Description of problem:
certmonger can download the root certificate from an IPA master. It currently uses cn=cacert,cn=ipa,cn=etc,$SUFFIX as the source of that but it should use cn=certificates,cn=ipa,cn=etc,$SUFFIX instead to pull in all known CA certificates. This will include the entire chain that needs to be trusted by IPA.
This is for use with the -F option.
Note that IPA provides a mechanism to download these certificates system-wide, ipa-certupdate.
Version-Release number of selected component (if applicable):
certmonger-0.79.6-5.el8
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:1704