certupdate: update config after deployment becomes CA-ful
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate. Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.
The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s). So by using ipa-certupdate
we avoid introducing additional steps for administrators.
It is necessary to choose a CA master to use as the ca_host. We use
the first server returned by LDAP. A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.
Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.
This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.
HOW TO TEST:
1. Install a CA-less server (first server).
2. Install a CA-less replica.
3. Run 'ipa-ca-install' on first server, promoting deployment from
CA-less to CA-ful.
4. Run 'ipa-certupdate' on second server.
5. Exceute 'ipa cert-show 5' on second server. Should succeed,
because ra-agent credential was retrieved and default.conf
updated at step #4.
Fixes: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>