+NGb46YrvYkbA7E
-o49k+OEFrwJ+ivYSevsveKSEavypIR6oLBnnHQKUiymMMcnr7xZKuUiC/Emg3lS0
-afxJvZ7ZAg2nGxSOEx60eAiI+EjW4dKm+hd0scSbBBnKfBZPgftujZCtdj9kcoHH
-K51ooC93Gg/ktWvu3iNMJhWXEXmigtRe6oPmgm50r4ALQGPhVL3/PhZUvpb0Tv8p
-YQVcym5yrMkuTyWNmXnwrGJxIAPQJmm2ad+2U+ggcF15UnAEuh0ffRm95BBIenxd
-i/8k4NkaFqpzRmEfFMITMkJkZzASvFwlbwKCAQAQe+VFR5gKXY1ateUlo4PixXOz
-i0ktP+VvrcXRi6u+J9nhUHd0sZofVERO7u7Y8xg2bSjGfpNhY2DCaa36lnrZzuCH
-56JYSIFPk9UvclD3nqWxsICGUmfRHj9p2yEHAtn2NCGuVK24bSQMSo7Iuth9geIL
-zMY4q3Hayq2OK/1BQY6wwJvxvKQC8gBUoXfn3Ecih3Q2V17+6yauNUW8ebnm5ccb
-tIiufc92E/TU/32pJmrweHkI+FRJKmPEmHzxJOSLhxMcQ0IXCKD/ukFvGDVm1KvF
-XNwJKCwQ2KnC2gt2BRCVGxV5oKw4TnX4PVEZbC/yOsPBxnFw4QbKjtw3Bdms
-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/broken/server.crt
+++ b/fixtures/ca/broken/server.crt
@ -1,29 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIE/jCCAuYCAQEwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
-ZDAeFw0xMjAzMTUyMzEzNDZaFw0xMzAzMTUyMzEzNDZaMEUxCzAJBgNVBAYTAkFV
-MRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRz
-IFB0eSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDOwQ+StykH
-YPBXIQPgD+ZqU4RBgbwpT94p9Fvf5/OZIenI2Ujv9wCEeRbwdtbKj+RlvcM8BX2I
-27MNp0dd5G9+dLizKbDgigjDRJXVNk4d9RPd7r/51jBT3WIkkI+4qkbTMjqfhkJn
-iBQZisAajucaO02F6FGxdqlFcU/l92CG12MRbvmNqmJ9odWniylKHwAfV1jSbnQS
-ckvtsxAc9bCNm3mDrjAwZlZCaHWEy0sq3VoBA7y1IWxOSg7aXR5t6NHEMs61ARfQ
-/bdGR4ww4haGVdflS68oSZtOa9TJytv0BaMnIFLkFDvEpq39KXjP0yrSGqJQC5cA
-3yh3uJQxUcZ9A2rPRR7LoS6ZVEk+4OWRP0kPW6FILDRiHMOlj0jeMmfLzLGLW/NW
-WBPBAG6pwNJaO1Y4LLHZRUJE3dM70v/lNMmB/T1S3kJ7TX+pluTgdCKo2qjxvnQI
-A0CnQeeQSV7TiefuIixXwAGGdg7dZO0MSkX8NASPiS/B3KWP4pSDDEzsRmz4UqRG
-0tnkFRfCKHtkBPJ7OWdHapgXnlUBImQWO2MStPenmZBzuVcCkv52QwuFC8g/EKlr
-tvzRl11Ajgg9LZApI0BaOtXE/LGkBpPpXNh0Pi10ETniPhvfZhX/RYb4g6WeVGsx
-oD6V9vHrD1Psp4u+QKZRldsD0d1aRvXvzwIDAQABMA0GCSqGSIb3DQEBBQUAA4IC
-AQCAzJrMHAIZVPupdJiiooCHvLc3M/4wn02Wws/NgvkIO3mNs+9uZvJ/IsLSOS/0
-x9gIVIXscoT0y/RRCg9IUwCGmCp9XkfL0MzBNPfhOXZ2/SXLGv2ubBTv7nyXAeF9
-Oh719bbir+vmEKoMXej0LBQ3qGT6zS8Zs2iKGj1bXZjZXiTt67YkYZgr65uZTYW4
-XtywTnJ+vUg9Mp6fReXgOWDlM8BiJ6JKnRn9f5Y66INSePV4NvtcIrqNNvrBEDqX
-LOWuh1Vs32gOySF8A1jM/GdSCdV1Wsng5HxGMMuGAKnw35YguW598Fk8LLfE8w5V
-x9Gth2RdxvimMu+qsNMq0mc78C1yPDSfRXC51t8J8d5+hke/apb6KfB/47gooQeH
-TCRMorOzO8tWhK6NDPp9iKoNSYznmtWq+0Lc4Upa+cc3ktIOCiTWh9OBaFsFd8jB
-Dlhw3sqwhMtqxJEoEJIZMGSE0W9p9y+D1XeNqfHmJ04NaTvuqfkt2z6ROd+pPdqb
-A+b6aFZfBdh+ynOq2g6Epwq8rNe338E23gVGgNfcw4pdFq9NmpdVKREIQKObQWCQ
-oElaQwIgyPI9rkpkT3QsHHJnEb9mRn05tlEplOi6S05/NIb+yz07Jb09UdAjxHDR
-4MiUfXVXZwUAvuWKBnKK4ZjjgEZe21aoliLDl3yekewVqA==
-----END CERTIFICATE-----
--- a/fixtures/ca/broken/server.csr
+++ b/fixtures/ca/broken/server.csr
@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIEijCCAnICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAM7BD5K3KQdg8FchA+AP5mpThEGBvClP3in0W9/n
-85kh6cjZSO/3AIR5FvB21sqP5GW9wzwFfYjbsw2nR13kb350uLMpsOCKCMNEldU2
-Th31E93uv/nWMFPdYiSQj7iqRtMyOp+GQmeIFBmKwBqO5xo7TYXoUbF2qUVxT+X3
-YIbXYxFu+Y2qYn2h1aeLKUofAB9XWNJudBJyS+2zEBz1sI2beYOuMDBmVkJodYTL
-SyrdWgEDvLUhbE5KDtpdHm3o0cQyzrUBF9D9t0ZHjDDiFoZV1+VLryhJm05r1MnK
-2/QFoycgUuQUO8Smrf0peM/TKtIaolALlwDfKHe4lDFRxn0Das9FHsuhLplUST7g
-5ZE/SQ9boUgsNGIcw6WPSN4yZ8vMsYtb81ZYE8EAbqnA0lo7VjgssdlFQkTd0zvS
-/+U0yYH9PVLeQntNf6mW5OB0IqjaqPG+dAgDQKdB55BJXtOJ5+4iLFfAAYZ2Dt1k
-7QxKRfw0BI+JL8HcpY/ilIMMTOxGbPhSpEbS2eQVF8Ioe2QE8ns5Z0dqmBeeVQEi
-ZBY7YxK096eZkHO5VwKS/nZDC4ULyD8QqWu2/NGXXUCOCD0tkCkjQFo61cT8saQG
-k+lc2HQ+LXQROeI+G99mFf9FhviDpZ5UazGgPpX28esPU+yni75AplGV2wPR3VpG
-9e/PAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAgEAyqppt9mxmlqAUkYCbNxPnc+M
-1d5OQZ1Fqy0a4eF9/WxK+PqjRTKbD+rvGEulYdeCGiz8wP5HxVCdT2xzdVZdhMUX
-opZGG3x5H1xXy0YLzBsxB9rkYjz+NeVtl8lKXvWDfgZ1vjjRHOIc261Eq6CPoXjT
-5ENHnTyT0xbDmdkyjGNT0qowl50rlZotx6Vb2VPquAtau1m2nrvx5t0wkbJPocPA
-XTndphgdH0aecJXZOgN8MWh9LYObNM5UqIFPaiNHHAetJIOLoDDIpEl5ZVj4PwtU
-uiiaWpNjz3ODx2j5tmEz1SUF+6vS0OfvKx/pInQzFFRLfudgphzGYLf9rwOswBI7
-8d0sEfrUNEladzvIz/IvJpuRrWJ/uLfpE4LXYTNbGWP50d1YRGxv7Zl8Bio0CU34
-q+Du1CXpWce5bcOJ25KYZd7Lrf0YVzQjneuyNbBCPrp2gbweeydQWd6LGdtUab0l
-gjQ3lj4E8Y1vIpTOL2K3bvkqJxJYoaYdzzGEzuv6/FS7ATYVn5sBYxJrsUqgYdjp
-SMx6RS6ImNbHVy56nb6MiaztwAE4uo59vkrdKdvIETvP5duD4qDBsZL3WzJwhMxl
-d9An+z3VAqEABzNtM7/Cdq7pZmgdPAHgGFasB3eihdmHsONWqExRPhcmW4H1hpVQ
-pkguJFDOpRqebdLHZPI=
-----END CERTIFICATE REQUEST-----
--- a/fixtures/ca/broken/server.key
+++ b/fixtures/ca/broken/server.key
@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAzsEPkrcpB2DwVyED4A/malOEQYG8KU/eKfRb3+fzmSHpyNlI
-7/cAhHkW8HbWyo/kZb3DPAV9iNuzDadHXeRvfnS4symw4IoIw0SV1TZOHfUT3e6/
-+dYwU91iJJCPuKpG0zI6n4ZCZ4gUGYrAGo7nGjtNhehRsXapRXFP5fdghtdjEW75
-japifaHVp4spSh8AH1dY0m50EnJL7bMQHPWwjZt5g64wMGZWQmh1hMtLKt1aAQO8
-tSFsTkoO2l0ebejRxDLOtQEX0P23RkeMMOIWhlXX5UuvKEmbTmvUycrb9AWjJyBS
-5BQ7xKat/Sl4z9Mq0hqiUAuXAN8od7iUMVHGfQNqz0Uey6EumVRJPuDlkT9JD1uh
-SCw0YhzDpY9I3jJny8yxi1vzVlgTwQBuqcDSWjtWOCyx2UVCRN3TO9L/5TTJgf09
-Ut5Ce01/qZbk4HQiqNqo8b50CANAp0HnkEle04nn7iIsV8ABhnYO3WTtDEpF/DQE
-j4kvwdylj+KUgwxM7EZs+FKkRtLZ5BUXwih7ZATyezlnR2qYF55VASJkFjtjErT3
-p5mQc7lXApL+dkMLhQvIPxCpa7b80ZddQI4IPS2QKSNAWjrVxPyxpAaT6VzYdD4t
-dBE54j4b32YV/0WG+IOlnlRrMaA+lfbx6w9T7KeLvkCmUZXbA9HdWkb1788CAwEA
-AQKCAgEAyFMhDquu8jpHxHP1uERPoZfYHkxgjrqW7JmZ50FrsmS8iuGVHQR7GN/m
-jQjoJo3y421Q3DgJoPAV9dWtfVjXenQHfXiYq4ay5NfwQQyD9dy+6hrpIV4Zpzhq
-Xjk/N9KsGveg+23vqzabGwBoD5OEcdMh0uv9M3BgpCsdGhltCllo4LxgyZVcJpQG
-Wnaog+uzh6pvIjzo8/KQhPgpVZXsAdixjRfaExsk2uUxcIA1DYw5J6CCWBHRSa3R
-5FuzHxUlIe+EfrZXaCRcTpkGSVrWLkTAkaeaR/PBqeMq4nZOVYqcwU09Y0YDfw9s
-p01mhB77b2Vk/R+tqKeQIyfRVlQAduQ4ONyQwHQo7wzLcWicxR06AdYDDgAsW5W4
-na0El8PG8vsUQQrdY+rVHvye7GsKGlRqzTiuvy9QVJxPtoJlMlK1ktzRbrOJjZy3
-NuP87o4rlZljcqJbcIuTY9be6JGVwKSoUGLGxV28NgOJwnNhp3NjEvp1gaQhY5w1
-DAwD1H6W7OQ2aWpkScy9H+u7aY2rOQNyB+5E79KuAOiqhi3oH4g8V/hhRFVkDi7X
-AJHPbeTa3pQ8CxNJF76p56nxkBZfxTN21m7kWqtnZ+O7YU6I47UuT2xHPEgsy28m
-lZfWACLVU0oLLSUpiuvWGAo/J0TTxVpNGmGZjSaiD7TnIW5GnokCggEBAOySIQFr
-8DDeiESmFpSbnXLNeO8CTqxUMbaidD1zf7nkZ9JuOODkBOXNlkw8ECOLzb85dEVv
-TZTbKB2mRKgtiucEQJDLiYXtQGrpJNrcHt0f/QZQwlUGi9z9yOuboLb9ypJgcRb8
-t4+BuNNInP3DGGGGpnECC/DATgvp5s4RQU9qO5F7AXSRqw4YKnFU39mE257oMotx
-ypOklhFkvaRJaSJdcANPxTJR4IFZ6zxuLfhVgcJsfoY2+vMV/8Hm03CDQ/bwvNe7
-iOEVtxVdClhEFuWZl49HbiqLKH3F8VrsFhrS7GKK+llZRMAAt+BGcocQiqLs/G9p
-tc3SZSYmAazqbT0CggEBAN+8Ckoopa2gj1a0JDzti8rn61xyYrCm8ifG2QvN4A9J
-YqvXEwcKuiILwA/nZjM1CciZPLDi7PhplHYTA9uyCXJ8gf7aeM+MlS3KElaTohhN
-TvNUsqPO8sQUtaInzJeM3HcD8UkIl3N2Czsj2zr9WjCOMFazNG3euoCYV827Kx58
-5T3T1oXnV0vlGXRN73WFkd20agkSnYRZadefFbRV5NtW84UQ19mdOtCpvbWSQ1kW
-ps9q10spuBaqvGs2xp2+ZpawzKmWitLOOFPCF+GTigz3K6B3iCi9Q9UbLtlnYEaf
-wIQTtJwMI8GLmbxyXqluQf69g+CtiqR5djfet4sXefsCggEAeGcLK1kPPyATRLUv
-auUkpkhTU3neJrEXODfIZ3pAOJE6EgyNIFCM+ZS/+P7cy+qchcWtGqXCW4+LBEQa
-T2oWdutgHRGqZaJRldghLM65WpusQKmbroCNcKUtvFRR4LCciBFTnXpzxjMkqUwc
-sr63yvMoBP4gq6CEWGXsVVbM4alUtf9fxz9YSu0btOCYqXGIAYF2MChzDN/IjQOz
-zUibnKTnnJfd6nVniQ4FvpTpCqoiR5zGbHLRGCVLLRnY5Tu5vJXb1wSYbs6JhvL6
-j9/fs22PiJm3RSncKt8yrq7XtUFClAjdz9myNvJmo1vXcEyH8tIgzGeF40JAvsC7
-O5F4lQKCAQBrZZU+4eIdxVvpD9HxWUnoXYlyOAo9p/XHuEEJ1IqAbAasXDJrB/Av
-VZqdR8OcQxJuM3iZpGSCHhRA1YHdnMnCJhg0oOSrJF2bvEsvOfDuX3XNglO6JCYO
-j65cp2QjP1+41bCmETS6HOjpO54J5AG+GxMDG0TIlMjL39UOEZFyMhvMoPpyDomu
-Ccw9MwgGTtalKOxZbJEmLdGLynaduTmBPGzq7BnhAQNxlHlXRl2Dz0bFfBDaqK0Q
-XGbTxFh08ifGoBmuMnBzHsCVHC9gffUfoipT/ezjOW7tRf4oJ+JkJF1CST9CROWJ
-C50Bg5kDFcUiJhC+8i8CIrfnu8Y5Q0yvAoIBAEnzE7VgiObij2fytS+Qo8C5Abgz
-e9ZN3cKC9vpGYK95mBnoK/TYMGj62+ETNHS244VuOCEnHk+ypnLU/yfx/eVcbq2K
-JCFjcrM2O9k9AuJidA320Zmr0NvGRIu/NZnRy6GvYSeBS2xWhY0d13IcrZM+KnBV
-64eB2aX7OI33yyFiCYeW+1fzg3qf5m+iFKQtAmLwlcWgmbcHJCXP/Z49kPw229/2
-IszEW0PbXsA22i/CVCSn7mw7M+8Cw8JkVKS1VB2bTDkTZeO1SXuP/0nmBfE3qaie
-WuWdp6bI7KPXuxcy6aPWJVU3uoA7GeGTnne29vmRs2l8MuIAswMOkCSHnQk=
-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/broken/server.key.insecure
+++ b/fixtures/ca/broken/server.key.insecure
@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAzsEPkrcpB2DwVyED4A/malOEQYG8KU/eKfRb3+fzmSHpyNlI
-7/cAhHkW8HbWyo/kZb3DPAV9iNuzDadHXeRvfnS4symw4IoIw0SV1TZOHfUT3e6/
-+dYwU91iJJCPuKpG0zI6n4ZCZ4gUGYrAGo7nGjtNhehRsXapRXFP5fdghtdjEW75
-japifaHVp4spSh8AH1dY0m50EnJL7bMQHPWwjZt5g64wMGZWQmh1hMtLKt1aAQO8
-tSFsTkoO2l0ebejRxDLOtQEX0P23RkeMMOIWhlXX5UuvKEmbTmvUycrb9AWjJyBS
-5BQ7xKat/Sl4z9Mq0hqiUAuXAN8od7iUMVHGfQNqz0Uey6EumVRJPuDlkT9JD1uh
-SCw0YhzDpY9I3jJny8yxi1vzVlgTwQBuqcDSWjtWOCyx2UVCRN3TO9L/5TTJgf09
-Ut5Ce01/qZbk4HQiqNqo8b50CANAp0HnkEle04nn7iIsV8ABhnYO3WTtDEpF/DQE
-j4kvwdylj+KUgwxM7EZs+FKkRtLZ5BUXwih7ZATyezlnR2qYF55VASJkFjtjErT3
-p5mQc7lXApL+dkMLhQvIPxCpa7b80ZddQI4IPS2QKSNAWjrVxPyxpAaT6VzYdD4t
-dBE54j4b32YV/0WG+IOlnlRrMaA+lfbx6w9T7KeLvkCmUZXbA9HdWkb1788CAwEA
-AQKCAgEAyFMhDquu8jpHxHP1uERPoZfYHkxgjrqW7JmZ50FrsmS8iuGVHQR7GN/m
-jQjoJo3y421Q3DgJoPAV9dWtfVjXenQHfXiYq4ay5NfwQQyD9dy+6hrpIV4Zpzhq
-Xjk/N9KsGveg+23vqzabGwBoD5OEcdMh0uv9M3BgpCsdGhltCllo4LxgyZVcJpQG
-Wnaog+uzh6pvIjzo8/KQhPgpVZXsAdixjRfaExsk2uUxcIA1DYw5J6CCWBHRSa3R
-5FuzHxUlIe+EfrZXaCRcTpkGSVrWLkTAkaeaR/PBqeMq4nZOVYqcwU09Y0YDfw9s
-p01mhB77b2Vk/R+tqKeQIyfRVlQAduQ4ONyQwHQo7wzLcWicxR06AdYDDgAsW5W4
-na0El8PG8vsUQQrdY+rVHvye7GsKGlRqzTiuvy9QVJxPtoJlMlK1ktzRbrOJjZy3
-NuP87o4rlZljcqJbcIuTY9be6JGVwKSoUGLGxV28NgOJwnNhp3NjEvp1gaQhY5w1
-DAwD1H6W7OQ2aWpkScy9H+u7aY2rOQNyB+5E79KuAOiqhi3oH4g8V/hhRFVkDi7X
-AJHPbeTa3pQ8CxNJF76p56nxkBZfxTN21m7kWqtnZ+O7YU6I47UuT2xHPEgsy28m
-lZfWACLVU0oLLSUpiuvWGAo/J0TTxVpNGmGZjSaiD7TnIW5GnokCggEBAOySIQFr
-8DDeiESmFpSbnXLNeO8CTqxUMbaidD1zf7nkZ9JuOODkBOXNlkw8ECOLzb85dEVv
-TZTbKB2mRKgtiucEQJDLiYXtQGrpJNrcHt0f/QZQwlUGi9z9yOuboLb9ypJgcRb8
-t4+BuNNInP3DGGGGpnECC/DATgvp5s4RQU9qO5F7AXSRqw4YKnFU39mE257oMotx
-ypOklhFkvaRJaSJdcANPxTJR4IFZ6zxuLfhVgcJsfoY2+vMV/8Hm03CDQ/bwvNe7
-iOEVtxVdClhEFuWZl49HbiqLKH3F8VrsFhrS7GKK+llZRMAAt+BGcocQiqLs/G9p
-tc3SZSYmAazqbT0CggEBAN+8Ckoopa2gj1a0JDzti8rn61xyYrCm8ifG2QvN4A9J
-YqvXEwcKuiILwA/nZjM1CciZPLDi7PhplHYTA9uyCXJ8gf7aeM+MlS3KElaTohhN
-TvNUsqPO8sQUtaInzJeM3HcD8UkIl3N2Czsj2zr9WjCOMFazNG3euoCYV827Kx58
-5T3T1oXnV0vlGXRN73WFkd20agkSnYRZadefFbRV5NtW84UQ19mdOtCpvbWSQ1kW
-ps9q10spuBaqvGs2xp2+ZpawzKmWitLOOFPCF+GTigz3K6B3iCi9Q9UbLtlnYEaf
-wIQTtJwMI8GLmbxyXqluQf69g+CtiqR5djfet4sXefsCggEAeGcLK1kPPyATRLUv
-auUkpkhTU3neJrEXODfIZ3pAOJE6EgyNIFCM+ZS/+P7cy+qchcWtGqXCW4+LBEQa
-T2oWdutgHRGqZaJRldghLM65WpusQKmbroCNcKUtvFRR4LCciBFTnXpzxjMkqUwc
-sr63yvMoBP4gq6CEWGXsVVbM4alUtf9fxz9YSu0btOCYqXGIAYF2MChzDN/IjQOz
-zUibnKTnnJfd6nVniQ4FvpTpCqoiR5zGbHLRGCVLLRnY5Tu5vJXb1wSYbs6JhvL6
-j9/fs22PiJm3RSncKt8yrq7XtUFClAjdz9myNvJmo1vXcEyH8tIgzGeF40JAvsC7
-O5F4lQKCAQBrZZU+4eIdxVvpD9HxWUnoXYlyOAo9p/XHuEEJ1IqAbAasXDJrB/Av
-VZqdR8OcQxJuM3iZpGSCHhRA1YHdnMnCJhg0oOSrJF2bvEsvOfDuX3XNglO6JCYO
-j65cp2QjP1+41bCmETS6HOjpO54J5AG+GxMDG0TIlMjL39UOEZFyMhvMoPpyDomu
-Ccw9MwgGTtalKOxZbJEmLdGLynaduTmBPGzq7BnhAQNxlHlXRl2Dz0bFfBDaqK0Q
-XGbTxFh08ifGoBmuMnBzHsCVHC9gffUfoipT/ezjOW7tRf4oJ+JkJF1CST9CROWJ
-C50Bg5kDFcUiJhC+8i8CIrfnu8Y5Q0yvAoIBAEnzE7VgiObij2fytS+Qo8C5Abgz
-e9ZN3cKC9vpGYK95mBnoK/TYMGj62+ETNHS244VuOCEnHk+ypnLU/yfx/eVcbq2K
-JCFjcrM2O9k9AuJidA320Zmr0NvGRIu/NZnRy6GvYSeBS2xWhY0d13IcrZM+KnBV
-64eB2aX7OI33yyFiCYeW+1fzg3qf5m+iFKQtAmLwlcWgmbcHJCXP/Z49kPw229/2
-IszEW0PbXsA22i/CVCSn7mw7M+8Cw8JkVKS1VB2bTDkTZeO1SXuP/0nmBfE3qaie
-WuWdp6bI7KPXuxcy6aPWJVU3uoA7GeGTnne29vmRs2l8MuIAswMOkCSHnQk=
-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/broken/server.pub
+++ b/fixtures/ca/broken/server.pub
@ -1,14 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzsEPkrcpB2DwVyED4A/m
-alOEQYG8KU/eKfRb3+fzmSHpyNlI7/cAhHkW8HbWyo/kZb3DPAV9iNuzDadHXeRv
-fnS4symw4IoIw0SV1TZOHfUT3e6/+dYwU91iJJCPuKpG0zI6n4ZCZ4gUGYrAGo7n
-GjtNhehRsXapRXFP5fdghtdjEW75japifaHVp4spSh8AH1dY0m50EnJL7bMQHPWw
-jZt5g64wMGZWQmh1hMtLKt1aAQO8tSFsTkoO2l0ebejRxDLOtQEX0P23RkeMMOIW
-hlXX5UuvKEmbTmvUycrb9AWjJyBS5BQ7xKat/Sl4z9Mq0hqiUAuXAN8od7iUMVHG
-fQNqz0Uey6EumVRJPuDlkT9JD1uhSCw0YhzDpY9I3jJny8yxi1vzVlgTwQBuqcDS
-WjtWOCyx2UVCRN3TO9L/5TTJgf09Ut5Ce01/qZbk4HQiqNqo8b50CANAp0HnkEle
-04nn7iIsV8ABhnYO3WTtDEpF/DQEj4kvwdylj+KUgwxM7EZs+FKkRtLZ5BUXwih7
-ZATyezlnR2qYF55VASJkFjtjErT3p5mQc7lXApL+dkMLhQvIPxCpa7b80ZddQI4I
-PS2QKSNAWjrVxPyxpAaT6VzYdD4tdBE54j4b32YV/0WG+IOlnlRrMaA+lfbx6w9T
-7KeLvkCmUZXbA9HdWkb1788CAwEAAQ==
-----END PUBLIC KEY-----
--- a/fixtures/ca/broken/server.pub.sig
+++ b/fixtures/ca/broken/server.pub.sig
--- a/fixtures/ca/broken_ca.crt
+++ b/fixtures/ca/broken_ca.crt
@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA4NTRaFw0y
+NDAzMTMwMjA4NTRaMC0xDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEL
+MAkGA1UECxMCQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGyDN5
+EcwViDB+EpOvZNfW9AJ79EiY8yiGEgXF9M3BLVFoB09wDT0ASEmPrpZhMSZb1eSM
+emUFELzuEEDtuEG0TrFFNI3/gScZm8Mp6+d7oCqWRF87ecBLfAUCmr3vA0VD/KQz
+dj8F+4UWwEXkeyzJ67vPW5n35CJrZOq9Yp8bPUoVvE1/L03wbQHeIXynEHmgPIB2
+syVuQwluhrgpNX8kEsWpy3GzusuorJ3jcTONin4y4h9pgaAZvR32mhXmCRh/6i+y
+u4NOsx11kSAgPBWdLJBQcj5HH3YZan/7n+ygTAIbXKI9sHxgPYPgXW0P/7OhaUiH
+LEcDw2ipGpYxZxj/8hkQVJ1b4YMgD4TIFHix9TeASufsZUwEkuiTYncXp7q38feq
+4z4UNqgn5ozgOT0kqVDGSiEOJTH81Tq1SUhC7FsN6UkgIVWGSYsPMyxc7V+tH2EV
+qpWCnRuw9MPr+CEZfGzM88alc65ZOwmxgIU4heTTi457d5RgXqinCBCfcUdHTFYa
+E65MWh0FdO1jrSw7KzFDd+vt0ajZ1K64+tbBhV4QvIrd2ktQDMk3InawFx2GAIEv
+l9TxC8jf+RoamPxt7sPwPzvZuiSXj4mO1H3GdiSBn94ZVzOnDT+UV/TwwyphvCtB
+OOzV2SlKZ/bl1CmD7JoRpw18W0J72RV0vd219QIDAQABo2MwYTAOBgNVHQ8BAf8E
+BAMCAAQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUze1XmPTcVbM2gSnXwfVx
+1VQ/ZYwwHwYDVR0jBBgwFoAUze1XmPTcVbM2gSnXwfVx1VQ/ZYwwCwYJKoZIhvcN
+AQEFA4ICAQC/4a4QiGt3NhEhl2fWMYDF+EAtQj82bFT8fod8rsQQZddI0baNOzTa
+9GRzAqChpoDaxzH/ErhlMs6nLL7NC6NB8Jr596cgakbIOpLcQujoajDAvF7HhbGE
+cnZWXFdjEZNkAg5RM3jCcjlnZ6HfsMlQJGO3mGPGMjHIhKv+RLquXY7NOy3fczrI
+THyJFfL99l77u3Ieo6MstfWog5IUM0PmNzf6ocXJ4o5woQcrSLJVx7hlHaU7iTsV
+e//oHh+S/yJHmeOzmI3LayMOEGRGjP2SJBqTuOak4cINutoqJnRnt8JIOvur9zCG
+rEm6aCTRi/5fqMys4vQuATPalI9/lLQa9NlMs1xoFAGjE6j8ybAUWxrAWdTWOOQd
+S7IA0TU2JTIcWt8fbKUwf4gkO8rfCcj2Y2Y4xZQu8uqZI7uXCse8yNE2zWPTqCPf
+BzA9kZs42AP47mknVGSl59HNAovBTjQuXlFZZ1BnBDAzCq49sDR5wcr4uetC1rss
+dFfFqQPPonAGcEAaKsSoaOHgVaBHfufMM7nq8JqJvZGOmLFhUgsTO3xEgnpDts9h
+cfhSS/5YVofp2Vy3+++yIkSC3NDuyNCPwfzSLA2pW1GoiIv0hdSco7ALuG9FxsCs
+gSc5qcrrTkazbjlCwM9rgM0BEH8pXOAkRAEZLlKd9eg6Lh3q4yBnhw==
+-----END CERTIFICATE-----
--- a/fixtures/ca/broken_ca.key
+++ b/fixtures/ca/broken_ca.key
@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,29382520d522b331
+
+Xf4bWUvPQD9R4uGGFXweLkKfdqwz37nHoAHXCbWu7Eb24tkyXE4ZtBrq2xyt7EWO
+GD0Am2v9S8jhvOXEYUgdDyvCaX6jQQlSo2JAyg8aeepSf7vimineQSryZVAHuILw
+lHBpD31Mxpg/sGHe+OPPMjvdoqVEPnRYZcnCpLeOuL6BqUnf387h9FSfehIAxTm3
+s8xPOM5PxXye+F2AhdjYnZehlufhYEK472ZR7hffxunMP3x/cdmOQnC6VgPnTL6M
+OA2uXTaexyFeUDQJzM0MxXTXRSqhzEZh0154TLikaK+o4Mc7P3UTIF9+wLkr43RR
+Lxiyv/ie/OAxCa2GEnWyq3wDdgBb/NR2aTdYCDa8x5R1NLYOxQf4URH9npgMVJiY
+5R1vPx2avnY3s8hWia1QztNLqWTXC9bvJnbJQ2DOndbeTLK6fIy0k9ZR2a0hrROI
+OxZBMaAGdd4PBba3IA7jKlxOYVmdpXZoNGdL0W2KTYfm4h/ktQaGpn/lS06/ohwk
+3u5bKq4tTUMs99GuaDXMQhStBsZr5jQjK8A7RKcPnTYewBthXKcwwUbvrSzfbjo4
+g1HqkArR1SRJK+E4T+xmdi4TwT7JEBTFGoKqYJ7Yv5Tlq6u7ogTJ99Y5Wg3nLnJ6
+TO2eCR6so5A6/gEMhuqb/Zg0pd1b5BJlhu+1Mn0WDRl4+zcW8X/LKzK+jjh2TDMl
+NAspIWG0ExmzR0Y6XkphhVXzeiow2HphuoIPRXUeP537/AmWN3dpDsuVCEVsGXPJ
+JJH/x+IUGzymNSFMY1K7+uwCieCv5TfLrGq2qM0R3vtL5LRx7AN/ZULLuWWe2yWv
+SSbpior9zUvxPXmXsY+wNttzt9sx9KNYXl6I5aNzN+4odJzZg/4KwO/b8altDMLW
+Zu6VAgLV0tWEic/6g6f40CmNAbewO5VMwgLQ/qlq9zM9cRjVTmo5ahobkk+sxZ8Z
+rGtMUtXyqnxcHtRkkVyFhsMVudPWLF+Mp9A3KozMJ7HnXjgJvdBNUTDjysrPbkyE
+WoFhiWaAtIyy+1RdKrQea71ZASSAdUwnOKQ+VV6dXTX+uI0FqqwRK6seX4FAbFGR
+Alwco054Gb9rNL+Eiz7p5/5lg7beVMCT8ReZF2J4FYYX/il7THUKzxJpDjJ6s0BG
+3jA22yZkeQqzY7+fnfPsAPyDWIzlpDjjY66QWDISDfNeoZZDPBqBxXHfUA3OOMRb
+S5C2fxHUjTtpIaRi5jnYaHOizExxtTB7t4uD2C7AsFOUhlkPiSSbORr8iJuKeSvu
+JkXOC1gSdpn20fCmm8IwQZeaMpYdAY8hhGzGCWdpCv8ySRIatLbbzOySMUfwLu2a
+9+tcuRPfM/8Rr1GP2vksDehC/c/C9/j44m3telnAXleW62t2gr6UN9rsD4u7jybF
+JuJkRCll1VDKE5EMOhr4+9pquaLqwidAjmpmv0nbuOMbBxFRvAkF9HesntUFzwTa
+/YBOj4emVgESjXM8FjdMOTgKY5PwKKfAvYnUOTYoEDGrqqyJzbee8f8ecw5yR9zF
+QO4BWHuurJe1vFWYLuNxZxtlnDb8+n1fT6Hpbx0wz4ReElxx2P/XLK5Mf64JUNbi
+naB7MYPzwV/DXGPBw4tsqE/UMBd44f1oMbUwImipBQ71EXUvoRzBsY/B+lG8vFeH
+JcBFLJM7ArR+BpEGJF2WgsQwLZErUl4HpG2cTjol0t2CJxDmUiz3ssQR1zxbmPbP
+4wqf992SX5VXCpMBKu0c7on2kEUyEAteaFVWnswFEyuzDW01UBkMImnxbJIddvp+
+nD+pvA6djgZBRFIxKrRRSyi0jnyfyO42u9JpEnU8KS1o4UdmukBuEEQgnToAHgWs
+GV8LNMO5AGnZGSNsJ2bo+k+wwXXC+YkHSxp6FcciyTYfnl2ikpO/E/0nkCO4EMN7
+WPpyTNkmkVZbd4WvRLErfLCd7LxGrZEpjyuejy7v/bUk+MWXLB1bNxtRLaaQ9QSK
+Ewaxdy7PmVZrpEY3xB7gZ7oUksNWQIsVGF01CO6WlGRgl2O7JkpJ7kEh3UUm5tu9
+nWVK+OAxyZQGXUYRXJXPYGMyAZsVkPvx5FJDdl5ELVUDwbwu2iNLNCszcGWK7CZT
+/e5ae2OWEY1ZYKJaoKLWHwwi2pIdAnBRP2y1sQfWXq1uVlvrOFvJrC6O1KdyJr9
+XldkRKFKbERqtllmjPXLYUNfuctN4yxlhR0Sia83quOs16b+EhHxHEwyy9lrG3CS
+qb5RwWT1hlC+20M7ssyK2vZVt9G5RvWNRfAMb6r2TsKferobgRZLA30p1OH2Hbhu
+Iynv7zB2vJQs6ptwUPYcx0+NKJQP+aeUaJc560+FMuSbRHYlsKg8prSgi7/8Z31n
+5XZPLvUJZUqH/Gc4Iyb03sPQC1+3I8V84BW11GFRm2MiO24kVzjWd/P2pmQjvu2z
+da5eqmOQVXsvnbH1rbn+6UfxgLjxuc/Pio5I13zuFopFMmQf/fKVJ8gL492/i7y5
+SsmxgMAk+Lo+nYN5qmdo8dmitkOyAJacijGRI9kBnRfaMKg8btnaOBV+0ZD+rXwM
+WUIoj/SYArwZXLys1MgXHNMWmjn+QXnyMAZ6VfCVuT7nSG52plR+YrTDATPuOAug
+Vtjw7fqM6NDXPRdu38rw+KRk42mSN+2uqxj21WVzcnTi5LK8tNmEDZR0OtYE93n9
+Ons0jYYLt1FV5yzXSxRqtiqMOtj1KDt4yqIIftH9hbtKCtcQHPOif9of7QoOJdw5
+ukc9JAAjapbt46WRrvd/ak6/F9ewxbmWcppoz3bogZKpjaPn90854h0ft9YMgBDM
+xTj14lbbRWGG9npoIElX53pG06ZtAHBEjqBBi4LEWfHwPFRZY/xqjmHNCRFjPNxy
+IAoaOQLWEItDsTy2UB/Ow0J7B6aQzHaQxgTnKZpWy+oQgA0l8v7r+5UZYeQx8f7P
+sNEXQYKHqM/sj0iyiuztVWFUWVEcWXMtdgQqMq94FRFdXXMihtgrjh3EYu1sUwgQ
+fB+l7UASUjYvBG3BIGLQSlPgj41Rv6Q4q5tpZm2543UzH3g74Cr60TPSyybi/HUL
+UPQ2OZ5vIuXnLxRIeq5qhDcugNJIqMDaVYDgEcIRkVXqFaKfDa9uFWwWypHDkjXy
+-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/broken_server.crt
+++ b/fixtures/ca/broken_server.crt
@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYjCCA0ygAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MDdaFw0y
+NDAzMTMwMjA5MDdaMEwxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEW
+MBQGA1UECwwNYnJva2VuX3NlcnZlcjESMBAGA1UEAxMJMTI3LjAuMC4xMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymbo/4oo+oi0poLAvNyXIyFLw3xC
+uO0pcALKCnA84KzTopAnB45+HLKtovkIyi4j2aSEWGVw1xXE6hsJJxpcuDeBGhA3
+4QdUP2OyYWs65rSpx1G8Yxm5zBd8wGO0dRgSA2dAUgWETUXmaRuiR7W2NLDzZna0
+LEe8jATn9Ex3o5IeVUAx3fw/sDr1AD/HkDh2dhoXB9PVDGqGBizS0qzRsDJxhH7f
+xwL1Wb4Ug7YQ0oaWniZ8dPDlxbXC4C0xsaOb6rQGSS91ivZdvNksjht4qrFnCHYO
+olqI4IFet9P/B7hcaPTe0oExoTZd0o3XNrZR/rfG0MPuKA5U2BG1E+VnntYamp/l
+fds1YYahvFUoJVQ5PzwY38nb2JjQm14iM2jzWrLrqKjkdEdqH9Gf7j8vlXki9Riq
+4vO665z0zim/u2CpraQq2VhgX6ShmoV4vmgEnD3p4MwbXqHkKtU/1kMSo15HSKBe
+b3GSFPI0EDpFYfUp0FyfFGfHtgw/Y7V8z6g65Z5c3xjvIb0r5/40mRTUJpoCJbdG
+5RG6pxBUsnAVM01G6TH5TPkRgWo+0it6+qQOAObNoPqN0dyGAfN8T1zD+BEMe6H4
+6toKSyGlAYyCcnSspy8JA9wEm91ZkLqxkc5qeav6ZPqCcN+Clf544XSWEHVLcgPD
+VpYNXNT2DZRtJZUCAwEAAaNyMHAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+BwMCMB0GA1UdDgQWBBQX2fL+Aa48uIwgyYFJOoKGfIqRSzAfBgNVHSMEGDAWgBTN
+7VeY9NxVszaBKdfB9XHVVD9ljDAPBgNVHREECDAGhwR/AAABMAsGCSqGSIb3DQEB
+BQOCAgEAfYKCbV/hvhSUqvNmQBtl8GkZ2WrDvduRQ+nQLXiUpgO28k1bieKA5SrF
+/yUyjUEoXP2lQdYxGiKNzXP+WCkldPn4mrbaAbktJABuqFW+AotOyu2juyNR8nTx
+xBFULKpXgF+DDXa7DnSqjaxEWz8TFLWTb8h1pc7Ha3kejB1U3V6HbcxLBLVLL4vJ
+ETU0V6PnjYOmHZJCQLixB4h4v0mCCns1u3OXQaR1dL9PwRVL7qzpFTbp0jF9Y2LO
+gJFuW8if80le5A+ovXJLJMoAKpKeLfSRRzPy8j4EgLw/iJO5ZLJMWOIEa1P/SLap
+xfL8yfRg5jBaMhHtdhbIku1Kmyqypch1XoZ8w5hNFY/pDVL0tff+cslzUJrFLMa/
+XKZqHnX07dN5Cyz/oAZSz4DhZ2LlYrNq0FTo8tqNr3tf7oakpyFr6fr6i8u7Mmwx
+U6Dsg1yJXnb0nA5ROWC8td714S7oIvzFbn69pyEnwGmCxBHvfTIBKoWeYlUTSxJu
+7e3wR7yia5GV8ZgmzKgB9FUd0VBDYOR3quFl0ixxv2n2slqlRwbfbJTwBdijoaCs
+FlYb3WlRRFQ1s2MiWwVHQY/SMXtan5xwT0l99pWVMS/D0y6tjALHKXWfDT4Pp/wX
+xNjPqNR6L4Ru1eTb6nuUGzKAgonn/w9bYXqLiYnRye9pIf00gtU=
+-----END CERTIFICATE-----
--- a/fixtures/ca/broken_server.key.insecure
+++ b/fixtures/ca/broken_server.key.insecure
@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAymbo/4oo+oi0poLAvNyXIyFLw3xCuO0pcALKCnA84KzTopAn
+B45+HLKtovkIyi4j2aSEWGVw1xXE6hsJJxpcuDeBGhA34QdUP2OyYWs65rSpx1G8
+Yxm5zBd8wGO0dRgSA2dAUgWETUXmaRuiR7W2NLDzZna0LEe8jATn9Ex3o5IeVUAx
+3fw/sDr1AD/HkDh2dhoXB9PVDGqGBizS0qzRsDJxhH7fxwL1Wb4Ug7YQ0oaWniZ8
+dPDlxbXC4C0xsaOb6rQGSS91ivZdvNksjht4qrFnCHYOolqI4IFet9P/B7hcaPTe
+0oExoTZd0o3XNrZR/rfG0MPuKA5U2BG1E+VnntYamp/lfds1YYahvFUoJVQ5PzwY
+38nb2JjQm14iM2jzWrLrqKjkdEdqH9Gf7j8vlXki9Riq4vO665z0zim/u2CpraQq
+2VhgX6ShmoV4vmgEnD3p4MwbXqHkKtU/1kMSo15HSKBeb3GSFPI0EDpFYfUp0Fyf
+FGfHtgw/Y7V8z6g65Z5c3xjvIb0r5/40mRTUJpoCJbdG5RG6pxBUsnAVM01G6TH5
+TPkRgWo+0it6+qQOAObNoPqN0dyGAfN8T1zD+BEMe6H46toKSyGlAYyCcnSspy8J
+A9wEm91ZkLqxkc5qeav6ZPqCcN+Clf544XSWEHVLcgPDVpYNXNT2DZRtJZUCAwEA
+AQKCAgEAl7gIk/UWvqZW9DIzE98vE9BToJe21DRCyYnttWFo4OnsQoFYIFv5wL1X
+V0DiC9wGV5Dw++oeabwRvYLCm6MxOY2xor3hhTcfOd0by9a7clCeq6BjXM3d7lT0
+2KpkjRmb9x0go9sqz1nEW6mxPZvCl0DFU1tLt52WgkbzMLdZPy26uyDBwKrjetDW
+8nbcuwj4E5N/DAkIPKRlDp/u8KlHDZLicPVB/UYEcF8BtbF2brkgkjA7PtWNB2U2
+TSDTjVsc9xQ3WgjPTXlbzsHkmimRjDIrD7afRagjzlZrj9TD6R+TdcGIfbcGYtgE
+AF7+oi6MzCkqSTd1gGUtyEGNwPpHbvyR0V3S/3Hqw7r+yIMLt7CWrX+n3j4CcQ6G
+pVHef/Gs+rBtyl3LReX28C92VvTnEtEWC8R/5OqqXe1+UpOqfvln9PEHOSXRBVAI
+ztzqma6+SgUy69b3WCMEaVL5AGFizPcJNuhUap2J5PqjZlxjy+oq/RPOwyn5aj00
+ROpXLOKnFdrkqwGw3AVKEdSUcDz4s5v8ZWgJeGS1ZiqhMUcsXzeVyV+7eQvCp7dq
+MnrdygRGNMXTlfN5dz4yZRDtYMGo8tMa/8GiX7ey5S8vQu55dXJry6i5vGK4+Qqb
+NzhwznyU7+C9h+kUJkUR8MkzDNYhwSpQVFQJ/zNSxY5x01YAsIkCggEBAPddOBuZ
+IGHyiNKZ697pn20AF6+46YyWNrceI3Y4MDzEKiFVfqxLmMxjq58gH9ZM4CRq/ZUz
+vZbet6+IbtAUCIFPv6H+LI0U8Kejpizs02CJS42uFtGVT8F78abDKkZe1Mrb++zS
+/qpoqZ/LMTOmZYTr4OZp+DmtVeSJhlYRaWWetE2b4XKjMbAmMK72v0dVPN/hQcSb
+Yi3xR+45MLEKlItaZ9IbaE6bhXZKl6dRpjqgUhU5IWA7sQkFm/b++zKTrEplA/tz
+TpPxqQPOds+RDGCCraxu2ICq62Y3FHJQK1DXFr9p0CNX9Dz9AbLK5JiYKihRFb23
+GE+gz1xF5Pp+8UsCggEBANF32S+DEIWe6E52tXgmeap9xg66dUv5YMztYsGyaTnF
+IbhdcT7M+EfxFm/vbPdd9mVREHDHu7h5kHIjWAix+DOJa/nrVmDfdtymv1cRxFse
+rcrbeOJb37GJJS9EV+N20IPmSsPj437BmegB9Rc5BjmdVWLytzod5a5Mvvp9nGzX
+SKPw5EUMR9C1bZxlRgzw6w65rB0yxKHIteB7eYgbpeBHRw3xq6PCzw3H10/553qX
+tcfQB/YJ/hnqaqixY6LmXnPHJXU2wnXWR/QwTr0rk2UgnXgcONHlQ65MR4GxIAza
+OTyu4r48XUH65F+rlHxIJqBDpVdzf/A46qOuzgs62J8CggEBAOd3XkJM5kVhGvDe
+wR1ExT7M4F05DanVAfwWAp7j8xdZhAbPJop47tEKzxRGjiQMqYzKZOGRme2sGHvz
+kaW5qT+/bRVbbzrRBmQHuT6+mQjzUDSSW53gNtJZdYVTiKJyqHHuqW0w/sZcy6TQ
+EQlAwixAQKG7NWBbN01z9rVg85v4hsU8gRixZpRrGBEQqWpJc34XHWCo+ZT9+w4K
+i+qOePNxNEciCFfOJXPMVt5lg8PGMyjS3c1b7cwAaLIWZN4t2wF+RtyrSDMd5ca/
+EuQl2UwR3AvHaWX1CfMKxWI2bGHn8sxIalA4RD4xjb5NJt03PfOd9FcjFmeklYTF
+jn9r+8MCggEAfKnzXE+Imb3FTE1iGyvq5QkNwt49yQWWEuCFEfp4naUxOGSEbXfX
+nBlj3SKFm4MUjZ/9ROHaWyQeT4+xaRtiOGnlFUx2kBjuyMuEvPEaB5DupfiQrUc4
+jpSsyMDH/dxMpPN+M6+BSYM3cdkYYMXTap60nrsNSU1Z0K5kSvhPDIfj9436jQ2O
+ACy6G4Y6dqE7g/wE7yuz0wV9GSjjX5n00tIY+7eFC2V5jR4Ois6UcWWxDkZFNq0j
+yZC2AcfxIJYySH2RUX1RpoftMus9MWCpzFno3f8N4f2sliNXu1wLUxrdTbxXvhh2
+Dm1iSq4qG7YbjFUSgO3dOSq4Ne8UPqoyQKCAQBr0KXHwlEUWGNCzlakbKkGgwp0
+0dRQ4AASWKLOM8kyYJVLDYMEm/MEPRUnh6J4sIeL//vxMWhUaWDFuwYg1keIjCl1
+3Q9tLbrIFwHdIWjR/dX5fwXJ+tzOAx+YkscIlb9206TLVbimTLeKo25EI2ZcQVb6
+MUtkpdfGBEcXTI2LRPE6KnCSy0bpX25Y79qUj5ztzLrrI2Uy7FjRpdFyKoLN6al9
+w/ELH0+dliF/RdP/t/goI0dvjS/S+KHcaQIdRcHxptk+3rl6Y9CVLDwcRL3Ttiq+
+IcnupppZ+xNXwy6P7bweDCpWKTz+BZ0w2PG8nP0XjkFl2ioso4bnt+D8g8Pa
+-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/ca.crt
+++ b/fixtures/ca/ca.crt
@ -1,31 +1,30 @@
 -----BEGIN CERTIFICATE-----
-MIIFajCCA1KgAwIBAgIJAKMtnrbM5eQaMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMTMxMTEzMTkwNzMwWhcNMTQxMTEzMTkwNzMwWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAs3+PRcgMLMquxhHB/1aN7lytduBGlXTsDNky3IQyQCpqFUdYYc5cS3nL
-Y0wtwB4v+yNJ2qNOsYOlSUSSPS1nUxDsHWiMMPC6NxsE34wuf1jYI1UQbQiAEf73
-wB+LMTuv30ZDG9EMfwiHf1VbOGKUwkSeZcMl8EX/DfmJCB9PONFHvlS1yQHnJwqv
-SvIw55UgL/7fRvmblqrMsl0g/cveSanT2bGTV6eNYlDcAfw6SsszYbKA+i5zjt9F
-puZA+JbqZ2mQ4RNi228ib9qGiS1S1YgyWqiJqGD8I15nvrWV9fA93z+kYekdc+nM
-HXtWnd296vfcGQfuRgKAigp0Q2Xr/r6IfT0etMwNWOT/ikAE7l5hA3xUdEba0xdZ
-2PYLmrb+5mtPB8uZ8K0JSrZJU70p1hlk644Nw1S6Je5/XfUZFzwLq8OotGnRzD7Y
-dyvY/DEDodiQisLtLTCI9z4F7cjadTKwSSq5Yzr8Pdq1PkahBQth1Eq8KvodOXOR
-WTVxP+YBYmbbk7EEOSZ8ZI7ppqngS6/pjcjCHobZfzJdfx8YuTrBWUHucYDqeV6r
-xYtvlDiOaxyij8vhaAJ7zLfUuVGHKPfLgHZDAH47a+1qnIq5tM2Zv8p9g7wg56UV
-aplu4GwBqNrL+5R10P2YuBgrUOZOjIOv0u5pvBjLZpTeal8KI7sCAwEAAaNdMFsw
-HQYDVR0OBBYEFOkUWSDlAWoxFoSsbnbEH9GIN8bfMB8GA1UdIwQYMBaAFOkUWSDl
-AWoxFoSsbnbEH9GIN8bfMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
-SIb3DQEBBQUAA4ICAQBi30INj8fsPRsX9p1vVtljln2dh/iOJ0shL3gz9NmUM0jV
-/UchKo5iykVrrCKVlI7DD/QFXXty20x6PnbSUwfhZpJj+AwT9G8pVD/8DBU60+z0
-1zFSUxQ2GN9RDWgoiyz1QZ48n5zl7JVzzvBAf6N3jmdvgmIoKaDpqNLmQxqNsuCW
-USMKqvqKwWfqvj8JQNYVmKdDVsoax36glVaj4qHZojul9eWS6SdDOo6a5t/xf0kP
-Upxi87dqS4H7qfa6HTVFQhqRL8JuPqTs4csojA6XJt+yYzTfs8Gf3MAyQznuwiWh
-E7kIv9lYH5APLW5LXNLizTaZtBS826f05TgBsYuYj3mGeSsr/llP4zb8u7qxL+B3
-0Q6OLK3JtPbwtaHCBxs70HOQzjWjiEF6PE3f1MhvXFjMQmQEgGzCuK69EEUWK2s0
-cIjoTLJxmQ+voWPms39gjstNLeykAygsyaYryGks/YjgchRrTtrOxUCows8knkmB
-lve7RC9xW7yQwmWacPq0ndJUL0smdsWODx+L3J0R/YmbjYIO5N8i9YFqSwFLIC2v
-ghirHq7EqZbYAaDxS6KvpeVh+f0pC8AC63FLbsp9+SOayoEQJ/gB8f+s3cxV+rNQ
-/Z6077QuDgb1gpjCWCHHjMMELtjvy+HNUmgiRfv6a+mtWOS8g5Ii3OUYFVr2kQ==
+MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MDlaFw0y
+NDAzMTMwMjA5MDlaMC0xDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEL
+MAkGA1UECxMCQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDdlBlw
+Jiakc4C1UpMUvQ+2fttyBMfMLivQgj51atpKd8qIBvpZwz1wtpzdRG0hSYMF0IUk
+MfBqyg+T5tt2Lfs3Gx3cYKS7G0HTfmABC7GdG8gNvEVNl/efxqvhis7p7hur765e
+J+N2GR4oOOP5Wa8O5flv10cp3ZJLhAguc2CONLzfh/iAYAItFgktGHXJ/AnUhhaj
+KWdKlK9Cv71YsRPOiB1hCV+LKfNSqrXPMvQ4sarz3yECIBhpV/KfskJoDyeNMaJd
+gabX/S7gUCd2FvuOpGWdSIsDwyJf0tnYmQX5XIQwBZJib/IFMmmoVNYc1bFtYvRH
+j0g0Ax4tHeXU/0mglqEcaTuMejnx8jlxZAM8Z94wHLfKbtaP0zFwMXkaM4nmfZqh
+vLZwowDGMv9M0VRFEhLGYIc3xQ8G2u8cFAGw1UqTxKhwAdRmrcFaQ38sk4kziy0u
+AkpGavS7PKcFjjB/fdDFO/kwGQOthX/oTn9nP3BT+IK2h1A6ATMPI4lVnhb5/KBt
+9M/fGgbiU+I9QT0Ilz/LlrcCuzyRXREvIZvoUL77Id+JT3qQxqPn/XMKLN4WEFII
+112MFGqCD85JZzNoC4RkZd8kFlR4YJWsS4WqJlWprESr5cCDuLviK+31cnIRF4fJ
+mz0gPsVgY7GFEan3JJnL8oRUVzdTPKfPt0atsQIDAQABo2MwYTAOBgNVHQ8BAf8E
+BAMCAAQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnVlVvktY+zlLpG43nTpG
+AWmUkrYwHwYDVR0jBBgwFoAUnVlVvktY+zlLpG43nTpGAWmUkrYwCwYJKoZIhvcN
+AQEFA4ICAQAqIcPFux3V4h1N0aGM4fCS/iT50TzDnRb5hwILKbmyA6LFnH4YF7PZ
+aA0utDNo1XSRDMpR38HWk0weh5Sfx6f2danaKZHAsea8oVEtdrz16ZMOvoh0CPIM
+/hn0CGQOoXDADDNFASuExhhpoyYkDqTVTCQ/zbhZg1mjBljJ+BBzlSgeoE4rUDpn
+nuDcmD9LtjpsVQL+J662rd51xV4Z6a7aZLvN9GfO8tYkfCGCD9+fGh1Cpz0IL7qw
+VRie+p/XpjoHemswnRhYJ4wn10a1UkVSR++wld6Gvjb9ikyr9xVyU5yrRM55pP2J
+VguhzjhTIDE1eDfIMMxv3Qj8+BdVQwtKFD+zQYQcbcjsvjTErlS7oCbM2DVlPnRT
+QaCM0q0yorfzc4hmml5P95ngz2xlohavgNMhsYIlcWyq3NVbm7mIXz2pjqa16Iit
+vL7WX6OVupv/EOMRx5cVcLqqEaYJmAlNd/CCD8ihDQCwoJ6DJhczPRexrVp+iZHK
+SnIUONdXb/g8ungXUGL1jGNQrWuq49clpI5sLWNjMDMFAQo0qu5bLkOIMlK/evCt
+gctOjXDvGXCk5h6Adf14q9zDGFdLoxw0/aciUSn9IekdzYPmkYUTifuzkVRsPKzS
+nmI4dQvz0rHIh4FBUKWWrJhRWhrv9ty/YFuJXVUHeAwr5nz6RFZ4wQ==
 -----END CERTIFICATE-----
--- a/fixtures/ca/ca.key
+++ b/fixtures/ca/ca.key
@ -1,54 +1,54 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,5AD5C95753A0AE70
+DEK-Info: DES-EDE3-CBC,d2e70acc12a86116

-NW4oxy0HmyCZQluW6/g8A+LxWALNpscFiFWSVIVaqfOWD1sFZxzsP25pG6/dE3cR
-sg5PlVZ2UOlTHoaqmtA21UKDuXnwmczqMrWtLegyz5WQLw2DpfMiEbaMhcwIy60m
-yKh9N9Agf2gE+SumpzG0De338zJhcc28ogStr6d4VECbCHqdsj39cF4Os44FH/ns
-PT332vLt1umLyYgMhvZWaXZGlYARU51vsB03Jb5vNyZPOfPbEWT6+jIukFWYuBK1
-WeccnYhjtFWjCg9zhOyYLyjb2kPJORvIPBwkjkjhRnFnMyJpRVEZNSseE1dDyzZV
-dGgVn4HmydJY4L+Mcaexp2CLAPxGEmv/C6/2sz5sffQYZ3+3BGMjXOUJSTzpaKNj
-wSLfZFiY5nZ2TpLucRmlUHU+kJvPmJzPzSPl3QrLVC/Gb0Wy3HbEZl4KWvaoTdIL
-aoBFx32j9KvnvfU9x+i2wj1Z+bFig/yH4Sxp+2EpUyE/9Hqg7se14Eg1F04skb+K
-Uorz9JELyQ01Mm6gxYhVzL1UPJKfEq7NBwDyFnjSqB2zUFnNnsizYkSgT/wBRo/9
-BtLI0YjXqeq2Y5OEvZ1t6a1XB9gLOx9isyA9GooXR6iaWg+9vwOm2Woo5MgNWA4b
-JUYteTqXktdkqMgk7Rzz/xB9U/bAo67gMz3LR9SYYX6YPOEMcTLQfF1njPzD0fCk
-WhWTfVOmPNJFoZUe5pfA5uLpNmC8fIDCFYFwRInImKfSd7SBQ70cF9LV8xvjOHCt
-Sl2cdipumILO5+UfsN5EAhMPpeh8Xk+b54IAE77tnE+CRi02nw7G+7Jt/QGIgckR
-ymc2+JYRdbS/Wd87nY7ipTKspV/1Bjus9cokKD3mWfURPzQOWWNpgRsB+dnkK+HB
-muecoNeoWwLQ6Z11wU5B36qVtFj1/wfkMUH8LlBXqfIDHmvH9vNeLOykiZyudn0n
-CjN6+hq9Gy49T141lw3Ek9XHo4mly6lQQtFdtNI9/PHyGlctqVIeMZ4WXvE3ohxq
-mq0AMWqb39BHXjrno3gru039rhe6Jf/+vhbpsF+ZT1LquptL9x+ggV1U4D7d2/Mw
-oY3DKc5jjUYsnJNFWarSc8M0HNaHcYXi6HshfYDqamUVWiQVaw2W4lLti8A+vBuw
-NwWHQ0vI8XwIKEiWJ9/e7xSNuHp7SF8zbBKDXgnuzG6V76iASay2xEtpoJUTRMk7
-ckMa+x4IftAr2Z5KuJk9As6mSDIraTkWu7lnkIt9C3dXJR5yOIhF+XkQOoKSEjJ2
-lKh7rkz8O5HkvAubXre64MYvokdxhCFQaHPGcB810+hJQBgAcClWLHoF9acY/3ca
-L6tnoGqS+B3ZPugtQqHkLzFLMMB/qI7MUUNp7DcA6P8H35L0fpX3I6mg4cty0G75
-f96KnUQDuHxis9Vqf46dh2vjZXYHAOnjTl/BqxY+vqmzSRblY81Sx+2q1U5u4OvG
-WuotIykrAMIxDED66fE+67+kugrX1AMVNCty82BA+xeXim/cExOxnn578hhtIWiI
-aBl1zq9KhACnHC7tVNrHXA1auhIdpk0i+WCMnPI5KFfTcSL3/PZaf/3+IagRouNl
-pLK6Y3ZGgEbxL+fD7p6PJ4UQUUFV5bKHEo4S6sb0iqYBRZwfQq4VCU1bdtETMc9S
-7/0ViTdOiEb37/Wblyqs1Q/aIZ809nPobGxkCY4uYnLZIYdvlxAO7eLS5cLZ3Yln
-JFR/be0wQ4hztLgcqyVpr53qiVrlZkuRgwdyBiOp9Lf051M7hsNlEuVy32LFV4or
-ED5fskmKhTpsX7gxhXWPqZbKYJo27Ahze2JA/luq5Abav5wq4eXduf4I0SDUlwEV
-BLZVq0uIz/lHc1JrfuD+d8mUV8NMUByrKATX2kEccfYgepAs8IcBdXJfYTBmDG+7
-JU2cBbMCV1Ktf0tL8I/njI6QEwcPVjI+2fzKEkV6qz37Gwb6Fe5MT+1KtecuxG4a
-vYEKVXYlSEJSxeXDV/Mdb/iXn1CoGG/A/EXirq8GLZUo3J8ftwh2EFkKLjJ/jLdr
-RvtJqBg/6AD23DHwD33znpG9wKj8XY5vPJ4+K7xDvURhyqZWt7e6BkeKDaMwFAH6
-Hk2WEy48c7X1PRspOrHpRGZdVOjlElDQWrWr8eDZNl9E6noXuXDLampNp0sURvi/
-py22lh0xAGPxjj+N3ahNqweVt4pRmNmprSIkw7eX4jbe5XTdzp4YNGvA4zUNZqB5
-8WElwbVZG+F3kx8+vJ10z/PSIP1GaF9wk6ChqBNi945A8VBkZkry1W5Km63AQCUW
-ejRjYm9TnV2zhIS9eVL80+LSJhyTobZbebQ/1gVck0SIpbm7uyp0mGNxvhtV25SA
-t/WIFyOBWQzEDyzmc27VEHtr9mIZi25AiGaktzMfLKEZ+ZSfMKo3udwHc3uKX9fg
-iVN/arnKFbtRSYI7DMJsFYLFyLASy23jNn+OhxgNJRGvhmaaHpxLoL0kCBqIIqha
-SffOlLhCPxdqsP6UZ0Y8DJdAGx1LeFzaLbizTrAJ2TmYys2cawRbkH9ufaoBWxpx
-rKYGii6N0yaqk9IJqz/h/WxPJmGuJF8J4yDi7jlJWTmw/l17G74LMFstD8qrUtSN
-Vv4wgEeq6CeqIOCzRpo2E4nJ6uaRRatVyI9sDAb403dgeR76QoM0qhXeVRZgegT7
-iNtI5vhGsSv1xokr1WJ/cyOjnTrcCE7qGH97IMaquIWniMDw6I1vY3eLK6w7gFtD
-HmsA/TQ59PgDVHP1wthzSQFpEXu2fOqrShBDF30m0MV5SlemVHxLYLl9ApEDUWbD
-hQZP9r1zdWzQHiBrO0tot6SFHi4oSCtBY4cquvFAO/9HSdhlBZgBsBl3MFgc1sBG
-E0DqNsHrykoHkSpqSJNNwSz4wxYpGmu1asshv4wBnoG4k4MGDgiuKpQ7BiKfz7EE
-89ZARgv9cac43KZAnP3VvPpLURvjjjarQIuCS5M61vEOYr9e77v+YOQmvmcijWmt
-lNKeTlZMqYYa0FSDxOQ2WtmTqQXCv5oMrgEo5AZ3WWnDus+5UFFlLmgQ9u6u2QB1
-COpJsJ/4+vfqQ+aqWBPIL639kwb2yqJzi3naAqKk/k8ze0BEQC71oFK+nr7s93Oj
+uAmKZ41MiYTa7CappCFEcLL/kWRX4rE8DJG3sL59lv3j/6bYFkdczy3kgrEWm4Pn
+pveJEssQkszXHkjA3vHx8nlTvfQOwa7ggcc76LNYj1sPHawVRNA0pb6WvjDzN7D
+JMgAnptVuZGP8N6ZIzFvr5Rf58ar5Y2aI7Ti6KxLZvqYojgvz5dzGimC3+SwDlFy
+Q2kwBA/HT4X9w2qSxpQ7WGPw2pkYILZ4Nxfqh9PWHd0Pk1d9KoLhbU5LEtGSy/y9
+9jqKsUqBzp9905t7d2KmFDF9Nd7XvHrDZDPILlKcQYnBxg6c1ChH1NkIqdAW7lQ6
+dAKAFZlMpVb/ArFBjhioljBIO+gLcWxYseHXbteOgbC1cw5xcBTHqH+7RotFH1VO
+ya0DFeW2CyPj4mp7vORD+IOVQaG4H5j1vJXqA9OPBziZR+lHvD0gVJqZIquXIQlW
+MBpX5CfV/3xITb6o0wA2OG2qlNM+VbKzg/cqh/kkusAqcfXIByh16K85k4jwPrBG
+wsYWABgw1vLlrCJ7ug6P2rb6VmzTbMqe4gpqUROgCS36ARjs5eDBDYZsX6NaGSh6
+twAUfzpwoGNuHwUpIYf5BjH1me+tnM0S8tAEtCFf9hy88nCg6v22cWQuAD6+6P6B
+Skl/UYT4sxeeETFv7Vf70wLnBMA3/uymBM75FhPyD5Vvg9fxz7aAJbfB2ovUVZ/v
+l3HCsCo8y7DtEXoiBmPCH28JWVhIZbmP3dYnU8c86SubhNWm0yjJIIwoghyFmCcO
+Wjs0XkVUUa9fGrl6Mc6XQIGsS6UdQkFoIcO+dtIFPg5C5GWnPnF53ro0J4pGcyR0
+zgt9ubCcFKNz5Cbcfw7fKJwswMt6zXtFxE/tVvOq2EPAPrmYYwPrnvbSNbuVL+as
+OT5ukITR9MDsYR/19jFUsdRDjSvUQVwqH7PiKwTnZouuJUhYHfj3Bjhz6cWzadcd
+pNdxqSgEeSzvaz390p1dOpN/0d1ItXlp3za6JZUarVkx8yH9UCFfpEEisPYgTASf
+F2xIrWHgZY+87OjPluU+Gym12ldcs0dbySgsxhKZMyAUd0DB2Knnmug+cqVvN+xo
+rJ2pD7J08zmQSRGyAUsbeUnuGb6fGNxaD5QpEN7nK4x3K1Q5N9QQ3RwL4Ik6jV0N
+eO0LzXF/BZbOAvl/OXAse1f5c7FO21oUw6u6iI0xvTJAcnaH/0eE2N6Y9Lwt507K
+HxhuN5j58/sOeb6kfkX563SoKSdYSrBqIaogDZFCtKpEBevsRM+QRdzAc//Fm67U
+Zs2K/ADM8+IaQN7uhm8IAPtWEnJ5+9rM2PCF0NX+7qa9HtZxTd0cqbeL8Ayx4i/T
+dHvN8k3kPuC+6He7+eZR6EQpN5GPt5SX3QGgKOQbbwBgF8mS/R0zaZpHvaqTY4Bi
+RfsLbRBGoTvR8YjqaQW91tExe5FghH7k02slSGzEzgs/ZhqPMCLNC7uFcSKcx9jA
+Bj+GmrYOMrUOYLQPT1iRtBFjLEUGPlvUGlaJS/JcvBN6DPW375tQHk7kbpVcudPh
+6vVXftuDiYEJk1TIQLt3QdC9s6ieVuAds4KDjYaTZz4s5W2Lkwo5AZzwLeMRank1
+96okoO1qRaDgagHsG8yPIwq+8/b/8dNl7E+wsbAWwLXLhYZGqDmHm/16pv/Ck59W
+LXLoJfrOdKBoxTTZulIsTISZ14Bj87QWPW26kI6So9V5vN60rb2MWrd+HU46Qapi
+JCsfCVsi715GUh4IkqAnec26TuXW2THcOp3p19SyubuJ33XqUR9H7BOZuBsIFeZV
+8sihbgjJ/zb7fZ7AGT3VmAxEtgFi8u2NOBN/WqYb++khtXgnIbOhBx9PuhOBofrO
+4M0R5s6F2SpbX2LEBJFN48wIlRmSMTsKdmZmA7f0IuxjYIcotBdRCGoXRlJJnZeH
+7WriXQJsq0517GlrqgYMDx26xHJy/ao+zcDxsCtftzAQvENuGr1lzsCdIcGXs+FU
+7C8qdmqSXgZgltFQpyR7+PMikXcdYdzkT3BjFh+VKJNiAeGXNnVXQH7L/V49zaij
+BRYWWtHwEDz50vSzZz3fnrFl6Pk8tny4bKoLjB4vBjMlb4yte7LcK+vbfDdreISD
+cDqfpzjAmIpv1GoQFKWGLQjagvwiAfOA8GUivEG9SQSAAImkV9qkr5qYzM7Jn2WU
+icA8D0YfuILpGxTOQc1SgDMOiGboCB+f7cxPsjXHbVahNyxxAbDbTjbc6v7q1oiy
+PESoLaBR0Bi0tdKivvbB63ok2Kq9XneFrQeCIyrhkXIvYDEwdcoCBpL1DEotbU+D
+YjZTLr4UW92xi1M4d94zmG6pyJsfC4sHGflY5paml9dLiEy78rCPfrJkrSSUplf+
+8CjfUoZsbq3haE0N4TbqV0I0W2Fm/a6U113CTRYxj9DeA3m/HFU3TLzk9Vg/vGxP
+/xltsu/wd/GoyoD9OhWhW1Ck9dtQ0G64hQjeXVd/pzsDCMT8hrtKSlX1Q7vK96ml
+OJ9Ju/CdhX2lJA8BrGVh4HS1fsuNFjr5KqZAY6MwFpjAPqvqD7WFE3Yflk5/7VtX
+bsvBZoN2vp9hprXsgm8/KmSNnWxzQY1Nps4XjRJVYeTmND5EyQClGJyCYKg0QVDo
+7L/2GAhnOrSLkAHOcYAlrNhZ85yBiLhjJcvWyT6DDcMpCusgictI2Qv2ZjMmz46v
+62PzHm0/Z3yQMcJnpRO79OdodbY22Eg9xZGGhBp1Xbm/OXYLaEpGW9S7DqPvlD5v
+O+VxENxJNwDELK9H2auGJAQdORwgF0VfvZxN6tGRyb7eI6aJj04YYMBkg5Nds+AR
+sNEdGNzqKm8sWvINSoX+BCOyjElOSRW0glK+ala5Y7/mM3+KOWgMas2LZBcLZfBr
+1/Z0DPIA2CkFtT1VsBKa+fSkEN0s+PRLRV/QWrcMbkSvIaKcswMwoyvI6OcddUEz
+YgjAOZ3TdnRm1DMqZHIsPOj+3xQv6nETqSwhvLJT1wJwnJQVbxjZwoUmJKSsZDEB
+2xL9OWlhFNY2qS7F77vv2ZUJYLYniiTGrC09AAQ4ti8zWnY1gqtaCp+1wynt/Abs
+9gGcbEIaQGWhpVjPtlKjNm86jGP0IXPaAgaOViIuBH+0GeVOLuUMLvb0nL0NWMJa
 -----END RSA PRIVATE KEY-----
--- a/fixtures/ca/generate_testing_certs.sh
+++ b/fixtures/ca/generate_testing_certs.sh
@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# This script is used to generate all cert related files for etcd testing.
+
+# location for temporary depot
+depot=".depot"
+# The passphrases for the keys are `asdf`.
+passphrase="--passphrase asdf"
+
+# etcd-ca could be found at github.com/coreos/etcd-ca
+if [ $# -eq 0 ]; then
+	# try to find it through $GOPATH
+	IFS=':' read -a paths <<< "${GOPATH}"
+	for path in ${paths[@]}; do
+		if [ -f "${path}/bin/etcd-ca" ]; then
+			ca="${path}/bin/etcd-ca --depot-path $depot"
+			break
+		fi
+	done
+	if [ "$ca" == "" ]; then echo "Failed finding etcd-ca binary"; exit 1; fi
+else
+	# treat the first argument as the path to etcd-ca binary
+	ca="$1 --depot-path $depot"
+fi
+
+rm -rf $depot 2>/dev/null
+# create ca, which is assumed to be the broken one
+$ca init $passphrase
+# export out and rename files
+$ca export | tar xvf -
+mv ca.crt broken_ca.crt
+mv ca.key broken_ca.key
+
+# create certificate
+$ca new-cert $passphrase --ip 127.0.0.1 server
+$ca sign $passphrase server
+# export out and rename files
+$ca export --insecure $passphrase server | tar xvf -
+mv server.crt broken_server.crt
+mv server.key.insecure broken_server.key.insecure
+
+rm -rf $depot 2>/dev/null
+# create ca
+$ca init $passphrase
+$ca export | tar xvf -
+
+# create certificate for server
+$ca new-cert $passphrase --ip 127.0.0.1 server
+$ca sign $passphrase server
+$ca export --insecure $passphrase server | tar xvf -
+$ca chain server > server-chain.pem
+
+# create certificate for server2
+$ca new-cert $passphrase --ip 127.0.0.1 server2
+$ca sign $passphrase server2
+$ca export --insecure $passphrase server2 | tar xvf -
+
+rm -rf $depot 2>/dev/null
--- a/fixtures/ca/openssl.cnf
+++ b/fixtures/ca/openssl.cnf
@ -1,337 +0,0 @@
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-# Policies used by the TSA examples.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir		= ./demoCA		# Where everything is kept
-certs		= $dir/certs		# Where the issued certs are kept
-crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
-#unique_subject	= no			# Set to 'no' to allow creation of
-					# several ctificates with same subject.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-
-certificate	= $dir/cacert.pem 	# The CA certificate
-serial		= $dir/serial 		# The current serial number
-crlnumber	= $dir/crlnumber	# the current crl number
-					# must be commented out to leave a V1 CRL
-crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
-
-x509_extensions	= usr_cert		# The extentions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt 	= ca_default		# Subject Name options
-cert_opt 	= ca_default		# Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions	= crl_ext
-
-default_days	= 365			# how long to certify for
-default_crl_days= 30			# how long before next CRL
-default_md	= default		# use public key default MD
-preserve	= no			# keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy		= policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName		= match
-stateOrProvinceName	= match
-organizationName	= match
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName		= optional
-stateOrProvinceName	= optional
-localityName		= optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-####################################################################
-[ req ]
-default_bits		= 1024
-default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options. 
-# default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_min			= 2
-countryName_max			= 2
-
-stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= Some-State
-
-localityName			= Locality Name (eg, city)
-
-0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Internet Widgits Pty Ltd
-
-# we can do this but it is not needed normally :-)
-#1.organizationName		= Second Organization Name (eg, company)
-#1.organizationName_default	= World Wide Web Pty Ltd
-
-organizationalUnitName		= Organizational Unit Name (eg, section)
-#organizationalUnitName_default	=
-
-commonName			= Common Name (e.g. server FQDN or YOUR name)
-commonName_max			= 64
-
-emailAddress			= Email Address
-emailAddress_max		= 64
-
-# SET-ex3			= SET extension number 3
-
-[ req_attributes ]
-challengePassword		= A challenge password
-challengePassword_min		= 4
-challengePassword_max		= 20
-
-unstructuredName		= An optional company name
-
-[ usr_cert ]
-
-# This is required for TSA certificates.
-# This is required for client Auth and server Auth
-extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth
-subjectAltName = @alt_names
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
-
-####################################################################
-[ tsa ]
-
-default_tsa = tsa_config1	# the default TSA section
-
-[ tsa_config1 ]
-
-# These are used by the TSA reply generation only.
-dir		= ./demoCA		# TSA root directory
-serial		= $dir/tsaserial	# The current serial number (mandatory)
-crypto_device	= builtin		# OpenSSL engine to use for signing
-signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
-					# (optional)
-certs		= $dir/cacert.pem	# Certificate chain to include in reply
-					# (optional)
-signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-
-default_policy	= tsa_policy1		# Policy if request did not specify it
-					# (optional)
-other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
-accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
-clock_precision_digits  = 0	# number of digits after dot. (optional)
-ordering		= yes	# Is ordering defined for timestamps?
-				# (optional, default: no)
-tsa_name		= yes	# Must the TSA name be included in the reply?
-				# (optional, default: no)
-ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
-				# (optional, default: no)
-
-
-[alt_names]
-IP.1 = 127.0.0.1
--- a/fixtures/ca/server-chain.pem
+++ b/fixtures/ca/server-chain.pem
@ -1,63 +1,61 @@
 -----BEGIN CERTIFICATE-----
-MIIFajCCA1KgAwIBAgIJAKMtnrbM5eQaMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMTMxMTEzMTkwNzMwWhcNMTQxMTEzMTkwNzMwWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAs3+PRcgMLMquxhHB/1aN7lytduBGlXTsDNky3IQyQCpqFUdYYc5cS3nL
-Y0wtwB4v+yNJ2qNOsYOlSUSSPS1nUxDsHWiMMPC6NxsE34wuf1jYI1UQbQiAEf73
-wB+LMTuv30ZDG9EMfwiHf1VbOGKUwkSeZcMl8EX/DfmJCB9PONFHvlS1yQHnJwqv
-SvIw55UgL/7fRvmblqrMsl0g/cveSanT2bGTV6eNYlDcAfw6SsszYbKA+i5zjt9F
-puZA+JbqZ2mQ4RNi228ib9qGiS1S1YgyWqiJqGD8I15nvrWV9fA93z+kYekdc+nM
-HXtWnd296vfcGQfuRgKAigp0Q2Xr/r6IfT0etMwNWOT/ikAE7l5hA3xUdEba0xdZ
-2PYLmrb+5mtPB8uZ8K0JSrZJU70p1hlk644Nw1S6Je5/XfUZFzwLq8OotGnRzD7Y
-dyvY/DEDodiQisLtLTCI9z4F7cjadTKwSSq5Yzr8Pdq1PkahBQth1Eq8KvodOXOR
-WTVxP+YBYmbbk7EEOSZ8ZI7ppqngS6/pjcjCHobZfzJdfx8YuTrBWUHucYDqeV6r
-xYtvlDiOaxyij8vhaAJ7zLfUuVGHKPfLgHZDAH47a+1qnIq5tM2Zv8p9g7wg56UV
-aplu4GwBqNrL+5R10P2YuBgrUOZOjIOv0u5pvBjLZpTeal8KI7sCAwEAAaNdMFsw
-HQYDVR0OBBYEFOkUWSDlAWoxFoSsbnbEH9GIN8bfMB8GA1UdIwQYMBaAFOkUWSDl
-AWoxFoSsbnbEH9GIN8bfMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
-SIb3DQEBBQUAA4ICAQBi30INj8fsPRsX9p1vVtljln2dh/iOJ0shL3gz9NmUM0jV
-/UchKo5iykVrrCKVlI7DD/QFXXty20x6PnbSUwfhZpJj+AwT9G8pVD/8DBU60+z0
-1zFSUxQ2GN9RDWgoiyz1QZ48n5zl7JVzzvBAf6N3jmdvgmIoKaDpqNLmQxqNsuCW
-USMKqvqKwWfqvj8JQNYVmKdDVsoax36glVaj4qHZojul9eWS6SdDOo6a5t/xf0kP
-Upxi87dqS4H7qfa6HTVFQhqRL8JuPqTs4csojA6XJt+yYzTfs8Gf3MAyQznuwiWh
-E7kIv9lYH5APLW5LXNLizTaZtBS826f05TgBsYuYj3mGeSsr/llP4zb8u7qxL+B3
-0Q6OLK3JtPbwtaHCBxs70HOQzjWjiEF6PE3f1MhvXFjMQmQEgGzCuK69EEUWK2s0
-cIjoTLJxmQ+voWPms39gjstNLeykAygsyaYryGks/YjgchRrTtrOxUCows8knkmB
-lve7RC9xW7yQwmWacPq0ndJUL0smdsWODx+L3J0R/YmbjYIO5N8i9YFqSwFLIC2v
-ghirHq7EqZbYAaDxS6KvpeVh+f0pC8AC63FLbsp9+SOayoEQJ/gB8f+s3cxV+rNQ
-/Z6077QuDgb1gpjCWCHHjMMELtjvy+HNUmgiRfv6a+mtWOS8g5Ii3OUYFVr2kQ==
+MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MDlaFw0y
+NDAzMTMwMjA5MDlaMC0xDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEL
+MAkGA1UECxMCQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDdlBlw
+Jiakc4C1UpMUvQ+2fttyBMfMLivQgj51atpKd8qIBvpZwz1wtpzdRG0hSYMF0IUk
+MfBqyg+T5tt2Lfs3Gx3cYKS7G0HTfmABC7GdG8gNvEVNl/efxqvhis7p7hur765e
+J+N2GR4oOOP5Wa8O5flv10cp3ZJLhAguc2CONLzfh/iAYAItFgktGHXJ/AnUhhaj
+KWdKlK9Cv71YsRPOiB1hCV+LKfNSqrXPMvQ4sarz3yECIBhpV/KfskJoDyeNMaJd
+gabX/S7gUCd2FvuOpGWdSIsDwyJf0tnYmQX5XIQwBZJib/IFMmmoVNYc1bFtYvRH
+j0g0Ax4tHeXU/0mglqEcaTuMejnx8jlxZAM8Z94wHLfKbtaP0zFwMXkaM4nmfZqh
+vLZwowDGMv9M0VRFEhLGYIc3xQ8G2u8cFAGw1UqTxKhwAdRmrcFaQ38sk4kziy0u
+AkpGavS7PKcFjjB/fdDFO/kwGQOthX/oTn9nP3BT+IK2h1A6ATMPI4lVnhb5/KBt
+9M/fGgbiU+I9QT0Ilz/LlrcCuzyRXREvIZvoUL77Id+JT3qQxqPn/XMKLN4WEFII
+112MFGqCD85JZzNoC4RkZd8kFlR4YJWsS4WqJlWprESr5cCDuLviK+31cnIRF4fJ
+mz0gPsVgY7GFEan3JJnL8oRUVzdTPKfPt0atsQIDAQABo2MwYTAOBgNVHQ8BAf8E
+BAMCAAQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnVlVvktY+zlLpG43nTpG
+AWmUkrYwHwYDVR0jBBgwFoAUnVlVvktY+zlLpG43nTpGAWmUkrYwCwYJKoZIhvcN
+AQEFA4ICAQAqIcPFux3V4h1N0aGM4fCS/iT50TzDnRb5hwILKbmyA6LFnH4YF7PZ
+aA0utDNo1XSRDMpR38HWk0weh5Sfx6f2danaKZHAsea8oVEtdrz16ZMOvoh0CPIM
+/hn0CGQOoXDADDNFASuExhhpoyYkDqTVTCQ/zbhZg1mjBljJ+BBzlSgeoE4rUDpn
+nuDcmD9LtjpsVQL+J662rd51xV4Z6a7aZLvN9GfO8tYkfCGCD9+fGh1Cpz0IL7qw
+VRie+p/XpjoHemswnRhYJ4wn10a1UkVSR++wld6Gvjb9ikyr9xVyU5yrRM55pP2J
+VguhzjhTIDE1eDfIMMxv3Qj8+BdVQwtKFD+zQYQcbcjsvjTErlS7oCbM2DVlPnRT
+QaCM0q0yorfzc4hmml5P95ngz2xlohavgNMhsYIlcWyq3NVbm7mIXz2pjqa16Iit
+vL7WX6OVupv/EOMRx5cVcLqqEaYJmAlNd/CCD8ihDQCwoJ6DJhczPRexrVp+iZHK
+SnIUONdXb/g8ungXUGL1jGNQrWuq49clpI5sLWNjMDMFAQo0qu5bLkOIMlK/evCt
+gctOjXDvGXCk5h6Adf14q9zDGFdLoxw0/aciUSn9IekdzYPmkYUTifuzkVRsPKzS
+nmI4dQvz0rHIh4FBUKWWrJhRWhrv9ty/YFuJXVUHeAwr5nz6RFZ4wQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFfDCCA2SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET
-MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
-dHkgTHRkMB4XDTEzMTExMzE5MDgxMloXDTE0MTExMzE5MDgxMlowZTELMAkGA1UE
-BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp
-ZGdpdHMgUHR5IEx0ZDEeMBwGA1UEAwwVaHR0cDovLzEyNy4wLjAuMTo0MDAxMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1XBtjDav5Sl3H+/fUcGiQO36
-oqtZG+YuC9D0z0u89Shq+XNs3tRtonGGCyEIrDtI6R7PItMJa6rQ1VuFoMWPrjmF
-f5tFemSOZtQx/DF78H+5tWaIBVDA+Kw1zxdqj1n3/AQjAGsSuqhgcaIQQFqTNNtA
-tW40048fDh17jWIDB9baF65az2uArq97uS4deDujG3CHV9svO7hoqpzYt039VDKK
-4N+dDMUZFqhEmY2MqjyQySY2bd/gsYBjcGWSIuonALactiYDc4zIusAfNptnXycw
-K/aQAqDwhwMcQA9L5YKQ5hoUukDTQFbvoNLJ3vNQDI/o8sjCh94EkMuopSp90tJ/
-syTPKRlh/MaGMXvwu8Vab5iPeVop48jTKl3Z+G8NErGM8KKCyd1mQoGisVuIMQPK
-uJUi7jOu6wgXlA8ZgUGfSQQDA4v2Q0tV/GlJmvsP5JshA3v7C/sSBY/3AnPHeWTl
-ozXlNgXitxps1EwgR2jo+YW2gxrfM//xtgMCjMXjO9g2TsCnWR6j93oXWn88UP/C
-eAcyjeTdJjW+piuLdvYOctY6+Yql5gm9Vx0u+w9jTmpzOCoh+9cNtjqmPiOhecFc
-Vf71vMf4krMp6lmY/Nq1/km9u0ViNP5CJHk18YXG42vnj7sUgT7WgpLh8g/iPc2p
-etH9lMd9te+Jyak/zA8CAwEAAaNXMFUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
-KgYDVR0lAQH/BCAwHgYIKwYBBQUHAwgGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNV
-HREECDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA4ICAQCmF13fF7kAcgCzRKBCpggz
-ObVNSK9btGKUU+xyOZsRgEDWdfeBvG3VzXflLMDv3P45O90CHkcGfckbj1ISctIY
-0OSnCn4vmIwnhwUWyYlCagtNB68GVcPH8XLxn/wsnT2MbiA/ohUStKXQtBmBxIUH
-rI+7r28qcHW7AnT47G5BbSYzW0xYzlkUwyl8rBxRLDKVTHBJ5GmlREJKdAzKS7CS
-6jhcsxa544Rsa7CDvjLKpJO0iploL0/GY+5oj3VdhgdEJgwqwvu3skfd1N8wkxH4
-NQuRmyvXxcMSxKv4vbOOUm4PfOqOwwXiVZLoc29ePUv9zCU2AVdS21DD9zAZeKDb
-B87VWnQKO6JUvL5vX7xsMnsSbnLHGA2kPv4IDZ6jKuZdVneM+whDZlBWpHRL2RKX
-K0JZICf7+EbmrUW3Rwl+dIaIJ55Ni1rfDSZWeIYKFx04Mod6Wbch7ahb/XVvIDe9
-SFjLfeNj7L/Iz0i+1lTarAMxIRC521IwcobhAxqxYCv3oNf6f+tz8DyCCvsTCc9W
-/OLKX7sukh1ohle+0EFrSYpX5PzkHwZRVZjx55KwkIV/KtwBadJv+z6iwW3qOn/A
-/1yC8Mbc2TdCaRPwFO80LAg9cz+XfT5vZoQUvOnOxIrhFnasQ/xiovy0zKCr2Fjg
-ePQ4BNEN9wt3SsPp8ig39g==
+MIIFWzCCA0WgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MjJaFw0y
+NDAzMTMwMjA5MjJaMEUxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEP
+MA0GA1UECxMGc2VydmVyMRIwEAYDVQQDEwkxMjcuMC4wLjEwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQDI3EvqJrLWsnPbjAT8ENiMRyBINhhafubi5Nb+
+glEzkbC2kv2zXkVkpkBubDRwyh3eomSbdwKYk3yz+IopT753teJueRpMPq9Ayr/+
+PZl4Y1tG04KcjfOvOls6zPsDfHzluR8TE705If5wwZu3Bdwxzdtx9T0ROzIEgRt0
+Axuce5qkg93IWNxOrIr+4LCxYfTpvpTXO20lz0IuQNm1Opo9PVoWn7PXdOmuCzSG
+2hW1DcKqSyQP7IkplBJS0EhoovIsXavSkPKJssvQj73ZFIBVgKhXuHmPNdrypaQk
+CtxsqbVdOOlojItqYTTDAiadwRQWkYgDOSQCGJiPqYVJx+rH4MlzxQ6n9x2qIcne
+lfMr+VFDEc1YvHu1XLMg5b1ImD6ChutYW0RhFJ3CQVdQR2i4kJ8T1DSJYLISMODZ
+ux1cZaUoSL/EkrC5/8POWZmP8nJXO6A4wrZDHF30/qWpo+T5PvsA6cABfX1jkcTx
+PBXGK1qOZ8rToTxprJ2zc3zuZNxSgM32nzjcPUgn559Mgdl0HR4c4JeTZGsebWmx
+MWmkz//BV4eUaGHqCpzRQHf3YIxysvDC2Xf4z2Alk8AlLRXp7/ksatdxAtyc+y8+
+MWCc6N0YbI9zjv+ezCBqR+mu1P5Tb0HebPFz3dOdIpiC3kU8QyMEagw8u5xliZs4
+AxwdNwIDAQABo3IwcDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
+VR0OBBYEFD6UrVN8uolWz6et79jVeZetjd4XMB8GA1UdIwQYMBaAFJ1ZVb5LWPs5
+S6RuN506RgFplJK2MA8GA1UdEQQIMAaHBH8AAAEwCwYJKoZIhvcNAQEFA4ICAQCo
+sKn1Rjx0tIVWAZAZB4lCWvkQDp/txnb5zzQUlKhIW2o98IklASmOYYyZbE2PXlda
+/n8TwKIzWgIoNh5AcgLWhtASrnZdGFXY88n5jGk6CVZ1+Dl+IX99h+r+YHQzf1jU
+BjGrZHGv3pPjwhFGDS99lM/TEBk/eLI2Kx5laL+nWMTwa8M1OwSIh6ZxYPVlWUqb
+rurk5l/YqW+UkYIXIQhe6LwtB7tBjr6nDIWBfHQ7uN8IdB8VIAF6lejr22VmERTW
+j+zJ5eTzuQN1f0s930mEm8pW7KgGxlEqrUlSJtxlMFCv6ZHZk1Y4yEiOCBKlPNme
+X3B+lhj//PH3gLNm3+ZRr5ena3k+wL9Dd3d3GDCIx0ERQyrGS/rJpqNPI+8ZQlG0
+nrFlm7aP6UznESQnJoSFbydiD0EZ4hXSdmDdXQkTklRpeXfMcrYBGN7JrGZOZ2T2
+WtXBMx2bgPeEH50KRrwUMFe122bchh0Fr+hGvNK2Q9/gRyQPiYHq6vSF4GzorzLb
+aDuWA9JRH8/c0z8tMvJ7KjmmmIxd39WWGZqiBrGQR7utOJjpQl+HCsDIQM6yZ/Bu
+RpwKj2yBz0OQg4tWbtqUuFkRMTkCR6vo3PadgO1VWokM7UFUXlScnYswcM5EwnzJ
+/IsYJ2s1V706QVUzAGIbi3+wYi3enk7JfYoGIqa2oA==
 -----END CERTIFICATE-----
--- a/fixtures/ca/server.crt
+++ b/fixtures/ca/server.crt
@ -1,32 +1,31 @@
 -----BEGIN CERTIFICATE-----
-MIIFfDCCA2SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET
-MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
-dHkgTHRkMB4XDTEzMTExMzE5MDgxMloXDTE0MTExMzE5MDgxMlowZTELMAkGA1UE
-BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp
-ZGdpdHMgUHR5IEx0ZDEeMBwGA1UEAwwVaHR0cDovLzEyNy4wLjAuMTo0MDAxMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1XBtjDav5Sl3H+/fUcGiQO36
-oqtZG+YuC9D0z0u89Shq+XNs3tRtonGGCyEIrDtI6R7PItMJa6rQ1VuFoMWPrjmF
-f5tFemSOZtQx/DF78H+5tWaIBVDA+Kw1zxdqj1n3/AQjAGsSuqhgcaIQQFqTNNtA
-tW40048fDh17jWIDB9baF65az2uArq97uS4deDujG3CHV9svO7hoqpzYt039VDKK
-4N+dDMUZFqhEmY2MqjyQySY2bd/gsYBjcGWSIuonALactiYDc4zIusAfNptnXycw
-K/aQAqDwhwMcQA9L5YKQ5hoUukDTQFbvoNLJ3vNQDI/o8sjCh94EkMuopSp90tJ/
-syTPKRlh/MaGMXvwu8Vab5iPeVop48jTKl3Z+G8NErGM8KKCyd1mQoGisVuIMQPK
-uJUi7jOu6wgXlA8ZgUGfSQQDA4v2Q0tV/GlJmvsP5JshA3v7C/sSBY/3AnPHeWTl
-ozXlNgXitxps1EwgR2jo+YW2gxrfM//xtgMCjMXjO9g2TsCnWR6j93oXWn88UP/C
-eAcyjeTdJjW+piuLdvYOctY6+Yql5gm9Vx0u+w9jTmpzOCoh+9cNtjqmPiOhecFc
-Vf71vMf4krMp6lmY/Nq1/km9u0ViNP5CJHk18YXG42vnj7sUgT7WgpLh8g/iPc2p
-etH9lMd9te+Jyak/zA8CAwEAAaNXMFUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
-KgYDVR0lAQH/BCAwHgYIKwYBBQUHAwgGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNV
-HREECDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA4ICAQCmF13fF7kAcgCzRKBCpggz
-ObVNSK9btGKUU+xyOZsRgEDWdfeBvG3VzXflLMDv3P45O90CHkcGfckbj1ISctIY
-0OSnCn4vmIwnhwUWyYlCagtNB68GVcPH8XLxn/wsnT2MbiA/ohUStKXQtBmBxIUH
-rI+7r28qcHW7AnT47G5BbSYzW0xYzlkUwyl8rBxRLDKVTHBJ5GmlREJKdAzKS7CS
-6jhcsxa544Rsa7CDvjLKpJO0iploL0/GY+5oj3VdhgdEJgwqwvu3skfd1N8wkxH4
-NQuRmyvXxcMSxKv4vbOOUm4PfOqOwwXiVZLoc29ePUv9zCU2AVdS21DD9zAZeKDb
-B87VWnQKO6JUvL5vX7xsMnsSbnLHGA2kPv4IDZ6jKuZdVneM+whDZlBWpHRL2RKX
-K0JZICf7+EbmrUW3Rwl+dIaIJ55Ni1rfDSZWeIYKFx04Mod6Wbch7ahb/XVvIDe9
-SFjLfeNj7L/Iz0i+1lTarAMxIRC521IwcobhAxqxYCv3oNf6f+tz8DyCCvsTCc9W
-/OLKX7sukh1ohle+0EFrSYpX5PzkHwZRVZjx55KwkIV/KtwBadJv+z6iwW3qOn/A
-/1yC8Mbc2TdCaRPwFO80LAg9cz+XfT5vZoQUvOnOxIrhFnasQ/xiovy0zKCr2Fjg
-ePQ4BNEN9wt3SsPp8ig39g==
+MIIFWzCCA0WgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MjJaFw0y
+NDAzMTMwMjA5MjJaMEUxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEP
+MA0GA1UECxMGc2VydmVyMRIwEAYDVQQDEwkxMjcuMC4wLjEwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQDI3EvqJrLWsnPbjAT8ENiMRyBINhhafubi5Nb+
+glEzkbC2kv2zXkVkpkBubDRwyh3eomSbdwKYk3yz+IopT753teJueRpMPq9Ayr/+
+PZl4Y1tG04KcjfOvOls6zPsDfHzluR8TE705If5wwZu3Bdwxzdtx9T0ROzIEgRt0
+Axuce5qkg93IWNxOrIr+4LCxYfTpvpTXO20lz0IuQNm1Opo9PVoWn7PXdOmuCzSG
+2hW1DcKqSyQP7IkplBJS0EhoovIsXavSkPKJssvQj73ZFIBVgKhXuHmPNdrypaQk
+CtxsqbVdOOlojItqYTTDAiadwRQWkYgDOSQCGJiPqYVJx+rH4MlzxQ6n9x2qIcne
+lfMr+VFDEc1YvHu1XLMg5b1ImD6ChutYW0RhFJ3CQVdQR2i4kJ8T1DSJYLISMODZ
+ux1cZaUoSL/EkrC5/8POWZmP8nJXO6A4wrZDHF30/qWpo+T5PvsA6cABfX1jkcTx
+PBXGK1qOZ8rToTxprJ2zc3zuZNxSgM32nzjcPUgn559Mgdl0HR4c4JeTZGsebWmx
+MWmkz//BV4eUaGHqCpzRQHf3YIxysvDC2Xf4z2Alk8AlLRXp7/ksatdxAtyc+y8+
+MWCc6N0YbI9zjv+ezCBqR+mu1P5Tb0HebPFz3dOdIpiC3kU8QyMEagw8u5xliZs4
+AxwdNwIDAQABo3IwcDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
+VR0OBBYEFD6UrVN8uolWz6et79jVeZetjd4XMB8GA1UdIwQYMBaAFJ1ZVb5LWPs5
+S6RuN506RgFplJK2MA8GA1UdEQQIMAaHBH8AAAEwCwYJKoZIhvcNAQEFA4ICAQCo
+sKn1Rjx0tIVWAZAZB4lCWvkQDp/txnb5zzQUlKhIW2o98IklASmOYYyZbE2PXlda
+/n8TwKIzWgIoNh5AcgLWhtASrnZdGFXY88n5jGk6CVZ1+Dl+IX99h+r+YHQzf1jU
+BjGrZHGv3pPjwhFGDS99lM/TEBk/eLI2Kx5laL+nWMTwa8M1OwSIh6ZxYPVlWUqb
+rurk5l/YqW+UkYIXIQhe6LwtB7tBjr6nDIWBfHQ7uN8IdB8VIAF6lejr22VmERTW
+j+zJ5eTzuQN1f0s930mEm8pW7KgGxlEqrUlSJtxlMFCv6ZHZk1Y4yEiOCBKlPNme
+X3B+lhj//PH3gLNm3+ZRr5ena3k+wL9Dd3d3GDCIx0ERQyrGS/rJpqNPI+8ZQlG0
+nrFlm7aP6UznESQnJoSFbydiD0EZ4hXSdmDdXQkTklRpeXfMcrYBGN7JrGZOZ2T2
+WtXBMx2bgPeEH50KRrwUMFe122bchh0Fr+hGvNK2Q9/gRyQPiYHq6vSF4GzorzLb
+aDuWA9JRH8/c0z8tMvJ7KjmmmIxd39WWGZqiBrGQR7utOJjpQl+HCsDIQM6yZ/Bu
+RpwKj2yBz0OQg4tWbtqUuFkRMTkCR6vo3PadgO1VWokM7UFUXlScnYswcM5EwnzJ
+/IsYJ2s1V706QVUzAGIbi3+wYi3enk7JfYoGIqa2oA==
 -----END CERTIFICATE-----
--- a/fixtures/ca/server.csr
+++ b/fixtures/ca/server.csr
@ -1,30 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIFEDCCAvgCAQAwZTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEeMBwGA1UEAwwVaHR0
-cDovLzEyNy4wLjAuMTo0MDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
-AgEA1XBtjDav5Sl3H+/fUcGiQO36oqtZG+YuC9D0z0u89Shq+XNs3tRtonGGCyEI
-rDtI6R7PItMJa6rQ1VuFoMWPrjmFf5tFemSOZtQx/DF78H+5tWaIBVDA+Kw1zxdq
-j1n3/AQjAGsSuqhgcaIQQFqTNNtAtW40048fDh17jWIDB9baF65az2uArq97uS4d
-eDujG3CHV9svO7hoqpzYt039VDKK4N+dDMUZFqhEmY2MqjyQySY2bd/gsYBjcGWS
-IuonALactiYDc4zIusAfNptnXycwK/aQAqDwhwMcQA9L5YKQ5hoUukDTQFbvoNLJ
-3vNQDI/o8sjCh94EkMuopSp90tJ/syTPKRlh/MaGMXvwu8Vab5iPeVop48jTKl3Z
-+G8NErGM8KKCyd1mQoGisVuIMQPKuJUi7jOu6wgXlA8ZgUGfSQQDA4v2Q0tV/GlJ
-mvsP5JshA3v7C/sSBY/3AnPHeWTlozXlNgXitxps1EwgR2jo+YW2gxrfM//xtgMC
-jMXjO9g2TsCnWR6j93oXWn88UP/CeAcyjeTdJjW+piuLdvYOctY6+Yql5gm9Vx0u
-+w9jTmpzOCoh+9cNtjqmPiOhecFcVf71vMf4krMp6lmY/Nq1/km9u0ViNP5CJHk1
-8YXG42vnj7sUgT7WgpLh8g/iPc2petH9lMd9te+Jyak/zA8CAwEAAaBmMGQGCSqG
-SIb3DQEJDjFXMFUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwKgYDVR0lAQH/BCAw
-HgYIKwYBBQUHAwgGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAAB
-MA0GCSqGSIb3DQEBBQUAA4ICAQCeVkI4JwSyax5kJJ1iljkngfK+BdsrqBJWPITj
-mrl9DH7/2ev0GdzHEG3oQrti6vMvsowS6vHtpgc1tsbS9UwDY/N0ZgFWgnb5O5k2
-4zZfGkma3GHCvG9WXsA9+Gs7KedggsXxfnJTLe4B/sZqtRO0dMD/JZTJQ6reuayh
-bYvVBVSmittAjsfer+9xuXkHYYAPNYmW52aUN1AhnIsS3TVp1vHcxgNoFOQglN21
-lHwmeh5QbTx/paHFnWLLqLVydbiB/Qzz6x4zsEKESATd02WbN9XKUfGM0G+bG+57
-ErtrU7yzsLjPYYPcP9nYg8dzfdwVgfdjg+yw2hdmkqjDQD3YAmxRcat7uK8htVa0
-z4dfjdNRO3HhSLALKS/Tl9qpLKpEi8/0ByYErJz6i+Xyf4pkdPQcBQKybkFja136
-9xkonhE7DLTo1zQobfAJlnfTMxuJc0mOGvT+DqGSCFmNEl3WgIAgu9m77mp81Bqo
-0qwrB3pYSAzL9xHuluwZMn37sdmVFFReEkEaRllRgDTZL9vSQh2yOqtV920083/y
-sHPUijSsKysSKz0RuzMBCc3RD07Kcs1TFg/NdZiYKf8V9NDDOgk5LC2Sqoin7v6F
-yB4wpnm6RqQ7iSRpp/VBs3PAnK2uJEkoOU5p5jZdQ0IDtesHVzM7bCUIrQIX2pAr
-owvMhQ==
-----END CERTIFICATE REQUEST-----
--- a/fixtures/ca/server.key
+++ b/fixtures/ca/server.key
@ -1,54 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,E445BB698AB9CDC4
-
-GRzRVv6TB5rdE/8OP9HHqoQRQDCbgXgpB2hs6quyq4eNQSQPQ6IfhFtRJh5Utie7
-flNfN46NqSOAdwehnQffRBUayWpuSQFstNzglnFLK2fESisuxmB2ppnkKwm0+Wz2
-SHY/u/okRPOpGbXy+LV3pomqLe6Q5AaH2BwKfpYtYlCGAQpcErFupwwv5YpkuH+Q
-lzfhOZj/Cj/8A4Egsumzl+h7Ikg6vgOw8FHCwq0QFkdyGSUnqeZOCtgMChH3FJis
-ubjpZDfSLK8IITiQ7VtzgSTeNziH/YxFQveBqRmDH+a/mqisyyOR9D/LgvCQ13cB
-/k241OA+NugxvZ+VBgbGq5u3gfjt9qYVrsea/oeUwR9iD+LSIQToJob9varFKtGA
-i7v5h+4He5mqs9+bQabk3J0OpMHxnDR+N99uYFlboQK65t1/mlM52LCMM0o4DlJX
-dhtfEz+KEuMUscVgl3DOtkUoY1+Y/Mp5FgQ7omP9vQLyTIGVez6hLRXLMPHIk43+
-5dU6VwzHJMz7lz/bisJmLL/Dy3cM7lYea/PF+hbhbUfeXoDi3OkaCD3ZFnnPBVN5
-nKYEb3ucpKGGiqjYywDYkHltvWfZom8q2q0AZU9xpIepkeO3aVFmN/QQib1LiwR8
-FRdOaJO7sOpyS1XgPW1N+0lllfxCsdDIYzHByauTG+qa95En1sFdmH2yKIHWejuI
-DTgOrI3jUCt7o7cxUa3FL6xoMwirgOTq0AJSzoF7sFs4VtBknAA0Vg4EvbKtNBUu
-Z2gvpKCgUPwAL8CTZwTWRlZg//BgBEJTPlMKObUQz85iQRMxezvQrnD2VmL1EZJx
-qjjBgT0rQFCDUZydM5hXRlEoHJ4lkJ+LhDggcUDhCzehSMYbQ7kBWlfRLZpBXM4o
-U/q7ZLZkRphk8GJSOTwv41xkBzq9gDX2bw5eCR70Lh/oBdW+q+06zyCSu9Q/rYZj
-8rXJRpqFozr/5A2tZkzg8Eqib255NkSyXY1FhYhhuNkphNoStuhajPudCK7T3Qd9
-qvIiLD1iyXaA7pr/ZInCGXRgE18Whn6A4mde8eKnnJ3il5wDSAeEb2C1Oplu0eto
-f3J8l+OmM8f/J1p+2XeE4HMyopsoFTHubvKbvO93u5HQn2+jZJPlsg8nPL06pBqd
-FZzArkIWZPCMJWb9z2+xiOzPsptGoT7uesTKv244DN3f6SWIgX1Ye9kRn/vCp+Dd
-P85l9VxDcZ1Av3u2WQxMBw7OiMOzHToe+rLUEjbGR2juDArfcyeEfV5aTwXDmdMX
-QDAtiBV4Xezv0kg55Y0e85y815BUc+0oOTWTWiP5zgGQGcWKZgPtddUc6YZcwdgC
-4AAbdCcclXSImDsn/znsUXs4BYCJNnVr9FBQ8axBNxBUUjFMDr96lCspnOVEVq3E
-9aW3JxS4X354W0JSKa8AVjxq0P8XUC1tCcYTf0g4grJoDp+z4c3WgQlrOWzwtj6/
-D/nGIAOUXSt9c4Kn677Q/JPfxuV662sSiDgtMA6tfDkHkjcdvkxmXYiUkjHeU13K
-dxWU7LHDA0hhPL3Wuf8mDJb5YNnV5T/MdPJdOGcBjnhhu1pi46ej6xZ+KYHSnfbG
-Tp9XU3WV+ltmWEd11xRnrBRa3QkfoIzD8LLxywXECYVk/dWgVJEDY3MzjzZZeNPg
-FjiQ2kByEVI/NkG5G7shwqR4MdqLdwB8gRgMpmV9psMnrafKYeKDXW/Dw2FhJ2+k
-QqALnkC27aYb8hbW2uJZwCzTCadu6GrHwsZ6RZfl/sq5ptapbbB2QnkvWU7EJnTz
-CAjssY6MQ20/8/Y5x6AqT8dnnH/nhSbd3GfA0JSxAeQPD2dw1kXwXNUYZdjfWu86
-ScITEy2HUwnAtlqXXmjxUB1N9eE8nO3tiYPrYzOWMZp5eBzWCE1a6l9W1HsfXvKo
-nnOLmEg9SkkLtEqgmtuhOZYAdZIA3T9Xjc9XCHpWpq1fwa+EgXDRhIgJbL9URj72
-pG7rUYSpY96a8h5udOiN2p2NdX+YLG7hfcKciEUk9uvXi/U0965A6xv4G1C9JbBu
-X7ROEN7MS3jKZT6Qn4J/h++0h1HYACDZNnuYp7hDSVyQVlCDqa1Wo3Yv5S9hDjEj
-NZ8vDHE7adIs5SFgyKDgPPHg/qUZQr11GaT5rvwHhtO1MGF0+q4VPOOqpZpY6iIi
-Kz21GQY0E9L2XCndlD9lkRDebQUnJB0PHGCnSqFKHZTLG9idRgB+C2ZAqzATuwS5
-wVxEgvXqQTH2gsCfPfeRZZiduN3ghZQ0ggVCyINIczE2FtmQ6erxGfFtM8kkDRSI
-JQkEXvCqz4A2VOYFEZFfF0JP286R2HSMxmWVg+qYKo59et6EQBjPtFrhlQXhWEQ+
-pe3ks+sQO3YvQxRQn03+MHhpMG5QI0zUijnNv3p4PRArDJKMBEq2/03u3AQdaseR
-WN8jzYd7d1KjcHCjshppX/FpoDrVu4l+TNvmmKaAoSdN5Dm5GvVhuoY1zhmFm4jo
-fJQOgvG76nH2rCKP2dAegYZTkyBzC+/8GoJC6KQeWPKT0uiBqgaP0qzuKsgcABlY
-Ydj1/R1k6Z1pogpi8IUUenJvAQADp6JabjqbrFRRfB3fAZ8OGIsk/s6W8t3IlYL+
-srcCrElFmazyTy7y95sBc9oi9wAwBS/BURz47AZnytraxWpx7xS6u1Z9Wt9rfSQw
-RFfZ4ZdELZJfMvfXcQdFLZ3LG4fSgEJye+WgWBHTBjnPL6rm3NJ6J1viRvP4tbqv
-cFl4Tgr+GhkWpmp01K+kqjzwPWU7CvsYM2Z+bXd7C0aC1OttAly1/s9tp1k0PESz
-4y+4ImHwzceslIZiUDsKFOW1+mldM7akSg656LFmURdDcwOEZvnb97YZ9A3Ch4ol
-0+2v4cziNNtXx5fOyrNNGUj9bM2+Kv+yvy09uLE+aoS9p+Swx5HeJUVK7aMNGZoH
-LjCa1qdcpLtAaSBaagbJ9gTwgbGTZ7dAmJW9kGmN5ImOI5GKSsBf7feqI4J+Mq2P
-GTUfTTrBw1/ttCRcnvWlO7aQPZLkest5uq88K3hk1JcGu08pNIeDDWRwLK0cRMxq
-1cvlHYStF5YFG/bV/cROcm1uksEhN1mQu5Z4A+mSMz3pF+ZY2oRoZTBW/KngRpPf
-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/server.key.insecure
+++ b/fixtures/ca/server.key.insecure
@ -1,51 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEA1XBtjDav5Sl3H+/fUcGiQO36oqtZG+YuC9D0z0u89Shq+XNs
-3tRtonGGCyEIrDtI6R7PItMJa6rQ1VuFoMWPrjmFf5tFemSOZtQx/DF78H+5tWaI
-BVDA+Kw1zxdqj1n3/AQjAGsSuqhgcaIQQFqTNNtAtW40048fDh17jWIDB9baF65a
-z2uArq97uS4deDujG3CHV9svO7hoqpzYt039VDKK4N+dDMUZFqhEmY2MqjyQySY2
-bd/gsYBjcGWSIuonALactiYDc4zIusAfNptnXycwK/aQAqDwhwMcQA9L5YKQ5hoU
-ukDTQFbvoNLJ3vNQDI/o8sjCh94EkMuopSp90tJ/syTPKRlh/MaGMXvwu8Vab5iP
-eVop48jTKl3Z+G8NErGM8KKCyd1mQoGisVuIMQPKuJUi7jOu6wgXlA8ZgUGfSQQD
-A4v2Q0tV/GlJmvsP5JshA3v7C/sSBY/3AnPHeWTlozXlNgXitxps1EwgR2jo+YW2
-gxrfM//xtgMCjMXjO9g2TsCnWR6j93oXWn88UP/CeAcyjeTdJjW+piuLdvYOctY6
-+Yql5gm9Vx0u+w9jTmpzOCoh+9cNtjqmPiOhecFcVf71vMf4krMp6lmY/Nq1/km9
-u0ViNP5CJHk18YXG42vnj7sUgT7WgpLh8g/iPc2petH9lMd9te+Jyak/zA8CAwEA
-AQKCAgBR1Tw7IRCJdT92IDroFqyF5nhM/BM7LiKDZ0clX22ANVHmeEnKmXm7aXky
-NSUlG8nVj3ltaapX/HL7Co8OWBDBhM5ZYYfe6ETsyfisL7DMQbxK/5exKggCj8xF
-rT2u3pjEqDVfSK4yoLHxf2hptBBymImTxkA8yMfoWodvap+s1sRhhfjNQ/NfhmqS
-Ukr8OSlNMPTDS4cth4OhvmccyKsTKBm1JCcLqVn4JOXAVdQTxQriBGOj9s0oYQg/
-JMJF3q67iEhHUgXKvLSNXXHaNvUIN3cxs+P9DgWKTjf7m6HGyiuR/Xfq/UXBilNv
-vsGlWHZdiqOOykhDXW00stDjGoqIoVhkz4dxabY7il2BPW0MujdYNELVOJ/ikJ9v
-0M+3jgyyS8UDhgBAz6LFYXRkAyREbRi6NwWGT4vWtrfycEd7tO02OZ9v7w9Xb6el
-iU/AvNlb5MqfXaMp9gWJR2tDka66cMBhH+9VtMDd2J6Qpfjzwnn6VtEqUvt7Q+KF
-LyPb0CtOTzxYuPdCc5ZpIiIiv6iudUXsDOSl9CsXMTGTD0W8g9RQ+GKo703fZWlu
-LU9gOWVXq9c4VaR2dpLNjvOPzYxkChCHI5rNtcsnU6x7XumL/n1iJq+3/SMQ5K6t
-QSqTXAuMDZkHGhLB38zrQBb4Zg9LsojzEC1AvCrhqvN3nx+UuQKCAQEA/TySUNIr
-39j+oQtw0m6icqWDOMTKn6GamDOxq9+9gsNfY1mQt+W2XLYfPgScNXXXaggYxtXU
-i4dhEc+f1a8crBSFPPIgVx/ggawTO1jBZAGrrO/ppcePvf8bGmj45ybmiB3NjzhO
-Eg50neZ9/ciz0cmx76Flb/2zFto9aj1RhxKpjAQHq8aNdBCanPVuZC7ov2PgBpPI
-UU8FZB/pYjVjha+on4+fUG2S3urEwJR6uA9zwSrNsLmJ4VrcqBGN2huAkrsqzUXP
-vysrn82Y+sR4q5fmXb3Dn5pFZ3mSuRclnp0ESEFA//U95JTvG1aBtK4UGwzI78ia
-FVIqyRqyOZ52xQKCAQEA18SuK51fglgLvdq62GlzteDcZy2GIk8JRh6/rJe3X/E4
-4PgoWYEz++N3SMZsXWaz76KpGaAhirV6l60uy0/iG/yoV6P9amokFELdcWoj9+I2
-OAVPbJrRjZOKFDDA/TwgZIKd7amUArfwwvZLAxCzG77HSaz6/DcxwRriKR32GPQ5
-ty0sfK+xtU4li9kT2iOBHHjyjBcTfN2SjBupwaLQ4jHu37dpfWIEqfk9hEVaTPCh
-UejbzKsbEvTg6R5YMDa5JPcf9x2Wxk4ZbC8FPWdCMcXYtprH8pwoHa4hqTgHBN+Z
-LNQTgXKqItWPTMWuG14J/l2C71YcwtzCcYUaPfNEwwKCAQAnFqZvG0Hyd4g2S5HK
-qZEhqTKsHJQ6N7OpMrGGGi8idA3RRA32lNqlTOddp1CFX/80OrO4XWFFeEwfd7Dw
-RutiFHjMg4NCb4Uz/t+pFXYkfa2GMDIciMVDSpFgbjudUn/bGt6T8Nj8KIcPqHhi
-KAy5oSx6FKuXsc1nBaDdOUHQW60YE7craKaE99slxyyXAjai9EOsQDt3cX8fiV14
-70zBYe/hUUYCICe/iPV91G1s49W2R2kgkkMaKfBNcQg4Vm5uN73PmasLkxpUvGOU
-sab+tZ+1cIk1pZZ49mcTcuM3rHzwukHSQIShN+wAiEXVIdmwozSQ7qH6EIjSKfDA
-vBkRAoIBAHRX/zpRT1CvPRWQPbO3mMb3iqCv8WXKjEudBOmBnUVEgtD7vnYUrv0h
-eA5rv77VRCzw3pGMwMlUddgXb+X9GwTQRc2MBXc96Fpse49OFjrxZR7r7hm3mUrn
-xUqBx25E34qSy6l9COw2VsIpn+T1Oj65rifR+DvLXy6q2kwlda+a8QwOdbB95CrJ
-CoHP+V5kSpgZt19GiiGIMB8QQ4a/zjZJim5jLaSIF8+3Ly6FXt2h2rqZ/vrrQFwG
-YsgQrqjAuTBveHL9J3GiZx7oc8DaTt0bu3ErIKl2/kKSxF/EcDR2hNehOytPsuG5
-md1hsjHbkTPxJEr9eeCwvMANb0r8Q5UCggEBAOhGwGdM24ULcSLGONg2Qz03bdDP
-alDteEfq79X3mEuxn2x7N+tu31sBKCgIlrrTlsG6vWgLebFelAF3Vm/T3Hc6ifUL
-yDf7/gkvM+X/+f4XYt2Z5r0u+bVOsAITydDQJhakGfar/0it6URknXr9NJca8tRD
-DATfrRA5jHCbu+sEoDLb6m2lGXIFnkeD0rc7tz27inues1sxyTLy6lENAB4c6K2n
-oFtigO7F22miqUiVOXAAllJo6yVfwtmbtDkEYTjLZ2oQwpEdyff70f/iDm2+uKRO
-eF8kNuKxR2Em03slcfOV6M145fN35Eq5IuOI5N/+SiQhvywbjh6j5DRHlTg=
+MIIJKAIBAAKCAgEAyNxL6iay1rJz24wE/BDYjEcgSDYYWn7m4uTW/oJRM5GwtpL9
+s15FZKZAbmw0cMod3qJkm3cCmJN8s/iKKU++d7XibnkaTD6vQMq//j2ZeGNbRtOC
+nI3zrzpbOsz7A3x85bkfExO9OSH+cMGbtwXcMc3bcfU9ETsyBIEbdAMbnHuapIPd
+yFjcTqyK/uCwsWH06b6U1zttJc9CLkDZtTqaPT1aFp+z13Tprgs0htoVtQ3Cqksk
+D+yJKZQSUtBIaKLyLF2r0pDyibLL0I+92RSAVYCoV7h5jzXa8qWkJArcbKm1XTjp
+aIyLamE0wwImncEUFpGIAzkkAhiYj6mFScfqx+DJc8UOp/cdqiHJ3pXzK/lRQxHN
+WLx7tVyzIOW9SJg+gobrWFtEYRSdwkFXUEdouJCfE9Q0iWCyEjDg2bsdXGWlKEi/
+xJKwuf/DzlmZj/JyVzugOMK2Qxxd9P6lqaPk+T77AOnAAX19Y5HE8TwVxitajmfK
+06E8aayds3N87mTcUoDN9p843D1IJ+efTIHZdB0eHOCXk2RrHm1psTFppM//wVeH
+lGhh6gqc0UB392CMcrLwwtl3+M9gJZPAJS0V6e/5LGrXcQLcnPsvPjFgnOjdGGyP
+c47/nswgakfprtT+U29B3mzxc93TnSKYgt5FPEMjBGoMPLucZYmbOAMcHTcCAwEA
+AQKCAgBS1vCESKOXgo/f61ae8v+skyUQQyc2I4Jr739wBiUhRKQCGIuDr4ylHyAR
+qpTSM7mv+X/O0n2CmcljnEy3Dwl568zQTSf4bB3xde1LGPKzwR6DDnaexLjM+x9n
+F+UqoewM/pV/U7PF3WxH6sGi8UrIS6OG02L1OVm+m9TLuwBnQF8eHLiaiXOLCwRk
+bBzTe5f70zslrX+tiVY9J0fiw6GbQjNmg0UzxicePcbTGxy6yEsR2t2rp51GRahs
+TPz28hPXe6gcGFnQxNmF/JvllH7cY18aDvSQZ7kVkZlCwmv0ypWoUM6eESDgkW1
+a6yrgVccm7bhxW5BYw2AqqSrMkV0oMcCUjh2rYvex7w6dM374Ok3DD/dXjTHLNV5
+0tHMxXUiCKwe7hVEg+iGD4E1jap5n5c4RzpEtAXsGEK5WUBksHi9qOBv+lubjZn
+Kcfbos+BbnmUCU3MmU48EZwyFQIu9djkLXfJV2Cbbg9HmkrIOYgi4tFjoBKeQLE4
+6GCucMWnNfMO7Kq/z7c+7sfWOAA55pu0Ojel8VH6US+Y/1mEuSUhQudrJn8GxAmc
+4t+C2Ie1Q1bK3iJbd0NUqtlwd9xI9wQgCbaxfQceUmBBjuTUu3YFctZ7Jia7h18I
+gZ3wsKfySDhW29XTFvnT3FUpc+AN9Pv4sB7uobm6qOBV8/AdKQKCAQEA1zwIuJki
+bSgXxsD4cfKgQsyIk0eMj8bDOlf/A8AFursXliH3rRASoixXNgzWrMhaEIE2BeeT
+InE13YCUjNCKoz8oZJqKYpjh3o/diZf1vCo6m/YUSR+4amynWE4FEAa58Og2WCJ3
+Nx8/IMpmch2VZ+hSQuNr5uvpH84+eZADQ1GB6ypzqxb5HjIEeryLJecDQGe4ophd
+JCo3loezq/K0XJQI8GTBe2GQPjXSmLMZKksyZoWEXAaC1Q+sdJWZvBpm3GfVQbXu
+q7wyqTMknVIlEOy0sHxstsbayysSFFQ/fcgKjyQb8f4efOkyQg8mH5vQOZghbHJ+
+7I8wVSSBt+bE2wKCAQEA7udRoo2NIoIpJH+2+SPqJJVq1gw/FHMM4oXNZp+AAjR1
+hTWcIzIXleMyDATl5ZFzZIY1U2JMifS5u2R7fDZEu9vfZk4e6BJUJn+5/ahjYFU8
+m8WV4rFWR6XN0SZxPb43Mn6OO7EoMqr8InRufiN4LwIqnPqDm2D9Fdijb9QFJ2UG
+QLKNnIkLTcUfx1RYP4T48CHkeZdxV8Cp49SzSSV8PbhIVBx32bm/yO6nLHoro7Wl
+YqXGW0wItf2BUA5a5eYNO0ezVkOkTp2aj/p9i+0rqbsYa480hzlnOzYI5F72Z8V2
+iPltUAeQn53Vg1azySa1x8/0Xp5nVsgQSh18CH3p1QKCAQBxZv4pVPXgkXlFjTLZ
+xr5Ns7pZ7x7OOiluuiJw9WGPazgYMDlxA8DtlXM11Tneu4lInOu73LGXOhLpa+/Y
+6Z/CN2qu5wX2wRpwy1gsQNaGl7FdryAtDvt5h1n8ms7sDL83gQHxGee6MUpvmnSz
+t4aawrtk5rJZbv7bdS1Rm2E8vNs47psXD/mdwTi++kxOYhNCgeO0N5cLkPrM4x71
+f+ErzguPrWaL/XGkdXNKZULjF8+sWLjOS9fvLlzs6E2h4D9F7addAeCIt5XxtDKc
+eUVyT2U8f7I/8zIgTccu0tzJBvcZSCs5K20g3zVNvPGXQd9KGS+zFfht51vN4HhA
+TuR1AoIBAGuQBKZeexP1bJa9VeF4dRxBldeHrgMEBeIbgi5ZU+YqPltaltEV5Z6b
+q1XUArpIsZ6p+mpvkKxwXgtsI1j6ihnW1g+Wzr2IOxEWYuQ9I3klB2PPIzvswj8B
+/NfVKhk1gl6esmVXzxR4/Yp5x6HNUHhBznPdKtITaf+jCXr5B9UD3DvW6IF5Bnje
+bv9tD0qSEQ71A4xnTiXHXfZxNsOROA4F4bLVGnUR97J9GRGic/GCgFMY9mT2p9lg
+qQ8lV3G5EW4GS01kqR6oQQXgLxSIFSeXUFhlIq5bfwoeuwQvaVuxgTwMqVXmAgyL
+oK1ApTPE1QWAsLLFORvOed8UxVqBbn0CggEBALfr/wheXCKLdzFzm03sO1i9qVz2
+vnpxzexXW3V/TtM6Dff2ojgkDC+CVximtAiLA/Wj60hXnQxw53g5VVT5rESx0J3c
+pq+azbi1eWzFeOrqJvKQhMfYc0nli7YuGnPkKzeepJJtWZHYkAjL4QZAn1jt0RqV
+DQmlGPGiOuGP8uh59c23pbjgh4eSJnvhOT2BFKhKZpBdTBYeiQiZBqIyme8rNTFr
+NmpBxtUr77tccVTrcWWhhViG36UNpetAP7b5QCHScIXZJXrEqyK5HaePqi5UMH8o
+alSz6s2REG/xP7x54574TvRG/3cIamv1AfZAOjin7BwhlSLhPl2eeh4Cgas=
 -----END RSA PRIVATE KEY-----
--- a/fixtures/ca/server2.crt
+++ b/fixtures/ca/server2.crt
@ -1,31 +1,31 @@
 -----BEGIN CERTIFICATE-----
-MIIFXDCCA0SgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET
-MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
-dHkgTHRkMB4XDTEzMTExMzE5MTg1MFoXDTE0MTExMzE5MTg1MFowRTELMAkGA1UE
-BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp
-ZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALY5
-FfOgbclrkfZS/XpzPJgWZrs/W+zakuoBDtkeTeIdVMk2lNZ//oA4g+eYVPnf0DSJ
-oEPvJIOuwjF8b2M3iYR+fwV4iI2NKVEiV5469qtjkSm7OlvNRMAeWztGm8uXI9wg
-9MEqVU4SPlpTV7kUE2c/d3jU6ZAjvgBn6sWnRWG39lBGXecqay6PzbAYhlrGH/Ou
-PZaL4mc6nE1D7/mdBOo3J+6dNQUzB9FhU/BY55M5c0tSrDGlM9pPE9/p3JXu1dcp
-95YtZbUCib/NPVnHGEK5s8LfG6RE8kxxUj6bPjPmyEF+jsgwJb2vdHjOXbwbtsji
-WprZ6TrAFfLQWmD9qbsVxvyMlnuzrfPyaREWhgijBADDGBmcL8k/OFH3LqhmwOET
-LpGepCV5BbRqD3+tDIQcjjlt1fdJTDu1RuPs921EdHXaQNzTTPbO9DoNpFY0l6Ul
-Hjlz8VlnwuEoehd3NDZc7a/b8X6Ry0JwuaymouUJE9GQrGJRJ3imZkwrhhqxiWIt
-p6HJKgePD38V1tFbifqjiF/LfhqaZ/oaFU5f3wLbs41BuMOQtEoNsmRCNd2L6BJ+
-+fskqnJfbuw6YRoB7gvoFjyqn5CZuox8ArmOs/oYk2nior2jBEQI+S0JwVquBDvb
-vyUnYT+E/mSURUA6kPtHax0kaDZnQijXGc4KwASpAgMBAAGjVzBVMAkGA1UdEwQC
-MAAwCwYDVR0PBAQDAgXgMCoGA1UdJQEB/wQgMB4GCCsGAQUFBwMIBggrBgEFBQcD
-AQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQUFAAOCAgEA
-qZuN6qS3vIXPCOcRAC/3mxLtccfZOg57NKb6NQ1lzkPXdMDp6Bd3TfWyrkj0lm1w
-Ya9fb/G0yVGAI11WW4ifML3SF3sKwd5PwiqCZa2kTTxL2Wes7t01jueZ0J7vDecf
-n++PNkCZjQ4BoSbnCABNyuHoW3GMdZAnlaVdkZHetRN7gwsNvfiCWFHU/slhjN8K
-KgvQi08BWhiIFqUmBhqpDJDSgd8lJi2gBjq4idkYkW1xcpO4Iz+dZRloPB/ZICnl
-dt+Err9MAec6XpKdniJFLil2FALMmATEZXnGZMuXezXJEZKYhx9ZHuZZDuNBhD6Y
-VbOTrpq9F7oWdzqhUCa4y3HKKPt0ZuvP/0nHnGBe/eOPrJANQYpCHw02AXom67eJ
-9PW0PS2YC7O4cy+Y/DOI9FkzRpa+Z6OMSqKu9hkBCLGVad1cb8cLyl0MJpUu2UAV
-55ovFT6owhR/ZSIDEX4VeNwX0PsHIXIUDFE5Xp58tB9QbRp9ZA4c4OAQ2eGQ8Grz
-v2IxJJgmjBIuAZqdW6KDKy2vc1SQZw3uaFOYUEk3f5uAoTiARIVF2qrVGPDQjGbC
-fumWNsjU0ale1EstgS5KdQc2Ox3wHsc84up6QaMfPqKmvSDOd+RgGzRqh5G07bni
-BWHaIF0K+tJNnPYiTX7nbP9dP3SAfvsPylUFVj9fiSI=
+MIIFXDCCA0agAwIBAgIBAzALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MjlaFw0y
+NDAzMTMwMjA5MjlaMEYxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEQ
+MA4GA1UECxMHc2VydmVyMjESMBAGA1UEAxMJMTI3LjAuMC4xMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAryUf5kGdRfw3D17AIi5vhGREgkIIVVtqMlHA
+UBH7qij8DNM7OQVJ7vDiwbuJjQxYrd1lEWUY9CvTxvG74esNKi194GLuTugSQnfZ
+JvCPnM6pDHtVfG6qXHdO0LJ9hy9InbWQpGS5gIsBtf4WJWUui7kUSJ/BkJhwaRhb
+ytPnI17v1f/9xQC0ZuqxUrHiRYhTTwURrd7nbvnqax9u4RKqamktr3Fnx8/OVzat
+vM7HkFaMY/v7I8H5q0gjrPUR3kUfEXvL8NpaA0jhkuy6h2sbhNiJ6v0jmI1qI/cy
+NmqL+CIsIZke6osBIN/41YDKlH5JRzXAS+nAV0+Bfp2w+qfin8D060rlhe6MscXL
+2W9+u/7zxtnV1GI5kI1+kGiLGRc6fL/zbwhws3SDtCC1+Z9ZWog7phi7JjsI2KpE
+GcoZLm8NdjDgRtcNYv0UhvRSwKDwAc/Ep2d4G5/MUlui8poIT4xFmhgQu1W2S3rv
+LQn3kgRX8MqlJ+5PVO5mH1w1iDEi06xJ+NMlpU2pd6fi2K2BpVfuVdeZsRLMOJpM
+PxOsgdKJGeFzTwC2geBl+i5DbzyAVqQvmWGazxj7TIu2fSuPQmopXbvggphPWkDL
+M4FA+2Q7bR5nW6eXENJAhXF3U+7ybscpume5JfO2jeyYxOWKQaduC0drAiUj3wC7
+r1XqZPsCAwEAAaNyMHAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0G
+A1UdDgQWBBTMcJk/I0rIwDOtgjjUlLJMta4OBjAfBgNVHSMEGDAWgBSdWVW+S1j7
+OUukbjedOkYBaZSStjAPBgNVHREECDAGhwR/AAABMAsGCSqGSIb3DQEBBQOCAgEA
+wKd+r2NqgxSrjF4g2lP+78/HbNxh5YJafaqoysTn6auNa83z7jUwyFzUiEj2LmxE
+eNPg1gaRBSHuURjT+nO3JHUEn/6sPiL5nWTVNP8NKrj6d0whjlP1aQkMNK+Gki4U
+FqykhCpFQibzY2gywbbn7uJy+lI/RgiidikZGCIBzm3JQXr8x7k6WNHDufHnSBkS
+vXWrGTygM07oxanyWA7ib7OBMuqFmLX08TGQ82DgKOPtZG2VOAsMM+Dxs03Znns2
+BDkkuSZ5uo6CMoZnZ+Ppu32WAcJy2cjtxwZwJql52u2zQvJlj1qZpxMvK0EfRzzU
+eGy8JL/C5EO3YeCp0p/sCTeoKrDTQySkh0CTBloKer2KH44HEC2KODL459QOV0Q7
+8fWh9xdW+KCOCLxUcPfClapZywfr9nPkoIv7bMGEKZkLsnSrkncHHszbcSP5y463
+E8q+hS7YBR5fDwYoP2cNAFyewq0trV4Fm7/JcQVYcvUqgf0l+6NxtD2bmhy+RHHA
+jLoqfVwsI7VEfcX7/LQ9Dr7RIiz94GeyQSsZT6nte8EpILz95bJcHHOgP9nji5VL
+MoBSpncrIpP+HvxFrGXg2pIQKTSNZhY6YdzI8n2/r+kXbdb9IjPWbU8X2abJXX1P
+QCX4xrifBp5L0XTm5FowwGk4vCy2VFQcK85fj3PfH9s=
 -----END CERTIFICATE-----
--- a/fixtures/ca/server2.csr
+++ b/fixtures/ca/server2.csr
@ -1,29 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIE8DCCAtgCAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBALY5FfOgbclrkfZS/XpzPJgWZrs/W+zakuoBDtke
-TeIdVMk2lNZ//oA4g+eYVPnf0DSJoEPvJIOuwjF8b2M3iYR+fwV4iI2NKVEiV546
-9qtjkSm7OlvNRMAeWztGm8uXI9wg9MEqVU4SPlpTV7kUE2c/d3jU6ZAjvgBn6sWn
-RWG39lBGXecqay6PzbAYhlrGH/OuPZaL4mc6nE1D7/mdBOo3J+6dNQUzB9FhU/BY
-55M5c0tSrDGlM9pPE9/p3JXu1dcp95YtZbUCib/NPVnHGEK5s8LfG6RE8kxxUj6b
-PjPmyEF+jsgwJb2vdHjOXbwbtsjiWprZ6TrAFfLQWmD9qbsVxvyMlnuzrfPyaREW
-hgijBADDGBmcL8k/OFH3LqhmwOETLpGepCV5BbRqD3+tDIQcjjlt1fdJTDu1RuPs
-921EdHXaQNzTTPbO9DoNpFY0l6UlHjlz8VlnwuEoehd3NDZc7a/b8X6Ry0Jwuaym
-ouUJE9GQrGJRJ3imZkwrhhqxiWItp6HJKgePD38V1tFbifqjiF/LfhqaZ/oaFU5f
-3wLbs41BuMOQtEoNsmRCNd2L6BJ++fskqnJfbuw6YRoB7gvoFjyqn5CZuox8ArmO
-s/oYk2nior2jBEQI+S0JwVquBDvbvyUnYT+E/mSURUA6kPtHax0kaDZnQijXGc4K
-wASpAgMBAAGgZjBkBgkqhkiG9w0BCQ4xVzBVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMCoGA1UdJQEB/wQgMB4GCCsGAQUFBwMIBggrBgEFBQcDAQYIKwYBBQUHAwIw
-DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQUFAAOCAgEAsjhQOckysiSTZaz/
-Ck5APYE13ckBQOxvHqrCvDQSRMqq/yb/eWtItQhCs9u3fKGFGKCefPYwtVdUj6v2
-g4SpXzBblcXNP8SXEtbcNuG4lPNsTc2YbDxuLWmgvLX8on2nq0f+TcGmtvvmCaLz
-tEdLPlQfkzQUlwfaK4kMJ4qzR8eeHxBrhKJyDyzSreZSa/ZXMcKpjJLhXl6oM+ud
-cfi0BO/xOKt/MmGHAxTMNrTFV5HcEWzws+r51sCcIV4BwuELA5rZuG0leaj3CDDy
-3dPkpLp3HObbX3KV6yyCCfEAN4pyoZQNut8i87FITsYbJJy4ld7/PWTvg/JMk96X
-ZACpeI1ERL/Sr3uzFpmlLszwSQ7t/hv5ykFA6d1QLv0u+EX1mL1O/PZ5Lb3moC4t
-7ma3CffPqJpEjvvdXtweol62MI4Rr/1sXyZGR+lvkjcoSY5vzv0j7V4w6/e1In3D
-nHY4vmpuy65w5gGm/s2y2cXRfCc8P4we0+A+QbNAgt3eicdJmWZGcWwlMQI10Nmq
-6Qnp8cpwvFM/iCIajfIAz0fD7G0UEL5ExSFoh6WhFFDOYbTl5MeXUjMaYmemICE2
-r3GVfZxHLvDQzftkq/oSXXiZgLkoYveN0R7VJuUfCgyLOlJL5O8WX2lX8odUKINc
-DcZ/FpV+R/u7WGm2j0tvRA4y9Qc=
-----END CERTIFICATE REQUEST-----
--- a/fixtures/ca/server2.key
+++ b/fixtures/ca/server2.key
@ -1,54 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,F332544C4A2552FC
-
-0qzUXmrtDC8Uj4pnudhKPIHLErzRRgqS5qY6+Q+LNET41cltRat3t1/txN7WVPYa
-3AKo1SRb6VyAthcbih4pEPC2rQpjPcPrhuXNP3HeiDxQ9CHcNxniN2HmVMYxf7p9
-WaKSYgfTLP/La3YHlicimDIpmLvPjCzVvEx7bY2zrRU24mmSopG2gsLpnbLUDL2e
-U1R5lXKVULaO47hdtwcLQkmGo+b3uW+TAAmn6wTrJbOHKjq2+kFwZuilnmspXPcp
-t64OrBbE2jmY2TiBurDhT8HnbRhpeYWn7LqRdYOV9Fsl/3ftXIr3pItUDitiGxkH
-aNdFTm7XM2Sw25sS3TKxvksZW4sOMkIOUu/U/LrwQqNjvXMJMFJWRpMR9yDx62uc
-yElcz53zAo5yg0q7vNOu4yap0xQdOc5fu7fWDWZO+cfEYFtaSZV1du9QPxTpnSy+
-UQIqFmv4sNcJOl3gdVu2rClKi//jutnjyPkxhoPGpbSxA1WbltcO0c2J1eSJJnd2
-2jWbHFXFpIIp4WLI1TKKMM2ARVL6ITi9L/EL7HNAXh+bw5F1j3KkdsYKDMepgk2b
-ArJVPqvbLu8r6AdTtooOXfweJIWIGQNitDx4Ghj2d+XH6StImGBatYoofgKBH4q3
-nvxQRj+lsCX2ChdOD2rB1kyv8ak/6h880qtv3XTlaXzKUZfQ6Okd8/z+//eQcpRe
-WY8uXfXWyc/EZ+IHkAp9FCwjlSe2kQpGDmTbXz55gT2fKy/WtJOX7YDEpoUcPjI7
-+efoQYjo62e73/drH2SafQBkoDTfB66+IVO7osGJx7wb5iLENjkZ7mnpLR4oydsr
-miF9Iaik4eKzbX2EEXCvVX3/oCG51cdXB3Tun9bnLNZmHCsRFeOjNPTydMA9V729
-Pw07cBCKDMYK5D0QYkRRFWqpCsLiq5GZlEjLoJEjh7FJyQwCYrilfSSanCNk7llk
-onCKwh11OrC6Amdq7NvLfhuM0pHkLf+LZsEQ1Z6MbMN6Sm/NGAMFl0SeCQrlZNub
-rtOSQ3M6LhzFxWddfxt53MiK3adXRWdqeGBQtQLddj5PPCCJ7SSxFzIhAP6/jo5E
-1Tym9BkqoaZhnK7IwGvc3qBlziyvs952OfwkS57YkM5t5DFdJwlVCNUiVvVNJdju
-Z0PnRgfxZDUU+IB2h0jplSFpgsHPgZ3nPMYYprPMomj/qH2NTNQFLwf5Wv2eT33+
-AWjdnY4rUf5Up2rRVoPFgx2mVY3t54pLhX7UjcEwXMyKn8/jy/BhtHCRVdN9gHba
-sHvicd4tOGepTjZYORDWq1pEJv0uB2qdHoJlA4PoH5HT32b5MW2hVssHyVt0DpLO
-JP03k4ZxzA7JFCzjXQJvQfJ5uWTz2d/pHXQN7D+h2JxADhd+NeLvP7hwLZnXCF9z
-uz3AmYbFQVWGnUaWuvwPfizqTRuKmbkkuEcVPhoOsrqXSj+K5ulMTOzPmAAku3Ig
-UU2yAzCb6Jh/BlqhjreX0DU+ugvUZ0dYk+sGKv61VKA1Ifu315S6RtkowZn5cL/g
-AQDc94OQ1kQUe0etnDjTUjW+MswAYrjsHGUa2KCYUwz/X/u4xfbaX/cPRiyM09+U
-VbACr1ido9Fb/B71CHyYMi2nx0FYM0LpIfC/336+ONpuidfUwWD3Thia2krEaUQW
-0/47ALXa96BVhJ1XWItII+1uW243YnN1W/QKB+fB4IKFqX6qCf7XddabFMWBG4OS
-I8Ms2LdDcybIORs7G1iP95+UMljMNo9TFHH7vxEH1RcTRPejjmLk7/AxQzB63hML
-+Cf24pD8H2CaHKBet97CEfP5AYk2Y3KcSPm7rmc9bwllFEbIotjz4QEPAOL8A81l
-DUPuIaBNUgTzyjFhuzh5CCnseiJBrn4BnKJGeS27AzL2OEzsB6irmbrztAYA5AK8
-D7UrjdoT7f1MSmqf0gyXrxtrOJszdHG1U0HW3pZfJhgiqDVtUaE2ekspu9ji8vbk
-s9wtIRWXM9+EXPVGtp2nbJftJjxj+Bj4GignDw3taLfn5nl5pfUbW9EQGBQ10KlU
-CNl25Hwl5qcdvQeyfom/lXrUgY4nyGEwv6fqjjklz6N3yQpYYpJdW5kdTue56QDV
-MkKeogf8ZgyFqMaEtaMhHNwSW032K3hc2B2GXoaF17KPdb5snEKGN+TXG+2tuV8A
-ZBMT7Is+29Kyf750cUUmDlHS21BN9OjJcdZV9vQLbivRUtggfsMKImC0DYcqL4O4
-ToZB2VHiywlZjPLkiJSbx5u91mYCv10x2IPd3N4O15MWVZtp1L9KZEO8Dkn/OMAd
-mw6mtFYHCfCnHC8hjvU/cWfvlia1M0gLDweokd3auiN61gQ/1S9THkUMPP/RA7qd
-Zpj5UeqoTpLDjcVbYFl6NzkJM2KSbsdIewpqgsZW7PHiwO3c0iiXux8Ueo8nyDc9
-U3+mbYcBHpkd8F2hdyJPi5t9qW4ytI5P5LCA8Cgoj2CvkOLYh7qQFTMay2MEwsm6
-qwwcK8S3Ul4kZKx5KxoZOux4jDM36fR4pf0z+GIrDzfbnonJsv+oqHXGQYs4adwv
-4LT71pJ9mein1LGDrRq6Kgvp/Eu4Sr/S3oWjkFKxa/zd2LucKrjt5n9M5dL4NVZK
-0xyuoWTWY2lUol0hi53W0otz2hLQPFJllaHKUGISclmVSbHLi/6/Cc9XGALLM1+N
-hGyrMDsEJLsgsMNZFm1QDphrGgHo/HdBsQoghiUTxuLS2gIE/845maJYW9F+1YZh
-Q3uZKjFpL8MHyLTbP7RXjUFKUkM2lU5JJ9ydr3+W1OkVJENnmLbpalQctkO0W1It
-vXU0U8bB4nCtZUO75299m4mUh/lw2Ej/D651+Pbk+iHcO/+p1hjiVfhoLF701JNo
-WmEZ2/1ZGBqtO+ON7mlJLWOeYmiLnE/GheVPnFWv7ZFZCLVp8uEG69iK4pm9EH0B
-QaqUA42etpo7gHOMfTiOkwvmQDWsiXl4+MSnPo+MBaCFlWor8ZHj5OkDU79bEn1x
-dzzjhb3HTEJ9a//RC1vZbpRJuA4eueTrVkAJYcH1JMtnftKFz8qAaxYxsk8lVbnK
-TIkxA1CjP9Btoq5a0XNkSRzzTAXo1blYAA/xy6HLbODuwNY4Mym+ZIPR9B6QlYZQ
-----END RSA PRIVATE KEY-----
--- a/fixtures/ca/server2.key.insecure
+++ b/fixtures/ca/server2.key.insecure
@ -1,51 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJJwIBAAKCAgEAtjkV86BtyWuR9lL9enM8mBZmuz9b7NqS6gEO2R5N4h1UyTaU
-1n/+gDiD55hU+d/QNImgQ+8kg67CMXxvYzeJhH5/BXiIjY0pUSJXnjr2q2ORKbs6
-W81EwB5bO0aby5cj3CD0wSpVThI+WlNXuRQTZz93eNTpkCO+AGfqxadFYbf2UEZd
-5yprLo/NsBiGWsYf8649loviZzqcTUPv+Z0E6jcn7p01BTMH0WFT8FjnkzlzS1Ks
-MaUz2k8T3+ncle7V1yn3li1ltQKJv809WccYQrmzwt8bpETyTHFSPps+M+bIQX6O
-yDAlva90eM5dvBu2yOJamtnpOsAV8tBaYP2puxXG/IyWe7Ot8/JpERaGCKMEAMMY
-GZwvyT84UfcuqGbA4RMukZ6kJXkFtGoPf60MhByOOW3V90lMO7VG4+z3bUR0ddpA
-3NNM9s70Og2kVjSXpSUeOXPxWWfC4Sh6F3c0Nlztr9vxfpHLQnC5rKai5QkT0ZCs
-YlEneKZmTCuGGrGJYi2nockqB48PfxXW0VuJ+qOIX8t+Gppn+hoVTl/fAtuzjUG4
-w5C0Sg2yZEI13YvoEn75+ySqcl9u7DphGgHuC+gWPKqfkJm6jHwCuY6z+hiTaeKi
-vaMERAj5LQnBWq4EO9u/JSdhP4T+ZJRFQDqQ+0drHSRoNmdCKNcZzgrABKkCAwEA
-AQKCAgA+zV/mbmVIJR3SMnoQCMVaeWYApO6OrCo0Ihc29z3Kb2d4TapwXv6cvF2h
-pRusXtnIMaKdpz8Db2iYW5WcMVjg5CPtA8S0XHFf+CEQdKvtF8zBADk1yIIoYI36
-2PP67+U5Cdaw+GEcHieFQ/IY5HVngTUw3Nh+iAME6su8QVElQ5zNv+K/OBxmmMNA
-LMOpZ109w9CQITfvcgDKlF6Rve8itc26bE4Is7S/Efc2/70YPZWh4SVdmt1LITPt
-WRFgT0c998XP6WeDQhOtmhPJ7FdNL+lngTNqoySK+gdpcmG2y5Q7Fl4pWoa3YFAZ
-Dq65lSejBnhJpE7Ao9EstWhgwywKrKF2TRFWDyBCFbCJ+LdbuwA/0fjMYC1NiyxU
-ApSuULGkbg7hCUGOAa8OzbSk1BL55s934cI2bW0NuLQHYcrFcLxjOxGpgt1RWHT9
-9tIeE28oupjMEvlXqIvOy8OWR5nLLhUT8xVyGWRtj/GgyI4GBGtujR2NmYG6xOrj
-CThdCqmm1oMdZx4puNPKpG4rXIafP7itOVbWucuAecYNiOD5buVJQLLSHSYpCool
-204QPY+jlFlYrXypCKzSdGv0Yx8Z2BryVV930lle0GY1QwJyklk4Qhksl3txXrO1
-89ERklRnqn83WDKDopPKKgveTWMK1VGA8VuWYIDXj/qqklFKMQKCAQEA3dHbJgQ3
-EJvrnK/WL/RPNmfxc7R0oSPDPP691CriXrlKIfs9zHPX/KsdZ8HHDYqR9AehE/xc
-6dYsoKtvy9kP/96WDh8TH+Ofx0zlQmYtLRengWTBkHU9ti+1D/cZBSyW5xx5uTKr
-lxCJBOk5qn5LJuYaIZpzCKR7FkzjE/H4KGiGnG4aNXwa8jXx0ZP7GGKTuaR1dEa/
-G9Ju25yokhmiAvrQ07qk91lZmOER2wlZdU8LTJMgYnM8bPEoZc10jpLj1q8QSNEw
-XL/uvFXsiBh2qNr+11QGzQiKXNPWzGVLtjxzQG//5SIj1gpuTgGO0+sgMFQE/e13
-0utMmgv8DLgEnQKCAQEA0k1AsvR5soPYgZQxztUK/Zrn4HTyjO4PRkObbPAzdNjw
-CrLJugSbeNQJ+7mOxR2p09KsDuLcWhhB55pab/SytXZVCr3wxjpQIUxtmybkkOMx
-7QPkCi9+rKDE5MSSWfSkGOMhTVV7+1jG2+enIWCQBJg+pEgjC3OypkLTR1jDwsa8
-WgpNTm8RZx79WHi+XMqf9BpgKxTD88wdJJQbOW0sh8/MiQ6rUl4Za64rufglnNmM
-+6X2ME9Sz55KvFQqv5Us573lU2z1WYnRoHjt4WbCNMZdBT0pUvN50Lg3rWglu7jY
-c+EyWEUd9eMrA2Hk3ZUc8p0diRcWh6d0jrlO3reUfQKCAQBU84j1b0nTb5N1h5YE
-+ZDYqkg7YtID4JlmI715ow7c7iNpDjplsbv3RWVWlkzwb7BkAAP9jnnbCC5BPkbr
-j+7jtFBNijMd1GQdxOJMYqtMiLGbCYZkF7KRsoWqXpzTcXc9fZdUiQZULX38RoHS
-PNn1RMyfL/J8Tdnh+YJB4jqC5z0ebcBV2XjMaEJ7XCwe86nVwBlHdcy9EANq0f1x
-LqXwdDRD0khZfnuk5BWdiGAdYC9YnUQa0D1FD7rD+kJ4U+M0FgmriYn3C36X3GRg
-3tWa53wP5VtRbMLouCycTPMJEO+mrv4Wt9N3prkF4OzdVkAWoibjRO3N9lV47bwS
-9uq1AoIBAEPqmQNyOr8xH0Gxx2ghm1wNo+b0PcTPuPUbLl2/MQ8CZHtABC/j/wXF
-jLfT1EzKaKc0+UYRc9JQ1S/jxGM1pmU+IvbGIrUR7gDi+t7Jb7Vu+heuUv4LGqDL
-hurOpOkSPdCfwYiFG/YvVIF+TZZU5g3l0Q0jEtZG9iIFoNAA1a/YmMmHXDIBYqBn
-/K+OxwOWmJOv1PD00tewSpUek7A3FtOBg2+b4i5Gn3UMGakEf7ko9QPsNBaj931/
-hGlP0UJv/cGVrTMFFDNnc+CcTU6m7f83NKFVgDv+z49dfvWslcsLRjQePTEOmT9o
-ruJ3wf7hgijEHt7AKxGCPf090T/SD80CggEAfxDd94aLvdJZWFenilAQsx0Zm6i4
-PMbMN0izQ4DG6Ds5XnUtbPjmomHaW/sqorrpGNoE3hG4sSQKcxjD4TI3Dp6OPjoN
-wIuFWjeXDNzGNRBPV5wmm+uKWbMf00sOOa9BvHAzd0yNisMEMGEun4b9wuC/E/IS
-XI/cJVoDQUI+dF/q7OS5mLclVnPO6TC3ZT8/JBpBnjs62b8bkqAtLa1TqWJFKnz2
-vz8uyM2o+6zVUqKB7s7vOHwN7nf8EHNTXe/JeZ49qLYgzmBkSjoVLFsAAvZ1IkXW
-vETDH3t9bjd7WzZizF0iVBrk0zd5242L150av9AgGSTLljOo7npEkSlzEg==
+MIIJKQIBAAKCAgEAryUf5kGdRfw3D17AIi5vhGREgkIIVVtqMlHAUBH7qij8DNM7
+OQVJ7vDiwbuJjQxYrd1lEWUY9CvTxvG74esNKi194GLuTugSQnfZJvCPnM6pDHtV
+fG6qXHdO0LJ9hy9InbWQpGS5gIsBtf4WJWUui7kUSJ/BkJhwaRhbytPnI17v1f/9
+xQC0ZuqxUrHiRYhTTwURrd7nbvnqax9u4RKqamktr3Fnx8/OVzatvM7HkFaMY/v7
+I8H5q0gjrPUR3kUfEXvL8NpaA0jhkuy6h2sbhNiJ6v0jmI1qI/cyNmqL+CIsIZke
+6osBIN/41YDKlH5JRzXAS+nAV0+Bfp2w+qfin8D060rlhe6MscXL2W9+u/7zxtnV
+1GI5kI1+kGiLGRc6fL/zbwhws3SDtCC1+Z9ZWog7phi7JjsI2KpEGcoZLm8NdjDg
+RtcNYv0UhvRSwKDwAc/Ep2d4G5/MUlui8poIT4xFmhgQu1W2S3rvLQn3kgRX8Mql
+J+5PVO5mH1w1iDEi06xJ+NMlpU2pd6fi2K2BpVfuVdeZsRLMOJpMPxOsgdKJGeFz
+TwC2geBl+i5DbzyAVqQvmWGazxj7TIu2fSuPQmopXbvggphPWkDLM4FA+2Q7bR5n
+W6eXENJAhXF3U+7ybscpume5JfO2jeyYxOWKQaduC0drAiUj3wC7r1XqZPsCAwEA
+AQKCAgBAjPQ2ztQCKTS5y3gQoQCk0LeXMnMT0n9PUGYKnLYePsC2kVtwZoybLdjF
+AjNt8rD0U3aedJ4/z69b0VgnqZPOibms64ldN5cTPEyiV2L2rgwL96DIHZlYPvij
+XkV5f2nKBlLq49yijZjx1FWhLqt6/5mEMq0Kd8RmV33tQTAdDy5httl2tA3JKJJ2
+Ie19JwNdSkb7x/2QHzfQh2M8PL7mPSGDWc6gC+zGo/Zgce2HOv6/Eu26fhFgmVPc
+uO3+94a90NyXRkKKl1/b4LfWlRktWwlpvCZUYTpPSxoMiDRSHXYaY+7LDrQ5w5JY
+TgFbvTeQsTTQRbSH+VuGqOPDXgDduArWUiCqEoK4BkmB24rjNpiqrDyPhptagD8s
+UKZB4IJIMr20YO/8BWQma1MCt1WPP0a3docefFTokjGRZXn5nIa/qKemefNrXn3o
+irp8FUoL7evB1p/GhsH45mH81AYmY1kwFCcpsDWofroOckTuFe+RyXuiwsrRGMfz
+lwjXKH+HBSxA02Kp0XUwkHN21oNBnode/UfefBFb8JLVTuY+Dpc9urQ5kerRIq4L
+a71cNvIieQGvZJF8M+Q3kvB4nhbv2GO74hWuWmzgLzOyQtXRm4+NDO05l4wRSxse
+Ow7q0kck15ZWsuO0uB1yj/TtEH/JcU24bz+o4w7SdfXY35VjIQKCAQEA0DAoGchp
+mJ9KWINvsDjy9xMWLPQPjHXaMJEyI7aIoDfPyi3nQt/qDz09vzmFWxDFPw00Pyka
+b3iO1O/vwoWXP7ncD0FkuVjSuxfc7KsjldDI1FCdHxMEy7cZ73Oo8S09uRgEHKc+
+biCUailQjScn77wxqmQ+eLIpHnDrbRH4VNqxkSegY1Fzg9RRLbXNBKUKbOl6l5bs
+scT0iiTpTcJM2SsrxacZYqbvd/rqgPe1AztQuAYyIOUr6AdWdc9MMz6HjDC7PRwv
+WqAX2mxhrDUdnMSPEK0llE8hL2Al9nTqVGTfdOcEi2e8IC3tPZbNw++Fv85Y7mwN
+dcyG9aYYEgTTQwKCAQEA115KcROnkYEvn/h5+SIlAus2NXbfkttANqCLD4jB00fb
+LjiZRh+apBTBuL2HjXmVzpOXKkihB7TzQHVifPlTfxwFT7CSL2f8HFO16jNmsifL
+aeUGQFKio+rUUznfoWe1nzTtHCuCNep0Wn3HKNuwBcCySluIf5THNtE6Im6OV14J
+AD4SUedYFzadhnLrYFg/aVgwLkffcttjKQf22rbV8AwrLbsp9RfJCeh2p+HY6gfE
+4IXRxEAyN1Qz5+eI/xpsUSQF0+ZidaHreAdtxnY1ZO1KUw+Wqc6Htuy88AcTw1ux
+H5C2pzF5IfZGMtbW1Shq4IgV7CAgz2UFc0QRWLsf6QKCAQEAz/JaC67QMt9gzlqy
+081+emY5Lzu00DLjdsGA2IU5oPc+eQ8ywOyRiRk9tOTKnDR7IMiamEABJLjBylXD
+IYR4l/GYqjBCYJQlITXruQYUbE94WgIPfvtrPeQtZq0bYZMz5M7lRI2U4UFvnT6Z
+M/SZgm9zGGQ6tioWwk4+Cdr6Nh+fX4K6RJoWDOalE0hVeT8006a+ie35jHNTYy0N
+UFs0kXL6rNmElLJz3V7mn11NE+ZKcRXXOl5OZdv2c4RU85aQo+oFDDw73ISubsD1
+KqJ/apg24oxgTexgFEcwhCUx7ow3WzhppKlAEtBs+KjJ7N0xtm1xDO0m4LQjVfjK
+cC0bqwKCAQBhZLWbXz0HEvm7iP13yZYdNMsl8GT4n4fxbDaWxsyIRFV9GIFP8djX
+3L8iUStsshAqBBp3N7MCrjTW8H6ib4nv0Hcia4IgSBD9qml4yNfnNxHJCJYEHpqI
+MBjmriRQdHrwzVlwxMg0o5sMlRashnSalWLLN4uJznksc/+rNH3QSqkdX/Se71Sp
+4rvn4i5JOn8qn4PiWgRVh5rXIk/i5o3m6UnZe2tk9+WlQmfuUbbrVqoUss+CxVkw
+Jjb254DPhF55byXnhqb99URr2kgtWKWax6g12bXTgp9i/LoQfdLVJLD7ylCfWUMj
+NaDXOsqaSJXUhhYL2xebUl7dmmmRy8WJAoIBAQDB5JaqagiVU0WPglIOzaJbxfRu
+ZS0QL0VdQnpiMY+6sV9EEz4CEJvV+JdvG4aOb50FtkBHWDxIE+CVQ3SNbwR16Pz5
+Maob/OIkvzG6CcJellEtKUKDMLLXvAoSKHjwaB87j+iFO2MDZr5bzbAnKuzltFIZ
+tDMF2z0ysjXVCn5lyQ4qvV7/kgYoRzzyiqzSDziPQX2k70P5PAiNW5BUD+5s3p/4
+fHjb3na66iHOSgOWyuLstKygyAAsM6vCPVx+u4D3PQc+C1rIW19yI5N9tyNWNDTk
+iK7QlNkZ84DSYkpa1j3HLG8nFLDfLLwFIQrHS+pdUqrPlV+wAnC3lNjTogfp
 -----END RSA PRIVATE KEY-----
--- a/go_version.go
+++ b/go_version.go
@ -1,3 +1,3 @@
-// +build !go1.1
+// +build !go1.2

-"etcd requires go 1.1 or greater to build"
+"etcd requires go 1.2 or greater to build"
--- a/server/cors_handler.go
+++ b/server/cors_handler.go
@ -14,56 +14,59 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package server
+package http

 import (
 	"fmt"
 	"net/http"
 	"net/url"
-
-	"github.com/gorilla/mux"
 )

-type corsHandler struct {
-	router      *mux.Router
-	corsOrigins map[string]bool
-}
+type CORSInfo map[string]bool

-// AllowOrigins sets a comma-delimited list of origins that are allowed.
-func (s *corsHandler) AllowOrigins(origins []string) error {
+func NewCORSInfo(origins []string) (*CORSInfo, error) {
 	// Construct a lookup of all origins.
 	m := make(map[string]bool)
 	for _, v := range origins {
 		if v != "*" {
 			if _, err := url.Parse(v); err != nil {
-				return fmt.Errorf("Invalid CORS origin: %s", err)
+				return nil, fmt.Errorf("Invalid CORS origin: %s", err)
 			}
 		}
 		m[v] = true
 	}
-	s.corsOrigins = m

-	return nil
+	info := CORSInfo(m)
+	return &info, nil
 }

 // OriginAllowed determines whether the server will allow a given CORS origin.
-func (c *corsHandler) OriginAllowed(origin string) bool {
-	return c.corsOrigins["*"] || c.corsOrigins[origin]
+func (c CORSInfo) OriginAllowed(origin string) bool {
+	return c["*"] || c[origin]
+}
+
+type CORSHandler struct {
+	Handler http.Handler
+	Info    *CORSInfo
 }

 // addHeader adds the correct cors headers given an origin
-func (h *corsHandler) addHeader(w http.ResponseWriter, origin string) {
+func (h *CORSHandler) addHeader(w http.ResponseWriter, origin string) {
 	w.Header().Add("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
 	w.Header().Add("Access-Control-Allow-Origin", origin)
 }

-// ServeHTTP adds the correct CORS headers based on the origin and returns immediatly
+// ServeHTTP adds the correct CORS headers based on the origin and returns immediately
 // with a 200 OK if the method is OPTIONS.
-func (h *corsHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+func (h *CORSHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	// It is important to flush before leaving the goroutine.
+	// Or it may miss the latest info written.
+	defer w.(http.Flusher).Flush()
+
 	// Write CORS header.
-	if h.OriginAllowed("*") {
+	if h.Info.OriginAllowed("*") {
 		h.addHeader(w, "*")
-	} else if origin := req.Header.Get("Origin"); h.OriginAllowed(origin) {
+	} else if origin := req.Header.Get("Origin"); h.Info.OriginAllowed(origin) {
 		h.addHeader(w, origin)
 	}

@ -72,5 +75,5 @@ func (h *corsHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}

-	h.router.ServeHTTP(w, req)
+	h.Handler.ServeHTTP(w, req)
 }
--- a/http/query_params.go
+++ b/http/query_params.go
@ -0,0 +1,36 @@
+package http
+
+import (
+	"net/http"
+	"strings"
+)
+
+func NewLowerQueryParamsHandler(hdlr http.Handler) *LowerQueryParamsHandler {
+	return &LowerQueryParamsHandler{hdlr}
+}
+
+type LowerQueryParamsHandler struct {
+	Handler http.Handler
+}
+
+func (h *LowerQueryParamsHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	err := req.ParseForm()
+	if err == nil {
+		lowerBoolQueryParams(req)
+	}
+	h.Handler.ServeHTTP(w, req)
+}
+
+func lowerBoolQueryParams(req *http.Request) {
+	form := req.Form
+	for key, vals := range form {
+		for i, val := range vals {
+			lowered := strings.ToLower(val)
+			if lowered == "true" || lowered == "false" {
+				req.Form[key][i] = lowered
+			} else {
+				req.Form[key][i] = val
+			}
+		}
+	}
+}
--- a/http/query_params_test.go
+++ b/http/query_params_test.go
@ -0,0 +1,46 @@
+package http
+
+import (
+	"net/http"
+	"testing"
+)
+
+type NilResponseWriter struct{}
+
+func (w NilResponseWriter) Header() http.Header {
+	return http.Header{}
+}
+
+func (w NilResponseWriter) Write(data []byte) (int, error) {
+	return 0, nil
+}
+
+func (w NilResponseWriter) WriteHeader(code int) {
+	return
+}
+
+type FunctionHandler struct {
+	f func(*http.Request)
+}
+
+func (h FunctionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	h.f(r)
+}
+
+func TestQueryParamsLowered(t *testing.T) {
+	assertFunc := func(req *http.Request) {
+		if len(req.Form["One"]) != 1 || req.Form["One"][0] != "true" {
+			t.Errorf("Unexpected value for One: %s", req.Form["One"])
+		} else if len(req.Form["TWO"]) != 1 || req.Form["TWO"][0] != "false" {
+			t.Errorf("Unexpected value for TWO")
+		} else if len(req.Form["three"]) != 2 || req.Form["three"][0] != "true" || req.Form["three"][1] != "false" {
+			t.Errorf("Unexpected value for three")
+		}
+	}
+	assertHdlr := FunctionHandler{assertFunc}
+	hdlr := NewLowerQueryParamsHandler(assertHdlr)
+	respWriter := NilResponseWriter{}
+
+	req, _ := http.NewRequest("GET", "http://example.com?One=TRUE&TWO=False&three=true&three=FALSE", nil)
+	hdlr.ServeHTTP(respWriter, req)
+}
--- a/log/log.go
+++ b/log/log.go
@ -1,8 +1,9 @@
 package log

 import (
-	golog "github.com/coreos/go-log/log"
 	"os"
+
+	golog "github.com/coreos/etcd/third_party/github.com/coreos/go-log/log"
 )

 // The Verbose flag turns on verbose logging.
--- a/main.go
+++ b/main.go
@ -0,0 +1,44 @@
+/*
+Copyright 2013 CoreOS Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/coreos/etcd/config"
+	"github.com/coreos/etcd/etcd"
+	"github.com/coreos/etcd/server"
+)
+
+func main() {
+	var config = config.New()
+	if err := config.Load(os.Args[1:]); err != nil {
+		fmt.Println(server.Usage() + "\n")
+		fmt.Println(err.Error() + "\n")
+		os.Exit(1)
+	} else if config.ShowVersion {
+		fmt.Println("etcd version", server.ReleaseVersion)
+		os.Exit(0)
+	} else if config.ShowHelp {
+		fmt.Println(server.Usage() + "\n")
+		os.Exit(0)
+	}
+
+	var etcd = etcd.New(config)
+	etcd.Run()
+}
--- a/metrics/metrics.go
+++ b/metrics/metrics.go
@ -0,0 +1,42 @@
+// Package metrics provides both a means of generating metrics and the ability
+// to send metric data to a graphite endpoint.
+// The usage of this package without providing a graphite_addr when calling
+// NewBucket results in NOP metric objects. No data will be collected.
+package metrics
+
+import (
+	"io"
+
+	gometrics "github.com/coreos/etcd/third_party/github.com/rcrowley/go-metrics"
+)
+
+type Timer gometrics.Timer
+type Gauge gometrics.Gauge
+
+type Bucket interface {
+	// If a timer exists in this Bucket, return it. Otherwise, create
+	// a new timer with the given name and store it in this Bucket.
+	// The returned object will fulfull the Timer interface.
+	Timer(name string) Timer
+
+	// This acts similarly to Timer, but with objects that fufill the
+	// Gauge interface.
+	Gauge(name string) Gauge
+
+	// Write the current state of all Metrics in a human-readable format
+	// to the provide io.Writer.
+	Dump(io.Writer)
+
+	// Instruct the Bucket to periodically push all metric data to the
+	// provided graphite endpoint.
+	Publish(string) error
+}
+
+// Create a new Bucket object that periodically
+func NewBucket(name string) Bucket {
+	if name == "" {
+		return nilBucket{}
+	}
+
+	return newStandardBucket(name)
+}
--- a/metrics/nil.go
+++ b/metrics/nil.go
@ -0,0 +1,25 @@
+package metrics
+
+import (
+	"io"
+
+	gometrics "github.com/coreos/etcd/third_party/github.com/rcrowley/go-metrics"
+)
+
+type nilBucket struct{}
+
+func (nmb nilBucket) Dump(w io.Writer) {
+	return
+}
+
+func (nmb nilBucket) Timer(name string) Timer {
+	return gometrics.NilTimer{}
+}
+
+func (nmf nilBucket) Gauge(name string) Gauge {
+	return gometrics.NilGauge{}
+}
+
+func (nmf nilBucket) Publish(string) error {
+	return nil
+}
--- a/metrics/standard.go
+++ b/metrics/standard.go
@ -0,0 +1,86 @@
+package metrics
+
+import (
+	"io"
+	"net"
+	"sync"
+	"time"
+
+	gometrics "github.com/coreos/etcd/third_party/github.com/rcrowley/go-metrics"
+)
+
+const (
+	// RuntimeMemStatsSampleInterval is the interval in seconds at which the
+	// Go runtime's memory statistics will be gathered.
+	RuntimeMemStatsSampleInterval = time.Duration(2) * time.Second
+
+	// GraphitePublishInterval is the interval in seconds at which all
+	// gathered statistics will be published to a Graphite endpoint.
+	GraphitePublishInterval = time.Duration(2) * time.Second
+)
+
+type standardBucket struct {
+	sync.Mutex
+	name     string
+	registry gometrics.Registry
+	timers   map[string]Timer
+	gauges   map[string]Gauge
+}
+
+func newStandardBucket(name string) standardBucket {
+	registry := gometrics.NewRegistry()
+
+	gometrics.RegisterRuntimeMemStats(registry)
+	go gometrics.CaptureRuntimeMemStats(registry, RuntimeMemStatsSampleInterval)
+
+	return standardBucket{
+		name:     name,
+		registry: registry,
+		timers:   make(map[string]Timer),
+		gauges:   make(map[string]Gauge),
+	}
+}
+
+func (smb standardBucket) Dump(w io.Writer) {
+	gometrics.WriteOnce(smb.registry, w)
+	return
+}
+
+func (smb standardBucket) Timer(name string) Timer {
+	smb.Lock()
+	defer smb.Unlock()
+
+	timer, ok := smb.timers[name]
+	if !ok {
+		timer = gometrics.NewTimer()
+		smb.timers[name] = timer
+		smb.registry.Register(name, timer)
+	}
+
+	return timer
+}
+
+func (smb standardBucket) Gauge(name string) Gauge {
+	smb.Lock()
+	defer smb.Unlock()
+
+	gauge, ok := smb.gauges[name]
+	if !ok {
+		gauge = gometrics.NewGauge()
+		smb.gauges[name] = gauge
+		smb.registry.Register(name, gauge)
+	}
+
+	return gauge
+}
+
+func (smb standardBucket) Publish(graphite_addr string) error {
+	addr, err := net.ResolveTCPAddr("tcp", graphite_addr)
+	if err != nil {
+		return err
+	}
+
+	go gometrics.Graphite(smb.registry, GraphitePublishInterval, smb.name, addr)
+
+	return nil
+}
--- a/mod/dashboard/.bowerrc
+++ b/mod/dashboard/.bowerrc
@ -1,3 +1,3 @@
 {
-    "directory": "app/bower_components"
+  "directory": "app/bower_components"
 }
--- a/mod/dashboard/.editorconfig
+++ b/mod/dashboard/.editorconfig
@ -1,21 +0,0 @@
-# EditorConfig helps developers define and maintain consistent
-# coding styles between different editors and IDEs
-# editorconfig.org
-
-root = true
-
-
-[*]
-
-# Change these settings to your own preference
-indent_style = space
-indent_size = 2
-
-# We recommend you to keep these unchanged
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
-
-[*.md]
-trim_trailing_whitespace = false
--- a/mod/dashboard/.gitattributes
+++ b/mod/dashboard/.gitattributes
@ -1 +0,0 @@
-* text=auto
--- a/mod/dashboard/.gitignore
+++ b/mod/dashboard/.gitignore
@ -1,6 +1,6 @@
+/go-bindata
 node_modules
 dist
 .tmp
-.sass-cache
+app/compiled
 app/bower_components
-/go-bindata
--- a/mod/dashboard/.jshintignore
+++ b/mod/dashboard/.jshintignore
@ -1,3 +0,0 @@
-app/scripts/vega.js
-app/scripts/moment.min.js
-app/scripts/ng-time-relative.min.js
--- a/mod/dashboard/.jshintrc
+++ b/mod/dashboard/.jshintrc
@ -1,27 +0,0 @@
-{
-  "node": true,
-  "browser": true,
-  "esnext": true,
-  "bitwise": true,
-  "camelcase": true,
-  "curly": true,
-  "eqeqeq": true,
-  "immed": true,
-  "indent": 2,
-  "latedef": true,
-  "newcap": true,
-  "noarg": true,
-  "quotmark": "single",
-  "regexp": true,
-  "undef": true,
-  "unused": false,
-  "strict": true,
-  "trailing": true,
-  "smarttabs": true,
-  "globals": {
-    "angular": false,
-    "$": false,
-    "vg": false,
-    "moment": false
-  }
-}
--- a/mod/dashboard/.travis.yml
+++ b/mod/dashboard/.travis.yml
@ -1,7 +0,0 @@
-language: node_js
-node_js:
-  - '0.8'
-  - '0.10'
-before_script:
-  - 'npm install -g bower grunt-cli'
-  - 'bower install'
--- a/mod/dashboard/Gruntfile.js
+++ b/mod/dashboard/Gruntfile.js
@ -1,345 +1,307 @@
-// Generated on 2013-10-07 using generator-webapp 0.4.3
 'use strict';

-// # Globbing
-// for performance reasons we're only matching one level down:
-// 'test/spec/{,*/}*.js'
-// use this if you want to recursively match all subfolders:
-// 'test/spec/**/*.js'
+var util = require('util');

-module.exports = function (grunt) {
-    // show elapsed time at the end
-    require('time-grunt')(grunt);
-    // load all grunt tasks
-    require('load-grunt-tasks')(grunt);
+module.exports = function(grunt) {
+  /*jshint maxstatements:false */

-    grunt.initConfig({
-        // configurable paths
-        uglify: {
-          options: {
-            mangle: false
-          },
-        },
-        yeoman: {
-            app: 'app',
-            dist: 'dist'
-        },
-        watch: {
-            compass: {
-                files: ['<%= yeoman.app %>/styles/{,*/}*.{scss,sass}'],
-                tasks: ['compass:server', 'autoprefixer']
-            },
-            styles: {
-                files: ['<%= yeoman.app %>/styles/{,*/}*.css'],
-                tasks: ['copy:styles', 'autoprefixer']
-            },
-            livereload: {
-                options: {
-                    livereload: '<%= connect.options.livereload %>'
-                },
-                files: [
-                    '<%= yeoman.app %>/*.html',
-                    '.tmp/styles/{,*/}*.css',
-                    '{.tmp,<%= yeoman.app %>}/scripts/{,*/}*.js',
-                    '<%= yeoman.app %>/images/{,*/}*.{png,jpg,jpeg,gif,webp,svg}'
-                ]
-            }
-        },
-        connect: {
-            options: {
-                port: 9000,
-                livereload: 35729,
-                // change this to '0.0.0.0' to access the server from outside
-                hostname: 'localhost'
-            },
-            livereload: {
-                options: {
-                    open: true,
-                    base: [
-                        '.tmp',
-                        '<%= yeoman.app %>'
-                    ]
-                }
-            },
-            test: {
-                options: {
-                    base: [
-                        '.tmp',
-                        'test',
-                        '<%= yeoman.app %>'
-                    ]
-                }
-            },
-            dist: {
-                options: {
-                    open: true,
-                    base: '<%= yeoman.dist %>'
-                }
-            }
-        },
-        clean: {
-            dist: {
-                files: [{
-                    dot: true,
-                    src: [
-                        '.tmp',
-                        '<%= yeoman.dist %>/*',
-                        '!<%= yeoman.dist %>/.git*'
-                    ]
-                }]
-            },
-            server: '.tmp'
-        },
-        jshint: {
-            options: {
-                jshintrc: '.jshintrc'
-            },
-            all: [
-                '<%= yeoman.app %>/scripts/{,*/}*.js',
-                '!<%= yeoman.app %>/scripts/vendor/*',
-            ]
-        },
-        mocha: {
-            all: {
-                options: {
-                    run: true,
-                    urls: ['http://<%= connect.test.options.hostname %>:<%= connect.test.options.port %>/index.html']
-                }
-            }
-        },
-        compass: {
-            options: {
-                sassDir: '<%= yeoman.app %>/styles',
-                cssDir: '.tmp/styles',
-                generatedImagesDir: '.tmp/images/generated',
-                imagesDir: '<%= yeoman.app %>/images',
-                javascriptsDir: '<%= yeoman.app %>/scripts',
-                fontsDir: '<%= yeoman.app %>/styles/fonts',
-                importPath: '<%= yeoman.app %>/bower_components',
-                httpImagesPath: '/images',
-                httpGeneratedImagesPath: '/images/generated',
-                httpFontsPath: '/styles/fonts',
-                relativeAssets: false,
-                assetCacheBuster: false
-            },
-            dist: {
-                options: {
-                    generatedImagesDir: '<%= yeoman.dist %>/images/generated'
-                }
-            },
-            server: {
-                options: {
-                    debugInfo: true
-                }
-            }
-        },
-        autoprefixer: {
-            options: {
-                browsers: ['last 1 version']
-            },
-            dist: {
-                files: [{
-                    expand: true,
-                    cwd: '.tmp/styles/',
-                    src: '{,*/}*.css',
-                    dest: '.tmp/styles/'
-                }]
-            }
-        },
-        // not used since Uglify task does concat,
-        // but still available if needed
-        /*concat: {
-            dist: {}
-        },*/
-        requirejs: {
-            dist: {
-                // Options: https://github.com/jrburke/r.js/blob/master/build/example.build.js
-                options: {
-                    // `name` and `out` is set by grunt-usemin
-                    baseUrl: '<%= yeoman.app %>/scripts',
-                    optimize: 'none',
-                    // TODO: Figure out how to make sourcemaps work with grunt-usemin
-                    // https://github.com/yeoman/grunt-usemin/issues/30
-                    //generateSourceMaps: true,
-                    // required to support SourceMaps
-                    // http://requirejs.org/docs/errors.html#sourcemapcomments
-                    preserveLicenseComments: false,
-                    useStrict: true,
-                    wrap: true
-                    //uglify2: {} // https://github.com/mishoo/UglifyJS2
-                }
-            }
-        },
-        useminPrepare: {
-            options: {
-                dest: '<%= yeoman.dist %>'
-            },
-            html: ['<%= yeoman.app %>/**/*.html']
-        },
-        usemin: {
-            options: {
-                dirs: ['<%= yeoman.dist %>']
-            },
-            html: ['<%= yeoman.dist %>/{,*/}*.html'],
-            css: ['<%= yeoman.dist %>/styles/{,*/}*.css']
-        },
-        imagemin: {
-            dist: {
-                files: [{
-                    expand: true,
-                    cwd: '<%= yeoman.app %>/images',
-                    src: '{,*/}*.{png,jpg,jpeg}',
-                    dest: '<%= yeoman.dist %>/images'
-                }]
-            }
-        },
-        svgmin: {
-            dist: {
-                files: [{
-                    expand: true,
-                    cwd: '<%= yeoman.app %>/images',
-                    src: '{,*/}*.svg',
-                    dest: '<%= yeoman.dist %>/images'
-                }]
-            }
-        },
-        cssmin: {
-            // This task is pre-configured if you do not wish to use Usemin
-            // blocks for your CSS. By default, the Usemin block from your
-            // `index.html` will take care of minification, e.g.
-            //
-            //     <!-- build:css({.tmp,app}) styles/main.css -->
-            //
-            // dist: {
-            //     files: {
-            //         '<%= yeoman.dist %>/styles/main.css': [
-            //             '.tmp/styles/{,*/}*.css',
-            //             '<%= yeoman.app %>/styles/{,*/}*.css'
-            //         ]
-            //     }
-            // }
-        },
-        htmlmin: {
-            dist: {
-                options: {
-                    /*removeCommentsFromCDATA: true,
-                    // https://github.com/yeoman/grunt-usemin/issues/44
-                    //collapseWhitespace: true,
-                    collapseBooleanAttributes: true,
-                    removeAttributeQuotes: true,
-                    removeRedundantAttributes: true,
-                    useShortDoctype: true,
-                    removeEmptyAttributes: true,
-                    removeOptionalTags: true*/
-                },
-                files: [{
-                    expand: true,
-                    cwd: '<%= yeoman.app %>',
-                    src: '*.html',
-                    dest: '<%= yeoman.dist %>'
-                }]
-            }
-        },
-        // Put files not handled in other tasks here
-        copy: {
-            dist: {
-                files: [{
-                    expand: true,
-                    dot: true,
-                    cwd: '<%= yeoman.app %>',
-                    dest: '<%= yeoman.dist %>',
-                    src: [
-                        '*.{ico,png,txt}',
-                        '.htaccess',
-                        'images/{,*/}*.{webp,gif}',
-                        'styles/fonts/{,*/}*.*',
-                        'views/*.*',
-                        'index.html',
-                        'bower_components/sass-bootstrap/fonts/*.*'
-                    ]
-                }]
-            },
-            styles: {
-                expand: true,
-                dot: true,
-                cwd: '<%= yeoman.app %>/styles',
-                dest: '.tmp/styles/',
-                src: '{,*/}*.css'
-            }
-        },
-        modernizr: {
-            devFile: '<%= yeoman.app %>/bower_components/modernizr/modernizr.js',
-            outputFile: '<%= yeoman.dist %>/bower_components/modernizr/modernizr.js',
-            files: [
-                '<%= yeoman.dist %>/scripts/{,*/}*.js',
-                '<%= yeoman.dist %>/styles/{,*/}*.css',
-                '!<%= yeoman.dist %>/scripts/vendor/*'
-            ],
-            uglify: true
-        },
-        concurrent: {
-            server: [
-                'compass',
-                'copy:styles'
-            ],
-            test: [
-                'copy:styles'
-            ],
-            dist: [
-                'compass',
-                'copy:styles',
-                'imagemin',
-                'svgmin',
-                'htmlmin'
-            ]
-        },
-        bower: {
-            options: {
-                exclude: ['modernizr']
-            },
-            all: {
-                rjsConfig: '<%= yeoman.app %>/scripts/main.js'
-            }
+  require('matchdep').filterDev('grunt-*').forEach(grunt.loadNpmTasks);
+
+  grunt.initConfig({
+
+    config: {
+      appName: 'etcd-dashboard',
+      appPath: 'app',
+      bowerPath: 'app/bower_components',
+      tmpPath: '.tmp',
+      distPath: 'dist'
+    },
+
+    watch: {
+      css: {
+        files: ['<%= config.appPath %>/{page,ui,style}/{**/,}*.scss'],
+        tasks: ['sass']
+      },
+      html: {
+        files: [
+          '<%= config.appPath %>/{module,ui,page}/**/*.html'
+        ],
+        tasks: ['views']
+      },
+      js: {
+        files: [
+          '<%= config.appPath %>/{module,page}/**/*.js',
+          '<%= config.appPath %>/*.js'
+        ],
+        tasks: ['jshint']
+      }
+    },
+
+    concurrent: {
+      dev: {
+        tasks: [
+          'watch',
+          //'test-watch'
+        ],
+        options: {
+          logConcurrentOutput: true
        }
-    });
+      }
+    },

-    grunt.registerTask('server', function (target) {
-        if (target === 'dist') {
-            return grunt.task.run(['build', 'connect:dist:keepalive']);
+    clean: {
+      tmp: {
+        files: [{
+          dot: true,
+          src: [
+            '<%= config.tmpPath %>',
+            '.sass-cache/**/*'
+          ]
+        }]
+      },
+      dist: {
+        files: [{
+          dot: true,
+          src: [
+            '<%= config.distPath %>/*'
+          ]
+        }]
+      },
+      'dist-static': {
+        files: [{
+          dot: true,
+          src: [
+            '<%= config.distPath %>/cp/**'
+          ]
+        }]
+      },
+      compiled: {
+        files: [{
+          dot: true,
+          src: [
+            '<%= config.appPath %>/compiled/**'
+          ]
+        }]
+      }
+    },
+
+    // JS code linting.
+    jshint: {
+      options: {
+        camelcase: true,
+        curly: true,
+        eqeqeq: true,
+        eqnull: true,
+        forin: true,
+        freeze: true,
+        immed: true,
+        indent: 2,
+        latedef: true,
+        maxcomplexity: 10,
+        maxdepth: 3,
+        maxlen: 80,
+        maxparams: 20,
+        maxstatements: 200,
+        newcap: true,
+        noarg: true,
+        node: true,
+        noempty: true,
+        nonew: true,
+        nonbsp: true,
+        quotmark: 'single',
+        strict: true,
+        sub: true,
+        trailing: true,
+        undef: true,
+        unused: true
+      },
+      src: {
+        node: false,
+        options: {
+          globals: {
+            angular: true,
+            window: true
+          }
+        },
+        files: {
+          src: [
+            '<%= config.appPath %>/*.js',
+            '<%= config.appPath %>/{module,page}**/*.js',
+            '!<%= config.appPath %>/vega.js'
+          ]
        }
+      }
+    },

-        grunt.task.run([
-            'clean:server',
-            'concurrent:server',
-            'autoprefixer',
-            'connect:livereload',
-            'watch'
-        ]);
+    // Compile SCSS to CSS.
+    sass: {
+      etcd: {
+        options: {
+          includePaths: ['<%= config.appPath %>/coreos-web/sass'],
+          outputStyle: 'nested'
+        },
+        files: {
+          '<%= config.appPath %>/compiled/main.css': '<%= config.appPath %>/main.scss'
+        }
+      }
+    },
+
+    /**
+     * Generate grunt configs for concat, uglify, cssmin.
+     */
+    useminPrepare: {
+      html: '<%= config.appPath %>/index.html',
+      options: {
+        dest: '<%= config.distPath %>'
+      }
+    },
+
+    usemin: {
+      html: ['<%= config.distPath %>/index.html']
+    },
+
+    // This block gets generated by usemin.
+    cssmin: {
+    },
+
+    // This block gets generated by usemin.
+    uglify: {
+    },
+
+    // This block gets generated by usemin.
+    concat: {
+    },
+
+    // Make our angular code minification friendly.
+    ngmin: {
+      dist: {
+        files: [{
+          src: '<%= config.tmpPath %>/concat/app.js',
+          dest: '<%= config.tmpPath %>/concat/app.js'
+        }]
+      }
+    },
+
+    copy: {
+      dist: {
+        files: [{
+          expand: true,
+          cwd: '<%= config.appPath %>',
+          src: ['index.html'],
+          dest: '<%= config.distPath %>'
+        }]
+      },
+      images: {
+        files: [{
+          expand: true,
+          cwd: '<%= config.appPath %>/img',
+          src: ['**'],
+          dest: '<%= config.distPath %>/img'
+        }]
+      },
+      'coreos-web': {
+        files: [{
+          cwd: '<%= config.appPath %>/coreos-web',
+          expand: true,
+          src: [
+            'fonts/*',
+            'img/*'
+          ],
+          dest: '<%= config.distPath %>/coreos-web'
+        }]
+      },
+      'dist-static': {
+        files: [
+          {
+            expand: true,
+            flatten: true,
+            src: [
+              '<%= config.distPath %>/cp/static/*'
+            ],
+            dest: '<%= config.distPath %>'
+          }
+        ]
+      }
+    },
+
+    // Precompile html views into a single javascript file.
+    html2js: {
+      options: {
+        base: '<%= config.appPath %>',
+        rename: function(moduleName) {
+          return '/' + moduleName;
+        }
+      },
+      views: {
+        src: [
+          '<%= config.appPath %>/{page,ui,module}/**/*.html'
+        ],
+        dest: '<%= config.appPath %>/compiled/views.js'
+      }
+    }
+
+  });
+
+  grunt.registerTask('clean-paths', 'clean up resource paths', function() {
+    grunt.log.writeln('cleaning paths...');
+    function clean(path) {
+      return path.replace('mod/dashboard/static/', '');
+    }
+    ['concat', 'uglify', 'cssmin'].forEach(function(task) {
+      var config = grunt.config(task);
+
+      config.generated.files.forEach(function(fileGroup) {
+        fileGroup.dest = clean(fileGroup.dest);
+        fileGroup.src = fileGroup.src.map(function(path) {
+          return clean(path);
+        });
+      });
+      grunt.config(task, config);
+      grunt.log.ok(task + ' config is now:');
+      grunt.log.writeln(util.inspect(grunt.config(task), false, 4, true));
    });
+  });

-    grunt.registerTask('test', [
-        'clean:server',
-        'concurrent:test',
-        'autoprefixer',
-        'connect:test',
-        'mocha'
-    ]);
+  grunt.registerTask('test', [
+    'views',
+    'karma:unit'
+  ]);

-    grunt.registerTask('build', [
-        'clean:dist',
-        'useminPrepare',
-        'concurrent:dist',
-        'autoprefixer',
-        'concat',
-        'cssmin',
-        'uglify',
-        'usemin',
-        'copy:dist'
-    ]);
+  grunt.registerTask('test-watch', [
+    'karma:dev'
+  ]);

-    grunt.registerTask('default', [
-        'jshint',
-        'test',
-        'build'
-    ]);
+  grunt.registerTask('views', [
+    'html2js:views'
+  ]);
+
+  grunt.registerTask('dev', [
+    'clean',
+    'jshint',
+    'views',
+    'sass',
+    'concurrent:dev'
+  ]);
+
+  grunt.registerTask('build', [
+    'clean',
+    'jshint',
+    'views',
+    //'test',
+    'sass',
+    'useminPrepare',
+    'clean-paths',
+    'concat',
+    'ngmin:dist',
+    'uglify',
+    'cssmin',
+    'copy:dist',
+    'usemin',
+    'copy:dist-static',
+    'clean:dist-static',
+    'copy:images',
+    'copy:coreos-web'
+  ]);
+
+  grunt.registerTask('default', ['build']);
 };
--- a/mod/dashboard/README.md
+++ b/mod/dashboard/README.md
@ -4,24 +4,38 @@

 If you'd like to contribute to the etcd dashboard mod, follow these instructions. For contributing to the rest of etcd, see the contributing document in the root of the repository.

-### Install yeoman
+### Install Dependencies

-http://yeoman.io/
+Requires nodejs.  

-### Install NPM locally
+Run all commands from within the `/mod/dashboard` directory.  
+
+run `./setup` to install npm modules and bower front-end dependencies.
+
+To run a non-compiled development version of the dashboard:  
+
+Continually compile html templates, sass/css, and run unit tests.

 ```
-npm install
+grunt dev
 ```

-### Install Bower Components
+Export an environment varible to notify etcd of the dashboard source code location:  

 ```
-bower install
+export ETCD_DASHBOARD_DIR=./mod/dashboard/app
 ```

-### View in Browser
+Run local etc as usual (be sure to include the cors flag).  

-Run etcd like you normally would and afterward browse to:
+```
+// from etcd root dir  
+./bin/etcd -cors="*"  
+```

-http://localhost:4001/mod/dashboard/
+Alternatively, build the optimized production-build version of the website and run etcd as above:  
+
+```
+grunt  
+export ETCD_DASHBOARD_DIR=./mod/dashboard/dist  
+```
--- a/mod/dashboard/app/.buildignore
+++ b/mod/dashboard/app/.buildignore
@ -1 +0,0 @@
-*.coffee
--- a/mod/dashboard/app/404.html
+++ b/mod/dashboard/app/404.html
@ -0,0 +1,31 @@
+<div class="co-m-404">
+
+  <div class="row co-l-secondary-nav">
+    <div class="col-lg-3 col-md-3 col-sm-3 col-xs-6 co-m-primary-action"></div>
+    <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 co-m-page-title">
+      <h1 class="co-fx-text-shadow">Page Not Found</h1>
+    </div>
+  </div>
+
+  <div class="row">
+
+    <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
+      <div class="panel co-m-panel co-fx-box-shadow-heavy">
+        <div class="panel-body">
+          <div class="row">
+            <div class="col-lg-6 col-lg-offset-3 col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2 col-xs-12 co-m-404-animation">
+              <div class="co-m-404-logo" ng-include="'/cp/static/img/globe-only.svg'"></div>
+              <div class="co-m-404-orbit">
+                <div class="co-m-404-moon">
+                  <div class="co-m-404-moon-text">404</div>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+     </div>
+
+  </div>
+
+</div>
--- a/Show More
+++ b/Show More