c6f2d02 dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs

Authored and Committed by rcritten 8 months ago
    dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
    
    On a non-HSM, non-renewal-server replica we look in LDAP for
    an updated certificate. If the certificates don't match then we
    have a new one and write it out. If they match the assumption is
    that it hasn't been renewed yet so go into CA_WORKING.
    
    The problem is that for networked HSMs the cert will already be
    visible in the database so certmonger will always be in CA_WORKING.
    In this case we can assume that if the certs are the same then
    that's just fine.
    
    Related: https://pagure.io/freeipa/issue/9273
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>