Upgrade: always start CA

Some CA upgrade steps in the upgrader require a running CA. We always have
to start the CA and wait for its running status over HTTP, because systemd
may return a false positive result that the CA is running even if the CA is
just starting and unable to serve.

https://fedorahosted.org/freeipa/ticket/5868

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Martin Basti
2016-05-12 15:39:30 +02:00
parent 2b50fc6170
commit 0576a6827e


@@ -1448,6 +1448,7 @@ def upgrade_configuration():
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca_running = ca.is_running()
with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
# Dogtag must be stopped to be able to backup CS.cfg config
@@ -1481,6 +1482,11 @@ def upgrade_configuration():
)
upgrade_pki(ca, fstore)
# several upgrade steps require running CA
# always run ca.start() because we need to wait until CA is really ready
# by checking status using http
ca.start('pki-tomcat')
certmonger_service = services.knownservices.certmonger
if ca.is_configured() and not certmonger_service.is_running():
certmonger_service.start()
@@ -1653,6 +1659,11 @@ def upgrade_configuration():
elif not ds_running and ds.is_running():
ds.stop(ds_serverid)
if ca_running and not ca.is_running():
ca.start('pki-tomcat')
elif not ca_running and ca.is_running():
ca.stop('pki-tomcat')
def upgrade_check(options):
try:
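Review bot: The unconditional `ca.start('pki-tomcat')` added in the second hunk (`@@ -1481,6 +1482,11 @@`) runs even when no CA is configured on the host, although the certmonger start directly below it is guarded by `ca.is_configured()`. On a CA-less server that call would presumably fail or wait for an HTTP status that never arrives, which could abort the upgrade partway and leave services in an intermediate state. Guard it the same way: `if ca.is_configured():` followed by `ca.start('pki-tomcat')`. The restore added in the third hunk would be unaffected, since it only compares `ca_running` with `ca.is_running()`; `upgrade_configuration()` starts and ends outside these hunks, so an earlier CA-less guard may exist that is not visible here.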