Description of problem:
When you have a replica Setup, the replica is not making a copy of the ca to /usr/share/ipa/html/ca.crt, making ipa-client-install --Password= fail if a replica is hit, due to the Ca.crt missing. 

ls -l /usr/share/ipa/html/ca.crt will come out empty
Where on Server 1 it will be there. 

Check missing in replica install for ca.crt

And Client Needs to say if it can not download a ca.crt instead of giving wrong Password. 


Version-Release number of selected component (if applicable):
ipa-client-common-4.4.0-12.el7.noarch
ipa-client-4.4.0-12.el7.x86_64

ipa-server-4.4.0-12.el7.x86_64
ipa-server-dns-4.4.0-12.el7.noarch
ipa-server-common-4.4.0-12.el7.noarch
ipa-server-trust-ad-4.4.0-12.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA-server
2. Create Ad-Trust
3. setup-replica of IPA Server
4. Create Client ipa host-add hostname.example.com --Password=flaf
5. on Client ipa-client-install --Password=flaf
6. If IDM Server 1 is hit it will work, if replica is hit 

Actual results:
Server Fails with Password wrong. 

Expected results:
Server joined the AD.

Additional info: