Bug 1356091

Summary: ipa-cacert-manage --help and man differ
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: mbasti, pvoborni, rcritten, xdong
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-6.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 05:57:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2016-07-13 11:51:21 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6013

The ipa-cacert-manage --help differs from its man page.

The --help displays which options are available for which subcommand, the man page shows all options for both subcommands (although some of the options are not taken into account during renew action, neither are some during install).

Also, neither help nor man page expresses the need to add the certificate file as an argument to the script for the install subcommand.

Comment 1 Martin Bašti 2016-08-09 14:10:59 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/bf6adfe69d2dc1e6cc76d17023f4049e49cfd8ae

Comment 3 Xiyang Dong 2016-09-18 13:22:49 UTC
Verified on ipa-server-4.4.0-9.el7:
[root@auto-hv-01-guest02 ~]# ipa-cacert-manage --help
Usage: ipa-cacert-manage renew [options]
       ipa-cacert-manage install [options] CERTFILE

Manage CA certificates.

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -p PASSWORD, --password=PASSWORD
                        Directory Manager password

  Logging and output options:
    -v, --verbose       print debugging information
    -q, --quiet         output only errors
    --log-file=FILE     log to the given file

  Renew options:
    --self-signed       Sign the renewed certificate by itself
    --external-ca       Sign the renewed certificate by external CA
    --external-cert-file=FILE
                        File containing the IPA CA certificate and the
                        external CA certificate chain

  Install options:
    -n NICKNAME, --nickname=NICKNAME
                        Nickname for the certificate
    -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
                        Trust flags for the certificate in certutil format

[root@auto-hv-01-guest02 ~]# man ipa-cacert-manage > /tmp/ipa-cacert-manage.out
[root@auto-hv-01-guest02 ~]# cat /tmp/ipa-cacert-manage.out 
ipa-cacert-manage(1)                                    IPA Manual Pages                                   ipa-cacert-manage(1)



NAME
       ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE

DESCRIPTION
       ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS
       renew  - Renew the IPA CA certificate

              This command can be used to manually renew the CA certificate of the IPA CA.

              When  the  IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate,
              as it will be renewed automatically when it is about to expire, but you can do so if you wish.

              When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to  the  external
              CA  and  installing  the  newly issued certificate in IPA, which cannot be done automatically. It is necessary to
              manually renew the CA certificate in this setup.

              When the IPA CA is not configured, this command is not available.

       install
              - Install a CA certificate

              This command can be used to install the certificate contained in CERTFILE as a new CA certificate to IPA.

COMMON OPTIONS
       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.

RENEW OPTIONS
       --self-signed
              Sign the renewed certificate by itself.

       --external-ca
              Sign the renewed certificate by external CA.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

INSTALL OPTIONS
       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust  flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is
              for S/MIME, and Z is for code signing. Use ",," for no explicit trust.

              The supported trust flags are:

                     C - CA trusted to issue server certificates

                     T - CA trusted to issue client certificates

                     p - not trusted

EXIT STATUS
       0 if the command was successful

       1 if an error occurred



IPA                                                       Aug 12 2013                                      ipa-cacert-manage(1)

Comment 4 Xiyang Dong 2016-09-18 13:25:48 UTC
A minor issue should be fixed.
In man page:

.
.
.
SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE


should change to :
.
.
.
SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE

Comment 6 errata-xmlrpc 2016-11-04 05:57:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html