lts differ between threads; runtime corrupted**step api** provides commands for connecting to the Smallstep API. step beta [arguments] [global-flags] [subcommand-flags]Disables TLS server validation when connecting to the Attestation CAWhat URI would you like to use for the intermediate certificate key?Return stringified JSON containing the main attributes of a context.big: invalid 2nd argument to Int.Jacobi: need odd integer but got %sembedded IPv4 address must replace the final 2 fields of the addressgo-jose/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)go-jose/go-jose: invalid SHA-1 thumbprint, does not match cert chaingo-jose/go-jose/jwt: validation failed, invalid audience claim (aud)cbor: cannot create DecMode with TagSet when TagsMd is TagsForbiddencannot decode CBOR array to struct with different number of elementscbor: cannot create EncMode with TagSet when TagsMd is TagsForbiddeninvalid descriptor: using edition features in a proto with syntax %sinvalid retry throttling config: tokenRatio (%v) may not be negativelabels in collected metric %s %s are inconsistent with descriptor %spositional argument must match the certificate common nameflag disable-ssh-ca-user is not supported for Azure IID provisionersflag disable-ssh-ca-host is not supported for Azure IID provisionersThe path to the containing passphrase to decrypt private key.extension %v does not implement protoreflect.ExtensionTypeDescriptorexpected a JSON struct with one entry; received entry %v at index %ddelegating_resolver: failed to determine proxy URL for target %q: %vcloudresourcemanager.organizations.listAvailableOrgPolicyConstraints[GOOS: %s, GOARCH: %s] syncing file failed, db.datasz: %d, error: %vcannot use QueryExecModeCacheStatement with disabled statement cacheunsupported AuthenticationRecord version %q. This module supports %vNewDefaultAzureCredential failed to initialize some credentials: %sx509: failed to unmarshal certificate list authority info access: %vThe 'GivenName' field of the subject MUST be less than 17 charactersCertificates valid through the year 2049 MUST be encoded in UTC timeprivate key should be a PEM or plain PKCS1 or PKCS8; parse error: %vrollback: freed page (%d) was allocated by the same transaction (%d)oauth2/google/externalaccount: unable to retrieve AWS role name - %sresponse has no WWW-Authenticate header for challenge authenticationLog line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg comma-separated list of pattern=N settings for file-filtered loggingGetAccessTokenFromSamlGrant returned unknown SAML assertion type: %qpeer server is not responding and re-connection should be attempted.decoding int array or slice: length exceeds input size (%d elements)error obtaining home directory, please define environment variable %shttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patterncertificate request does not contain the valid URIs - got %v, want %vsshpop.authorizeToken; sshpop certificate validAfter is in the futuretoken subject %q and sshpop certificate serial number %q do not matchextractSSHPOPCert; error converting ssh public key to ssh certificatetls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytestls: client certificate contains an unsupported public key of type %Treflect: embedded interface with unexported method(s) not implementedno-cache, no-store, no-transform, must-revalidate, private, max-age=0error validating renew token: cannot get provisioner from certificateruntime.Pinner: found leaking pinned pointer; forgot to call Unpin()?flag '--%s' requires at least %s unless '--insecure' flag is providedrevokeCertificateRequest `serialNumber` or `certificate` are required**step ca acme** command group provides facilities for managing ACME.The path of an existing key of the root certificate authority.Generates a Helm values YAML to be used with step-certificates chart.crypto/ecdh: only crypto/rand.Reader is allowed in FIPS 140-only modetoo many hex fields to fit an embedded IPv4 at the end of the addressgo-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t valuedecoding public, creationData, creationHash, ticket, creationName: %vURI domain constraint %q can only have wildcard as starting character-//softquad//dtd hotmetal pro 4.0::19971010::extensions to html 4.0//The Microsoft Azure tenant used to validate the identity tokens.provisioner type 'SCEP' does not support multiple '--challenge' flagsauthenticate and encrypt small messages using public-key cryptographyencrypt and authenticate small messages using secret-key cryptographyedwards25519: internal error: setShortBytes called with a long stringValue log truncate required to run DB. This might result in data losscannot use NewWriteBatch in managed mode. Use NewWriteBatchAt insteadError while retrieving datakey in levelsController.compactBuildTablesThe source bucket (%s) and the target bucket (%s) are the same bucketinvalid DSN: interpolateParams can not be used with unsafe collationscannot use QueryExecModeCacheDescribe with disabled description cacheMemory that is reserved for runtime mspan structures, but not in-use.x509: trailing data after certificate list issuing distribution point^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$^[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$CAs must support key identifiers and include them in all certificatesConforming CAs MUST mark the policy constraints extension as criticalSubordinate CA certificates must have a certificatePolicies extensionThe 'PostalCode' field of the subject MUST be less than 17 charactersrandomstringutils illegal argument: The chars array must not be emptyError while decrypting table index for the table %d in readTableIndexremoves the provided DNS names from the policy instead of adding themmanage wildcard name settings for X.509 certificate issuance policiesinternal error: %d > %d, maxheader: %d, sl: %d, tl: %d, normcount: %vinvalid value for %s: %q. Must be one of "true", "false", "1", or "0"was unable to unmarshal decoded JWT in TokenRespone to ClientInfo: %wdecoding bool array or slice: length exceeds input size (%d elements)decoding int8 array or slice: length exceeds input size (%d elements)decoding uint array or slice: length exceeds input size (%d elements)received frame with incorrect message type %v, expected lower byte %vx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadgot %s for stream %d; expected CONTINUATION following %s for stream %dSpecific error conditions are indicated in the “subproblems” arrayCSR IPs do not match identifiers exactly: CSR IPs = %v, Order IPs = %vbytes.Buffer: UnreadByte: previous operation was not a successful readK8s Service Account provisioner cannot be initialized without pub keystoken is not valid: failed to verify certificate against configured CAerror creating certificate request: unsupported signature algorithm %qCRL Generation requested, but database does not support CRL generationerror decoding login response: pemCertificateChain should not be emptyerror converting to certificates provisioner from linkedca provisionerprovisioner %q does not have a default decrypter certificate availablecrypto/ecdsa: only crypto/rand.Reader is allowed in FIPS 140-only modecrypto/ed25519: use of Ed25519ctx is not allowed in FIPS 140-only modecloudCAS GetCertificateAuthority: PemCACertificate should not be emptycloudCAS CreateCertificateAuthority failed: PemCaCertificates is empty**step ca** [arguments] [global-flags] [subcommand-flags]uninstall from Firefox's, Java's, and the system's default trust storeGenerate a certificate signing request (CSR) instead of a certificate.sync/atomic: compare and swap of inconsistently typed value into Valuego-jose/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)the command may require writing of NV and NV is not current accessibleblockingPicker: the picked transport is not ready, loop back to repickinvalid retry throttling config: maxTokens (%v) out of range (0, 1000]pkcs7: zero parents provided to verify the signature of certificate %qNo admin credentials found. You must login to execute admin commands. Allow renewals for expired certificates generated by this provisioner.invalid jwk use: found 'sig' (signature), expecting 'enc' (encryption)The path to the containing passphrase to decrypt a private key.error adding certificate to ssh agent - certificate is already expiredMemory that is reserved for runtime mcache structures, but not in-use.error details: name = ErrorInfo reason = %s domain = %s metadata = %s failed deleting AK %q because %d key(s) exist that were attested by ittbsCertList.crlExtensions.*.IssuingDistributionPoint.distributionPointtbsCertList.revokedCertificates.crlEntryExtensions.*.CertificateIssuerRoot and Subordinate CA certificate keyUsage extension MUST be presentThe 'State Name' field of the subject MUST be less than 128 charactersremoves the provided Principals from the policy instead of adding themtrustboundary: trust boundary request failed with status: %s, body: %sdecoding int16 array or slice: length exceeds input size (%d elements)decoding int32 array or slice: length exceeds input size (%d elements)decoding int64 array or slice: length exceeds input size (%d elements)Failed to send request to S2Av2 for server peer cert chain validation.Failed to send request to S2Av2 for client peer cert chain validation.chacha20poly1305: invalid buffer overlap of output and additional datax509: issuer has name constraints but leaf doesn't have a SAN extensionjson: invalid use of ,string struct tag, trying to unmarshal %q into %vinternal error: attempt to send frame on a half-closed-local stream: %vThe request must include a value for the "externalAccountBinding" fieldk8ssa.authorizeToken; k8sSA TokenReview API integration not implementedtls: peer doesn't support any of the certificate's signature algorithmscrypto/ecdsa: use of custom curves is not allowed in FIPS 140-only moderange function recovered a loop body panic and did not resume panickingcreateCertificateAuthorityRequest `type=%d' is invalid or not supported**step api** [arguments] [global-flags] [subcommand-flags](e.g. 4fe5f5ef09e95c803fdcb80b8cf511e2a885eb86f3ce74e3e90e62fa3faf1531)Print all fingerprints in the order in which they appear in the bundle.Check all certificates in the order in which they appear in the bundle.The certificate authority used to issue the new certificate (PEM file).**step crl** [arguments] [global-flags] [subcommand-flags]flag '--device-authorization-endpoint' requires flag '--token-endpoint'missing or invalid 'device_authorization_endpoint' in provider metadataAn error occurred in the step process. Please contact an administrator.dynamic table size update MUST occur at the beginning of a header blockgo-jose/go-jose/jwt: validation field, token issued in the future (iat)cbor: cannot set TagsMd to TagsForbidden when TimeTag is EncTagRequiredunsupported key derivation function or function not appropriate for usetransport: set send compressor called after headers sent or stream donegrpc: error unmarshalling service config %s due to methodConfig[%d]: %vtoo many concurrent operations on a single file or socket (max 1048575)collected metric %q { %s} has two or more labels with the same name: %sexec: command with a non-nil Cancel was not created with CommandContextThe path to a containing the password for the SCEP decrypter keyx509: certificate name constraint contained IP address range of length failed to load softKMS: please define decryptionKeyPEM or decryptionKeyInvalid API request. Not allowed to perform this action using ManagedDB%d compactor(s) succeeded. One or more tables from level %d compacted. simple protocol queries must be run with standard_conforming_strings=onnumber of field descriptions must equal number of values, got %d and %dgoogle: could not find default credentials. See %v for more informationEnvironmentCredential will authenticate with UsernamePasswordCredentialTo troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#%sGeneralized time values MUST be expressed in Greenwich Mean Time (Zulu)X520 Distinguished Name SerialNumber MUST be encoded as PrintableStringServer list entry:|%d|, ipStr:|%s|, port:|%d|, load balancer token:|%v|credentials: provided subject_token_field_name not found in credentialsINVALIDBOOLINT64FLOAT64STRINGBOOLSLICEINT64SLICEFLOAT64SLICESTRINGSLICEDigest length of %v bytes does not match Hash function size of %v bytesdecoding string array or slice: length exceeds input size (%d elements)decoding uint16 array or slice: length exceeds input size (%d elements)decoding uint32 array or slice: length exceeds input size (%d elements)decoding uint64 array or slice: length exceeds input size (%d elements)bug: fieldBaseType() lookup of field(%s) on type(%s): do not have fieldgcp.authorizeToken; gcp token google.compute_engine.zone cannot be emptyk8ssa.authorizeToken; error validating k8sSA token and extracting claimscertificate request contains unauthorized DNS names - got %v, allowed %vclient doesn't support any cipher suites compatible with the certificatetls: server's certificate contains an unsupported type of public key: %Ttls: second client hello encrypted client hello extension does not matchtls: certificate private key of type %T does not implement crypto.Signerreflect: embedded type with methods not implemented for non-pointer typeerror parsing DirectoryName SAN: empty value or asn1Value is not allowedcrypto/fips140: FIPS 140-3 mode enabled, but integrity check didn't passcrypto/rsa: use of multi-prime keys is not allowed in FIPS 140-only moderuntime.Goexit called in a thread that was not created by the Go runtimeGenerate a CA configuration without the DB stanza. No persistence layer.What GCS bucket do you want to use? Leave it empty to use a managed one.The path to the containing the password to encrypt the .p12 file.print certificate revocation list (CRL) details in human-readable formatverify the hash digest for a file or directory matches an expected valuego-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)got Content-Type = application/json, but could not unmarshal as JSON: %vcbor: invalid DefaultByteStringType: %s is not of kind string or []uint8grpc: Server.RegisterService found duplicate service registration for %qerror parsing fingerprint format: '%s' is not a valid fingerprint formatExclude the CA intermediate certificate in the SCEP CA certificate chainThe callback
used in the OpenID Connect flow (e.g. \":10000\")The path to the containing passphrase to decrypt the private key.step crypto key SUBCOMMAND [ARGUMENTS] [GLOBAL_FLAGS] [SUBCOMMAND_FLAGS]AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*(){"loadBalancingConfig":[{"grpclb":{"childPolicy":[{"pick_first":{}}]}}]}error details: name = PreconditionFailure type = %s subj = %s desc = %s google: read JWT from JSON credentials: 'type' field is %q (expected %q)EnvironmentCredential will authenticate with ClientCertificateCredentialA certificate policy OID must not appear more than once in the extensionWhen subjectAlternateName contains a URI, the name MUST be an IA5 stringThe 'Serial Number' field of the subject MUST be less than 64 characterscredentials: auth handler must be specified for this credential filetypeNewDefaultCredentialsWithOptions: failed to create application oauth: %voauth2/google/externalaccount: unable to retrieve AWS session token - %sremoves the provided Common Names from the policy instead of adding themtoken request had an empty authority.AuthParams.Scopes, which is invaliddecoding float32 array or slice: length exceeds input size (%d elements)decoding float64 array or slice: length exceeds input size (%d elements)decoding uintptr array or slice: length exceeds input size (%d elements) can only be decoded from remote interface type; received concrete type application data received while processing fragmented handshake messagesFailed to receive server peer cert chain validation response from S2Av2.Failed to receive client peer cert chain validation response from S2Av2.callMarshalJSON called on type %T that does not have MarshalJSON definedunexpected status code when performing is-enabled check for Admin API: %dchallenge identifier %q doesn't match the attested hardware identifier %qCSR URIs do not match identifiers exactly: CSR URIs = %v, Order URIs = %vtls: received unexpected handshake message of type %T when waiting for %Ttls: internal error: handshake returned an error but is marked successfultls: found a certificate rather than a key in the PEM for the private keygo package net: GODEBUG=netdns contains an invalid dns mode, ignoring it error revoking certificate: certificate authority extension was not foundstep api token [arguments] [global-flags] [subcommand-flags]The representing the reason for which the cert is being revoked.generate a new private key and certificate signed by the root certificatePrint the certificate or CSR details in shorter and more friendly format.step certificate SUBCOMMAND [ARGUMENTS] [GLOBAL_FLAGS] [SUBCOMMAND_FLAGS]invalid value '%s' for flag '--not-after': certificate is already expiredissuer certificate cannot sign an intermediate-ca: pathLenConstraint is 0**step crypto hash compare** [--alg ALGORITHM]**step crypto rand** [] [--format=] [--dictionary=]1087160488420-1u0jqoulmv3mfomfh6fhkfs4vk4bdjih.apps.googleusercontent.com1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.comgo-jose/go-jose: key algorithm '%s' not supported in multi-recipient modego-jose/go-jose: invalid or SHA-256 thumbprint, does not match cert chaingo-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chainout of shared object/session memory or need space for internal operations%s: a non nil application or transaction must be provided to enrich a log/google.cloud.security.privateca.v1.CertificateAuthorityService/GetCaPoolThe Microsoft Azure audience used to validate the identity tokens.pkcs12: PBMAC1 requires explicit KeyLength parameter in PBKDF2 parametersflag '--exp' must be in the future unless the '--subtle' flag is provided**step crypto nacl box open** [--raw]Ignoring resolver error because balancer is using a previous good update.Received a RST_STREAM frame with code %q, but found no mapped gRPC statusInter: Biggest(j-1) %s vs Smallest(j): %s : level=%d j=%d numTables=%dinvalid compressed packet: uncompressed length in header is %d, actual %dHeap memory occupied by live objects that were marked by the previous GC.The total amount space that is scannable. Sum of all metrics in /gc/scan.x509: failed to unmarshal certificate list issuing distribution point: %vSubscriber certificates MUST contain the Subject Alternate Name extensionIETF Draft: https://tools.ietf.org/id/draft-strad-trans-redaction-00.htmlCertificates should not have multiple attributes in a single RDN (issuer)The 'Locality Name' field of the subject MUST be less than 128 charactersThe 'StreetAddress' field of the subject MUST be less than 129 charactersstringutils illegal argument: Minimum abbreviation width with offset is 7oauth2/google/externalaccount: failed to unmarshal subject token file: %voauth2/google/externalaccount: invalid credential_source file format typeNoneMapMapKeyMapValueSliceSliceElemArrayArrayElemStructStructFieldWalkLocTenantDiscoveryResponse: issuer was not found in the openid configurationdSTS authority must be an https URL such as https:///dstsv2/%stype %T has field 'AdditionalFields' that is not a map[string]interface{}bytes.Buffer: UnreadRune: previous operation was not a successful ReadRunemalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedaws.authorizeToken; invalid aws identity document - accountId is not validgcp.AuthorizeSSHSign; sshCA for Hosts is disabled for gcp provisioner '%s'gcp.AuthorizeSSHSign; sshCA for Users is disabled for gcp provisioner '%s'certificate request does not contain the valid DNS names - got %v, want %vtls: certificate RSA key size too small for supported signature algorithmscrypto/rand: failed to read random data (see https://go.dev/issue/66821): crypto/rsa: use of keys with odd size is not allowed in FIPS 140-only moderuntime: cannot set cpu profile rate until previous profile has finished. To use a Hosted authority, you'll need a Smallstep account. To create one,What IP and port will your new CA bind to? (:443 will bind to 0.0.0.0:443)flag '--%s' must be provided when no and are presentThe path to the containing the password to decrypt the private key.The path to the containing the password to encrypt the private key.The of the output string. See help for list of available formats.**step crypto hash digest** ... [**--alg**=]step crypto kdf [arguments] [global-flags] [subcommand-flags]go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 valuepublic and sensitive portions of an object are not cryptographically boundparsing nvram header: ekCert size %d smaller than specified cert length %d{"name": "{{ .name }}", "preferred_username": "{{ .preferred_username }}"}gcm: internal error: using generic implementation despite hardware supportNumber of currently allocated objects. Equals to /gc/heap/objects:objects.Certificate () in PEM format to store in the 'x5c' header of a JWT.Certificate in PEM format to store in the 'nebula' header of a JWT.The to open in the system browser when the OAuth flow is successful.cannot create a new token: the CA does not have any provisioner configured good or bad at