Fixes for FreeIPA 4.12

[t-woerner]

ipaserver: Set hsm attributes to None for now

The HSM parameters

token_name
token_library_path
token_password
token_password_file

are set to None to enable deployment with IPA 4.12 as a workaround till HSM can be fully supported by the ipaserver role.

ipareplica_install_ca_certs: Do not return unchanged config attributes

The config attributes config_master_host_name and also config_ca_host_name are not changed within ipareplica_install_ca_certs, therefore it is not needed to return them and also to use the returned values for following tasks.

ipareplica: Refactor CA file handling

replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is called instead if the client was configured before deploying with iparepica role.

FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d

Refactor CA file handling in replica installer

Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.

ipareplica: After an HSM replica install ensure all certs are visible

FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d

After an HSM replica install ensure all certs are visible

If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.

Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.

Also ensure that the CA certificate has the correct nickname.

Related: https://pagure.io/freeipa/issue/9273