Description of problem:
certmonger can download the root certificate from an IPA master. It currently uses cn=cacert,cn=ipa,cn=etc, $SUFFIX as the source of that but it should use cn=certificates,cn=ipa,cn=etc,$SUFFIX instead to pull in all know CA certificates. This will include the entire chain that needs to be trusted by IPA.
This is for use with the -F option.
Note that IPA provides a mechanism to download these certificates system-wide, ipa-certupdate.
Version-Release number of selected component (if applicable):
Test passed in CI pipeline. Hence marking the bug as verified.