Bug 947912

Summary: ipa-server-install's help text wrong for --external_cert_file, --external_ca_file
Product: Red Hat Enterprise Linux 7
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: mkosek, nsoman
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:03:03 UTC

Description Rob Crittenden 2013-04-03 14:07:15 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3523

The help text and man pages for `ipa-server-install`'s `--external_cert_file` and `--external_ca_file` state that the options take PKCS#10 files. That doesn't make much sense as PKCS#10 is a format for CSRs.

The options actually take PEM certs.
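
Added example (not part of the bug report or of FreeIPA's code): a pre-flight check that tells PEM certificates from a PKCS#10 CSR by their RFC 7468 labels before a file is handed to `--external_cert_file` or `--external_ca_file`. The function names are hypothetical, and the sample PEM blocks carry a constructed placeholder DER body rather than a real certificate.

```python
import base64
import binascii
import re

# RFC 7468 PEM framing: the label on the BEGIN/END lines names the content.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
CERT_LABELS = {"CERTIFICATE"}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}  # PKCS#10


def classify_pem(text):
    """Return one kind per PEM block: certificate, csr, other or corrupt."""
    kinds = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = b""
        if der[:1] != b"\x30":  # certificates and CSRs are both DER SEQUENCEs
            kinds.append("corrupt")
        elif label in CERT_LABELS:
            kinds.append("certificate")
        elif label in CSR_LABELS:
            kinds.append("csr")
        else:
            kinds.append("other")
    return kinds


def check_cert_file(text):
    """Return (ok, reason) for a file meant for either option (hypothetical helper)."""
    kinds = classify_pem(text)
    if not kinds:
        return False, "no PEM block found (raw DER or empty file?)"
    if "csr" in kinds:
        return False, "PKCS#10 CSR found; the option takes PEM certificates"
    bad = sorted(set(kinds) - {"certificate"})
    if bad:
        return False, "unexpected block(s): " + ", ".join(bad)
    return True, "%d certificate(s)" % len(kinds)


def sample_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed sample: a tiny placeholder DER body, not a real certificate."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)
```

The check looks only at PEM labels and the outer DER tag; it does not verify signatures or that the chain leads to the external CA.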

Comment 1 Martin Kosek 2013-04-15 11:34:13 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/b36380fff80d5a6755240bd65b6ef432ef2741e6

Comment 4 Namita Soman 2013-12-03 19:58:45 UTC
Verified using ipa-server-3.3.3-5

Automated Test Result:
:: [ 14:15:41 ] ::  EXECUTING: ipa-server-install --help > /tmp/tmp.MMBZ7iZWfM/ipaserverinstall_default.out 2>&1
:: [   PASS   ] :: Capturing ipa-server-install's help text (Expected 0, got 0)
Usage: ipa-server-install [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  basic options:
    -r REALM_NAME, --realm=REALM_NAME
                        realm name
    -n DOMAIN_NAME, --domain=DOMAIN_NAME
                        domain name
    -p DM_PASSWORD, --ds-password=DM_PASSWORD
                        admin password
    -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
                        kerberos master password (normally autogenerated)
    -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
                        admin user kerberos password
    --mkhomedir         create home directories for users on their first login
    --hostname=HOST_NAME
                        fully qualified name of server
    --ip-address=IP_ADDRESS
                        Master Server IP Address
    -N, --no-ntp        do not configure ntp
    --idstart=IDSTART   The starting value for the IDs range (default random)
    --idmax=IDMAX       The max value value for the IDs range (default:
                        idstart+199999)
    --no_hbac_allow     Don't install allow_all HBAC rule
    --no-ui-redirect    Do not automatically redirect to the Web UI
    --ssh-trust-dns     configure OpenSSH client to trust DNS SSHFP records
    --no-ssh            do not configure OpenSSH client
    --no-sshd           do not configure OpenSSH server
    -d, --debug         print debugging information
    -U, --unattended    unattended (un)installation never prompts the user

  certificate system options:
    --external-ca       Generate a CSR to be signed by an external CA
    --external_cert_file=EXTERNAL_CERT_FILE
                        PEM file containing a certificate signed by the
                        external CA
    --external_ca_file=EXTERNAL_CA_FILE
                        PEM file containing the external CA chain
    --dirsrv_pkcs12=DIRSRV_PKCS12
                        PKCS#12 file containing the Directory Server SSL
                        certificate
    --http_pkcs12=HTTP_PKCS12
                        PKCS#12 file containing the Apache Server SSL
                        certificate
    --dirsrv_pin=DIRSRV_PIN
                        The password of the Directory Server PKCS#12 file
    --http_pin=HTTP_PIN
                        The password of the Apache Server PKCS#12 file
    --root-ca-file=ROOT_CA_FILE
                        PEM file with root CA certificate(s) to trust
    --subject=SUBJECT   The certificate subject base (default O=<realm-name>)

  DNS options:
    --setup-dns         configure bind with our zone
    --forwarder=FORWARDERS
                        Add a DNS forwarder
    --no-forwarders     Do not add any DNS forwarders, use root servers
                        instead
    --reverse-zone=REVERSE_ZONE
                        The reverse DNS zone to use
    --no-reverse        Do not create reverse DNS zone
    --zonemgr=ZONEMGR   DNS zone manager e-mail address. Defaults to
                        hostmaster@DOMAIN
    --no-host-dns       Do not use DNS for hostname lookup during installation
    --no-dns-sshfp      Do not automatically create DNS SSHFP records

  uninstall options:
    --uninstall         uninstall an existing installation. The uninstall can
                        be run with --unattended option
:: [   PASS   ] :: Running 'cat /tmp/tmp.MMBZ7iZWfM/ipaserverinstall_default.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.MMBZ7iZWfM/ipaserverinstall_default.out' should not contain 'PKCS#10'

Comment 5 Ludek Smid 2014-06-13 10:03:03 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.