Bug 713889 - ipa-server-install Man Page missing external ca install options and instructions
Summary: ipa-server-install Man Page missing external ca install options and instructions
Keywords:
Status: CLOSED DUPLICATE of bug 693766
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-06-16 17:38 UTC by Jenny Severance
Modified: 2015-01-04 23:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-19 17:25:06 UTC
Target Upstream Version:
Embargoed:



Description Jenny Severance 2011-06-16 17:38:38 UTC
Description of problem:
FreeIPA docs state there are external CA install options:

https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html

ipa-server-install man page does not include these ...

ipa-server-install(1)                                    ipa-server-install(1)

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures  the  services  needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back-end, configuring
       Apache, configuring NTP and starting the ipa_kpasswd service provided by IPA. By default a dogtag-based CA will be configured to issue  server  certifi-
       cates.

OPTIONS
       -u, --user=DS_USER
              The user that the Directory Server will run as

       -r, --realm=REALM_NAME
              The Kerberos realm name for the IPA server

       -n, --domain=DOMAIN_NAME
              Your DNS domain name

       -p, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user

       -P, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated)

       -a, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user

       -d, --debug
              Enable debug logging when more verbose output is needed

       --selfsign
              Configure a self-signed CA instance for issuing server certificates instead of using dogtag for certificates

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server

       --ip-address=IP_ADDRESS
              The  IP  address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation
              will fail.

      -U, --unattended
              An unattended installation that will never prompt for user input

       --setup-dns
              Generate a DNS zone if it does not exist already and configure the DNS server.  This option requires that you either specify  at  least  one  DNS
              forwarder through the --forwarder option or use the --no-forwarders option.

       --forwarder=IP_ADDRESS
              Add  a  DNS  forwarder to the DNS configuration. You can use this option multiple times to specify more forwarders, but at least one must be pro-
              vided, unless the --no-forwarders option is specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used instead.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to root

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       -N, --no-ntp
              Do not configure NTP

       --uninstall
              Uninstall an existing IPA installation

       --dirsrv_pkcs12=FILE
              PKCS#12 file containing the Directory Server SSL Certificate

       --http_pkcs12=FILE
              PKCS#12 file containing the Apache Server SSL Certificate

       --dirsrv_pin=DIRSRV_PIN
              The password of the Directory Server PKCS#12 file

       --http_pin=HTTP_PIN
              The password of the Apache Server PKCS#12 file

       --idstart=IDSTART
              The starting user and group id number (default random)

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.

       --subject=SUBJECT

       --no_hbac_allow
              Don’t install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is  expected  that  users  will
              remove this rule before moving to production.

       EXIT STATUS
              0 if the installation was successful

              1 if an error occurred

freeipa                           Mar 14 2008            ipa-server-install(1)



Comment 1 Dmitri Pal 2011-06-17 17:39:45 UTC
https://fedorahosted.org/freeipa/ticket/1345

Comment 2 Martin Kosek 2011-06-22 13:00:17 UTC
This was already fixed upstream in ticket 1163 (BZ 693766):

master: 9de10f3674078ef8c423522e30fe704a2d09a7c2
ipa-2-0: 9a3bf577f831d3595cef6013cd319e3a4db03d1e


Updated man pages including --external-ca options:

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting up a Kerberos Key Dis‐
       tribution Center (KDC) with an LDAP back-end, configuring Apache, configuring NTP and  start‐
       ing  the ipa_kpasswd service provided by IPA. By default a dogtag-based CA will be configured
       to issue server certificates.

OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the IPA server

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              Your DNS domain name

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated)

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user

       -d, --debug
              Enable debug logging when more verbose output is needed

       --selfsign
              Configure a self-signed CA instance for issuing server certificates instead  of  using
              dogtag for certificates

       --external-ca
              Generate a CSR to be signed by an external CA

       --external_cert_file=FILE
              File containing PKCS#10 certificate

       --external_ca_file=FILE
              File containing PKCS#10 of the external CA chain

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server
...

Comment 3 Rob Crittenden 2011-07-19 17:25:06 UTC
This was already fixed upstream in ticket #1163 (BZ 693766):

master: 9de10f3674078ef8c423522e30fe704a2d09a7c2
ipa-2-0: 9a3bf577f831d3595cef6013cd319e3a4db03d1e

*** This bug has been marked as a duplicate of bug 693766 ***

