renew agent: respect CA renewal master setting

Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.

This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)

Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Jan Cholasta 2017-04-24 05:24:24 +00:00 committed by David Kupka
parent f3e1efdcf5
commit ce9eefe53b
2 changed files with 2 additions and 2 deletions


@ -535,7 +535,7 @@ def main():
profile = os.environ.get('CERTMONGER_CA_PROFILE')
if is_replicated():
if profile or is_renewal_master():
if is_renewal_master():
handler = request_and_store_cert
else:
handler = retrieve_cert_continuous
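Review bot: a code comment is missing at the changed condition under `if is_replicated():`. `profile` is still read from `CERTMONGER_CA_PROFILE` two lines above, but in the visible lines it no longer takes part in choosing the handler, so a request with a real profile on a replica that is not the renewal master now goes to `retrieve_cert_continuous`. Please add a short comment at that branch saying the profile is deliberately not consulted for the renewal master check. Since the commit message says no certificate is currently tracked with a real profile, a test covering that path would also make sure the new behaviour is exercised before anything depends on it.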


@ -822,7 +822,7 @@ class CAInstance(DogtagInstance):
"-out", chain_file.name,
], stdin=data, capture_output=False)
agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT,
"--dbdir", self.tmp_agent_db,
"--nickname", "ipa-ca-agent",
"--cafile", chain_file.name,
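Review bot: nothing in the code at `agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT,` records why the RA certificate request avoids the renew agent helper. The helper changes while the options passed to it (`--dbdir`, `--nickname`, `--cafile`) stay the same in the visible lines. Suggest a comment next to the list stating that the CA renewal master setting is not yet available at this point of the install, so the call is not switched back later. The name `agent_args` is also worth a second look, since the list no longer invokes the renew agent helper.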