ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).
If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>