Description Jenny Severance
2011-06-16 17:38:38 UTC
Description of problem:
Freeipa docs state there are external ca install options:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
ipa-server-install man page does not include these ...
ipa-server-install(1) ipa-server-install(1)
NAME
ipa-server-install - Configure an IPA server
SYNOPSIS
ipa-server-install [OPTION]...
DESCRIPTION
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back-end, configuring Apache, configuring NTP and starting the ipa_kpasswd service provided by IPA. By default a dogtag-based CA will be configured to issue server certificates.
OPTIONS
-u, --user=DS_USER
The user that the Directory Server will run as
-r, --realm=REALM_NAME
The Kerberos realm name for the IPA server
-n, --domain=DOMAIN_NAME
Your DNS domain name
-p, --ds-password=DM_PASSWORD
The password to be used by the Directory Server for the Directory Manager user
-P, --master-password=MASTER_PASSWORD
The kerberos master password (normally autogenerated)
-a, --admin-password=ADMIN_PASSWORD
The password for the IPA admin user
-d, --debug
Enable debug logging when more verbose output is needed
--selfsign
Configure a self-signed CA instance for issuing server certificates instead of using dogtag for certificates
--hostname=HOST_NAME
The fully-qualified DNS name of this server
--ip-address=IP_ADDRESS
The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail.
-U, --unattended
An unattended installation that will never prompt for user input
--setup-dns
Generate a DNS zone if it does not exist already and configure the DNS server. This option requires that you either specify at least one DNS forwarder through the --forwarder option or use the --no-forwarders option.
--forwarder=IP_ADDRESS
Add a DNS forwarder to the DNS configuration. You can use this option multiple times to specify more forwarders, but at least one must be provided, unless the --no-forwarders option is specified.
--no-forwarders
Do not add any DNS forwarders. Root DNS servers will be used instead.
--zonemgr
The e-mail address of the DNS zone manager. Defaults to root
--no-host-dns
Do not use DNS for hostname lookup during installation
-N, --no-ntp
Do not configure NTP
--uninstall
Uninstall an existing IPA installation
--dirsrv_pkcs12=FILE
PKCS#12 file containing the Directory Server SSL Certificate
--http_pkcs12=FILE
PKCS#12 file containing the Apache Server SSL Certificate
--dirsrv_pin=DIRSRV_PIN
The password of the Directory Server PKCS#12 file
--http_pin=HTTP_PIN
The password of the Apache Server PKCS#12 file
--idstart=IDSTART
The starting user and group id number (default random)
--idmax=IDMAX
The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.
--subject=SUBJECT
--no_hbac_allow
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
EXIT STATUS
0 if the installation was successful
1 if an error occurred
freeipa Mar 14 2008 ipa-server-install(1)
This was already fixed upstream in ticket 1163 (BZ 693766):
master: 9de10f3674078ef8c423522e30fe704a2d09a7c2
ipa-2-0: 9a3bf577f831d3595cef6013cd319e3a4db03d1e
Updated man pages including --external-ca options:
NAME
ipa-server-install - Configure an IPA server
SYNOPSIS
ipa-server-install [OPTION]...
DESCRIPTION
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back-end, configuring Apache, configuring NTP and starting the ipa_kpasswd service provided by IPA. By default a dogtag-based CA will be configured to issue server certificates.
OPTIONS
-r REALM_NAME, --realm=REALM_NAME
The Kerberos realm name for the IPA server
-n DOMAIN_NAME, --domain=DOMAIN_NAME
Your DNS domain name
-p DM_PASSWORD, --ds-password=DM_PASSWORD
The password to be used by the Directory Server for the Directory Manager user
-P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
The kerberos master password (normally autogenerated)
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
The password for the IPA admin user
-d, --debug
Enable debug logging when more verbose output is needed
--selfsign
Configure a self-signed CA instance for issuing server certificates instead of using dogtag for certificates
--external-ca
Generate a CSR to be signed by an external CA
--external_cert_file=FILE
File containing PKCS#10 certificate
--external_ca_file=FILE
File containing PKCS#10 of the external CA chain
--hostname=HOST_NAME
The fully-qualified DNS name of this server
...
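A pre-flight check for the two-pass external-CA install described by the --external-ca, --external_cert_file and --external_ca_file options above, added here as an example and not code from FreeIPA or from this bug. It assumes only that openssl is installed; the CSR, signed-certificate and chain paths are whatever the operator passes, and the fixture function constructs a throwaway external root CA and an IPA-style CSR so the check runs offline.

```shell
#!/bin/sh
# Added example (not FreeIPA code): sanity-check the files handed to the
# second ipa-server-install pass before running it, so a mismatched or
# non-CA certificate from the external CA is caught up front.
# Assumption: openssl is in PATH; file paths are supplied by the caller.
set -eu

# check_external_ca_files SIGNED_CERT CA_CHAIN CSR
#   returns 1 if the cert does not chain to CA_CHAIN,
#           2 if its public key is not the one from the CSR that was submitted,
#           3 if it is not marked as a CA (basicConstraints CA:TRUE),
#           0 if all three checks pass.
check_external_ca_files() {
  cert=$1; chain=$2; csr=$3
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 1
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
  [ "$cert_key" = "$csr_key" ] || return 2
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 3
  return 0
}

# Constructed fixture: a temporary external root CA, a CSR standing in for
# the one the first --external-ca pass would emit, and the signed CA cert.
# Prints the fixture directory.
mk_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ext.key" \
    -out "$dir/ext.pem" -days 1 -subj "/CN=External Root" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/ipa.key" \
    -out "$dir/ipa.csr" -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/ext.pem" -CAkey "$dir/ext.key" \
    -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/ipa-ca.pem" 2>/dev/null
  echo "$dir"
}
```

In real use the first argument is the certificate returned by the external CA, the second its chain file, and the third the CSR the first ipa-server-install pass produced.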
This was already fixed upstream in ticket #1163 (BZ 693766):
master: 9de10f3674078ef8c423522e30fe704a2d09a7c2
ipa-2-0: 9a3bf577f831d3595cef6013cd319e3a4db03d1e
*** This bug has been marked as a duplicate of bug 693766 ***