a654112 Use secure method to acquire IPA CA certificate

6 files. Authored by jdennis 11 years ago, committed by mkosek 11 years ago.
    Use secure method to acquire IPA CA certificate
    
    Major changes ipa-client-install:
    
    * Use GSSAPI connection to LDAP server to download CA cert (now
      the default method)
    
    * Add --ca-cert-file option to load the CA cert from a disk file.
      Validate the file. If this option is used the supplied CA cert
      is considered definitive.
    
    * The insecure HTTP retrieval method is still supported but it must be
      explicitly forced and a warning will be emitted.
    
    * Remain backward compatible with unattended case (except for aberrant
      condition when preexisting /etc/ipa/ca.crt differs from securely
      obtained CA cert, see below)
    
    * If /etc/ipa/ca.crt CA cert preexists then validate it matches the
      securely acquired CA cert, if not:
    
      - If --unattended and not --force abort with error
    
      - If interactive query user to accept new CA cert, if not abort
    
      In either case warn user.
    
    * If interactive and LDAP retrieval fails prompt user if they want to
      proceed with insecure HTTP method
    
    * If not interactive and LDAP retrieval fails abort unless --force
    
    * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
      if ipa-client-install fails it will be restored.
    
    Other changes:
    
    * Add new exception class CertificateInvalidError
    
    * Add utility convert_ldap_error() to ipalib.ipautil
    
    * Replace all hardcoded instances of /etc/ipa/ca.crt in
      ipa-client-install with CACERT constant (matches existing practice
      elsewhere).
    
    * ipadiscovery no longer retrieves CA cert via HTTP.
    
    * Handle LDAP minssf failures during discovery, treat failure to check
      ldap server as a warning in absence of a provided CA certificate via
      --ca-cert-file or through existing /etc/ipa/ca.crt file.
    
    Signed-off-by: Simo Sorce <simo@redhat.com>
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
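
The CA certificate acquisition policy described in this commit message, modelled as a pure decision function so each branch (definitive --ca-cert-file, GSSAPI/LDAP success, LDAP failure with or without --force, mismatch against a preexisting /etc/ipa/ca.crt) can be exercised offline. This is an added example, not FreeIPA's code; the function, its parameters and the sample PEM blobs are hypothetical, and only the CACERT path and the exception name come from the commit.

```python
import hashlib

CACERT = "/etc/ipa/ca.crt"  # path named in the commit message
# Constructed sample certificates (not real ones); only the PEM framing matters here.
PEM_A = b"-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
PEM_B = b"-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n"
class CertificateInvalidError(Exception):
    pass
def _fingerprint(pem: bytes) -> str:
    return hashlib.sha256(pem).hexdigest()

def select_ca_cert(ca_cert_file=None, ldap_cert=None, existing_cert=None,
                   interactive=False, force=False, http_cert=None,
                   ask=lambda question: False, warn=print):
    """Return (cert_bytes, source) or raise CertificateInvalidError.
    Hypothetical inputs: ldap_cert is None when the GSSAPI/LDAP path failed;
    ask() answers a yes/no prompt and is consulted only when interactive."""
    if ca_cert_file is not None:
        # --ca-cert-file is validated, then definitive: no retrieval, no comparison.
        if not ca_cert_file.startswith(b"-----BEGIN CERTIFICATE-----"):
            raise CertificateInvalidError("--ca-cert-file is not a PEM certificate")
        return ca_cert_file, "file"
    cert, source = ldap_cert, "ldap"
    if cert is None:
        # Secure LDAP retrieval failed: HTTP only if the user opts in or --force is set.
        if interactive and ask("LDAP retrieval failed; use insecure HTTP?"):
            cert, source = http_cert, "http"
        elif not interactive and force:
            cert, source = http_cert, "http"
        else:
            raise CertificateInvalidError("unable to securely retrieve CA certificate")
        warn("WARNING: CA certificate obtained over insecure HTTP")
    if cert is None:
        raise CertificateInvalidError("no CA certificate obtained")
    if existing_cert is not None and _fingerprint(existing_cert) != _fingerprint(cert):
        warn(f"WARNING: {CACERT} differs from the newly acquired CA certificate")
        if not interactive and not force:
            raise CertificateInvalidError(f"{CACERT} mismatch; rerun with --force")
        if interactive and not ask("Accept the new CA certificate?"):
            raise CertificateInvalidError("new CA certificate rejected")
    return cert, source

def rejects(**kwargs) -> bool:
    # True when select_ca_cert refuses the situation described by kwargs.
    try:
        select_ca_cert(warn=lambda msg: None, **kwargs)
    except CertificateInvalidError:
        return True
    return False
```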
    