Bug 1356091 - ipa-cacert-manage --help and man differ
Summary: ipa-cacert-manage --help and man differ
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-07-13 11:51 UTC by Petr Vobornik
Modified: 2016-11-04 05:57 UTC

Fixed In Version: ipa-4.4.0-6.el7
Last Closed: 2016-11-04 05:57:49 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-07-13 11:51:21 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6013

The ipa-cacert-manage --help differs from its man page.

The --help displays which options are available for which subcommand, the man page shows all options for both subcommands (although some of the options are not taken into account during renew action, neither are some during install).

Also, neither help nor man page expresses the need to add the certificate file as an argument to the script for the install subcommand.

Comment 1 Martin Bašti 2016-08-09 14:10:59 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/bf6adfe69d2dc1e6cc76d17023f4049e49cfd8ae

Comment 3 Xiyang Dong 2016-09-18 13:22:49 UTC
Verified on ipa-server-4.4.0-9.el7:
[root@auto-hv-01-guest02 ~]# ipa-cacert-manage --help
Usage: ipa-cacert-manage renew [options]
       ipa-cacert-manage install [options] CERTFILE

Manage CA certificates.

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -p PASSWORD, --password=PASSWORD
                        Directory Manager password

  Logging and output options:
    -v, --verbose       print debugging information
    -q, --quiet         output only errors
    --log-file=FILE     log to the given file

  Renew options:
    --self-signed       Sign the renewed certificate by itself
    --external-ca       Sign the renewed certificate by external CA
    --external-cert-file=FILE
                        File containing the IPA CA certificate and the
                        external CA certificate chain

  Install options:
    -n NICKNAME, --nickname=NICKNAME
                        Nickname for the certificate
    -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
                        Trust flags for the certificate in certutil format

[root@auto-hv-01-guest02 ~]# man ipa-cacert-manage > /tmp/ipa-cacert-manage.out
[root@auto-hv-01-guest02 ~]# cat /tmp/ipa-cacert-manage.out 
ipa-cacert-manage(1)                                    IPA Manual Pages                                   ipa-cacert-manage(1)



NAME
       ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE

DESCRIPTION
       ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS
       renew  - Renew the IPA CA certificate

              This command can be used to manually renew the CA certificate of the IPA CA.

              When  the  IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate,
              as it will be renewed automatically when it is about to expire, but you can do so if you wish.

              When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to  the  external
              CA  and  installing  the  newly issued certificate in IPA, which cannot be done automatically. It is necessary to
              manually renew the CA certificate in this setup.

              When the IPA CA is not configured, this command is not available.

       install
              - Install a CA certificate

              This command can be used to install the certificate contained in CERTFILE as a new CA certificate to IPA.

COMMON OPTIONS
       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.

RENEW OPTIONS
       --self-signed
              Sign the renewed certificate by itself.

       --external-ca
              Sign the renewed certificate by external CA.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

INSTALL OPTIONS
       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust  flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is
              for S/MIME, and Z is for code signing. Use ",," for no explicit trust.

              The supported trust flags are:

                     C - CA trusted to issue server certificates

                     T - CA trusted to issue client certificates

                     p - not trusted

EXIT STATUS
       0 if the command was successful

       1 if an error occurred



IPA                                                       Aug 12 2013                                      ipa-cacert-manage(1)
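
An added example, not part of the original bug report or the FreeIPA code base: a Python check that groups the long options by subcommand section in the --help output and the man page and reports options that appear in only one of them. The function names are my own, the sample texts are abbreviated, constructed copies of the outputs in Comment 3, and MAN_FLAT is a hypothetical single-heading layout used for contrast.

```python
import re
from collections import defaultdict

# Constructed samples: option listings abbreviated from the outputs in Comment 3.
HELP_TEXT = """\
Options:
  -p PASSWORD, --password=PASSWORD
  Logging and output options:
    -v, --verbose       print debugging information
  Renew options:
    --self-signed       Sign the renewed certificate by itself
    --external-ca       Sign the renewed certificate by external CA
    --external-cert-file=FILE
  Install options:
    -n NICKNAME, --nickname=NICKNAME
    -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
"""
MAN_TEXT = """\
COMMON OPTIONS
       -p DM_PASSWORD, --password=DM_PASSWORD
       -v, --verbose
RENEW OPTIONS
       --self-signed
       --external-ca
       --external-cert-file=FILE
INSTALL OPTIONS
       -n NICKNAME, --nickname=NICKNAME
       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
"""
# Hypothetical flat layout (every option under one heading), constructed for contrast.
MAN_FLAT = "OPTIONS\n" + "\n".join(l for l in MAN_TEXT.splitlines() if l.lstrip().startswith("-"))

def options_by_section(text):
    """Map 'common', 'renew' or 'install' to the long options listed under it."""
    sections, current = defaultdict(set), "common"
    for line in text.splitlines():
        heading = re.fullmatch(r"\s*([A-Za-z ]*options):?\s*", line, re.I)
        if heading:  # groups such as "Logging and output options" fold into "common"
            name = heading.group(1).lower()
            current = next((k for k in ("renew", "install") if k in name), "common")
        elif line.lstrip().startswith("-"):
            sections[current].update(re.findall(r"--[a-z][a-z-]*", line))
    return sections

def drift(help_text, man_text):
    """Return {section: (only_in_help, only_in_man)} for sections that disagree."""
    h, m = options_by_section(help_text), options_by_section(man_text)
    return {s: (sorted(h[s] - m[s]), sorted(m[s] - h[s]))
            for s in sorted(set(h) | set(m)) if h[s] != m[s]}
```

An empty result from `drift(HELP_TEXT, MAN_TEXT)` means both documents assign the same options to the same subcommand; against `MAN_FLAT` the renew and install options show up as listed only under the common heading.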

Comment 4 Xiyang Dong 2016-09-18 13:25:48 UTC
A minor issue should be fixed.
In man page:

.
.
.
SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE


should change to:
.
.
.
SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE

Comment 6 errata-xmlrpc 2016-11-04 05:57:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

