From 03e3540e74e7b6da68987574d65668c07d484396 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 25 Mar 2019 16:13:38 +1100 Subject: [PATCH] ipa-cert-fix: add man page Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud --- freeipa.spec.in | 1 + install/tools/man/Makefile.am | 1 + install/tools/man/ipa-cert-fix.1 | 66 ++++++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 install/tools/man/ipa-cert-fix.1 diff --git a/freeipa.spec.in b/freeipa.spec.in index 775394619ab0eb682935c0d28fe434bcf8248a01..a18a5b4aab335ad104f1263fa3ae8b26659c3095 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1450,6 +1450,7 @@ fi %{_mandir}/man1/ipa-winsync-migrate.1* %{_mandir}/man1/ipa-pkinit-manage.1* %{_mandir}/man1/ipa-crlgen-manage.1* +%{_mandir}/man1/ipa-cert-fix.1* %files -n python2-ipaserver diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 947e5c65f7d97734a320ee0a1979d7e890de6ed2..28fb57e87648d2a1a8904cc9d96921aa7e0f206e 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -29,6 +29,7 @@ dist_man1_MANS = \ ipa-winsync-migrate.1 \ ipa-pkinit-manage.1 \ ipa-crlgen-manage.1 \ + ipa-cert-fix.1 \ $(NULL) dist_man8_MANS = \ diff --git a/install/tools/man/ipa-cert-fix.1 b/install/tools/man/ipa-cert-fix.1 new file mode 100644 index 0000000000000000000000000000000000000000..3edef3118947d203d8972994d0d880850302a348 --- /dev/null +++ b/install/tools/man/ipa-cert-fix.1 
@@ -0,0 +1,66 @@
+.\"
+.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+.\"
+.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-cert\-fix \- Renew expired certificates
+.SH "SYNOPSIS"
+ipa\-cert\-fix [options]
+.SH "DESCRIPTION"
+
+\fIipa-cert-fix\fR is a tool for recovery when expired certificates
+prevent the normal operation of FreeIPA. It should ONLY be used in
+such scenarios, and backup of the system, especially certificates
+and keys, is \fBSTRONGLY RECOMMENDED\fR.
+
+Do not use this program unless expired certificates are inhibiting
+normal operation and renewal procedures.
+
+To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
+
+This tool cannot renew certificates signed by external CAs. To
+install new, externally-signed HTTP, LDAP or KDC certificates, use
+\fIipa-server-certinstall(1)\fR.
+
+\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
+certificates and renew certificates that are expired, or close to
+expiry (less than two weeks). If any "shared" certificates are
+renewed, \fIipa-cert-fix\fR will set the current server to be the CA
+renewal master, and add the new shared certificate(s) to LDAP for
+replication to other CA servers. Shared certificates include all
+Dogtag system certificates except the HTTPS certificate, and the IPA
+RA certificate.
+
+To repair certificates across multiple CA servers, first ensure that
+LDAP replication is working across the topology. Then run
+\fIipa-cert-fix\fR on one CA server. Before running
+\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
+for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
+CA server). This is to avoid unnecessary renewal of shared
+certificates.
+
+.SH "OPTIONS"
+.TP
+\fB\-\-version\fR
+Show the program's version and exit.
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help for this program.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors (output from child processes may still be shown).
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+.SH "SEE ALSO"
+.BR ipa-cacert-manage(1)
+.BR ipa-server-certinstall(1)
+.BR getcert-resubmit(1)
-- 2.20.1