f2b1b5b ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

Authored and Committed by ftweedal 3 years ago
    ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
    
    'pki-server cert-fix' has a known and expected failure when the DS
    certificate is expired.  'ipa-cert-fix' handles this by
    optimistically ignoring the CalledProcessError and continuing when
    the DS certificate was up for renewal.
    
    This heuristic is a bit too optimistic.  If 'pki-server cert-fix'
    fails and returns nonzero due to some other, more serious error
    (as has been seen in the wild[1]), 'ipa-cert-fix' continues then
    fails later with a more confusing error, for example:
    
        [Errno 2] No such file or directory:
          '/etc/pki/pki-tomcat/certs/27-renewed.crt'
    
    [1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586
    
    Improve the heuristic by also checking whether output files
    corresponding to all of the "extra" certificates that we asked
    'ipa-cert-fix' to renew do indeed exist and are X.509 certificates.
    
    Fixes: https://pagure.io/freeipa/issue/8721
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
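
The heuristic described in the commit message, sketched as an added example (not FreeIPA's code): a nonzero exit is tolerated only when the DS certificate was up for renewal and every expected output file exists and is certificate-shaped. The function names, the `<serial>-renewed.crt` naming generalised from the path in the error message, and the stdlib-only structural DER check (standing in for a full X.509 parser) are assumptions.

```python
import base64
import re
import subprocess
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def is_x509_file(path):
    """True if path exists and holds SEQUENCE {SEQUENCE, SEQUENCE, BIT STRING}."""
    try:
        data = Path(path).read_bytes()
        m = PEM_RE.search(data)
        der = base64.b64decode(m.group(1)) if m else data  # accept PEM or raw DER
        tag, pos, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tags = []
        while pos < end:  # collect the tags of the top-level children
            t, _, pos = _tlv(der, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]  # tbsCertificate, algorithm, signature
    except (OSError, ValueError, IndexError):
        return False

def bad_outputs(cert_dir, serials):
    """Serials whose '<serial>-renewed.crt' is missing or not certificate-shaped."""
    return [s for s in serials
            if not is_x509_file(Path(cert_dir) / f"{s}-renewed.crt")]

def run_cert_fix(cmd, ds_cert_renewed, cert_dir, serials):
    """Tolerate a nonzero exit only if the DS cert was renewed AND all outputs are valid."""
    try:
        subprocess.run(cmd, check=True)
    except subprocess.CalledProcessError as e:
        bad = bad_outputs(cert_dir, serials)
        if not ds_cert_renewed or bad:
            raise RuntimeError(f"cert-fix failed; bad or missing outputs: {bad}") from e
    return True
```

Failing at this point names the serials whose files are absent or malformed, instead of surfacing later as an unrelated `[Errno 2]`.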