From 03e3540e74e7b6da68987574d65668c07d484396 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 25 Mar 2019 16:13:38 +1100
Subject: [PATCH] ipa-cert-fix: add man page

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 freeipa.spec.in                  |  1 +
 install/tools/man/Makefile.am    |  1 +
 install/tools/man/ipa-cert-fix.1 | 66 ++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 install/tools/man/ipa-cert-fix.1

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 775394619ab0eb682935c0d28fe434bcf8248a01..a18a5b4aab335ad104f1263fa3ae8b26659c3095 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1450,6 +1450,7 @@ fi
 %{_mandir}/man1/ipa-winsync-migrate.1*
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
+%{_mandir}/man1/ipa-cert-fix.1*
 
 
 %files -n python2-ipaserver
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index 947e5c65f7d97734a320ee0a1979d7e890de6ed2..28fb57e87648d2a1a8904cc9d96921aa7e0f206e 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -29,6 +29,7 @@ dist_man1_MANS = 			\
 	ipa-winsync-migrate.1		\
 	ipa-pkinit-manage.1		\
 	ipa-crlgen-manage.1		\
+	ipa-cert-fix.1			\
         $(NULL)
 
 dist_man8_MANS =			\
diff --git a/install/tools/man/ipa-cert-fix.1 b/install/tools/man/ipa-cert-fix.1
new file mode 100644
index 0000000000000000000000000000000000000000..3edef3118947d203d8972994d0d880850302a348
--- /dev/null
+++ b/install/tools/man/ipa-cert-fix.1
@@ -0,0 +1,66 @@
+.\"
+.\" Copyright (C) 2019  FreeIPA Contributors see COPYING for license
+.\"
+.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-cert\-fix \- Renew expired certificates
+.SH "SYNOPSIS"
+ipa\-cert\-fix [options]
+.SH "DESCRIPTION"
+
+\fIipa-cert-fix\fR is a tool for recovery when expired certificates
+prevent the normal operation of FreeIPA.  It should ONLY be used in
+such scenarios, and backup of the system, especially certificates
+and keys, is \fBSTRONGLY RECOMMENDED\fR.
+
+Do not use this program unless expired certificates are inhibiting
+normal operation and renewal procedures.
+
+To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
+
+This tool cannot renew certificates signed by external CAs.  To
+install new, externally-signed HTTP, LDAP or KDC certificates, use
+\fIipa-server-certinstall(1)\fR.
+
+\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
+certificates and renew certificates that are expired, or close to
+expiry (less than two weeks).  If any "shared" certificates are
+renewed, \fIipa-cert-fix\fR will set the current server to be the CA
+renewal master, and add the new shared certificate(s) to LDAP for
+replication to other CA servers.  Shared certificates include all
+Dogtag system certificates except the HTTPS certificate, and the IPA
+RA certificate.
+
+To repair certificates across multiple CA servers, first ensure that
+LDAP replication is working across the topology.  Then run
+\fIipa-cert-fix\fR on one CA server.  Before running
+\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
+for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
+CA server).  This is to avoid unnecessary renewal of shared
+certificates.
+
+.SH "OPTIONS"
+.TP
+\fB\-\-version\fR
+Show the program's version and exit.
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help for this program.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors (output from child processes may still be shown).
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+.SH "SEE ALSO"
+.BR ipa-cacert-manage(1)
+.BR ipa-server-certinstall(1)
+.BR getcert-resubmit(1)
-- 
2.20.1