53d472b certupdate: update config after deployment becomes CA-ful

Authored and Committed by ftweedal 3 years ago
    certupdate: update config after deployment becomes CA-ful
    
    When a deployment gets promoted from CA-less to CA-ful other
    replicas still have enable_ra=False in default.conf, and do not have
    the ra-agent key and certificate.  Enhance ipa-certupdate to detect
    when the deployment has become CA-ful; retrieve the ra-agent
    credential and update default.conf.
    
    The rationale for adding this behaviour to ipa-certupdate is that it
    is already necessary to use this command to update local trust
    stores with the new CA certificate(s).  So by using ipa-certupdate
    we avoid introducing additional steps for administrators.
    
    It is necessary to choose a CA master to use as the ca_host.  We use
    the first server returned by LDAP.  A better heuristic might be to
    choose a master in the same location but this is just left as a
    comment unless or until the need is proven.
    
    Finally, defer the httpd service restart until after the possible
    update of default.conf so that the IPA API executes with the new
    configuration.
    
    This change also addresses the case of a CA server being removed
    from the topology, i.e. ipa-certupdate detects when non-CA replicas
    are pointing at the removed server, and chooses a new ca_host.
    
    HOW TO TEST:
    
    1. Install a CA-less server (first server).
    
    2. Install a CA-less replica.
    
    3. Run 'ipa-ca-install' on first server, promoting deployment from
       CA-less to CA-ful.
    
    4. Run 'ipa-certupdate' on second server.
    
    5. Execute 'ipa cert-show 5' on second server.  Should succeed,
       because ra-agent credential was retrieved and default.conf
       updated at step #4.
    
    Fixes: https://pagure.io/freeipa/issue/7188
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
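The decision the commit message describes (replica still has enable_ra=False after promotion, or its ca_host was removed from the topology, so pick the first CA master LDAP returns) as an added, self-contained illustration; this is not FreeIPA's ipa-certupdate code. It assumes default.conf has a `[global]` section holding `enable_ra`/`ca_host`, and the CA master list is a constructed stand-in for the LDAP query.

```python
import configparser
import io
from typing import List, Optional

# Constructed sample configs (assumption: a [global] section as in default.conf).
SAMPLE_CALESS_CONF = """[global]
host = replica1.example.test
enable_ra = False
"""

SAMPLE_CAFUL_CONF = """[global]
host = replica1.example.test
enable_ra = True
ca_host = ca1.example.test
"""


def plan_ca_config_update(conf_text: str, ca_masters: List[str]) -> Optional[dict]:
    """Return the default.conf changes a replica needs, or None.

    ca_masters simulates the CA servers returned by LDAP (constructed input).
    Cases mirrored from the commit message:
      - no CA masters at all: deployment is still CA-less, nothing to do
      - enable_ra=False but CA masters exist: deployment was promoted,
        so enable RA and point at the first CA master
      - enable_ra=True but ca_host no longer a CA master: server removed,
        so choose a new ca_host
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    g = cfg["global"]
    if not ca_masters:
        return None
    enable_ra = g.getboolean("enable_ra", fallback=False)
    ca_host = g.get("ca_host", fallback=None)
    if enable_ra and ca_host in ca_masters:
        return None  # already CA-ful and pointing at a live CA master
    reason = "promoted" if not enable_ra else "ca_host_removed"
    # Heuristic from the commit: first CA master returned by LDAP.
    return {"enable_ra": "True", "ca_host": ca_masters[0], "reason": reason}


def apply_update(conf_text: str, update: dict) -> str:
    """Write the planned changes back into the config text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    cfg["global"]["enable_ra"] = update["enable_ra"]
    cfg["global"]["ca_host"] = update["ca_host"]
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()
```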