cf4c2c6 upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate

Authored and Committed by ftweedal 4 years ago
    upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
    
    For detailed discussion on the purpose of this change and the design
    decisions made, see `git log -1 $THIS_COMMIT~3`.
    
    If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName,
    resubmit the certificate request to add the name.  This action is
    performed after the tracking request has already been updated.
    
    Note: due to https://pagure.io/certmonger/issue/143, the resubmitted
    request, if it does not immediately succeed (fairly likely during
    ipa-server-upgrade) and if the notAfter date of the current cert is
    still far off (also likely), then Certmonger will wait 7 days before
    trying again (unless restarted).  There is not much we can do about
    that in the middle of ipa-server-upgrade.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>