Conditionally restart certmonger after client installation

If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>

ipaclient/install/client.py

@@ -779,7 +779,16 @@ def configure_krb5_conf(
 def configure_certmonger(
         fstore, subject_base, cli_realm, hostname, options, ca_enabled):
 
+    cmonger = services.knownservices.certmonger
     if not options.request_cert:
+        # Conditionally restart certmonger to pick up the new IPA
+        # configuration.
+        try:
+            cmonger.try_restart()
+        except Exception as e:
+            logger.error(
+                "Failed to conditionally restart the %s daemon: %s",
+                cmonger.service_name, str(e))
         return
 
     if not ca_enabled:
@@ -794,7 +803,6 @@ def configure_certmonger(
         # which principal name to use when requesting certs.
         certmonger.add_principal_to_cas(principal)
 
-    cmonger = services.knownservices.certmonger
     try:
         cmonger.enable()
         cmonger.start()