Move client certificate request after krb5.conf is created
    
    The creation of krb5.conf was moved to the end of the script
    as part of maintaining server affinity during ipa-client-install.
    If the installation is faster than replication then requests
    against some IPA servers may fail because the client entry is
    not yet present.
    
    This is more difficult with certmonger as it will only use
    /etc/krb5.conf. There is no way of knowing, even at the end
    of the client installation, that replication has finished.
    
    Certificate issuance may fail during ipa-client-install but
    certmonger will re-try the request.
    
    Fixes: https://pagure.io/freeipa/issue/9246
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Stanislav Levin <slev@altlinux.org>