Fix wrong expiration date on renewed IPA CA certificates

The expiration date was always set to the expiration date of the original
certificate.

https://fedorahosted.org/freeipa/ticket/4717

Reviewed-By: David Kupka <dkupka@redhat.com>

freeipa.spec.in

@@ -142,7 +142,7 @@ Requires: python-dns >= 1.11.1
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
-Requires(pre): certmonger >= 0.75.13
+Requires(pre): certmonger >= 0.76.8
 Requires(pre): 389-ds-base >= 1.3.3.5
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
@@ -229,7 +229,7 @@ Requires: wget
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.12.2
-Requires: certmonger >= 0.75.6
+Requires: certmonger >= 0.76.8
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir

install/certmonger/dogtag-ipa-ca-renew-agent-submit

@@ -146,6 +146,8 @@ def request_cert():
 
     path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
     args = [path] + sys.argv[1:]
+    if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
+        args += ['-O', 'bypassCAnotafter=true']
     stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
     sys.stderr.write(stderr)
     sys.stderr.flush()