From 03e3540e74e7b6da68987574d65668c07d484396 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 25 Mar 2019 16:13:38 +1100
Subject: [PATCH] ipa-cert-fix: add man page
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
freeipa.spec.in | 1 +
install/tools/man/Makefile.am | 1 +
install/tools/man/ipa-cert-fix.1 | 66 ++++++++++++++++++++++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 install/tools/man/ipa-cert-fix.1
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 775394619ab0eb682935c0d28fe434bcf8248a01..a18a5b4aab335ad104f1263fa3ae8b26659c3095 100644
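--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1450,6 +1450,7 @@ fi
 %{_mandir}/man1/ipa-winsync-migrate.1*
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
+%{_mandir}/man1/ipa-cert-fix.1*
 
 
 %files -n python2-ipaserver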
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index 947e5c65f7d97734a320ee0a1979d7e890de6ed2..28fb57e87648d2a1a8904cc9d96921aa7e0f206e 100644
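--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -29,6 +29,7 @@ dist_man1_MANS = \
 ipa-winsync-migrate.1 \
 ipa-pkinit-manage.1 \
 ipa-crlgen-manage.1 \
+ ipa-cert-fix.1 \
 $(NULL)
 
 dist_man8_MANS = \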
diff --git a/install/tools/man/ipa-cert-fix.1 b/install/tools/man/ipa-cert-fix.1
new file mode 100644
index 0000000000000000000000000000000000000000..3edef3118947d203d8972994d0d880850302a348
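--- /dev/null
+++ b/install/tools/man/ipa-cert-fix.1
@@ -0,0 +1,66 @@
+.\"
+.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+.\"
+.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-cert\-fix \- Renew expired certificates
+.SH "SYNOPSIS"
+ipa\-cert\-fix [options]
+.SH "DESCRIPTION"
+
+\fIipa-cert-fix\fR is a tool for recovery when expired certificates
+prevent the normal operation of FreeIPA. It should ONLY be used in
+such scenarios, and backup of the system, especially certificates
+and keys, is \fBSTRONGLY RECOMMENDED\fR.
+
+Do not use this program unless expired certificates are inhibiting
+normal operation and renewal procedures.
+
+To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
+
+This tool cannot renew certificates signed by external CAs. To
+install new, externally-signed HTTP, LDAP or KDC certificates, use
+\fIipa-server-certinstall(1)\fR.
+
+\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
+certificates and renew certificates that are expired, or close to
+expiry (less than two weeks). If any "shared" certificates are
+renewed, \fIipa-cert-fix\fR will set the current server to be the CA
+renewal master, and add the new shared certificate(s) to LDAP for
+replication to other CA servers. Shared certificates include all
+Dogtag system certificates except the HTTPS certificate, and the IPA
+RA certificate.
+
+To repair certificates across multiple CA servers, first ensure that
+LDAP replication is working across the topology. Then run
+\fIipa-cert-fix\fR on one CA server. Before running
+\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
+for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
+CA server). This is to avoid unnecessary renewal of shared
+certificates.
+
+.SH "OPTIONS"
+.TP
+\fB\-\-version\fR
+Show the program's version and exit.
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help for this program.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors (output from child processes may still be shown).
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+.SH "SEE ALSO"
+.BR ipa-cacert-manage(1)
+.BR ipa-server-certinstall(1)
+.BR getcert-resubmit(1)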
--
2.20.1