Move publishing of CA cert to cainstance creation on master

IPAHTTPSConnection which is set up first time in certificate profiles
migration to LDAP requires CA cert to be stored in a file.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/cainstance.py

@@ -423,6 +423,8 @@ class CAInstance(DogtagInstance):
                 self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
                 self.step("restarting certificate server", self.restart_instance)
                 if not self.clone:
+                    self.step("publishing the CA certificate",
+                              self.__publish_ca_cert)
                     self.step("adding RA agent as a trusted user", self.__create_ca_agent)
                 self.step("authorizing RA to modify profiles", configure_profiles_acl)
                 self.step("authorizing RA to manage lightweight CAs",
@@ -744,6 +746,10 @@ class CAInstance(DogtagInstance):
 
         conn.disconnect()
 
+    def __publish_ca_cert(self):
+        db = certs.CertDB(self.realm)
+        db.publish_ca_cert(paths.IPA_CA_CRT)
+
     def __get_ca_chain(self):
         try:
             return dogtag.get_ca_certchain(ca_host=self.fqdn)

ipaserver/install/server/install.py

@@ -775,14 +775,11 @@ def install(installer):
             write_cache(cache_vars)
 
         # Create RA DB
-        radb = certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
-                            user=IPAAPI_USER, group=IPAAPI_GROUP,
-                            truncate=True)
+        certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
+                     user=IPAAPI_USER, group=IPAAPI_GROUP,
+                     truncate=True)
 
         ca.install_step_0(False, None, options)
-
-        # Now put the CA cert where other instances expect it
-        radb.publish_ca_cert(paths.IPA_CA_CRT)
     else:
         # Put the CA cert where other instances expect it
         x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)