Catch and log errors when adding CA profiles
    
    Rather than stopping the installer entirely, catch and report
    errors adding new certificate profiles, and remove the
    broken profile entry from LDAP so it may be re-added later.
    
    It was discovered that installing a newer IPA that has the
    ACME profile which requires sanToCNDefault will fail when
    installing a new server against a very old one that lacks
    this class.
    
    Running ipa-server-upgrade post-install will add the profile
    and generate the missing ipa-ca SAN record so that ACME
    can work.
    
    https://pagure.io/freeipa/issue/8974
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>